SHOTPUT

Malware Profile Updated 3 months ago
Shotput is a backdoor associated with Advanced Persistent Threat 3 (APT3), a well-known cyber-espionage group. FireEye also detects it as Backdoor.APT.CookieCutter. It is delivered through phishing emails crafted to look like ordinary spam; the attack vector is a Flash file that downloads an obfuscated GIF containing the Shotput payload. The payload is typically compiled on the same day that APT3 sends the phishing emails, which indicates close coordination between exploit delivery and payload preparation.

Shotput itself is a DLL backdoor that communicates over HTTP. Its capabilities include uploading and downloading files, managing processes, executing system commands, and collecting system information. The backdoor communicates with hardcoded command and control (CnC) addresses, including psa.perrydale[.]com, link.angellroofing[.]com, 107.20.255.57, and 23.99.20.198. Once installed, it can be used to disrupt operations, steal personal data, or hold data for ransom.

FireEye MVX classifies this threat as a web infection, and the IPS engine reports the attack as CVE-2015-3113. APT3's use of Shotput marks the third time since mid-2014 that the group has exploited a zero-day vulnerability, underscoring its ability to acquire and deploy new exploits quickly. The group's persistent and evolving tactics remain a significant threat. Mitigating the risk requires continuous vigilance, advanced threat detection tools, and robust security practices, including user education about phishing and suspicious downloads.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Sogu | 1 | SOGU is a malicious software (malware) attributed to TEMP.Hex, a threat actor linked to China. The malware is designed to exploit and damage computer systems, often infiltrating them through suspicious downloads, emails, or websites. Once inside, it can steal personal information, disrupt operations
backdoor.apt.cookiecutter | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Fireeye
Backdoor
Payload
Spam
Zero Day
Phishing
Malware
Exploits
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
APT3 | Unspecified | 1 | APT3, also known as the UPS Team, is a highly sophisticated threat group suspected to be based in China and attributed to the Chinese Ministry of State Security (MSS) and Boyusec. This threat actor targets sectors including Aerospace and Defense, Construction and Engineering, High Tech, Telecommunic
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2015-3113 | Unspecified | 1 | None
Source Document References
Information about the SHOTPUT malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
MITRE | a year ago | Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign | Mandiant
MITRE | a year ago | Advanced Persistent Threats (APTs) | Threat Actors & Groups
MITRE | a year ago | Demonstrating Hustle, Chinese APT Groups Quickly Use Zero-Day Vulnerability (CVE-2015-5119) Following Hacking Team Leak | Mandiant