2021-11-09 by Prevailion from Prevailion
2021-08-17 by ClearSky from ClearSky
Tool: Shark
Names: Shark
Description: (ClearSky) In July 2021, we detected a second wave of similar attacks against additional companies in Israel. In this wave, Siamesekitten upgraded their backdoor malware to a new version called “Shark” and it replaced the old version of their malware called “Milan”.
Category: Malware
Type: Backdoor
Information: https://www.clearskysec.com/wp-content/uploads/2021/08/Siamesekitten.pdf
Mitre-attack: https://attack.mitre.org/software/S1019/
Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/win.shark
Last-card-change: 2022-12-30
Source: https://apt.etda.or.th/cgi-bin/listtools.cgi
MITRE ATT&CK techniques observed for Shark, grouped by tactic:

Tactic | Technique | Description |
---|---|---|
Execution (TA0002) | T1059.003 Command and Scripting Interpreter: Windows Command Shell | Shark has the ability to use cmd to execute commands. |
Defense Evasion (TA0005) | T1070.004 Indicator Removal: File Deletion | Shark can delete files downloaded to the compromised host. |
Defense Evasion (TA0005) | T1036.005 Masquerading: Match Legitimate Name or Location | Shark binaries have been named audioddg.pdb and winlangdb.pdb in order to appear legitimate. |
Defense Evasion (TA0005) | T1497.001 Virtualization/Sandbox Evasion: System Checks | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels. |
Discovery (TA0007) | T1012 Query Registry | Shark can query the MachineGuid value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography to retrieve the machine GUID. |
Discovery (TA0007) | T1497.001 Virtualization/Sandbox Evasion: System Checks | Shark can stop execution if the screen width of the targeted machine is not over 600 pixels. |
Command and Control (TA0011) | T1071.001 Application Layer Protocol: Web Protocols | Shark has the ability to use HTTP in C2 communications. |
Command and Control (TA0011) | T1568.002 Dynamic Resolution: Domain Generation Algorithms | Shark can send DNS C2 communications using a unique domain generation algorithm. |
Exfiltration (TA0010) | T1041 Exfiltration Over C2 Channel | Shark has the ability to upload files from the compromised host over a DNS or HTTP C2 channel. |