TINYTYPHON

TINYTYPHON is a backdoor that has been used by the actors responsible for the MONSOON campaign. The majority of its code was reportedly taken from the MyDoom worm. [1]

ID: S0131
Aliases: TINYTYPHON
Type: MALWARE
Platforms: Windows

Version: 1.0

Techniques Used

Domain | ID | Name | Use
Enterprise | T1020 | Automated Exfiltration | When a document is found matching one of the extensions in the configuration, TINYTYPHON uploads it to the C2 server. [1]
Enterprise | T1083 | File and Directory Discovery | TINYTYPHON searches through the drive containing the OS, then all drive letters C through Z, for documents matching certain extensions. [1]
Enterprise | T1027 | Obfuscated Files or Information | TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file. [1]
Enterprise | T1060 | Registry Run Keys / Startup Folder | TINYTYPHON installs itself under a Registry Run key to establish persistence. [1]

Groups

Groups that use this software:

Patchwork

References