Skip to main content
Mallory
Back to malware
MalwareUsed by 2 actorsExploits 1 CVE

CustomTCP

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2015-7501Apache Commons Collections Java Deserialization RCEExploited in the wild

It is our hypothesis that these legitimate compromised sites were all compromised sometime after early November using CVE-2015-7501 [7,8] and publicly available exploit code [9].

via proofpoint threat insight blogproofpoint.com
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
APT19

Several items of importance were located in this archive... a custom Trojan (aka, CustomTCP) that beacons to port 22... The CustomTCP Trojan was covered in a recent article and tentatively attributed to C0d0s0, while also explaining the same similarities we discussed earlier to the November 2014 Forbes watering hole attack.

via proofpoint threat insight blogproofpoint.com
C0d0so

Several items of importance were located in this archive... a custom Trojan (aka, CustomTCP) that beacons to port 22... The CustomTCP Trojan was covered in a recent article and tentatively attributed to C0d0s0, while also explaining the same similarities we discussed earlier to the November 2014 Forbes watering hole attack.

via proofpoint threat insight blogproofpoint.com
MITRE ATT&CK

Techniques & procedures

5 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1190Exploit Public-Facing ApplicationEvidence1
TacticInitial Access

It is our hypothesis that these legitimate compromised sites were all compromised sometime after early November using CVE-2015-7501 and publicly available exploit code.

Execution

2 techniques
T1059.005Visual BasicEvidence1
TacticExecution

Several items of importance were located in this archive, including VBS downloaders... Both VBS scripts operate very similarly...

T1574.001DLLEvidence1
TacticsExecutionStealth

Like the custom downloader/McAltLib.dll payload, Rekaf/dbgeng.dll utilizes a signed, legitimate executable (iefix.exe) and DLL Search Order Hijacking for execution.

Stealth

1 technique
T1574.001DLLEvidence1
TacticsExecutionStealth

Like the custom downloader/McAltLib.dll payload, Rekaf/dbgeng.dll utilizes a signed, legitimate executable (iefix.exe) and DLL Search Order Hijacking for execution.

Command and Control

2 techniques
T1095Non-Application Layer ProtocolEvidence1
TacticCommand and Control

a custom Trojan (aka, CustomTCP) that beacons to port 22

T1105Ingress Tool TransferEvidence1
TacticCommand and Control

In one instance related to this cluster of activity, we observed Bergard receive instructions from its C2 to retrieve a PNG file containing an encoded PlugX payload... Rekaf supported commands... upload: Download file from C2 ... update: Retrieve an updated payload.

INDICATORS OF COMPROMISE

IOCs tracked for this family

23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

View more in app
Network
7 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
16 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

TypeValueLatest sighting
domain●●●●●●●●●●●●View more in app10 years ago
domain●●●●●●●●●●●●View more in app10 years ago
hash.md5●●●●●●●●●●●●View more in app10 years ago
hash.md5●●●●●●●●●●●●View more in app10 years ago
hash.md5●●●●●●●●●●●●View more in app10 years ago
hash.md5●●●●●●●●●●●●View more in app10 years ago
ACTIVITY FEED

Recent activity

1 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

1 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching23

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution2

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping5

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.