S0646 SpicyOmelette

SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.¹

Techniques Used

Domain	ID	Name	Use
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.007	JavaScript	SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.¹
enterprise	T1005	Data from Local System	SpicyOmelette has collected data and other information from a compromised host.¹
enterprise	T1105	Ingress Tool Transfer	SpicyOmelette can download malicious files from threat actor controlled AWS URL’s.¹
enterprise	T1566	Phishing	-
enterprise	T1566.002	Spearphishing Link	SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.¹
enterprise	T1018	Remote System Discovery	SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.¹
enterprise	T1518	Software Discovery	SpicyOmelette can enumerate running software on a targeted system.¹
enterprise	T1518.001	Security Software Discovery	SpicyOmelette can check for the presence of 29 different antivirus tools.¹
enterprise	T1553	Subvert Trust Controls	-
enterprise	T1553.002	Code Signing	SpicyOmelette has been signed with valid digital certificates.¹
enterprise	T1082	System Information Discovery	SpicyOmelette can identify the system name of a compromised host.¹
enterprise	T1016	System Network Configuration Discovery	SpicyOmelette can identify the IP of a compromised system.¹
enterprise	T1204	User Execution	-
enterprise	T1204.001	Malicious Link	SpicyOmelette has been executed through malicious links within spearphishing emails.¹

ID	Name	References
G0080	Cobalt Group	¹