Version 15.1 → 16.0

Software — Enterprise ATT&CK Changelog

Added Software

Description
[VPNFilter](https://attack.mitre.org/software/S1010) is a multi-stage, modular platform with versatile capabilities to support both intelligence-collection and destructive cyber attack operations. [VPNFilter](https://attack.mitre.org/software/S1010) modules such as its packet sniffer ('ps') can collect traffic that passes through an infected device, allowing the theft of website credentials and monitoring of Modbus SCADA protocols. (Citation: William Largent June 2018) (Citation: Carl Hurd March 2019) [VPNFilter](https://attack.mitre.org/software/S1010) was assessed to be replaced by [Sandworm Team](https://attack.mitre.org/groups/G0034) with [Cyclops Blink](https://attack.mitre.org/software/S0687) starting in 2019.(Citation: NCSC CISA Cyclops Blink Advisory February 2022)

Description
[Raspberry Robin](https://attack.mitre.org/software/S1130) is initial access malware first identified in September 2021, and active through early 2024. The malware is notable for spreading via infected USB devices containing a malicious LNK object that, on execution, retrieves remote hosted payloads for installation. [Raspberry Robin](https://attack.mitre.org/software/S1130) has been widely used against various industries and geographies, and as a precursor to information stealer, ransomware, and other payloads such as [SocGholish](https://attack.mitre.org/software/S1124), [Cobalt Strike](https://attack.mitre.org/software/S0154), [IcedID](https://attack.mitre.org/software/S0483), and [Bumblebee](https://attack.mitre.org/software/S1039).(Citation: TrendMicro RaspberryRobin 2022)(Citation: RedCanary RaspberryRobin 2022)(Citation: HP RaspberryRobin 2024) The DLL componenet in the [Raspberry Robin](https://attack.mitre.org/software/S1130) infection chain is also referred to as "Roshtyak."(Citation: Avast RaspberryRobin 2022) The name "Raspberry Robin" is used to refer to both the malware as well as the threat actor associated with its use, although the Raspberry Robin operators are also tracked as <code>Storm-0856</code> by some vendors.(Citation: Microsoft RaspberryRobin 2022)

Description
NPPSPY is an implementation of a theoretical mechanism first presented in 2004 for capturing credentials submitted to a Windows system via a rogue Network Provider API item. NPPSPY captures credentials following submission and writes them to a file on the victim system for follow-on exfiltration.(Citation: Huntress NPPSPY 2022)(Citation: Polak NPPSPY 2004)

Description
[IPsec Helper](https://attack.mitre.org/software/S1132) is a post-exploitation remote access tool linked to [Agrius](https://attack.mitre.org/groups/G1030) operations. This malware shares significant programming and functional overlaps with [Apostle](https://attack.mitre.org/software/S1133) ransomware, also linked to [Agrius](https://attack.mitre.org/groups/G1030). [IPsec Helper](https://attack.mitre.org/software/S1132) provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.(Citation: SentinelOne Agrius 2021)

Description
[Apostle](https://attack.mitre.org/software/S1133) is malware that has functioned as both a wiper and, in more recent versions, as ransomware. [Apostle](https://attack.mitre.org/software/S1133) is written in .NET and shares various programming and functional overlaps with [IPsec Helper](https://attack.mitre.org/software/S1132).(Citation: SentinelOne Agrius 2021)

Description
[DEADWOOD](https://attack.mitre.org/software/S1134) is wiper malware written in C++ using Boost libraries. [DEADWOOD](https://attack.mitre.org/software/S1134) was first observed in an unattributed wiping event in Saudi Arabia in 2019, and has since been incorporated into [Agrius](https://attack.mitre.org/groups/G1030) operations.(Citation: SentinelOne Agrius 2021)

Description
[MultiLayer Wiper](https://attack.mitre.org/software/S1135) is wiper malware written in .NET associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. Observed samples of [MultiLayer Wiper](https://attack.mitre.org/software/S1135) have an anomalous, future compilation date suggesting possible metadata manipulation.(Citation: Unit42 Agrius 2023)

Description
[BFG Agonizer](https://attack.mitre.org/software/S1136) is a wiper related to the open-source project CRYLINE-v.5.0. The malware is associated with wiping operations conducted by the [Agrius](https://attack.mitre.org/groups/G1030) threat actor.(Citation: Unit42 Agrius 2023)

Description
[Moneybird](https://attack.mitre.org/software/S1137) is a ransomware variant written in C++ associated with [Agrius](https://attack.mitre.org/groups/G1030) operations. The name "Moneybird" is contained in the malware's ransom note and as strings in the executable.(Citation: CheckPoint Agrius 2023)

Description
[Gootloader](https://attack.mitre.org/software/S1138) is a Javascript-based infection framework that has been used since at least 2020 as a delivery method for the Gootkit banking trojan, [Cobalt Strike](https://attack.mitre.org/software/S0154), [REvil](https://attack.mitre.org/software/S0496), and others. [Gootloader](https://attack.mitre.org/software/S1138) operates on an "Initial Access as a Service" model and has leveraged [SEO Poisoning](https://attack.mitre.org/techniques/T1608/006) to provide access to entities in multiple sectors worldwide including financial, military, automotive, pharmaceutical, and energy.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)

Description
[INC Ransomware](https://attack.mitre.org/software/S1139) is a ransomware strain that has been used by the [INC Ransom](https://attack.mitre.org/groups/G1032) group since at least 2023 against multiple industry sectors worldwide. [INC Ransomware](https://attack.mitre.org/software/S1139) can employ partial encryption combined with multi-threading to speed encryption.(Citation: SentinelOne INC Ransomware)(Citation: Huntress INC Ransom Group August 2023)(Citation: Secureworks GOLD IONIC April 2024)

Description
[Spica](https://attack.mitre.org/software/S1140) is a custom backdoor written in Rust that has been used by [Star Blizzard](https://attack.mitre.org/groups/G1033) since at least 2023.(Citation: Google TAG COLDRIVER January 2024)

Description
[LunarWeb](https://attack.mitre.org/software/S1141) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) together with [LunarLoader](https://attack.mitre.org/software/S1143) and [LunarMail](https://attack.mitre.org/software/S1142). [LunarWeb](https://attack.mitre.org/software/S1141) has only been observed deployed against servers and can use [Steganography](https://attack.mitre.org/techniques/T1001/002) to obfuscate command and control.(Citation: ESET Turla Lunar toolset May 2024)

Description
[LunarMail](https://attack.mitre.org/software/S1142) is a backdoor that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including in a compromise of a European ministry of foreign affairs (MFA) in conjunction with [LunarLoader](https://attack.mitre.org/software/S1143) and [LunarWeb](https://attack.mitre.org/software/S1141). [LunarMail](https://attack.mitre.org/software/S1142) is designed to be deployed on workstations and can use email messages and [Steganography](https://attack.mitre.org/techniques/T1001/002) in command and control.(Citation: ESET Turla Lunar toolset May 2024)

Description
[LunarLoader](https://attack.mitre.org/software/S1143) is the loader component for the [LunarWeb](https://attack.mitre.org/software/S1141) and [LunarMail](https://attack.mitre.org/software/S1142) backdoors that has been used by [Turla](https://attack.mitre.org/groups/G0010) since at least 2020 including against a European ministry of foreign affairs (MFA). [LunarLoader](https://attack.mitre.org/software/S1143) has been observed as a standalone and as a part of trojanized open-source software such as AdmPwd.(Citation: ESET Turla Lunar toolset May 2024)

Description
[FRP](https://attack.mitre.org/software/S1144), which stands for Fast Reverse Proxy, is an openly available tool that is capable of exposing a server located behind a firewall or Network Address Translation (NAT) to the Internet. [FRP](https://attack.mitre.org/software/S1144) can support multiple protocols including TCP, UDP, and HTTP(S) and has been abused by threat actors to proxy command and control communications.(Citation: FRP GitHub)(Citation: Joint Cybersecurity Advisory Volt Typhoon June 2023)(Citation: RedCanary Mockingbird May 2020)(Citation: DFIR Phosphorus November 2021)

Description
[Pikabot](https://attack.mitre.org/software/S1145) is a backdoor used for initial access and follow-on tool deployment active since early 2023. [Pikabot](https://attack.mitre.org/software/S1145) is notable for extensive use of multiple encoding, encryption, and defense evasion mechanisms to evade defenses and avoid analysis. [Pikabot](https://attack.mitre.org/software/S1145) has some overlaps with [QakBot](https://attack.mitre.org/software/S0650), but insufficient evidence exists to definitively link these two malware families. [Pikabot](https://attack.mitre.org/software/S1145) is frequently used to deploy follow on tools such as [Cobalt Strike](https://attack.mitre.org/software/S0154) or ransomware variants.(Citation: Zscaler Pikabot 2023)(Citation: Elastic Pikabot 2024)(Citation: Logpoint Pikabot 2024)

Description
[MgBot](https://attack.mitre.org/software/S1146) is a modular malware framework exclusively associated with [Daggerfly](https://attack.mitre.org/groups/G1034) operations since at least 2012. [MgBot](https://attack.mitre.org/software/S1146) was developed in C++ and features a module design with multiple available plugins that have been under active development through 2024.(Citation: Szappanos MgBot 2014)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)

Description
[Nightdoor](https://attack.mitre.org/software/S1147) is a backdoor exclusively associated with [Daggerfly](https://attack.mitre.org/groups/G1034) operations. [Nightdoor](https://attack.mitre.org/software/S1147) uses common libraries with [MgBot](https://attack.mitre.org/software/S1146) and [MacMa](https://attack.mitre.org/software/S1016), linking these malware families together.(Citation: ESET EvasivePanda 2024)(Citation: Symantec Daggerfly 2024)

Description
[Raccoon Stealer](https://attack.mitre.org/software/S1148) is an information stealer malware family active since at least 2019 as a malware-as-a-service offering sold in underground forums. [Raccoon Stealer](https://attack.mitre.org/software/S1148) has experienced two periods of activity across two variants, from 2019 to March 2022, then resurfacing in a revised version in June 2022.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)

Description
[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) is a backdoor malware that was deployed during [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) along with [ROADSWEEP](https://attack.mitre.org/software/S1150) ransomware, and has been used to target Farsi and Arabic speakers since at least 2012.(Citation: Mandiant ROADSWEEP August 2022)

Description
[ROADSWEEP](https://attack.mitre.org/software/S1150) is a ransomware that was deployed against Albanian government networks during [HomeLand Justice](https://attack.mitre.org/campaigns/C0038) along with the [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) backdoor.(Citation: Mandiant ROADSWEEP August 2022)

Description
[ZeroCleare](https://attack.mitre.org/software/S1151) is a wiper malware that has been used in conjunction with the [RawDisk](https://attack.mitre.org/software/S0364) driver since at least 2019 by suspected Iran-nexus threat actors including activity targeting the energy and industrial sectors in the Middle East and political targets in Albania.(Citation: Microsoft Albanian Government Attacks September 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Mandiant ROADSWEEP August 2022)(Citation: IBM ZeroCleare Wiper December 2019)

Description
[IMAPLoader](https://attack.mitre.org/software/S1152) is a .NET-based loader malware exclusively associated with [CURIUM](https://attack.mitre.org/groups/G1012) operations since at least 2022. [IMAPLoader](https://attack.mitre.org/software/S1152) leverages email protocols for command and control and payload delivery.(Citation: PWC Yellow Liderc 2023)

Description
[Cuckoo Stealer](https://attack.mitre.org/software/S1153) is a macOS malware with characteristics of spyware and an infostealer that has been in use since at least 2024. [Cuckoo Stealer](https://attack.mitre.org/software/S1153) is a universal Mach-O binary that can run on Intel or ARM-based Macs and has been spread through trojanized versions of various potentially unwanted programs or PUP's such as converters, cleaners, and uninstallers.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)

Description
[VersaMem](https://attack.mitre.org/software/S1154) is a web shell designed for deployment to Versa Director servers following exploitation. Discovered in August 2024, [VersaMem](https://attack.mitre.org/software/S1154) was used during [Versa Director Zero Day Exploitation](https://attack.mitre.org/campaigns/C0039) by [Volt Typhoon](https://attack.mitre.org/groups/G1017) to target ISPs and MSPs. [VersaMem](https://attack.mitre.org/software/S1154) is deployed as a Java Archive (JAR) and allows for credential capture for Versa Director logon activity as well as follow-on execution of arbitrary Java payloads.(Citation: Lumen Versa 2024)

Description
[Covenant](https://attack.mitre.org/software/S1155) is a multi-platform command and control framework written in .NET. While designed for penetration testing and security research, the tool has also been used by threat actors such as [HAFNIUM](https://attack.mitre.org/groups/G0125) during operations. [Covenant](https://attack.mitre.org/software/S1155) functions through a central listener managing multiple deployed "Grunts" that communicate back to the controller.(Citation: Github Covenant)(Citation: Microsoft HAFNIUM March 2020)

Description
[Manjusaka](https://attack.mitre.org/software/S1156) is a Chinese-language intrusion framework, similar to [Sliver](https://attack.mitre.org/software/S0633) and [Cobalt Strike](https://attack.mitre.org/software/S0154), with an ELF binary written in GoLang as the controller for Windows and Linux implants written in Rust. First identified in 2022, [Manjusaka](https://attack.mitre.org/software/S1156) consists of multiple components, only one of which (a command and control module) is freely available.(Citation: Talos Manjusaka 2022)

Description
[DUSTPAN](https://attack.mitre.org/software/S1158) is an in-memory dropper written in C/C++ used by [APT41](https://attack.mitre.org/groups/G0096) since 2021 that decrypts and executes an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Cloud APT41 2022)

Description
[DUSTTRAP](https://attack.mitre.org/software/S1159) is a multi-stage plugin framework associated with [APT41](https://attack.mitre.org/groups/G0096) operations with multiple components.(Citation: Google Cloud APT41 2024)

Description
[Latrodectus](https://attack.mitre.org/software/S1160) is a Windows malware downloader that has been used since at least 2023 to download and execute additional payloads and modules. [Latrodectus](https://attack.mitre.org/software/S1160) has most often been distributed through email campaigns, primarily by [TA577](https://attack.mitre.org/groups/G1037) and [TA578](https://attack.mitre.org/groups/G1038), and has infrastructure overlaps with historic [IcedID](https://attack.mitre.org/software/S0483) operations.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024)(Citation: Bitsight Latrodectus June 2024)

Description
[BPFDoor](https://attack.mitre.org/software/S1161) is a Linux based passive long-term backdoor used by China-based threat actors. First seen in 2021, [BPFDoor](https://attack.mitre.org/software/S1161) is named after its usage of Berkley Packet Filter (BPF) to execute single task instructions. [BPFDoor](https://attack.mitre.org/software/S1161) supports multiple protocols for communicating with a C2 including TCP, UDP, and ICMP and can start local or reverse shells that bypass firewalls using iptables.(Citation: Sandfly BPFDoor 2022)(Citation: Deep Instinct BPFDoor 2023)

Description
[Playcrypt](https://attack.mitre.org/software/S1162) is a ransomware that has been used by [Play](https://attack.mitre.org/groups/G1040) since at least 2022 in attacks against against the business, government, critical infrastructure, healthcare, and media sectors in North America, South America, and Europe. [Playcrypt](https://attack.mitre.org/software/S1162) derives its name from adding the .play extension to encrypted files and has overlap with tactics and tools associated with Hive and Nokoyawa ransomware and infrastructure associated with Quantum ransomware.(Citation: Microsoft PlayCrypt August 2022)(Citation: CISA Play Ransomware Advisory December 2023)(Citation: Trend Micro Ransomware Spotlight Play July 2023)

Modified Software

Description
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. (Citation: Deply Mimikatz) (Citation: Adsecurity Mimikatz Guide)
Details
Values Changed
Field Old value New value
modified 2024-02-09 21:31:30.227000+00:00 2024-09-25 20:34:58.387000+00:00

Description
[Windows Credential Editor](https://attack.mitre.org/software/S0005) is a password dumping tool. (Citation: Amplia WCE)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-30 18:28:34.296000+00:00 2024-09-12 15:17:22.004000+00:00
external_references[1]['description'] Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved December 17, 2015. Amplia Security. (n.d.). Windows Credentials Editor (WCE) F.A.Q.. Retrieved September 12, 2024.
external_references[1]['url'] http://www.ampliasecurity.com/research/wcefaq.html https://web.archive.org/web/20240904163410/https://www.ampliasecurity.com/research/wcefaq.html
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)
Details
Values Changed
Field Old value New value
modified 2024-02-14 19:16:01.583000+00:00 2024-09-19 14:30:03.923000+00:00
external_references[5]['description'] FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
external_references[5]['url'] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-poison-ivy.pdf https://www.mandiant.com/sites/default/files/2021-09/rpt-poison-ivy.pdf

Description
[GLOOXMAIL](https://attack.mitre.org/software/S0026) is malware used by [APT1](https://attack.mitre.org/groups/G0006) that mimics legitimate Jabber/XMPP traffic. (Citation: Mandiant APT1)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-30 16:42:52.248000+00:00 2024-08-28 14:16:00.884000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.1 1.2

Description
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS PsExec)
Details
Values Changed
Field Old value New value
modified 2024-04-04 03:50:11+00:00 2024-09-25 20:31:21.768000+00:00
x_mitre_version 1.6 1.7

Description
[gh0st RAT](https://attack.mitre.org/software/S0032) is a remote access tool (RAT). The source code is public and it has been used by multiple groups.(Citation: FireEye Hacking Team)(Citation: Arbor Musical Chairs Feb 2018)(Citation: Nccgroup Gh0st April 2018)
Details
Values Changed
Field Old value New value
modified 2024-02-06 19:00:45.557000+00:00 2024-05-07 19:07:45.403000+00:00
x_mitre_version 3.2 3.3

Description
[BLACKCOFFEE](https://attack.mitre.org/software/S0069) is malware that has been used by several Chinese groups since at least 2013. (Citation: FireEye APT17) (Citation: FireEye Periscope March 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-30 14:58:42.298000+00:00 2024-09-04 17:04:35.670000+00:00
external_references[2]['url'] https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf https://web.archive.org/web/20240119213200/https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[ASPXSpy](https://attack.mitre.org/software/S0073) is a Web shell. It has been modified by [Threat Group-3390](https://attack.mitre.org/groups/G0027) actors to create the ASPXTool version. (Citation: Dell TG-3390)
Details
Values Changed
Field Old value New value
modified 2022-09-22 20:56:06.265000+00:00 2024-05-22 19:06:12.701000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.2 1.3

Description
[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a system or to exfiltrate data.(Citation: Microsoft FTP)(Citation: Linux FTP)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2022-03-07 22:20:18.809000+00:00 2024-08-14 15:21:48.196000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 2.0 2.1

Description
[Remsec](https://attack.mitre.org/software/S0125) is a modular backdoor that has been used by [Strider](https://attack.mitre.org/groups/G0041) and appears to have been designed primarily for espionage purposes. Many of its modules are written in Lua. (Citation: Symantec Strider Blog)
Details
Values Changed
Field Old value New value
modified 2024-04-11 00:16:18.864000+00:00 2024-08-05 18:23:59.724000+00:00
x_mitre_version 1.3 1.4

Description
[Miner-C](https://attack.mitre.org/software/S0133) is malware that mines victims for the Monero cryptocurrency. It has targeted FTP servers and Network Attached Storage (NAS) devices to spread. (Citation: Softpedia MinerC)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['Miner-C']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-12 15:19:00.433000+00:00
external_references[1]['description'] Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved October 12, 2016. Cimpanu, C.. (2016, September 9). Cryptocurrency Mining Malware Discovered Targeting Seagate NAS Hard Drives. Retrieved September 12, 2024.
external_references[1]['url'] http://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml https://news.softpedia.com/news/cryptocurrency-mining-malware-discovered-targeting-seagate-nas-hard-drives-508119.shtml
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[ChChes](https://attack.mitre.org/software/S0144) is a Trojan that appears to be used exclusively by [menuPass](https://attack.mitre.org/groups/G0045). It was used to target Japanese organizations in 2016. Its lack of persistence methods suggests it may be intended as a first-stage tool. (Citation: Palo Alto menuPass Feb 2017) (Citation: JPCERT ChChes Feb 2017) (Citation: PWC Cloud Hopper Technical Annex April 2017)
Details
Values Changed
Field Old value New value
modified 2023-03-23 15:14:18.599000+00:00 2024-09-12 19:32:28.615000+00:00
external_references[4]['description'] Carr, N.. (2017, April 6). Retrieved June 29, 2017. Carr, N.. (2017, April 6). Retrieved September 12, 2024.
external_references[4]['url'] https://twitter.com/ItsReallyNick/status/850105140589633536 https://x.com/ItsReallyNick/status/850105140589633536
x_mitre_attack_spec_version 3.1.0 3.2.0

Description
[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical Annex April 2017) (Citation: FireEye APT10 April 2017)
Details
Values Changed
Field Old value New value
modified 2024-04-11 00:17:52.256000+00:00 2024-09-12 19:32:28.614000+00:00
external_references[3]['description'] Carr, N.. (2017, April 6). Retrieved June 29, 2017. Carr, N.. (2017, April 6). Retrieved September 12, 2024.
external_references[3]['url'] https://twitter.com/ItsReallyNick/status/850105140589633536 https://x.com/ItsReallyNick/status/850105140589633536

Description
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.(Citation: cobaltstrike manual) In addition to its own capabilities, [Cobalt Strike](https://attack.mitre.org/software/S0154) leverages the capabilities of other well-known tools such as Metasploit and [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: cobaltstrike manual)
Details
Values Changed
Field Old value New value
modified 2024-04-17 22:05:58.343000+00:00 2024-09-25 20:32:57.099000+00:00
x_mitre_version 1.12 1.13

Description
[Janicab](https://attack.mitre.org/software/S0163) is an OS X trojan that relied on a valid developer ID and oblivious users to install it. (Citation: Janicab)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-19 18:00:00.645000+00:00 2024-09-12 19:07:36.511000+00:00
external_references[1]['url'] http://www.thesafemac.com/new-signed-malware-called-janicab/ https://web.archive.org/web/20230331162455/https://www.thesafemac.com/new-signed-malware-called-janicab/
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[FinFisher](https://attack.mitre.org/software/S0182) is a government-grade commercial surveillance spyware reportedly sold exclusively to government agencies for use in targeted and lawful criminal investigations. It is heavily obfuscated and uses multiple anti-analysis techniques. It has other variants including [Wingbird](https://attack.mitre.org/software/S0176). (Citation: FinFisher Citation) (Citation: Microsoft SIR Vol 21) (Citation: FireEye FinSpy Sept 2017) (Citation: Securelist BlackOasis Oct 2017) (Citation: Microsoft FinFisher March 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2022-03-02 15:47:13.329000+00:00 2024-09-12 17:23:46.687000+00:00
external_references[3]['description'] FinFisher. (n.d.). Retrieved December 20, 2017. FinFisher. (n.d.). Retrieved September 12, 2024.
external_references[3]['url'] http://www.finfisher.com/FinFisher/index.html https://web.archive.org/web/20171222050934/http://www.finfisher.com/FinFisher/index.html
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[Winexe](https://attack.mitre.org/software/S0191) is a lightweight, open source tool similar to [PsExec](https://attack.mitre.org/software/S0029) designed to allow system administrators to execute commands on remote servers. (Citation: Winexe Github Sept 2013) [Winexe](https://attack.mitre.org/software/S0191) is unique in that it is a GNU/Linux based client. (Citation: Überwachung APT28 Forfiles June 2015)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['Winexe']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-04 21:09:10.255000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'Winexe', 'description': '(Citation: Winexe Github Sept 2013) (Citation: Überwachung APT28 Forfiles June 2015)'}

Description
[HAPPYWORK](https://attack.mitre.org/software/S0214) is a downloader used by [APT37](https://attack.mitre.org/groups/G0067) to target South Korean government and financial victims in November 2016. (Citation: FireEye APT37 Feb 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['HAPPYWORK']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-04 20:44:43.949000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'HAPPYWORK', 'description': '(Citation: FireEye APT37 Feb 2018)'}

Description
[SHUTTERSPEED](https://attack.mitre.org/software/S0217) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['SHUTTERSPEED']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-04 21:36:27.669000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'SHUTTERSPEED', 'description': '(Citation: FireEye APT37 Feb 2018)'}

Description
[WINERACK](https://attack.mitre.org/software/S0219) is a backdoor used by [APT37](https://attack.mitre.org/groups/G0067). (Citation: FireEye APT37 Feb 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['WINERACK']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-04 21:37:24.766000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'WINERACK', 'description': '(Citation: FireEye APT37 Feb 2018)'}

Description
[Gold Dragon](https://attack.mitre.org/software/S0249) is a Korean-language, data gathering implant that was first observed in the wild in South Korea in July 2017. [Gold Dragon](https://attack.mitre.org/software/S0249) was used along with [Brave Prince](https://attack.mitre.org/software/S0252) and [RunningRAT](https://attack.mitre.org/software/S0253) in operations targeting organizations associated with the 2018 Pyeongchang Winter Olympics. (Citation: McAfee Gold Dragon)
Details
Values Changed
Field Old value New value
modified 2022-04-11 21:45:35.889000+00:00 2024-05-06 20:40:17+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.2 1.3

Description
[Koadic](https://attack.mitre.org/software/S0250) is a Windows post-exploitation framework and penetration testing tool that is publicly available on GitHub. [Koadic](https://attack.mitre.org/software/S0250) has several options for staging payloads and creating implants, and performs most of its operations using Windows Script Host.(Citation: Github Koadic)(Citation: Palo Alto Sofacy 06-2018)(Citation: MalwareBytes LazyScripter Feb 2021)
Details
Values Changed
Field Old value New value
modified 2022-04-06 19:32:33.511000+00:00 2024-09-27 18:36:30.831000+00:00
external_references[4]['description'] Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
external_references[4]['url'] https://github.com/zerosum0x0/koadic https://github.com/offsecginger/koadic
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[DDKONG](https://attack.mitre.org/software/S0255) is a malware sample that was part of a campaign by [Rancor](https://attack.mitre.org/groups/G0075). [DDKONG](https://attack.mitre.org/software/S0255) was first seen used in February 2017. (Citation: Rancor Unit42 June 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['DDKONG']
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2018-10-17 00:14:20.652000+00:00 2024-09-04 21:38:11.979000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'DDKONG', 'description': '(Citation: Rancor Unit42 June 2018)'}

Description
[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)
Details
Values Changed
Field Old value New value
modified 2022-08-02 15:36:30.238000+00:00 2024-05-07 19:10:03.843000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 2.0 2.1

Description
[NanoCore](https://attack.mitre.org/software/S0336) is a modular remote access tool developed in .NET that can be used to spy on victims and steal information. It has been used by threat actors since 2013.(Citation: DigiTrust NanoCore Jan 2017)(Citation: Cofense NanoCore Mar 2018)(Citation: PaloAlto NanoCore Feb 2016)(Citation: Unit 42 Gorgon Group Aug 2018)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-30 17:10:28.673000+00:00 2024-09-25 15:05:04.341000+00:00
external_references[3]['description'] Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
external_references[3]['url'] https://cofense.com/nanocore-rat-resurfaced-sewers/ https://web.archive.org/web/20240522112705/https://cofense.com/blog/nanocore-rat-resurfaced-sewers/
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[Micropsia](https://attack.mitre.org/software/S0339) is a remote access tool written in Delphi.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)
Details
Values Changed
Field Old value New value
modified 2024-04-11 00:43:46.245000+00:00 2024-10-04 11:08:25.923000+00:00
external_references[3]['url'] https://blog.radware.com/security/2018/07/micropsia-malware/ https://www.radware.com/blog/security/2018/07/micropsia-malware/

Description
[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.(Citation: Impacket Tools)
Details
Values Changed
Field Old value New value
modified 2024-03-14 17:27:34.759000+00:00 2024-10-07 19:08:53.273000+00:00
x_mitre_version 1.6 1.7

Description
[Ruler](https://attack.mitre.org/software/S0358) is a tool to abuse Microsoft Exchange services. It is publicly available on GitHub and the tool is executed via the command line. The creators of [Ruler](https://attack.mitre.org/software/S0358) have also released a defensive tool, NotRuler, to detect its usage.(Citation: SensePost Ruler GitHub)(Citation: SensePost NotRuler)
Details
Values Changed
Field Old value New value
modified 2020-06-22 21:31:54.771000+00:00 2024-10-14 22:11:30.271000+00:00
x_mitre_platforms[1] Office 365 Office Suite

Description
[Nltest](https://attack.mitre.org/software/S0359) is a Windows command-line utility used to list domain controllers and enumerate domain trusts.(Citation: Nltest Manual)
Details
Values Changed
Field Old value New value
modified 2023-08-09 18:03:17.167000+00:00 2024-09-25 20:27:04.356000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 1.2 1.3

Description
[Empire](https://attack.mitre.org/software/S0363) is an open source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure [PowerShell](https://attack.mitre.org/techniques/T1059/001) for Windows and Python for Linux/macOS. [Empire](https://attack.mitre.org/software/S0363) was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.(Citation: NCSC Joint Report Public Tools)(Citation: Github PowerShell Empire)(Citation: GitHub ATTACK Empire)
Details
Values Changed
Field Old value New value
modified 2023-07-27 15:44:31.364000+00:00 2024-09-25 20:32:02.152000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 1.7 1.8

Description
[RawDisk](https://attack.mitre.org/software/S0364) is a legitimate commercial driver from the EldoS Corporation that is used for interacting with files, disks, and partitions. The driver allows for direct modification of data on a local computer's hard drive. In some cases, the tool can enact these raw disk modifications from user-mode processes, circumventing Windows operating system security features.(Citation: EldoS RawDisk ITpro)(Citation: Novetta Blockbuster Destructive Malware)
Details
Values Changed
Field Old value New value
modified 2022-07-28 18:55:35.991000+00:00 2024-08-14 15:22:38.134000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 1.1

Modified Description View changes side-by-side
[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 2014, initially targeting the financial sector, and has been primarily used expanded to target the banking sector. (Citation: multiple verticals over time.(Citation: Trend Micro Banking Malware Jan 2019)
Details
Values Changed
Field Old value New value
modified 2023-09-29 19:44:43.868000+00:00 2024-07-09 16:04:18.570000+00:00
description [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014 and has been primarily used to target the banking sector. (Citation: Trend Micro Banking Malware Jan 2019) [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014, initially targeting the financial sector, and has expanded to multiple verticals over time.(Citation: Trend Micro Banking Malware Jan 2019)
x_mitre_version 1.5 1.6

Description
[Astaroth](https://attack.mitre.org/software/S0373) is a Trojan and information stealer known to affect companies in Europe, Brazil, and throughout Latin America. It has been known publicly since at least late 2017. (Citation: Cybereason Astaroth Feb 2019)(Citation: Cofense Astaroth Sept 2018)(Citation: Securelist Brazilian Banking Malware July 2020)
Details
Values Changed
Field Old value New value
modified 2024-04-11 02:58:17.763000+00:00 2024-09-25 15:03:49.408000+00:00
external_references[2]['description'] Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
external_references[2]['url'] https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/ https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/

Modified Description View changes side-by-side
[Ebury](https://attack.mitre.org/software/S0377) is an SSH OpenSSH backdoor and credential stealer targeting Linux operating systems. Attackers require root-level access, which allows them servers and container hosts developed by [Windigo](https://attack.mitre.org/groups/G0124). [Ebury](https://attack.mitre.org/software/S0377) is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, [Ebury](https://attack.mitre.org/software/S0377) has been used to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify maintain a shared library used by OpenSSH (libkeyutils).(Citation: botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017) 2017)(Citation: ESET Ebury May 2024)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2021-04-23 22:56:14.591000+00:00 2024-09-20 21:15:51.302000+00:00
description [Ebury](https://attack.mitre.org/software/S0377) is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc) or modify a shared library used by OpenSSH (libkeyutils).(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017) [Ebury](https://attack.mitre.org/software/S0377) is an OpenSSH backdoor and credential stealer targeting Linux servers and container hosts developed by [Windigo](https://attack.mitre.org/groups/G0124). [Ebury](https://attack.mitre.org/software/S0377) is primarily installed through modifying shared libraries (`.so` files) executed by the legitimate OpenSSH program. First seen in 2009, [Ebury](https://attack.mitre.org/software/S0377) has been used to maintain a botnet of servers, deploy additional malware, and steal cryptocurrency wallets, credentials, and credit card details.(Citation: ESET Ebury Feb 2014)(Citation: BleepingComputer Ebury March 2017)(Citation: ESET Ebury Oct 2017)(Citation: ESET Ebury May 2024)
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.3 2.0
Iterable Item Added
Field Old value New value
external_references {'source_name': 'ESET Ebury May 2024', 'description': 'Marc-Etienne M.Léveillé. (2024, May 1). Ebury is alive but unseen. Retrieved May 21, 2024.', 'url': 'https://web-assets.esetstatic.com/wls/en/papers/white-papers/ebury-is-alive-but-unseen.pdf'}

Description
[Ursnif](https://attack.mitre.org/software/S0386) is a banking trojan and variant of the Gozi malware observed being spread through various automated exploit kits, [Spearphishing Attachment](https://attack.mitre.org/techniques/T1566/001)s, and malicious links.(Citation: NJCCIC Ursnif Sept 2016)(Citation: ProofPoint Ursnif Aug 2016) [Ursnif](https://attack.mitre.org/software/S0386) is associated primarily with data theft, but variants also include components (backdoors, spyware, file injectors, etc.) capable of a wide variety of behaviors.(Citation: TrendMicro Ursnif Mar 2015)
Details
Values Changed
Field Old value New value
modified 2024-04-10 22:18:21.527000+00:00 2024-09-12 19:50:37.023000+00:00
external_references[6]['description'] NJCCIC. (2016, September 27). Ursnif. Retrieved June 4, 2019. NJCCIC. (2016, September 27). Ursnif. Retrieved September 12, 2024.
external_references[6]['url'] https://www.cyber.nj.gov/threat-profiles/trojan-variants/ursnif https://www.cyber.nj.gov/threat-landscape/malware/trojans/ursnif

Description
[EvilBunny](https://attack.mitre.org/software/S0396) is a C++ malware sample observed since 2011 that was designed to be a execution platform for Lua scripts.(Citation: Cyphort EvilBunny Dec 2014)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2021-04-02 00:14:13.954000+00:00 2024-08-05 18:21:34.265000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.2 1.3

Description
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.(Citation: GitHub MailSniper)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2020-03-30 17:01:41.302000+00:00 2024-10-14 22:11:30.271000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Added
Field Old value New value
x_mitre_platforms Office Suite
Iterable Item Removed
Field Old value New value
x_mitre_platforms Office 365
x_mitre_platforms Azure AD

Description
[BabyShark](https://attack.mitre.org/software/S0414) is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. (Citation: Unit42 BabyShark Feb 2019)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2021-03-12 17:26:12.324000+00:00 2024-05-06 20:38:32.432000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.2 2.0
Iterable Item Added
Field Old value New value
external_references {'source_name': 'LATEOP', 'description': '(Citation: Mandiant APT43 March 2024)'}
external_references {'source_name': 'Mandiant APT43 March 2024', 'description': 'Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.', 'url': 'https://services.google.com/fh/files/misc/apt43-report-en.pdf'}
x_mitre_aliases LATEOP

Description
[PoetRAT](https://attack.mitre.org/software/S0428) is a remote access trojan (RAT) that was first identified in April 2020. [PoetRAT](https://attack.mitre.org/software/S0428) has been used in multiple campaigns against the private and public sectors in Azerbaijan, including ICS and SCADA systems in the energy sector. The STIBNITE activity group has been observed using the malware. [PoetRAT](https://attack.mitre.org/software/S0428) derived its name from references in the code to poet William Shakespeare. (Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)(Citation: Dragos Threat Report 2020)
Details
Values Changed
Field Old value New value
modified 2023-03-22 05:09:38.370000+00:00 2024-08-05 18:24:31.652000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 2.2 2.3

Description
[IcedID](https://attack.mitre.org/software/S0483) is a modular banking malware designed to steal financial information that has been observed in the wild since at least 2017. [IcedID](https://attack.mitre.org/software/S0483) has been downloaded by [Emotet](https://attack.mitre.org/software/S0367) in multiple campaigns.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020)
Details
Dictionary Item Added
Field Old value New value
x_mitre_contributors ['Jorge Orchilles', 'Matt Brenton', 'Zaw Min Htun, @Z3TAE']
Values Changed
Field Old value New value
modified 2024-04-11 02:16:08.503000+00:00 2024-10-28 19:20:20.633000+00:00
x_mitre_version 1.1 1.2

Description
[BloodHound](https://attack.mitre.org/software/S0521) is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.(Citation: GitHub Bloodhound)(Citation: CrowdStrike BloodHound April 2018)(Citation: FoxIT Wocao December 2019)
Details
Values Changed
Field Old value New value
modified 2023-08-09 18:00:13.178000+00:00 2024-09-25 20:33:37.892000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 1.5 1.6

Description
[SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.(Citation: CISA MAR SLOTHFULMEDIA October 2020)(Citation: Costin Raiu IAmTheKing October 2020) It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.(Citation: USCYBERCOM SLOTHFULMEDIA October 2020)(Citation: Kaspersky IAmTheKing October 2020) In October 2020, Kaspersky Labs assessed [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) is part of an activity cluster it refers to as "IAmTheKing".(Citation: Kaspersky IAmTheKing October 2020) ESET also noted code similarity between [SLOTHFULMEDIA](https://attack.mitre.org/software/S0533) and droppers used by a group it refers to as "PowerPool".(Citation: ESET PowerPool Code October 2020)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2021-04-13 20:44:14.476000+00:00 2024-09-12 19:39:44.514000+00:00
external_references[4]['description'] Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved November 16, 2020. Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved September 12, 2024.
external_references[4]['url'] https://twitter.com/craiu/status/1311920398259367942 https://x.com/craiu/status/1311920398259367942
external_references[7]['description'] ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved November 17, 2020. ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved September 12, 2024.
external_references[7]['url'] https://twitter.com/ESETresearch/status/1311762215490461696 https://x.com/ESETresearch/status/1311762215490461696
external_references[5]['description'] USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved November 16, 2020. USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved September 12, 2024.
external_references[5]['url'] https://twitter.com/CNMF_CyberAlert/status/1311743710997159953 https://x.com/CNMF_CyberAlert/status/1311743710997159953
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation: FireEye Ryuk and Trickbot January 2019)
Details
Values Changed
Field Old value New value
modified 2024-04-04 03:49:04.493000+00:00 2024-09-25 15:21:53.462000+00:00
x_mitre_version 1.4 1.5

Description
[GrimAgent](https://attack.mitre.org/software/S0632) is a backdoor that has been used before the deployment of [Ryuk](https://attack.mitre.org/software/S0446) ransomware since at least 2020; it is likely used by [FIN6](https://attack.mitre.org/groups/G0037) and [Wizard Spider](https://attack.mitre.org/groups/G0102).(Citation: Group IB GrimAgent July 2021)
Details
Values Changed
Field Old value New value
modified 2022-07-29 19:44:21.016000+00:00 2024-09-19 14:32:39.426000+00:00
external_references[1]['description'] Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
external_references[1]['url'] https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer https://www.group-ib.com/blog/grimagent/
x_mitre_attack_spec_version 2.1.0 3.2.0

Description
[Wevtutil](https://attack.mitre.org/software/S0645) is a Windows command-line utility that enables administrators to retrieve information about event logs and publishers.(Citation: Wevtutil Microsoft Documentation)
Details
Values Changed
Field Old value New value
modified 2022-10-13 17:45:16.377000+00:00 2024-09-25 20:32:25.006000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.1 1.2

Description
[QakBot](https://attack.mitre.org/software/S0650) is a modular banking trojan that has been used primarily by financially-motivated actors since at least 2007. [QakBot](https://attack.mitre.org/software/S0650) is continuously maintained and developed and has evolved from an information stealer into a delivery agent for ransomware, most notably [ProLock](https://attack.mitre.org/software/S0654) and [Egregor](https://attack.mitre.org/software/S0554).(Citation: Trend Micro Qakbot December 2020)(Citation: Red Canary Qbot)(Citation: Kaspersky QakBot September 2021)(Citation: ATT QakBot April 2021)
Details
Values Changed
Field Old value New value
modified 2023-12-05 20:22:37.368000+00:00 2024-09-17 16:10:03.901000+00:00
x_mitre_version 1.2 1.3

Description
[DarkWatchman](https://attack.mitre.org/software/S0673) is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.(Citation: Prevailion DarkWatchman 2021)
Details
Values Changed
Field Old value New value
modified 2024-04-11 02:40:18.361000+00:00 2024-08-26 16:28:39.922000+00:00
external_references[1]['url'] https://www.prevailion.com/darkwatchman-new-fileless-techniques/ https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/

Description
[AADInternals](https://attack.mitre.org/software/S0677) is a PowerShell-based framework for administering, enumerating, and exploiting Azure Active Directory. The tool is publicly available on GitHub.(Citation: AADInternals Github)(Citation: AADInternals Documentation)
Details
Values Changed
Field Old value New value
modified 2023-04-15 00:59:18.335000+00:00 2024-10-14 22:11:30.271000+00:00
x_mitre_platforms[2] Office 365 Identity Provider
x_mitre_platforms[1] Azure AD Office Suite

Description
[ROADTools](https://attack.mitre.org/software/S0684) is a framework for enumerating Azure Active Directory environments. The tool is written in Python and publicly available on GitHub.(Citation: ROADtools Github)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
x_mitre_platforms ['Identity Provider']
Values Changed
Field Old value New value
modified 2022-04-01 13:27:48.378000+00:00 2024-09-16 17:02:37.377000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0

Modified Description View changes side-by-side
[Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: Asus. [Cyclops Blink](https://attack.mitre.org/software/S0687) is assessed to be a replacement for [VPNFilter](https://attack.mitre.org/software/S1010), a similar platform targeting network devices.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
Details
Values Changed
Field Old value New value
modified 2022-04-14 17:00:26.886000+00:00 2024-08-15 22:36:30.074000+00:00
description [Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022) [Cyclops Blink](https://attack.mitre.org/software/S0687) is a modular malware that has been used in widespread campaigns by [Sandworm Team](https://attack.mitre.org/groups/G0034) since at least 2019 to target Small/Home Office (SOHO) network devices, including WatchGuard and Asus. [Cyclops Blink](https://attack.mitre.org/software/S0687) is assessed to be a replacement for [VPNFilter](https://attack.mitre.org/software/S1010), a similar platform targeting network devices.(Citation: NCSC Cyclops Blink February 2022)(Citation: NCSC CISA Cyclops Blink Advisory February 2022)(Citation: Trend Micro Cyclops Blink March 2022)
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 1.1

Description
[SILENTTRINITY](https://attack.mitre.org/software/S0692) is an open source remote administration and post-exploitation framework primarily written in Python that includes stagers written in Powershell, C, and Boo. [SILENTTRINITY](https://attack.mitre.org/software/S0692) was used in a 2019 campaign against Croatian government agencies by unidentified cyber actors.(Citation: GitHub SILENTTRINITY March 2022)(Citation: Security Affairs SILENTTRINITY July 2019)
Details
Values Changed
Field Old value New value
modified 2023-04-14 19:27:39.308000+00:00 2024-09-23 14:18:53.140000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 1.0 1.1
x_mitre_contributors[0] Daniel Acevedo, @darmad0, ARMADO Daniel Acevedo, Blackbot

Description
[Flagpro](https://attack.mitre.org/software/S0696) is a Windows-based, first-stage downloader that has been used by [BlackTech](https://attack.mitre.org/groups/G0098) since at least October 2020. It has primarily been used against defense, media, and communications companies in Japan.(Citation: NTT Security Flagpro new December 2021)
Details
Dictionary Item Added
Field Old value New value
x_mitre_deprecated False
Values Changed
Field Old value New value
modified 2022-04-01 14:41:47.579000+00:00 2024-09-04 21:39:21.144000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
Iterable Item Removed
Field Old value New value
external_references {'source_name': 'Flagpro ', 'description': '(Citation: NTT Security Flagpro new December 2021)'}

Modified Description View changes side-by-side
[MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) [MacMa](https://attack.mitre.org/software/S1016) shares command and control and unique libraries with [MgBot](https://attack.mitre.org/software/S1146) and [Nightdoor](https://attack.mitre.org/software/S1147), indicating a relationship with the [Daggerfly](https://attack.mitre.org/groups/G1034) threat actor.(Citation: Symantec Daggerfly 2024)
Details
Values Changed
Field Old value New value
modified 2022-10-24 18:52:29.002000+00:00 2024-07-26 17:48:10.580000+00:00
description [MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) [MacMa](https://attack.mitre.org/software/S1016) is a macOS-based backdoor with a large set of functionalities to control and exfiltrate files from a compromised computer. [MacMa](https://attack.mitre.org/software/S1016) has been observed in the wild since November 2021.(Citation: ESET DazzleSpy Jan 2022) [MacMa](https://attack.mitre.org/software/S1016) shares command and control and unique libraries with [MgBot](https://attack.mitre.org/software/S1146) and [Nightdoor](https://attack.mitre.org/software/S1147), indicating a relationship with the [Daggerfly](https://attack.mitre.org/groups/G1034) threat actor.(Citation: Symantec Daggerfly 2024)
x_mitre_attack_spec_version 3.0.0 3.2.0
x_mitre_version 1.0 2.0
Iterable Item Added
Field Old value New value
external_references {'source_name': 'Symantec Daggerfly 2024', 'description': 'Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.', 'url': 'https://symantec-enterprise-blogs.security.com/threat-intelligence/daggerfly-espionage-updated-toolset'}

Modified Description View changes side-by-side
[OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['OutSteel']
Values Changed
Field Old value New value
modified 2022-06-09 18:53:30.145000+00:00 2024-10-08 20:11:00.316000+00:00
description [OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) [OutSteel](https://attack.mitre.org/software/S1017) is a file uploader and document stealer developed with the scripting language AutoIT that has been used by [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 2.0

Modified Description View changes side-by-side
[Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Details
Dictionary Item Added
Field Old value New value
x_mitre_aliases ['Saint Bot']
Values Changed
Field Old value New value
modified 2022-06-09 19:56:56.809000+00:00 2024-10-08 20:10:44.570000+00:00
description [Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Ember Bear](https://attack.mitre.org/groups/G1003) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) [Saint Bot](https://attack.mitre.org/software/S1018) is a .NET downloader that has been used by [Saint Bear](https://attack.mitre.org/groups/G1031) since at least March 2021.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 2.0

Description
[CreepyDrive](https://attack.mitre.org/software/S1023) is a custom implant has been used by [POLONIUM](https://attack.mitre.org/groups/G1005) since at least early 2022 for C2 with and exfiltration to actor-controlled OneDrive accounts.(Citation: Microsoft POLONIUM June 2022) [POLONIUM](https://attack.mitre.org/groups/G1005) has used a similar implant called CreepyBox that relies on actor-controlled DropBox accounts.(Citation: Microsoft POLONIUM June 2022)
Details
Values Changed
Field Old value New value
modified 2022-08-10 13:07:11.790000+00:00 2024-10-14 22:11:30.271000+00:00
x_mitre_platforms[1] Office 365 Office Suite

Description
[Amadey](https://attack.mitre.org/software/S1025) is a Trojan bot that has been used since at least October 2018.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)
Details
Values Changed
Field Old value New value
modified 2022-10-14 21:33:47.608000+00:00 2024-05-07 19:11:33.669000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 1.1

Description
[Bumblebee](https://attack.mitre.org/software/S1039) is a custom loader written in C++ that has been used by multiple threat actors, including possible initial access brokers, to download and execute additional payloads since at least March 2022. [Bumblebee](https://attack.mitre.org/software/S1039) has been linked to ransomware operations including [Conti](https://attack.mitre.org/software/S0575), Quantum, and Mountlocker and derived its name from the appearance of "bumblebee" in the user-agent.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Details
Values Changed
Field Old value New value
modified 2022-10-21 21:43:41.253000+00:00 2024-09-17 17:58:55.921000+00:00
x_mitre_attack_spec_version 2.1.0 3.2.0
x_mitre_version 1.0 1.1

Description
[Brute Ratel C4](https://attack.mitre.org/software/S1063) is a commercial red-teaming and adversarial attack simulation tool that first appeared in December 2020. [Brute Ratel C4](https://attack.mitre.org/software/S1063) was specifically designed to avoid detection by endpoint detection and response (EDR) and antivirus (AV) capabilities, and deploys agents called badgers to enable arbitrary command execution for lateral movement, privilege escalation, and persistence. In September 2022, a cracked version of [Brute Ratel C4](https://attack.mitre.org/software/S1063) was leaked in the cybercriminal underground, leading to its use by threat actors.(Citation: Dark Vortex Brute Ratel C4)(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)(Citation: SANS Brute Ratel October 2022)(Citation: Trend Micro Black Basta October 2022)
Details
Values Changed
Field Old value New value
modified 2023-04-17 21:44:03.462000+00:00 2024-09-19 15:46:58.008000+00:00
x_mitre_attack_spec_version 3.1.0 3.2.0
x_mitre_version 1.0 1.1

Description
[DarkGate](https://attack.mitre.org/software/S1111) first emerged in 2018 and has evolved into an initial access and data gathering tool associated with various criminal cyber operations. Written in Delphi and named "DarkGate" by its author, [DarkGate](https://attack.mitre.org/software/S1111) is associated with credential theft, cryptomining, cryptotheft, and pre-ransomware actions.(Citation: Ensilo Darkgate 2018) DarkGate use increased significantly starting in 2022 and is under active development by its author, who provides it as a Malware-as-a-Service offering.(Citation: Trellix Darkgate 2023)
Details
Values Changed
Field Old value New value
modified 2024-04-01 21:19:06.580000+00:00 2024-09-29 10:22:45.776000+00:00
Iterable Item Added
Field Old value New value
x_mitre_contributors Phyo Paing Htun (ChiLai)