Earth Kitsune Analysis

IOB - Indicator of Behavior (17)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 18


Country

us: 12
ru: 4
cn: 2


Actors


Activities

Interest

Timeline


Type


Vendor


Product

Microsoft Windows: 4
Microsoft SQL Server: 2
TRENDnet IP Camera: 2
Openads: 2
Oracle Java SE: 2


Vulnerabilities

# | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | EPSS | CTI | CVE
1 | RARLabs WinRAR ZIP Archive Remote Code Execution | 6.3 | 6.0 | $0-$5k | $0-$5k | High | Official Fix | 0.33850 | 0.00 | CVE-2023-38831
2 | AjaxPro .NET Class deserialization | 7.8 | 7.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.32081 | 0.00 | CVE-2021-23758
3 | Microsoft SQL Server Privilege Escalation | 7.5 | 6.8 | $25k-$100k | $0-$5k | Unproven | Official Fix | 0.01257 | 0.00 | CVE-2022-29143
4 | Microsoft Windows ReFS Local Privilege Escalation | 7.8 | 7.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.00 | CVE-2023-23418
5 | Microsoft Windows Kernel Local Privilege Escalation | 7.8 | 7.1 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.00044 | 0.00 | CVE-2023-23423
6 | Microsoft Windows Kernel Privilege Escalation | 9.2 | 8.4 | $100k and more | $5k-$25k | Unproven | Official Fix | 0.00043 | 0.04 | CVE-2022-29133
7 | Craft CMS Seomatic injection | 6.4 | 6.3 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.96294 | 0.03 | CVE-2020-9757
8 | Vignette Content Management HTML Source Code Password credentials management | 7.5 | 7.5 | $0-$5k | $0-$5k | Not Defined | Unavailable | 0.00752 | 0.00 | CVE-2018-18941
9 | Microsoft Windows Remote Desktop Client Remote Code Execution | 8.0 | 7.3 | $25k-$100k | $5k-$25k | Unproven | Official Fix | 0.02387 | 0.05 | CVE-2022-23285
10 | TRENDnet IP Camera Authentication mjpg.cgi improper authentication | 7.3 | 6.7 | $0-$5k | $0-$5k | Proof-of-Concept | Workaround | 0.00000 | 0.03 | 
11 | vBulletin redirector.php | 6.6 | 6.6 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.00106 | 0.03 | CVE-2018-6200
12 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.01302 | 0.62 | CVE-2007-0354
13 | Openads adclick.php Remote Code Execution | 7.3 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.01871 | 0.18 | CVE-2007-2046
14 | Oracle Java SE JNDI access control | 8.3 | 8.2 | $25k-$100k | $5k-$25k | Not Defined | Official Fix | 0.00346 | 0.00 | CVE-2018-3149
15 | Pivotal Spring Framework ResourceServlet path traversal | 7.0 | 6.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00344 | 0.04 | CVE-2016-9878

Campaigns (1)

These are the campaigns that can be associated with the actor:

  • WhiskerSpy

IOC - Indicator of Compromise (2)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

ID | IP address | Hostname | Actor | Campaigns | Identified | Type | Confidence
1 | 45.76.62.198 | 45.76.62.198.vultrusercontent.com | Earth Kitsune | WhiskerSpy | 02/22/2023 | verified | High
2 | XXX.XX.XXX.XXX | xxx-xxx-xx-xxx.xxxxxxx-xxx | Xxxxx Xxxxxxx | Xxxxxxxxxx | 02/22/2023 | verified | High

TTP - Tactics, Techniques, Procedures (6)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

ID | Technique | Class | Vulnerabilities | Access Vector | Type | Confidence
1 | T1006 | CAPEC-126 | CWE-22 | Path Traversal | predictive | High
2 | T1055 | CAPEC-10 | CWE-74 | Improper Neutralization of Data within XPath Expressions | predictive | High
3 | TXXXX | CAPEC-19 | CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High
4 | TXXXX.XXX | CAPEC-178 | CWE-XXX | Xxxx Xxxxxxxx | predictive | High
5 | TXXXX | CAPEC-108 | CWE-XX | Xxx Xxxxxxxxx | predictive | High
6 | TXXXX | CAPEC- | CWE-XXX | Xxxxxxxxxxx Xxxxxxxxxx | predictive | High

IOA - Indicator of Attack (9)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

ID | Class | Indicator | Type | Confidence
1 | File | /anony/mjpg.cgi | predictive | High
2 | File | adclick.php | predictive | Medium
3 | File | xxxxx.xxx | predictive | Medium
4 | File | xxxxxxxxxx.xxx | predictive | High
5 | File | xxx/xxx/xxxx/xxxx/xxxx/xxxx/x/xxxx/x/xx.xxxx?xxx=xxxxx | predictive | High
6 | Argument | xxxx | predictive | Low
7 | Argument | xx | predictive | Low
8 | Argument | xxx | predictive | Low
9 | Network Port | xxx xxxxxx xxxx | predictive | High

References (2)

The following list contains external sources which discuss the actor and the associated activities:
