SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Spark

Spark is a Windows backdoor and has been in use since as early as 2017.^[1]

ID: S0543

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 15 December 2020

Last Modified: 18 August 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Spark has used HTTP POST requests to communicate with its C2 server to receive commands.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Spark can use cmd.exe to run commands.^[1]
Enterprise	T1132	.001	Data Encoding: Standard Encoding	Spark has encoded communications with the C2 server with base64.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Spark has used a custom XOR algorithm to decrypt the payload.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Spark has exfiltrated data over the C2 channel.^[1]
Enterprise	T1027	.002	Obfuscated Files or Information: Software Packing	Spark has been packed with Enigma Protector to obfuscate its contents.^[1]
Enterprise	T1082		System Information Discovery	Spark can collect the hostname, keyboard layout, and language from the system.^[1]
Enterprise	T1614	.001	System Location Discovery: System Language Discovery	Spark has checked the results of the `GetKeyboardLayoutList` and the language name returned by `GetLocaleInfoA` to make sure they contain the word "Arabic" before executing.^[1]
Enterprise	T1033		System Owner/User Discovery	Spark has run the whoami command and has a built-in command to identify the user logged in.^[1]
Enterprise	T1497	.002	Virtualization/Sandbox Evasion: User Activity Based Checks	Spark has used a splash screen to check whether an user actively clicks on the screen before running malicious code.^[1]

Groups That Use This Software

ID	Name	References
G0021	Molerats	^[1] ^[2]

References

Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.