1. Home
  2. Software
  3. ASPXSpy

ASPXSpy

ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]

ID: S0073
Associated Software: ASPXTool
Type: MALWARE
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 22 May 2024
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1505 .003 Server Software Component: Web Shell

ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[1]

Groups That Use This Software

ID Name References
G0096 APT41

[2]
G0125 HAFNIUM

[3]
G0027 Threat Group-3390

Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1][4]
G0087 APT39

[5]
G1030 Agrius

Agrius relies on web shells for persistent access post exploitation, with an emphasis on variants of ASPXSpy.[6]

Campaigns

ID Name Description
C0002 Night Dragon

During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[7]

References

  1. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  2. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
  3. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  4. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  1. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  2. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  3. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.