SOFTWARE

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

IronNetInjector

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

RemoteUtilities

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/AdDisplay.Ashas

Android/Chuli.A

AndroidOS/MalLocker.B

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Caterpillar WebShell

CSPY Downloader

Desert Scorpion

E-F

ECCENTRICBANDWAGON

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

IronNetInjector

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

P.A.S. Webshell

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

RemoteUtilities

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

Kerrdown

Kerrdown is a custom downloader that has been used by APT32 since at least 2018 to install spyware from a server on the victim's network.^[1]^[2]

ID: S0585

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 2.0

Created: 02 March 2021

Last Modified: 15 October 2021

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.005	Command and Scripting Interpreter: Visual Basic	Kerrdown can use a VBS base64 decoder function published by Motobit.^[2]
Enterprise	T1140		Deobfuscate/Decode Files or Information	Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.^[2]
Enterprise	T1574	.002	Hijack Execution Flow: DLL Side-Loading	Kerrdown can use DLL side-loading to load malicious DLLs.^[2]
Enterprise	T1105		Ingress Tool Transfer	Kerrdown can download specific payloads to a compromised host based on OS architecture.^[2]
Enterprise	T1027		Obfuscated Files or Information	Kerrdown can encrypt, encode, and compress multiple layers of shellcode.^[2]
Enterprise	T1566	.001	Phishing: Spearphishing Attachment	Kerrdown has been distributed through malicious e-mail attachments.^[1]
		.002	Phishing: Spearphishing Link	Kerrdown has been distributed via e-mails containing a malicious link.^[1]
Enterprise	T1082		System Information Discovery	Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.^[2]
Enterprise	T1204	.001	User Execution: Malicious Link	Kerrdown has gained execution through victims opening malicious links.^[1]
		.002	User Execution: Malicious File	Kerrdown has gained execution through victims opening malicious files.^[1]^[2]

Groups That Use This Software

ID	Name	References
G0050	APT32	^[1]^[2]

References

Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.

Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.