ASPXSpy

Malware updated 6 months ago (2024-05-04T16:17:27.709Z)

Download STIX

Preview STIX

ASPXSpy is a type of malware, specifically a web shell, that has been used by various threat actors to exploit and damage computer systems. The earliest deployment attempts date back to 2022 when this malicious software was deployed to multiple hosted websites. It's typically installed on vulnerable web servers of targeted organizations, often using stolen legitimate credentials to compromise externally facing resources such as Outlook Web Access (OWA). This allows threat actors to secure unauthorized access to web servers and carry out further attacks. The cybersecurity firm Volexity has observed numerous instances of ASPXSpy use, alongside other web shells like China Chopper variants and ANTAK. One specific instance involved the Gelsemium group, which reportedly employed one of the ASPXSpy web shells previously used by Iron Taurus (aka APT 27) for Operation Iron Tiger in 2015. This highlights the public availability and widespread use of this malware across different cyber-attack campaigns. The ASPXSpy web shell has also been prevalent in XeGroup’s attacks, demonstrating its widespread usage among different threat actors. In addition to exploiting vulnerabilities like CVE-2019-18935, XeGroup has been known to use ASPXSpy web shells to gain unauthorized access to web servers. The continued use of this web shell underscores the persistent threat it poses to organizations and emphasizes the need for robust cybersecurity measures to mitigate these risks.

Description last updated: 2024-05-04T16:12:36.631Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Aliases We are not currently tracking any aliases

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Web Shell

Apt

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The China Chopper Malware is associated with ASPXSpy. China Chopper is a notorious malware, a harmful program designed to exploit and damage computer systems. It has been primarily used by the threat actor group BRONZE UNION to establish connections to China Chopper web shells on compromised servers, as seen in multiple instances where its code was fou	Unspecified	3
The Iron Taurus Malware is associated with ASPXSpy. Iron Taurus, also known as APT27, is a malware that has been linked to various cyber-espionage activities. This malicious software is designed to infiltrate systems surreptitiously through suspicious downloads, emails, or websites, and once inside, it can steal personal information, disrupt operatio	Unspecified	2

Associated Threat Actors

To see the evidence that has resulted in these threatActor associations, create a free account

Alias Description	Association Type	Votes
The Iron Tiger Threat Actor is associated with ASPXSpy. Iron Tiger, also known as Iron Taurus or APT27, is a threat actor group believed to be aligned with China. The group has been involved in numerous cyber-espionage campaigns, targeting various entities including United States defense contractors and other international organizations. Their activities	Unspecified	2
The Regeorg Threat Actor is associated with ASPXSpy. Regeorg is a threat actor known for its malicious activities in the cyber landscape. Notably, operators of LuckyMouse initiated an attack by dropping the Nbtscan tool in C:\programdata\, followed by installing a variant of the ReGeorg webshell and issuing a GET request using curl. They then tried to	Unspecified	2

Source Document References

Information about the ASPXSpy Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
CERT-EU	a year ago	Stealthy APT Gelsemium Seen Targeting Southeast Asian Government
Securityaffairs	a year ago	Is Gelsemium APT behind an attack in Southeast Asian Govt?
Unit42	a year ago	Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government
CERT-EU	a year ago	Analyzing Four Diverse Attack Techniques Used by XeGroup
CERT-EU	a year ago	Analyzing Threat Techniques Used By XeGroup
Unit42	a year ago	Manic Menagerie 2.0: The Evolution of a Highly Motivated Threat Actor
MITRE	2 years ago	Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities
MITRE	2 years ago	APT39: An Iranian Cyber Espionage Group Focused on Personal Information \| Mandiant
MITRE	2 years ago	Advanced Persistent Threats (APTs) \| Threat Actors & Groups
MITRE	2 years ago	Threat Group-3390 Targets Organizations for Cyberespionage