Register to stream the next session of ATT&CKcon Power Hour November 12

SOFTWARE

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

Desert Scorpion

Exaramel for Linux

Exaramel for Windows

Hacking Team UEFI Rootkit

Imminent Monitor

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

SOFTWARE

1-9

A-B

Android/Chuli.A

ANDROIDOS_ANSERVER.A

AutoIt backdoor

Backdoor.Oldrea

C-D

Desert Scorpion

E-F

Exaramel for Linux

Exaramel for Windows

G-H

Hacking Team UEFI Rootkit

I-J

Imminent Monitor

K-L

M-N

O-P

Olympic Destroyer

OSX_OCEANLOTUS.D

Pass-The-Hash Toolkit

Pegasus for Android

Pegasus for iOS

Q-R

S-T

ShimRatReporter

Trojan-SMS.AndroidOS.Agent.ao

Trojan-SMS.AndroidOS.FakeInst.a

Trojan-SMS.AndroidOS.OpFake.a

Trojan.Karagany

U-V

W-X

Windows Credential Editor

Winnti for Linux

Winnti for Windows

X-Agent for Android

XLoader for Android

XLoader for iOS

Y-Z

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. ^[1]

ID: S0417

Type: MALWARE

Platforms: Windows

Version: 1.1

Created: 11 October 2019

Last Modified: 23 June 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.^[1]
		.007	Command and Scripting Interpreter: JavaScript/JScript	GRIFFON is written in and executed as JavaScript/JScript.^[1]
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	GRIFFON has used `sctasks` for persistence. ^[1]
Enterprise	T1113		Screen Capture	GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.^[1]
Enterprise	T1082		System Information Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .^[1]
Enterprise	T1124		System Time Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.^[1]

Groups That Use This Software

ID	Name	References
G0046	FIN7	^[1]

References

Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.