APT37 Analysis

IOB - Indicator of Behavior (117)

Timeline

The data in this chart does not reflect real data. It is dummy data, distorted and not usable in any way. You need an additional purchase to unlock this view to get access to more details of real data.

Lang

en: 82
de: 26
pl: 4
es: 4
zh: 2

Country

us: 98
pl: 14
ru: 4
vn: 2

Actors

Activities

Interest

Timeline

Type

Vendor

Product

phpMyAdmin: 6
nginx: 2
FLDS: 2
MGB OpenSource Guestbook: 2
Lars Ellingsen Guestserver: 2

Vulnerabilities

| # | Vulnerability | Base | Temp | 0day | Today | Exp | Rem | CTI | EPSS | CVE |
|---|---------------|------|------|------|-------|-----|-----|-----|------|-----|
| 1 | PHP phpinfo cross site scripting | 4.3 | 3.9 | $5k-$25k | $0-$5k | Proof-of-Concept | Official Fix | 0.05 | 0.02101 | CVE-2007-1287 |
| 2 | Lars Ellingsen Guestserver guestbook.cgi cross site scripting | 4.3 | 4.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.07 | 0.00169 | CVE-2005-4222 |
| 3 | RDM Intuitive 650 TDB Controller Password access control | 7.5 | 7.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00206 | CVE-2016-4505 |
| 4 | Siemens EN100 Ethernet Module Web Server Memory information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00516 | CVE-2016-4785 |
| 5 | DZCP deV!L`z Clanportal config.php code injection | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.70 | 0.00943 | CVE-2010-0966 |
| 6 | Siemens EN100 Ethernet Module Web Server information disclosure | 5.3 | 5.2 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.03 | 0.00516 | CVE-2016-4784 |
| 7 | RDM Intuitive 650 TDB Controller cross-site request forgery | 6.1 | 5.8 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.00 | 0.00069 | CVE-2016-4506 |
| 8 | TikiWiki tiki-register.php input validation | 7.3 | 6.6 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 10.00 | 0.01009 | CVE-2006-6168 |
| 9 | LogicBoard CMS away.php redirect | 6.3 | 6.1 | $0-$5k | $0-$5k | Not Defined | Unavailable | 5.08 | 0.00000 | |
| 10 | MGB OpenSource Guestbook email.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.52 | 0.01302 | CVE-2007-0354 |
| 11 | FLDS redir.php sql injection | 7.3 | 7.3 | $0-$5k | $0-$5k | High | Unavailable | 0.06 | 0.00203 | CVE-2008-5928 |
| 12 | SourceCodester Employee and Visitor Gate Pass Logging System GET Parameter view_designation.php sql injection | 7.1 | 6.9 | $0-$5k | $0-$5k | Proof-of-Concept | Not Defined | 0.11 | 0.00135 | CVE-2023-2090 |
| 13 | Apple Mac OS X Server Wiki Server sql injection | 5.3 | 4.6 | $5k-$25k | $0-$5k | Unproven | Official Fix | 0.06 | 0.00339 | CVE-2015-5911 |
| 14 | Responsive Menus Configuration Setting responsive_menus.module responsive_menus_admin_form_submit cross site scripting | 3.2 | 3.2 | $0-$5k | $0-$5k | Not Defined | Official Fix | 0.06 | 0.00073 | CVE-2018-25085 |
| 15 | PHPWind goto.php redirect | 6.3 | 6.3 | $0-$5k | $0-$5k | Not Defined | Not Defined | 0.04 | 0.00348 | CVE-2015-4134 |
| 16 | Winn Winn GuestBook addPost cross site scripting | 4.3 | 4.1 | $0-$5k | $0-$5k | High | Official Fix | 0.02 | 0.00336 | CVE-2011-5026 |
| 17 | Cplinks cpDynaLinks category.php sql injection | 7.3 | 7.1 | $0-$5k | Calculating | High | Unavailable | 0.02 | 0.00387 | CVE-2007-5408 |
| 18 | vldPersonals index.php cross site scripting | 4.3 | 3.9 | $0-$5k | $0-$5k | Proof-of-Concept | Official Fix | 0.04 | 0.00155 | CVE-2014-9004 |
| 19 | esoftpro Online Guestbook Pro ogp_show.php sql injection | 7.3 | 7.1 | $0-$5k | $0-$5k | High | Unavailable | 0.07 | 0.00135 | CVE-2010-4996 |
| 20 | PHP locale_methods.c get_icu_disp_value_src_php memory corruption | 8.5 | 8.4 | $5k-$25k | $0-$5k | Not Defined | Official Fix | 0.04 | 0.01086 | CVE-2014-9912 |

Campaigns (3)

These are the campaigns that can be associated with the actor:

IOC - Indicator of Compromise (6)

These indicators of compromise highlight associated network resources which are known to be part of research and attack activities.

TTP - Tactics, Techniques, Procedures (8)

Tactics, techniques, and procedures summarize the suspected MITRE ATT&CK techniques used. This data is unique as it uses our predictive model for actor profiling.

| ID | Technique | Vulnerabilities | Access Vector | Type | Confidence |
|----|-----------|-----------------|---------------|------|------------|
| 1 | T1059 | CWE-94 | Argument Injection | predictive | High |
| 2 | T1059.007 | CWE-79, CWE-80 | Cross Site Scripting | predictive | High |
| 3 | TXXXX | CWE-XXX | Xxxxxxxxx Xxxx Xxxxxxxxxxx Xxxxxxxxxx | predictive | High |
| 4 | TXXXX | CWE-XXX | Xxxxxxx Xxxxx Xx Xxxxxxxxxx Xxxxxxxxxx Xxxxxxxxx | predictive | High |
| 5 | TXXXX.XXX | CWE-XXX | Xxxxx Xxxxxxxx | predictive | High |
| 6 | TXXXX | CWE-XX | Xxx Xxxxxxxxx | predictive | High |
| 7 | TXXXX | CWE-XXX | Xxxxxxxxxx Xx Xxxxxxx Xxxxx Xxxxxxx Xxxxxxxxx Xxxxxxxxxxx | predictive | High |
| 8 | TXXXX | CWE-XXX | Xxxxxxxxxxxxx Xxxxxx | predictive | High |

IOA - Indicator of Attack (29)

These indicators of attack list the potential fragments used for technical activities like reconnaissance, exploitation, privilege escalation, and exfiltration. This data is unique as it uses our predictive model for actor profiling.

| ID | Class | Indicator | Type | Confidence |
|----|-------|-----------|------|------------|
| 1 | File | /admin/maintenance/view_designation.php | predictive | High |
| 2 | File | /forum/away.php | predictive | High |
| 3 | File | adclick.php | predictive | Medium |
| 4 | File | category.php | predictive | Medium |
| 5 | File | xxxxx.xxx | predictive | Medium |
| 6 | File | xxxxxxxx/xxxxxx.xxx | predictive | High |
| 7 | File | xxx/xxxx/xxxxxx/xxxxxx_xxxxxxx.x | predictive | High |
| 8 | File | xxxxxxxxxxx.xxx | predictive | High |
| 9 | File | xxxx.xxx | predictive | Medium |
| 10 | File | xxxxxxxxx.xxx | predictive | High |
| 11 | File | xxx/xxxxxx.xxx | predictive | High |
| 12 | File | xxxxxxxx/xxxxxxx.xxx | predictive | High |
| 13 | File | xxxxx.xxx | predictive | Medium |
| 14 | File | xxxxxxxxx/xxxxxx.xxx | predictive | High |
| 15 | File | xxx_xxxx.xxx | predictive | Medium |
| 16 | File | xxxxx.xxx | predictive | Medium |
| 17 | File | xxxxxxxxxx_xxxxx.xxxxxx | predictive | High |
| 18 | File | xxxx-xxxxxxxx.xxx | predictive | High |
| 19 | File | xx-xxxxxxxx/xxxxx-xx-xxxxx.xxx | predictive | High |
| 20 | Argument | xxxxxxxx | predictive | Medium |
| 21 | Argument | xxxxxxxx | predictive | Medium |
| 22 | Argument | xxxx | predictive | Low |
| 23 | Argument | xx | predictive | Low |
| 24 | Argument | xxx | predictive | Low |
| 25 | Argument | xxxx | predictive | Low |
| 26 | Argument | xxxxxxxx | predictive | Medium |
| 27 | Argument | xxxxxx | predictive | Low |
| 28 | Argument | xxxxxxxx | predictive | Medium |
| 29 | Argument | xxx | predictive | Low |

References (5)

The following list contains external sources which discuss the actor and the associated activities: