Industroyer Analysis

💳 Purchase Required

You need to purchase an additional CTI license to see detailed indicators.

IOB - Indicator of Behavior (168)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

zh88
en70
de10

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Country

us82
ch42
cn38
ru2
lu2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Actors

TeleBots2
Industroyer1
AsyncRAT1
Cobalt Strike1
ISFB1

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Activities

Interest

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Type

Not Defined56
Router Operating System12
Content Management System10
WordPress Plugin6
Network Management Software6

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vendor

Not Defined48
Juniper6
Microsoft6
Wowza6
Apache4

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Product

Juniper Junos OS6
Wowza Streaming Engine6
Microsoft Windows4
WP Statistics Plugin4
Apache Guacamole2

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Vulnerabilities

#VulnerabilityBaseTemp0dayTodayExpRemEPSSCTICVE
1Zend Framework SQL Statement order sql injection7.36.6$5k-$25k$0-$5kProof-of-ConceptOfficial Fix0.000000.04
2Backdoor.Win32.Tiny.c Service Port 7778 backdoor7.36.4$0-$5k$0-$5kProof-of-ConceptWorkaround0.000000.04
3phpLDAPadmin LDAP injection ldap injection8.57.7$0-$5k$0-$5kProof-of-ConceptNot Defined0.192500.05CVE-2018-12689
4adminlte cookie httponly flag5.55.5$0-$5k$0-$5kNot DefinedOfficial Fix0.001590.04CVE-2021-3706
5Oracle Primavera Unifier Document Manager information disclosure7.27.1$5k-$25k$0-$5kNot DefinedOfficial Fix0.003670.05CVE-2023-44981
6OPNsense Login Page redirect5.55.5$0-$5k$0-$5kNot DefinedNot Defined0.001790.01CVE-2020-23015
7jc21 NGINX Proxy Manager Access List os command injection5.55.5$0-$5k$0-$5kNot DefinedNot Defined0.014840.05CVE-2023-23596
8Cacti LDAP improper authentication6.36.3$0-$5k$0-$5kNot DefinedNot Defined0.004470.04CVE-2022-0730
9ISPConfig sql injection6.36.3$0-$5k$0-$5kNot DefinedOfficial Fix0.001520.00CVE-2021-3021
10Linux Kernel NILFS File System inode.c security_inode_alloc use after free8.38.1$25k-$100k$0-$5kNot DefinedOfficial Fix0.000420.02CVE-2022-2978
11phpMyAdmin Two-factor Authentication improper authentication6.36.0$5k-$25k$0-$5kNot DefinedOfficial Fix0.000540.04CVE-2022-23807
12DSpace path traversal7.06.8$0-$5k$0-$5kNot DefinedOfficial Fix0.002880.00CVE-2016-10726
13RouterOS Upgrade Package code download7.47.4$0-$5k$0-$5kNot DefinedNot Defined0.001760.02CVE-2019-3977
14WP Statistics Plugin class-wp-statistics-hits.php sql injection8.58.4$0-$5k$0-$5kNot DefinedNot Defined0.269550.00CVE-2022-0651
15Crow HTTP Pipelining use after free8.58.4$0-$5k$0-$5kNot DefinedOfficial Fix0.007910.04CVE-2022-38667
16mySCADA myPRO command injection9.29.0$0-$5k$0-$5kNot DefinedOfficial Fix0.001050.03CVE-2022-2234
17GNU Bash Environment Variable variables.c Shellshock os command injection9.89.6$25k-$100k$0-$5kHighOfficial Fix0.975590.00CVE-2014-6271
18Microsoft Windows Remote Desktop Client Remote Code Execution8.87.7$100k and more$5k-$25kUnprovenOfficial Fix0.049270.04CVE-2021-38666
19MailGates/MailAudit command injection8.88.4$0-$5k$0-$5kNot DefinedOfficial Fix0.001620.01CVE-2020-25849
20Juniper Junos OS J-Web input validation7.87.5$5k-$25k$0-$5kNot DefinedOfficial Fix0.000440.00CVE-2021-0278

IOC - Indicator of Compromise (7)

These indicators of compromise highlight associated network ressources which are known to be part of research and attack activities.

IDIP addressHostnameActorCampaignsIdentifiedTypeConfidence
15.39.218.152Industroyer12/23/2020verifiedHigh
246.28.200.132hosted-by.solarcom.chIndustroyer12/23/2020verifiedHigh
3XX.XXX.XXX.XXXXxxxxxxxxxx07/21/2022verifiedHigh
4XX.XXX.XX.XXXxxxxxxxxxx12/23/2020verifiedHigh
5XXX.XX.XXX.XXxx-xxxxxx-xxx-xx-xxx-xx.xxxxxx.xxXxxxxxxxxxx12/23/2020verifiedHigh
6XXX.XX.XX.Xxxxxxxxxxxx.xxxxxxxxxxx.xxxXxxxxxxxxxx12/23/2020verifiedHigh
7XXX.XXX.XX.XXXxxxxxxxxxx07/21/2022verifiedHigh

TTP - Tactics, Techniques, Procedures (18)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

IDTechniqueClassVulnerabilitiesAccess VectorTypeConfidence
1T1006CAPEC-126CWE-21, CWE-22Path TraversalpredictiveHigh
2T1055CAPEC-10CWE-74Improper Neutralization of Data within XPath ExpressionspredictiveHigh
3T1059CAPEC-242CWE-94Argument InjectionpredictiveHigh
4T1059.007CAPEC-209CWE-79, CWE-80Cross Site ScriptingpredictiveHigh
5TXXXXCAPEC-122CWE-XXX, CWE-XXX, CWE-XXXXxxxxxxxx Xxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
6TXXXX.XXXCAPEC-191CWE-XXXXxxx-xxxxx XxxxxxxxxxxpredictiveHigh
7TXXXXCAPEC-136CWE-XX, CWE-XXXxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx XxxxxxxxxpredictiveHigh
8TXXXX.XXXCAPEC-178CWE-XXXXxxx XxxxxxxxpredictiveHigh
9TXXXXCAPEC-CWE-XXX7xx Xxxxxxxx XxxxxxxxpredictiveHigh
10TXXXXCAPEC-1CWE-XXX, CWE-XXXXxxxxxxxxx XxxxxxpredictiveHigh
11TXXXXCAPEC-184CWE-XXXXxxxxxxx Xx Xxxx Xxxxxxx Xxxxxxxxx XxxxxpredictiveHigh
12TXXXXCAPEC-108CWE-XX, CWE-XXXxx XxxxxxxxxpredictiveHigh
13TXXXXCAPEC-38CWE-XXXXxxxxxxxx Xxxxxx XxxxpredictiveHigh
14TXXXX.XXXCAPEC-459CWE-XXXXxxxxxxx Xxxxxxxxxxx XxxxxxxxxxpredictiveHigh
15TXXXX.XXXCAPEC-133CWE-XXXXxxxxxxxpredictiveHigh
16TXXXXCAPEC-116CWE-XXXXxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx XxxxxxxxxxxpredictiveHigh
17TXXXX.XXXCAPEC-112CWE-XXX, CWE-XXXXxx Xxxxxxxxxx XxxxxpredictiveHigh
18TXXXX.XXXCAPEC-1CWE-XXXXxxxxxxxxx Xxxxxxxxxxxxxx Xx Xxxxxxxx Xxxx XxxxxxxxxpredictiveHigh

IOA - Indicator of Attack (65)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

IDClassIndicatorTypeConfidence
1File/cgi-bin/supervisor/PwdGrp.cgipredictiveHigh
2File/CMD_SELECT_USERSpredictiveHigh
3File/dashboard/updatelogo.phppredictiveHigh
4File/dcim/sites/add/predictiveHigh
5File/enginemanager/server/user/delete.htmpredictiveHigh
6File/etc/openshift/server_priv.pempredictiveHigh
7File/forum/away.phppredictiveHigh
8File/goform/delAdpredictiveHigh
9File/xxxxx.xxxpredictiveMedium
10File/xxxxxx/xxx/xxxxxxx.xxxpredictiveHigh
11File/xxxxx-xxxxxx/xxxxx.xxxpredictiveHigh
12File/xxxxx?xxxxxxpredictiveHigh
13File/xxxxxxpredictiveLow
14Filexxxxxxx.xxxpredictiveMedium
15Filexxx_xxxxx.xxxpredictiveHigh
16Filexxxxxxxxxxxxxxx.xxxpredictiveHigh
17Filexxx.xxx?xxx=xxxxx_xxxxpredictiveHigh
18Filexxxx/xxxxxxxxxxxxxxxxxxxxxxxxx.xxpredictiveHigh
19Filexx.xpredictiveLow
20Filexxxxx.xxxpredictiveMedium
21Filexxxxxx.xxxpredictiveMedium
22Filexxxxxxxxxxxxx/xxxxxxxxxxx.xxxxpredictiveHigh
23Filexxxxxxxxxxxxx/xxxxxx/xxxxxxxxxxx/xxxx_xxx.xxxpredictiveHigh
24Filexxxx.xxxpredictiveMedium
25Filexxxxx.xpredictiveLow
26Filexxx/xxxxxxxxxxxxxxxxxxxxxxxxx.xxxpredictiveHigh
27Filexxxxx_xxxxxxx.xxxpredictiveHigh
28Filexxxx.xxxpredictiveMedium
29Filexxxxx.xxxxpredictiveMedium
30Filexxxxxx/xxxxxxxxxxx/xxxxxxxxpredictiveHigh
31Filexxxxxx/predictiveLow
32Filexxxx/xxx/xxxx-xxxxx.xxxpredictiveHigh
33Filexxxxxxxxx.xpredictiveMedium
34Filexxx_xxxxx.xxxxpredictiveHigh
35Filexxx/xxxxxx/xxxxxxxxxxxxx.xxxpredictiveHigh
36Filexx-xxxxx/xxxxx-xxxx.xxxpredictiveHigh
37File~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xxxx.xxxpredictiveHigh
38File~/xxxxxxxx/xxxxx-xx-xxxxxxxxxx-xx.xxxpredictiveHigh
39File~/xxx/xxxxxxx/xxxxxxxxxxxxx.xxxpredictiveHigh
40ArgumentxxxxpredictiveLow
41ArgumentxxxxxpredictiveLow
42ArgumentxxxpredictiveLow
43Argumentxxxxxx_xxxx_xxxxxxxxpredictiveHigh
44Argumentxxxxxxx_xxxx_xxxxpredictiveHigh
45Argumentxxx_xxxx/xxx_xxxxxxxpredictiveHigh
46ArgumentxxxxxxxxxxxpredictiveMedium
47ArgumentxxpredictiveLow
48ArgumentxxpredictiveLow
49Argumentxxxx/xxx_xxxxxxxxxpredictiveHigh
50ArgumentxxxxxxxxpredictiveMedium
51ArgumentxxxxxxxpredictiveLow
52Argumentxxx_xxpredictiveLow
53ArgumentxxxxxxxxxxpredictiveMedium
54ArgumentxxxxxxpredictiveLow
55Argumentxxxxxx/xxxxxx_xxxxxxpredictiveHigh
56Argumentxxxxxx_xxpredictiveMedium
57ArgumentxxxpredictiveLow
58ArgumentxxxpredictiveLow
59ArgumentxxxxxxxxpredictiveMedium
60Argumentxxxxx/xxxxxpredictiveMedium
61Input Value"><xxxxxx>xxxxx(/xxx/)</xxxxxx>predictiveHigh
62Input Valuexxxxx' xxx (xxxxxx xxxx xxxx (xxxxxx(xxxxx(x)))xxxx) xxx 'xxxx'='xxxx&xxxxxxxx=xxxxxxxxxxpredictiveHigh
63Input Valuexxx_xxx_xxxx_xxxx'"><xxxxxx>xxxxx(/xxxxx.xx/)</xxxxxx>predictiveHigh
64Pattern() {predictiveLow
65Network Portxxx/xxxxpredictiveMedium

References (3)

The following list contains external sources which discuss the actor and the associated activities:

PreviousOverviewNext

Might our Artificial Intelligence support you?

Check our Alexa App!