Caterpillar WebShell

Caterpillar WebShell is a self-developed Web Shell tool created by the group Volatile Cedar.[1]

ID: S0572
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 10 February 2021
Last Modified: 27 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force

Caterpillar WebShell has a module to perform brute force attacks on a system.[1]

Enterprise T1059.003 Command and Scripting Interpreter: Windows Command Shell

Caterpillar WebShell can run commands on the compromised asset with CMD functions.[1]

Enterprise T1005 Data from Local System

Caterpillar WebShell has a module to collect information from the local database.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Caterpillar WebShell can upload files over the C2 channel.[1]

Enterprise T1083 File and Directory Discovery

Caterpillar WebShell can search for files in directories.[1]

Enterprise T1105 Ingress Tool Transfer

Caterpillar WebShell has a module to download and upload files to the system.[1]

Enterprise T1112 Modify Registry

Caterpillar WebShell has a command to modify a Registry key.[1]

Enterprise T1046 Network Service Discovery

Caterpillar WebShell has a module to use a port scanner on a system.[1]

Enterprise T1069.001 Permission Groups Discovery: Local Groups

Caterpillar WebShell can obtain a list of local groups of users from a system.[1]

Enterprise T1057 Process Discovery

Caterpillar WebShell can gather a list of processes running on the machine.[1]

Enterprise T1014 Rootkit

Caterpillar WebShell has a module to use a rootkit on a system.[1]

Enterprise T1082 System Information Discovery

Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.[1]

Enterprise T1016 System Network Configuration Discovery

Caterpillar WebShell can gather the IP address of the victim's machine using the ipconfig command.[1]

Enterprise T1033 System Owner/User Discovery

Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[1]

Enterprise T1007 System Service Discovery

Caterpillar WebShell can obtain a list of the services from a system.[1]
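Most of the techniques above share one observable: the web shell runs its discovery and registry commands through the Windows command shell (T1059.003), so on the host they appear as cmd.exe children of the web server's worker process. The detection sketch below, added here as an illustration and not code from the ATT&CK page or from Volatile Cedar, runs over a few constructed process-creation events and maps the child command line back to the technique IDs listed on this page. The log field layout, the worker-process names (w3wp.exe is assumed because the page says the shell collects the IIS version), and the command-to-technique mapping are all assumptions for the example.

```python
"""Flag discovery/registry commands spawned by a web server worker process,
the footprint a web shell such as Caterpillar WebShell leaves when it runs
CMD functions.  Added example; log format and process names are assumed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Child command patterns mapped to the technique IDs this page lists.
# The mapping is an illustrative assumption, not taken from the page.
SUSPICIOUS_CHILD_COMMANDS = {
    r"\bipconfig\b": "T1016 System Network Configuration Discovery",
    r"\bnet\s+localgroup\b": "T1069.001 Permission Groups Discovery: Local Groups",
    r"\bnet\s+user\b": "T1033 System Owner/User Discovery",
    r"\btasklist\b": "T1057 Process Discovery",
    r"\bsc\s+query\b": "T1007 System Service Discovery",
    r"\breg\s+(add|delete)\b": "T1112 Modify Registry",
    r"\bsysteminfo\b": "T1082 System Information Discovery",
    r"\bdir\b": "T1083 File and Directory Discovery",
}

# Web server worker processes that should not normally spawn a shell (assumed).
WEB_WORKER_PROCESSES = {"w3wp.exe", "httpd.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Assumed Sysmon-like event layout: parent="..." image="..." cmd="..."
_LOG_RE = re.compile(
    r'parent="(?P<parent>[^"]+)"\s+image="(?P<image>[^"]+)"\s+cmd="(?P<cmd>[^"]*)"'
)


@dataclass
class Alert:
    line_no: int
    parent: str
    command: str
    technique: str


def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (parent_path, image_path, command_line) or None if unparseable."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return m.group("parent").lower(), m.group("image").lower(), m.group("cmd")


def classify(cmd: str) -> Optional[str]:
    """Map a child command line to the first matching technique, if any."""
    for pattern, technique in SUSPICIOUS_CHILD_COMMANDS.items():
        if re.search(pattern, cmd, re.IGNORECASE):
            return technique
    return None


def detect(log_lines: List[str]) -> List[Alert]:
    """Alert on any shell spawned by a web worker; refine by command line."""
    alerts = []
    for n, line in enumerate(log_lines, 1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        parent, image, cmd = parsed
        parent_name = parent.rsplit("\\", 1)[-1]
        image_name = image.rsplit("\\", 1)[-1]
        if parent_name not in WEB_WORKER_PROCESSES or image_name not in SHELLS:
            continue
        # A shell child of the worker is itself T1059.003; a recognised
        # command line narrows the alert to the discovery/registry technique.
        technique = classify(cmd) or "T1059.003 Windows Command Shell"
        alerts.append(Alert(n, parent_name, cmd, technique))
    return alerts


# Constructed sample events (not real telemetry). Lines 3 and 7 are benign.
SAMPLE_LOG = [
    r'ts=2021-02-10T10:00:01Z parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c ipconfig /all"',
    r'ts=2021-02-10T10:00:02Z parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c net localgroup administrators"',
    r'ts=2021-02-10T10:00:03Z parent="C:\Windows\explorer.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c ipconfig"',
    r'ts=2021-02-10T10:00:04Z parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c tasklist"',
    r'ts=2021-02-10T10:00:05Z parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c reg add HKLM\Software\Demo /v Run /d x"',
    r'ts=2021-02-10T10:00:06Z parent="C:\Windows\System32\inetsrv\w3wp.exe" image="C:\Windows\System32\cmd.exe" cmd="cmd.exe /c whoami"',
    r'ts=2021-02-10T10:00:07Z parent="C:\Windows\System32\svchost.exe" image="C:\Windows\System32\inetsrv\w3wp.exe" cmd="w3wp.exe -ap DefaultAppPool"',
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.parent} -> {a.command!r} [{a.technique}]")
```

The parent-process check is what carries the signal: an interactive user running ipconfig from explorer.exe is normal, the same command under w3wp.exe is not. In production the worker-process set should be tuned to the servers actually deployed, and the fallback T1059.003 alert (any shell child of the worker) is usually the higher-fidelity rule, since it does not depend on the attacker using the exact command names listed.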

Groups That Use This Software

ID Name References
G0123 Volatile Cedar [1][2]

References