SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. ^[1]

ID: S0417

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 11 October 2019

Last Modified: 23 June 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.^[1]
		.007	Command and Scripting Interpreter: JavaScript	GRIFFON is written in and executed as JavaScript.^[1]
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	GRIFFON has used `sctasks` for persistence. ^[1]
Enterprise	T1113		Screen Capture	GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.^[1]
Enterprise	T1082		System Information Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .^[1]
Enterprise	T1124		System Time Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.^[1]

Groups That Use This Software

ID	Name	References
G0046	FIN7	^[1]^[2]

References

Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.

Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.