SpicyOmelette
SpicyOmelette is a JavaScript based remote access tool that has been used by Cobalt Group since at least 2018.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
SpicyOmelette has collected data and other information from a compromised host.[1] |
|
| Enterprise | T1059 | .007 | 命令与脚本解释器: JavaScript |
SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.[1] |
| Enterprise | T1204 | .001 | 用户执行: Malicious Link |
SpicyOmelette has been executed through malicious links within spearphishing emails.[1] |
| Enterprise | T1082 | 系统信息发现 |
SpicyOmelette can identify the system name of a compromised host.[1] |
|
| Enterprise | T1016 | 系统网络配置发现 |
SpicyOmelette can identify the IP of a compromised system.[1] |
|
| Enterprise | T1518 | 软件发现 |
SpicyOmelette can enumerate running software on a targeted system.[1] |
|
| .001 | Security Software Discovery |
SpicyOmelette can check for the presence of 29 different antivirus tools.[1] |
||
| Enterprise | T1105 | 输入工具传输 |
SpicyOmelette can download malicious files from threat actor controlled AWS URL's.[1] |
|
| Enterprise | T1018 | 远程系统发现 |
SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.[1] |
|
| Enterprise | T1566 | .002 | 钓鱼: Spearphishing Link |
SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[1] |
| Enterprise | T1553 | .002 | 颠覆信任控制: Code Signing |
SpicyOmelette has been signed with valid digital certificates.[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0080 | Cobalt Group |