This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

MoonWind

MoonWind is a remote access tool (RAT) that was used in 2016 to target organizations in Thailand. ^[1]

ID: S0149

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	MoonWind can execute commands via an interactive command shell.^[1] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.^[1]
Enterprise	T1543	.003	Create or Modify System Process: Windows Service	MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.^[1]
Enterprise	T1074	.001	Data Staged: Local Data Staging	MoonWind saves information from its keylogging routine as a .zip file in the present working directory.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	MoonWind encrypts C2 traffic using RC4 with a static key.^[1]
Enterprise	T1083		File and Directory Discovery	MoonWind has a command to return a directory listing for a specified directory.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	MoonWind can delete itself or specified files.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	MoonWind has a keylogger.^[1]
Enterprise	T1095		Non-Application Layer Protocol	MoonWind completes network communication via raw sockets.^[1]
Enterprise	T1571		Non-Standard Port	MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.^[1]
Enterprise	T1120		Peripheral Device Discovery	MoonWind obtains the number of removable drives from the victim.^[1]
Enterprise	T1057		Process Discovery	MoonWind has a command to return a list of running processes.^[1]
Enterprise	T1082		System Information Discovery	MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.^[1]
Enterprise	T1016		System Network Configuration Discovery	MoonWind obtains the victim IP address.^[1]
Enterprise	T1033		System Owner/User Discovery	MoonWind obtains the victim username.^[1]
Enterprise	T1124		System Time Discovery	MoonWind obtains the victim's current time.^[1]

References

Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.