Comfoo

Community Synonyms

• Tabcteng
• DPD or backdoor-DPD (McAfee)
• Wakbot.B (Microsoft)
•  

Malware References

• http://www.secureworks.com/cyber-threat-intelligence/threats/secrets-of-the-comfoo-masters/
• http://global.ahnlab.com/global/upload/download/asecreport/ASEC_Report_Vol.32_Eng.pdf 
• http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp_luckycat_redux.pdf
• [related] http://pwc.blogs.com/cyber_security_updates/2014/10/orcarat-a-whale-of-a-tale.html  
• http://home.mcafee.com/virusinfo/virusprofile.aspx?key=144578#none

IExplore RAT

Community Synonyms

• Sharky RAT (Seth Hardy)
• Briba (Symantec)
• c0d0so0 (iSight)
• file hash: 3D099498CEC9760616437C5265349B83
• Amisharp 

Malware References

• https://citizenlab.org/wp-content/uploads/2012/09/IEXPL0RE_RAT.pdf
• https://citizenlab.org/2011/10/citizen-lab-senior-security-analyst-seth-hardy-presents-at-sector-conference/
• http://www.symantec.com/security_response/writeup.jsp?docid=2012-051515-2843-99&tabid=2
• https://www.alienvault.com/open-threat-exchange/blog/cve-2012-1535-adobe-flash-being-exploited-in-the-wild

Black Energy

Community Synonyms

• Sandworm (via SandWorm usage of BE2; iSight Partners)
• Kernelbot (malware.dontneedcoffe)
• Lancafdo (Symantec)
• Blacken (Sophos)

Malware References

• http://www.welivesecurity.com/2016/01/03/blackenergy-sshbeardoor-details-2015-attacks-ukrainian-news-media-electric-industry/
• http://www.welivesecurity.com/2014/09/22/back-in-blackenergy-2014/
• http://www.welivesecurity.com/2014/10/14/cve-2014-4114-details-august-blackenergy-powerpoint-campaigns/
• https://www.virusbtn.com/conference/vb2014/abstracts/LM3-LipovskyCherepanov.xml
• http://atlas-public.ec2.arbor.net/docs/BlackEnergy+DDoS+Bot+Analysis.pdf
• https://securelist.com/blog/research/67353/be2-custom-plugins-router-abuse-and-target-profiles/
• https://securelist.com/analysis/publications/36309/black-ddos/
• https://www.f-secure.com/documents/996508/1030745/blackenergy_whitepaper.pdf
• http://malware.dontneedcoffee.com/2014/06/botnetkernel.html
• http://blog.trendmicro.com/sandworm-and-scada/
• http://www.isightpartners.com/2014/10/cve-2014-4114/
• http://blog.trendmicro.com/trendlabs-security-intelligence/an-analysis-of-windows-zero-day-vulnerability-cve-2014-4114-aka-sandworm/
• https://www.first.org/resources/papers/conf2015/first_2015_-_wilhoit-_kyle_-_malware_in_your_pipes_20150630.pdf
• http://www.cyactive.com/total-blackout-sandworm-team-reuse-blackenergy/
• http://www.critical-intelligence.com/resources/papers/CI-Sandworm-BE2.pdf
• http://www.secureworks.com/assets/pdf-store/articles/Understanding_and_Combating_DDoS_Attacks.pdf
• http://www.symantec.com/connect/blogs/destructive-disakil-malware-linked-ukraine-power-outages-also-used-against-media-organizations
• https://nakedsecurity.sophos.com/2016/01/06/ukraine-power-outages-blamed-on-hackers-and-malware/

Lstudio

Community Synonyms

• Wumins
• Elise
• Evora
• Emissary
• stscout
• Page

Malware References

• http://www.slideshare.net/burguzbozo/hunting-the-shadows-in-depth-analysis-of-escalated-apt-attacks or https://media.blackhat.com/us-13/US-13-Yarochkin-In-Depth-Analysis-of-Escalated-APT-Attacks-Slides.pdf
• http://contagioexchange.blogspot.com/2013/09/page-elise-lstudio-wumins-strings-apt.html
• http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/
• http://researchcenter.paloaltonetworks.com/2015/06/operation-lotus-blossom/

Elirks

Community Synonyms

Malware References

• http://www.slideshare.net/burguzbozo/hunting-the-shadows-in-depth-analysis-of-escalated-apt-attacks
• http://www.secureworks.com/cyber-threat-intelligence/threats/chasing_apt/

Lecna

Community Synonyms

• Backspace

Malware References

• https://www.fireeye.com/content/dam/fireeye-www/current-threats/pdfs/rpt-southeast-asia-threat-landscape.pdf
• https://www2.fireeye.com/WEB-2015RPTAPT30.html
• https://www.fireeye.com/blog/threat-research/2015/04/apt_30_and_the_mecha.html
• http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=BACKDOOR:WIN32/LECNA.G#tab-link-3
• https://www.symantec.com/security_response/writeup.jsp?docid=2006-053112-3821-99&tabid=2
• https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=246

PlugX

Community Synonyms

• Derusbi
• Destory RAT
• Kaba
• Sogu
• Thoper
• TVT
• Gulpix

Malware References

• http://blogs.cisco.com/security/talos/threat-spotlight-group-72
• https://www.circl.lu/pub/tr-24/
• http://labs.lastline.com/an-analysis-of-plugx
• https://www.fireeye.com/blog/threat-research/2014/07/pacific-ring-of-fire-plugx-kaba.html
• https://www.fireeye.com/blog/threat-research/2013/11/exploit-proliferation-additional-threat-groups-acquire-cve-2013-3906.html
• http://blog.cassidiancybersecurity.com/post/2014/01/plugx-some-uncovered-points.html
• https://www.fireeye.com/blog/threat-research/2014/06/clandestine-fox-part-deux.html
• http://researchcenter.paloaltonetworks.com/2015/05/plugx-uses-legitimate-samsung-application-for-dll-side-loading/
• http://www.csee.umbc.edu/courses/undergraduate/CMSC491malware/fireeye-malware-supply-chain.pdf
• https://securityledger.com/2013/11/malware-supply-chain-links-eleven-attacks/
• https://www.blackhat.com/docs/asia-14/materials/Haruyama/Asia-14-Haruyama-I-Know-You-Want-Me-Unplugging-PlugX.pdf
• http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf

ZoxPNG

Community Synonyms

• BlackCoffee

Malware References

• https://www.novetta.com/wp-content/uploads/2014/11/ZoxPNG.pdf
• https://www2.fireeye.com/WEB-2015RPTAPT17.html
• https://www.fireeye.com/blog/threat-research/2015/05/hiding_in_plain_sigh.html

Fexel

Community Synonyms

• Agtid
• Deputy Dog

Malware References

• https://www.symantec.com/security_response/writeup.jsp?docid=2013-092314-4620-99&tabid=2
• http://www.novetta.com/wp-content/uploads/2014/11/Executive_Summary-Final_1.pdf
• http://blog.jpcert.or.jp/2015/11/a-volatility-plugin-created-for-detecting-malware-used-in-targeted-attacks.html
• http://blogs.cisco.com/security/talos/threat-spotlight-group-72

Stealer

Community Synonyms

• Sayad (NCC Group)

Malware References

• https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-operation-saffron-rose.pdf
• http://www.crowdstrike.com/blog/cat-scratch-fever-crowdstrike-tracks-newly-reported-iranian-actor-flying-kitten/
• https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2014/july/a-new-flying-kitten/

ZxShell

Community References

• Sensode (Cisco)

Malware References

• http://blog.trendmicro.com/trendlabs-security-intelligence/mers-news-used-in-targeted-attack-against-japanese-media-company/
• http://blogs.cisco.com/security/talos/opening-zxshell
• https://www.symantec.com/security_response/writeup.jsp?docid=2014-021716-3303-99&tabid=2
• https://www.f-secure.com/v-descs/backdoor_w32_zxshell_a.shtml
• http://blogs.cisco.com/security/talos/threat-spotlight-group-72
• http://www.talosintel.com/files/publications_and_presentations/papers/Cisco_security_Group72_wp.pdf
• http://www.symantec.com/connect/blogs/operation-cloudyomega-ichitaro-zero-day-and-ongoing-cyberespionage-campaign-targeting-japan
• http://www.crowdstrike.com/blog/french-connection-french-aerospace-focused-cve-2014-0322-attack-shares-similarities-2012/
• https://www.fireeye.com/blog/threat-research/2014/02/operation-snowman-deputydog-actor-compromises-us-veterans-of-foreign-wars-website.html
• https://www.bluecoat.com/security-blog/2014-07-21/korean-gaming-industry-still-under-fire
• https://www.novetta.com/2014/10/operation-smn-detailed-reporting-released/
• http://www.kashifali.ca/category/backdoor-zxshell/

AspxSpy

Introduction

Community Synonyms

Malware References

• https://github.com/tennc/webshell/blob/master/net-friend/aspx/aspxspy.aspx
• http://hackingscripts.com/aspxspy-shell-script/

9002

Introduction

The 9002 RAT was first noticed when used in 2009 as part of the Operation Aurora attacks and then the Sunshop Campaign and Operation DeputyDog.

Community References

• Trojan.Hydraq!gen1 (Symantec)
• Trojan.Hydraq labeled malware are a different backdoor)
• HomeUnix (FireEye)
• Naid (Symantec)
• Vasport (Symantec)
• Boda (Symantec)
• McRat
• MdMBot
• Troj/Agent-XAL
• 3102 (Palo Alto)

Malware References

• http://cybercampaigns.net/wp-content/uploads/2013/05/Hydraq.pdf
• http://blogs.cisco.com/security/talos/threat-spotlight-group-72
• http://malware-unplugged.blogspot.com/2013/11/hunting-apt-rat-9002-in-memory-using.html
• http://holisticinfosec.blogspot.com/search/label/Trojan.APT.9002
• http://blog.cylance.com/another-9002-trojan-variant
• https://www.fireeye.com/blog/threat-research/2013/08/the-sunshop-campaign-continues.html
• https://www.fireeye.com/blog/threat-research/2013/11/operation-ephemeral-hydra-ie-zero-day-linked-to-deputydog-uses-diskless-method.html
• http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/hidden_lynx.pdf
• http://researchcenter.paloaltonetworks.com/2015/09/chinese-actors-use-3102-malware-in-attacks-on-us-government-and-eu-media/ [3102 Malware]

Poison Ivy

Community Synonyms

• Darkmoon (Symatec)

Malware References

• http://www.fireeye.com/resources/pdfs/fireeye-poison-ivy-report.pdf

Hikit

Community Synonyms

• Matrix RAT
• Gaolmay

Malware References

• https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-1.html
• https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html
• https://www.novetta.com/wp-content/uploads/2014/11/HiKit.pdf
• http://www.symantec.com/security_response/writeup.jsp?docid=2012-082113-5541-99&tabid=2
• http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_HIKIT.A
• http://www.slideshare.net/ragebeast/infragard-hikitflash
• https://www.threatconnect.com/opm-breach-analysis-update/
• https://blog.bit9.com/2013/02/25/bit9-security-incident-update/
• http://krebsonsecurity.com/2013/03/new-java-0-day-attack-echoes-bit9-breach/
• http://blogs.cisco.com/security/talos/threat-spotlight-group-72
• http://www.talosintel.com/files/publications_and_presentations/papers/Cisco_security_Group72_wp.pdf

Gh0st

Community Synonyms:
Moudoor (Symantec)
HTTPS
Lurk (TrendMicro)

Malware Reference:
https://www.sentinelone.com/blog/the-curious-case-of-gh0st-malware/
https://www.emc.com/collateral/so-ASOC-use-case-gh0st-rat.pdf
http://malware-unplugged.blogspot.com/2015/01/hunting-and-decrypting-communications.html
http://download01.norman.no/documents/ThemanyfacesofGh0stRat.pdf
http://henrybasset.blogspot.com/2014/04/red-sky-weekly-gh0st-rat.html
http://www.mcafee.com/in/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-detecting-apt-activity-with-network-traffic-analysis.pdf
http://blogs.rsa.com/will-gragido/lions-at-the-watering-hole-the-voho-affair/
http://www.mcafee.com/ca/resources/white-papers/foundstone/wp-know-your-digital-enemy.pdf
http://blog.trendmicro.com/trendlabs-security-intelligence/kunming-attack-leads-to-gh0st-rat-variant/
http://xanalysis.blogspot.com/2009/04/gh0st-rat.html

Proxydown

Community Synonyms

• Miancha
• Snefix
• Preshin

Malware Reference

http://www.symantec.com/security_response/writeup.jsp?docid=2012-122110-0259-99&tabid=2

Preshin

Community Synonyms:

Malware Reference:

http://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/BKDR_PRESHIN.JTT