This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

BabyShark

BabyShark is a Microsoft Visual Basic (VB) script-based malware family that is believed to be associated with several North Korean campaigns. ^[1]

ID: S0414

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.2

Created: 07 October 2019

Last Modified: 12 March 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.^[1]^[2]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	BabyShark has used cmd.exe to execute commands.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	BabyShark has encoded data using certutil before exfiltration.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	BabyShark has the ability to decode downloaded files prior to execution.^[2]
Enterprise	T1083		File and Directory Discovery	BabyShark has used `dir` to search for "programfiles" and "appdata".^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	BabyShark has cleaned up all files associated with the secondary payload execution.^[3]
Enterprise	T1105		Ingress Tool Transfer	BabyShark has downloaded additional files from the C2.^[3]^[2]
Enterprise	T1056	.001	Input Capture: Keylogging	BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.^[3]
Enterprise	T1057		Process Discovery	BabyShark has executed the `tasklist` command.^[1]
Enterprise	T1012		Query Registry	BabyShark has executed the `reg query` command for `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default`.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	BabyShark has used scheduled tasks to maintain persistence.^[4]
Enterprise	T1218	.005	System Binary Proxy Execution: Mshta	BabyShark has used mshta.exe to download and execute applications from a remote server.^[2]
Enterprise	T1082		System Information Discovery	BabyShark has executed the `ver` command.^[1]
Enterprise	T1016		System Network Configuration Discovery	BabyShark has executed the `ipconfig /all` command.^[1]
Enterprise	T1033		System Owner/User Discovery	BabyShark has executed the `whoami` command.^[1]

Groups That Use This Software

ID	Name	References
G0094	Kimsuky	^[2]^[5]^[4]

References