SpicyOmelette is a JavaScript-based remote access tool that has been used by Cobalt Group since at least 2018.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | SpicyOmelette has the ability to execute arbitrary JavaScript code on a compromised host.[1] |
| Enterprise | T1005 | Data from Local System | SpicyOmelette has collected data and other information from a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SpicyOmelette can download malicious files from threat actor-controlled AWS URLs.[1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[1] |
| Enterprise | T1018 | Remote System Discovery | SpicyOmelette can identify payment systems, payment gateways, and ATM systems in compromised environments.[1] |
| Enterprise | T1518 | Software Discovery | SpicyOmelette can enumerate running software on a targeted system.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | SpicyOmelette can check for the presence of 29 different antivirus tools.[1] |
| Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | SpicyOmelette has been signed with valid digital certificates.[1] |
| Enterprise | T1082 | System Information Discovery | SpicyOmelette can identify the system name of a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | SpicyOmelette can identify the IP address of a compromised system.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | SpicyOmelette has been executed through malicious links within spearphishing emails.[1] |

| ID | Name | References |
|---|---|---|
| G0080 | Cobalt Group | |