ASPXSpy
ASPXSpy is a Web shell. It has been modified by Threat Group-3390 actors to create the ASPXTool version. [1]
ID: S0073
ⓘ
Associated Software: ASPXTool
ⓘ
Type: MALWARE
ⓘ
Platforms: Windows
Version: 1.3
Created: 31 May 2017
Last Modified: 22 May 2024
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
ASPXSpy is a Web shell. The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).[1] |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0096 | APT41 | |
| G0125 | HAFNIUM | |
| G0027 | Threat Group-3390 |
Threat Group-3390 has used a modified version of ASPXSpy called ASPXTool.[1][4] |
| G0087 | APT39 | |
| G1030 | Agrius |
Agrius relies on web shells for persistent access post exploitation, with an emphasis on variants of ASPXSpy.[6] |
Campaigns
| ID | Name | Description |
|---|---|---|
| C0002 | Night Dragon |
During Night Dragon, threat actors deployed ASPXSpy on compromised web servers.[7] |
References
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.