Open Hunting - Threat Library

Openhunting Threat Library

CMDEmber

(Type: Backdoor)

(SentinelLabs) CMDEmber interacts with a Google Firebase Realtime Database instance that has the role of a C2 server.

[News Analysis] Trends:

Total Trend: 0

Trend Per Year

Trend Per Month

[News Analysis] News Mention Another Threat Name:

[TTP Analysis] Technique Performance:

reconnaissance

0/43

resource development

0/45

initial access

0/19

execution

1/36

persistence

0/113

privilege escalation

0/96

defense evasion

1/184

credential access

0/63

discovery

2/44

lateral movement

1/22

collection

0/37

command and control

1/39

exfiltration

0/18

impact

0/26

[TTP Analysis] Mitre Attack Matrix:

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.003 Command And Scripting Interpreter : Windows Command Shell			T1070.004 Indicator Removal : File Deletion		T1083 File And Directory Discovery T1082 System Information Discovery	T1570 Lateral Tool Transfer		T1105 Ingress Tool Transfer

[Infrastructure Analysis] Based on Related IOC:

IP:Port	Timestamp

Domain	Timestamp

URL	Timestamp

[Target Analysis] Region/Sector:

No information

References:

News Basic Information Indicator of Compromise Mitre Attack

Basic Information (Credit @etda.or.th)

Tool: CMDEmber

Names: CMDEmber

Description: (SentinelLabs) CMDEmber interacts with a Google Firebase Realtime Database instance that has the role of a C2 server.

Category: Malware

Type: Backdoor

Information: https://www.sentinelone.com/labs/wip26-espionage-threat-actors-abuse-cloud-infrastructure-in-targeted-telco-attacks/

Last-card-change: 2023-02-17

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043	TA0042	TA0001	TA0002	TA0003	TA0004	TA0005	TA0006	TA0007	TA0008	TA0009	TA0011	TA0010	TA0040
Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
			T1059.003 COMMAND AND SCRIPTING INTERPRETER : WINDOWS COMMAND SHELL cmd is used to execute programs and other actions at the command-line interface.			T1070.004 INDICATOR REMOVAL : FILE DELETION cmd can be used to delete files from the file system.		T1083 FILE AND DIRECTORY DISCOVERY cmd can be used to find files and directories with native functionality such as dir commands. T1082 SYSTEM INFORMATION DISCOVERY cmd can be used to find information about the operating system.	T1570 LATERAL TOOL TRANSFER cmd can be used to copy files to/from a remotely connected internal system.		T1105 INGRESS TOOL TRANSFER cmd can be used to copy files to/from a remotely connected external system.