Caterpillar WebShell

Caterpillar WebShell is a web shell developed in-house by the group Volatile Cedar.[1]

ID: S0572
Type: MALWARE
Platforms: Windows
Version: 1.0
Created: 10 February 2021
Last Modified: 27 April 2021

Techniques Used

Domain ID Name Use
Enterprise T1014 Rootkit

Caterpillar WebShell has a module to use a rootkit on a system.[1]

Enterprise T1005 Data from Local System

Caterpillar WebShell has a module to collect information from the local database.[1]

Enterprise T1112 Modify Registry

Caterpillar WebShell has a command to modify a Registry key.[1]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Caterpillar WebShell can run commands on the compromised asset with CMD functions.[1]

Enterprise T1083 File and Directory Discovery

Caterpillar WebShell can search for files in directories.[1]

Enterprise T1110 Brute Force

Caterpillar WebShell has a module to perform brute force attacks on a system.[1]

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Caterpillar WebShell can obtain a list of local groups of users from a system.[1]

Enterprise T1082 System Information Discovery

Caterpillar WebShell has a module to gather information from the compromised asset, including the computer version, computer name, IIS version, and more.[1]

Enterprise T1033 System Owner/User Discovery

Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[1]

Enterprise T1007 System Service Discovery

Caterpillar WebShell can obtain a list of the services from a system.[1]

Enterprise T1016 System Network Configuration Discovery

Caterpillar WebShell can gather the IP address of the victim's machine using the ipconfig command.[1]

Enterprise T1046 Network Service Discovery

Caterpillar WebShell has a module to use a port scanner on a system.[1]

Enterprise T1105 Ingress Tool Transfer

Caterpillar WebShell has a module to transfer files to and from the system.[1]

Enterprise T1057 Process Discovery

Caterpillar WebShell can gather a list of processes running on the machine.[1]

Enterprise T1041 Exfiltration Over C2 Channel

Caterpillar WebShell can upload files over the C2 channel.[1]
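The entries above describe what the shell does, not how a defender would see it. The following is an added example (not from the ATT&CK entry and not Caterpillar WebShell's own code) of the check a practitioner would run against process-creation telemetry for the Windows Command Shell and discovery techniques listed: every shell spawned by a web server worker is worth alerting on, and parsing the `cmd.exe /c` payload lets the alert carry the technique ID. It assumes, which the page does not state, that the shell is hosted by IIS so its commands appear as children of `w3wp.exe`; the Sysmon-style events, the allowlist and the command-to-technique mapping are constructed for the example.

```python
"""Flag command-shell and discovery activity spawned by an IIS worker process.

Added example for this page; not Caterpillar WebShell's code. Assumption
(not stated on the page): the web shell runs under IIS, so whatever it
executes is a child of w3wp.exe. Events mimic Sysmon Event ID 1 fields.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

WEB_SERVER_IMAGES = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
# ASP.NET dynamic compilation legitimately spawns these from w3wp.exe.
ALLOWLIST = {"csc.exe", "vbc.exe", "cvtres.exe", "conhost.exe"}

# Inner command -> ATT&CK technique from this page (editorial mapping).
DISCOVERY_PATTERNS = [
    (r"^ipconfig\b", "T1016"),
    (r"^tasklist\b", "T1057"),
    (r"^net\s+localgroup\b", "T1069.001"),
    (r"^net\s+user\b", "T1033"),
    (r"^(?:sc\s+query|net\s+start)\b", "T1007"),
    (r"^reg\s+(?:add|delete)\b", "T1112"),
    (r"^systeminfo\b", "T1082"),
    (r"^dir\b", "T1083"),
]

# Matches: cmd /c X, cmd.exe /k X, "C:\Windows\System32\cmd.exe" /c X
CMD_WRAPPER = re.compile(
    r'^\s*"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', re.I)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str          # file name only, e.g. "cmd.exe"
    command_line: str


@dataclass(frozen=True)
class Finding:
    pid: int
    chain: str          # e.g. "w3wp.exe > cmd.exe"
    command: str        # the command the web shell actually ran
    technique: Optional[str]  # None when flagged but not classified


def inner_command(cmdline: str) -> str:
    """Return the payload of a 'cmd /c <payload>' line, else the line itself."""
    m = CMD_WRAPPER.match(cmdline)
    return (m.group(1) if m else cmdline).strip().strip('"')


def classify(command: str) -> Optional[str]:
    for pattern, technique in DISCOVERY_PATTERNS:
        if re.match(pattern, command, re.I):
            return technique
    return None


def find_webshell_activity(events: List[ProcEvent]) -> List[Finding]:
    """Report every non-allowlisted direct child of a web server worker.

    Only direct children are inspected; a grandchild such as ipconfig.exe
    spawned by cmd.exe is already covered by parsing the cmd /c payload.
    """
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None or parent.image not in WEB_SERVER_IMAGES:
            continue
        if e.image in ALLOWLIST:
            continue
        cmd = inner_command(e.command_line) if e.image in SHELLS else e.command_line
        findings.append(Finding(e.pid, f"{parent.image} > {e.image}", cmd, classify(cmd)))
    return findings


# Constructed sample telemetry, not captured from a real incident.
SAMPLE_EVENTS = [
    ProcEvent(4200, 700, "w3wp.exe", r'c:\windows\system32\inetsrv\w3wp.exe -ap "DefaultAppPool"'),
    ProcEvent(4301, 4200, "cmd.exe", r"cmd.exe /c ipconfig /all"),
    ProcEvent(4302, 4200, "cmd.exe", r'"C:\Windows\System32\cmd.exe" /c net localgroup administrators'),
    ProcEvent(4303, 4200, "cmd.exe", r"cmd /c tasklist /v"),
    ProcEvent(4304, 4200, "csc.exe", r"csc.exe /noconfig /fullpaths @App_Web_x.cmdline"),
    ProcEvent(4305, 4200, "cmd.exe", r"cmd.exe /c reg add HKLM\Software\Example /v Run /d x"),
    ProcEvent(4306, 4200, "cmd.exe", r"cmd.exe /c whoami"),
    ProcEvent(5001, 1200, "cmd.exe", r"cmd.exe /c ipconfig"),   # parent is not a web worker
]

if __name__ == "__main__":
    for f in find_webshell_activity(SAMPLE_EVENTS):
        print(f"pid={f.pid} {f.chain}: {f.command!r} -> {f.technique or 'unclassified'}")
```

The allowlist matters in practice: flagging every child of `w3wp.exe` without it produces noise from ASP.NET compilation, while allowlisting `cmd.exe` itself would blind the check to exactly the behaviour described on this page. Unclassified commands are still reported, because the point is the parent-child relationship, not the specific discovery command.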

Groups That Use This Software

ID Name References
G0123 Volatile Cedar [1][2]

References