Tools

Tool is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behavior modeled in ATT&CK. Some instances of software have multiple names associated with the same instance due to various organizations tracking the same set of software by different names. The team makes a best effort to track overlaps between names based on publicly reported associations, which are designated as “Associated Software” on each page (formerly labeled “Aliases”), because we believe these overlaps are useful for analyst awareness.

Software entries include publicly reported technique use or capability to use a technique and may be mapped to Threat actors who have been reported to use that Tool. The information provided does not represent all possible technique use by a piece of Software, but rather a subset that is available solely through open source reporting.

  • Tool - Commercial, open-source, built-in, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary. This category includes both software that generally is not found on an enterprise system as well as software generally available as part of an operating system that is already present in an environment. Examples include PsExec, Metasploit, Mimikatz, as well as Windows utilities such as Net, netstat, Tasklist, etc.
  • Malware - Commercial, custom closed source, or open source software intended to be used for malicious purposes by adversaries. Examples include PlugX, CHOPSTICK, etc.
Software: 18
Name Associated Software Description
Adwind

Adwind RAT is a cross-platform, multifunctional malware program written in Java that is distributed through a single malware-as-a-service platform.

In June 2020, an Adwind variant was observed exploiting a spoofing vulnerability in Windows (CVE-2020-1464), discovered in 2018 by security researchers, that had remained unpatched for two years. The vulnerability allowed an attacker to take a clean MSI file digitally code-signed by Microsoft, Google, etc. and append a malicious JAR file to it without invalidating or changing its digital signature.

BADNEWS

BADNEWS malware has been used by the actors responsible for the Patchwork campaign. Its name was given due to its use of RSS feeds, forums, and blogs for command and control.

CCBkdr

CCBkdr refers to the backdoor injected into a signed and valid version of CCleaner and distributed from CCleaner's legitimate distribution website.

The backdoor, which was delivered to 2.27 million CCleaner customers worldwide, was designed to collect information from CCleaner users and to download second- and third-stage malware to around 40 targets, making it a highly targeted attack. The third-stage malware is reported to be the infamous ShadowPad backdoor that also hit NetSarang in a Supply Chain Compromise.

The [Initial Access](https://threatmodel.venafi.com/tactics/VTA0001/) appears to have been an infected endpoint of a CCleaner developer. According to Avast's investigation, the threat actors accessed Piriform's network in March 2017, before Avast acquired the company, using login credentials for a TeamViewer account on a developer workstation.

Security researchers attributed this attack to the APT group APT17, also tracked as Axiom.

Cobalt Strike

Cobalt Strike is an exploitation framework developed for security professionals to emulate targeted and post-exploitation attacks by advanced adversaries. Like other threat emulation tools such as Metasploit, the Cobalt Strike framework has become a popular option among threat actors and is used for malicious purposes, mainly because it is very well written, stable, and highly customizable.

Specifically, Cobalt Strike's Beacon is a preferred choice since it offers the attacker a wealth of functionality, including, but not limited to, command execution, keylogging, file transfer, SOCKS proxying, privilege escalation, Mimikatz, network scanning, and Lateral Movement. Beacon is in-memory/fileless and consists of stageless or multi-stage shellcode that, once loaded by exploiting a vulnerability or executing a shellcode loader, reflectively loads itself into the memory of a process without touching the disk. It supports C2 and staging over HTTP, HTTPS, DNS, and SMB named pipes, as well as forward and reverse TCP.

Ebury

Ebury is an SSH backdoor targeting Linux operating systems. Attackers require root-level access, which allows them to replace SSH binaries (ssh, sshd, ssh-add, etc.) or modify a shared library used by OpenSSH (libkeyutils).

Facefish

Facefish is a Linux rootkit that targets Linux x64 systems to inject malicious code, hijack the server, and install a backdoor that intercepts sensitive information as well as SSH credentials and keys. Unlike other SSH-targeting malware, the rootkit does not immediately use the compromised resources to mine cryptocurrency or to spread to other targets; it likely compromises targets in order to sell access later.

Kobalos

Kobalos is a multi-platform backdoor targeting Linux, FreeBSD, Solaris, AIX, and Windows. Kobalos targets high-profile servers in academia, including high-performance computers (HPCs), endpoint security vendors, and large ISPs in Europe, North America, and Asia.

The Kobalos backdoor is designed to steal SSH Private Keys and propagate through SSH Remote Services. Since academic networks are highly interconnected through SSH, this may explain how numerous networks were compromised.

Linux Rabbit

Linux Rabbit is malware that targeted Linux servers and IoT devices in a campaign lasting from August to October 2018. It shares code with another strain of malware known as Rabbot. The goal of the campaign was to install cryptocurrency miners onto the targeted servers and devices.

Machete (Associated Software: Pyark)

Machete is a cyber espionage toolset used by Machete. It is a Python-based backdoor targeting Windows machines that was first observed in 2010.

Mimikatz

Mimikatz is an open source Windows utility available for download from GitHub. It is used for dumping plaintext credentials and Private Keys and acts as a post-exploitation tool for lateral movement within a network, used by both defenders and threat actors.

Mimikatz is widely used by penetration testers and red teams to test enterprise network security, but also by various threat actors and groups after gaining initial access to an organization. The tool is bundled into well-known post-exploitation frameworks such as Metasploit's Meterpreter and is part of the arsenal of many threat groups around the world.

Mimikatz can enumerate the certificates on the victim machine, both Digital Certificates and Code Signing Certificates.

Mimikatz's CRYPTO::Extract module can extract Private Keys from installed certificates by interacting with Windows cryptographic application programming interface (API) functions. It uses certutil to recover the Private Key of each certificate residing on the server, exports it as a PFX file protected with the mimikatz export password, and downloads it from the target system.

PLEAD

PLEAD is a remote access tool (RAT) and downloader active since 2012 and used by BlackTech in targeted attacks in East Asia including Taiwan, Japan, and Hong Kong.

In some cases PLEAD has been referred to as TSCookie; however, some reports indicate that these are two separate tools.

PLEAD's toolset includes the PLEAD backdoor and the DRIGO exfiltration tool. The PLEAD operators use spear-phishing emails to deliver and install the backdoor, either as an attachment or through links to cloud storage services. Some of the cloud storage accounts used to deliver PLEAD are also used as drop-off points for exfiltrated documents stolen by DRIGO.

Both tool families were signed with a valid D-Link Corporation Code Signing Certificate, the same certificate used to sign legitimate D-Link software.

Other samples found in the PLEAD campaign were signed with a Code Signing Certificate belonging to a Taiwanese security company named Changing Information Technology Inc.

Both certificates were likely stolen in a separate campaign in the preparation stages of the attack.

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums.

In June 2020, a new variant of Ratty was found to be exploiting a spoofing vulnerability (CVE-2020-1464) discovered in 2018 by security researchers and exploited by threat actors for two years. The vulnerability allowed an attacker to take a clean MSI file digitally signed by Microsoft, Google, etc. and append a malicious JAR file to it without invalidating or changing the file's signature.

ShadowHammer

ShadowHammer, discovered in January 2019, refers to a Software Supply Chain Compromise of one of ASUS's update servers. The Supply Chain Compromise allowed the attackers to distribute a signed, backdoored version of an application called ASUS Live Update Utility to ASUS users.

The backdoored ASUS binaries were signed with two different certificates issued by the DigiCert CA, one of which was an EV Code Signing Certificate, indicating that the attackers either obtained the Code Signing Certificates or abused a system on the ASUS network that had the certificates installed.

ShadowHammer reused algorithms found in multiple malware samples, including many PlugX samples. PlugX is a backdoor quite popular among Chinese-speaking hacker groups.

The backdoor was delivered to over a million ASUS users, while a second-stage payload was delivered only to those of interest for cyberespionage purposes.

ShadowPad (Associated Software: POISONPLUG.SHADOW)

ShadowPad is a modular backdoor that was first identified in a Software Supply Chain Compromise of the NetSarang software in mid-July 2017. The malware was originally thought to be exclusively used by APT41, but has since been observed to be used by various Chinese threat activity groups.

The ShadowPad backdoor was planted in the software of NetSarang, a server management software vendor based in the U.S. and South Korea whose products are used by large businesses around the world. When activated, the backdoor allows attackers to download further malicious modules or steal data.

A slight change was made to one of NetSarang's dynamic link library (DLL) files, which was then signed with a legitimate NetSarang certificate, implying that the attackers modified the source code or patched the software on the build servers.

Skidmap

Skidmap is a kernel-mode Linux rootkit used for cryptocurrency mining.

Skidmap maintains persistence by adding its key to the SSH Authorized Keys list.

SUNBURST

SUNBURST is a trojanized DLL designed to replace a source code file of the SolarWinds Orion software update framework at runtime. It was used by UNC2452 since at least February 2020.

SUNSPOT

SUNSPOT is an implant that injected the SUNBURST backdoor into the SolarWinds Orion software update. It was used by UNC2452 since at least February 2020.

TrickBot (Associated Software: Totbrick, TSPY_TRICKLOAD)

TrickBot is a Trojan spyware program that has mainly been used for targeting banking users in the U.S., Canada, UK, Germany, Australia, Austria, Ireland, London, Switzerland, and Scotland. TrickBot first emerged in the wild in September 2016 and appears to be a successor to Dyre or Dyreza.

After 2019, TrickBot became a flexible, universal, module-based crimeware solution and shifted its focus to enterprise environments, incorporating features such as network profiling, mass data collection, and lateral traversal exploits.

TrickBot uses a Private Key and credential grabbing module for OpenSSH, OpenVPN, and PuTTY on Windows to enable Lateral Movement through SSH Remote Services.

In an effort to take down TrickBot, several vendors worked together in October 2020 to take down 94% of the core servers crucial to TrickBot operations and to disrupt the botnet that spreads it. However, one year later, Check Point discovered thousands of infections, including an information stealer module targeting SSH keys and credentials.