This is a custom instance of the MITRE ATT&CK Website. The official website can be found at attack.mitre.org.

SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Explosive

Explosive is a custom-made remote access tool used by the group Volatile Cedar. It was first identified in the wild in 2015.^[1]^[2]

ID: S0569

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 08 February 2021

Last Modified: 27 April 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Explosive has used HTTP for communication.^[1]
Enterprise	T1115		Clipboard Data	Explosive has a function to use the OpenClipboard wrapper.^[1]
Enterprise	T1025		Data from Removable Media	Explosive can scan all .exe files located in the USB drive.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Explosive has encrypted communications with the RC4 method.^[2]
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	Explosive has commonly set file and path attributes to hidden.^[1]
Enterprise	T1105		Ingress Tool Transfer	Explosive has a function to download a file to the infected system.^[1]
Enterprise	T1056	.001	Input Capture: Keylogging	Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.^[1]^[2]
Enterprise	T1112		Modify Registry	Explosive has a function to write itself to Registry values.^[1]
Enterprise	T1106		Native API	Explosive has a function to call the OpenClipboard wrapper.^[1]
Enterprise	T1082		System Information Discovery	Explosive has collected the computer name from the infected host.^[1]
Enterprise	T1016		System Network Configuration Discovery	Explosive has collected the MAC address from the victim's machine.^[1]
Enterprise	T1033		System Owner/User Discovery	Explosive has collected the username from the infected host.^[1]

Groups That Use This Software

ID	Name	References
G0123	Volatile Cedar	^[1]^[2]

References

Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.