S0073 ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version.[1]
| Item | Value | 
|---|---|
| ID | S0073 | 
| Associated Names | |
| Type | MALWARE | 
| Version | 1.2 | 
| Created | 31 May 2017 | 
| Last Modified | 22 September 2022 | 
Techniques Used
| Domain | ID | Name | Use | 
|---|---|---|---|
| enterprise | T1505 | Server Software Component | - | 
| enterprise | T1505.003 | Web Shell | ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[1] | 
Groups That Use This Software
| ID | Name | References | 
|---|---|---|
| G0096 | APT41 | [3] | 
| G0125 | HAFNIUM | [4] | 
| G0087 | APT39 | [5] | 
| G0027 | Threat Group-3390 | Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1][6] | 
References
- [1] Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- [2] McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- [3] Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
- [4] Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- [5] Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- [6] Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.