SHOTPUT

Malware updated 4 months ago (2024-05-04T19:36:36.284Z)
Shotput is a sophisticated malware family associated with Advanced Persistent Threat 3 (APT3), a well-known cyber-espionage group. FireEye also detects it as Backdoor.APT.CookieCutter. It reaches systems through phishing emails crafted to look like ordinary spam. The attack chain uses a Flash file that downloads an obfuscated GIF carrying the Shotput payload; that payload is typically compiled on the same day APT3 sends the phishing emails, which points to a tightly coordinated operation.

Shotput is a DLL backdoor that communicates over HTTP. Its capabilities include uploading and downloading files, managing processes, executing system commands, and collecting system information. The infection chain delivers this custom backdoor onto the victim's system, where it communicates with hardcoded command and control (CnC) addresses, including psa.perrydale[.]com, link.angellroofing[.]com, 107.20.255.57, and 23.99.20.198. Once installed, it can disrupt operations, steal personal data, or even hold data for ransom.

FireEye MVX identifies this threat as a web infection, and the IPS engine reports the attack as CVE-2015-3113. APT3's use of Shotput marks the third time since mid-2014 that the group has exploited a zero-day vulnerability, underscoring its ability to leverage new exploits quickly. The group's persistent and evolving tactics pose a significant threat. Mitigating the risk requires continuous vigilance, advanced threat detection tools, and robust security practices, including user education about phishing and suspicious downloads.
Description last updated: 2024-05-04T16:19:59.733Z
Aliases
No aliases are currently tracked for this malware.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Analyst Notes & Discussion
Source Document References
Information about the SHOTPUT malware was read from the documents in the corpus below (display limited to 20 results).

Source: MITRE | Created: 2 years ago | Title: Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign | Mandiant
Source: MITRE | Created: 2 years ago | Title: Advanced Persistent Threats (APTs) | Threat Actors & Groups
Source: MITRE | Created: 2 years ago | Title: Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak | Mandiant