SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Backdoor.Oldrea

Backdoor.Oldrea is a backdoor used by Dragonfly. It appears to be custom malware authored by the group or specifically for it. ^[1]

ID: S0093

ⓘ

Associated Software: Havex

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 31 May 2017

Last Modified: 30 March 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.003	Account Discovery: Email Account	Backdoor.Oldrea collects address book information from Outlook.^[1]
Enterprise	T1560		Archive Collected Data	Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.^[1]
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	Backdoor.Oldrea adds Registry Run keys to achieve persistence.^[1]
Enterprise	T1555	.003	Credentials from Password Stores: Credentials from Web Browsers	Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.^[1]
Enterprise	T1083		File and Directory Discovery	Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.^[1]
Enterprise	T1070	.004	Indicator Removal on Host: File Deletion	Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.^[1]
Enterprise	T1057		Process Discovery	Backdoor.Oldrea collects information about running processes.^[1]
Enterprise	T1055		Process Injection	Backdoor.Oldrea injects itself into explorer.exe.^[1]
Enterprise	T1082		System Information Discovery	Backdoor.Oldrea collects information about the OS and computer name.^[1]
Enterprise	T1016		System Network Configuration Discovery	Backdoor.Oldrea collects information about the Internet adapter configuration.^[1]
Enterprise	T1033		System Owner/User Discovery	Backdoor.Oldrea collects the current username from the victim.^[1]

Groups That Use This Software

ID	Name	References
G0035	Dragonfly	^[1]

References

Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.