SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

DropBook

DropBook is a Python-based backdoor compiled with PyInstaller.^[1]

ID: S0547

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 22 December 2020

Last Modified: 18 August 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	DropBook can execute arbitrary shell commands on the victims' machines.^[1]^[2]
		.006	Command and Scripting Interpreter: Python	DropBook is a Python-based backdoor compiled with PyInstaller.^[1]
Enterprise	T1140		Deobfuscate/Decode Files or Information	DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.^[1]
Enterprise	T1567		Exfiltration Over Web Service	DropBook has used legitimate web services to exfiltrate data.^[2]
Enterprise	T1083		File and Directory Discovery	DropBook can collect the names of all files and folders in the Program Files directories.^[1]^[2]
Enterprise	T1105		Ingress Tool Transfer	DropBook can download and execute additional files.^[1]^[2]
Enterprise	T1082		System Information Discovery	DropBook has checked for the presence of Arabic language in the infected machine's settings.^[1]
Enterprise	T1614	.001	System Location Discovery: System Language Discovery	DropBook has checked for the presence of Arabic language in the infected machine's settings.^[2]
Enterprise	T1102		Web Service	DropBook can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions.^[1]^[2]

Groups That Use This Software

ID	Name	References
G0021	Molerats	^[1]

References

Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.