SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.^[1]

ID: S0572

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.0

Created: 10 February 2021

Last Modified: 27 April 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1110		Brute Force	Caterpillar WebShell has a module to perform brute force attacks on a system.^[1]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Caterpillar WebShell can run commands on the compromised asset with CMD functions.^[1]
Enterprise	T1005		Data from Local System	Caterpillar WebShell has a module to collect information from the local database.^[1]
Enterprise	T1041		Exfiltration Over C2 Channel	Caterpillar WebShell can upload files over the C2 channel.^[1]
Enterprise	T1083		File and Directory Discovery	Caterpillar WebShell can search for files in directories.^[1]
Enterprise	T1105		Ingress Tool Transfer	Caterpillar WebShell has a module to download and upload files to the system.^[1]
Enterprise	T1112		Modify Registry	Caterpillar WebShell has a command to modify a Registry key.^[1]
Enterprise	T1046		Network Service Scanning	Caterpillar WebShell has a module to use a port scanner on a system.^[1]
Enterprise	T1069	.001	Permission Groups Discovery: Local Groups	Caterpillar WebShell can obtain a list of local groups of users from a system.^[1]
Enterprise	T1057		Process Discovery	Caterpillar WebShell can gather a list of processes running on the machine.^[1]
Enterprise	T1014		Rootkit	Caterpillar WebShell has a module to use a rootkit on a system.^[1]
Enterprise	T1082		System Information Discovery	Caterpillar WebShell has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more.^[1]
Enterprise	T1016		System Network Configuration Discovery	Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command.^[1]
Enterprise	T1033		System Owner/User Discovery	Caterpillar WebShell can obtain a list of user accounts from a victim's machine.^[1]
Enterprise	T1007		System Service Discovery	Caterpillar WebShell can obtain a list of the services from a system.^[1]

Groups That Use This Software

ID	Name	References
G0123	Volatile Cedar	^[1]^[2]

References

ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.