ThaiCERT    ETDA    MDES
Report
Search
Home > List all groups > List all tools > List all groups using tool Leash

Threat Group Cards: A Threat Actor Encyclopedia

Permanent link Tool: Leash

NamesLeash
CategoryMalware
TypeBackdoor
Description(Palo Alto) The Magic Hound campaign was also discovered deploying an IRC Bot, which we have named MagicHound.Leash. We discovered this connection when we observed a DropIt sample installing a backdoor Trojan that used IRC for its C2 communications.

Leash obtains its commands via private messages (PRIVMSG) sent from the adversary who must also be connected to the IRC server. All of its available commands (see Appendix), except for the VER command seen in Figure 5, must be issued by individuals in the IRC channel with nicknames that start with “AS_” or “AF_”.
Information<https://unit42.paloaltonetworks.com/unit42-magic-hound-campaign-attacks-saudi-targets/>
Malpedia<https://malpedia.caad.fkie.fraunhofer.de/details/win.leash>

Last change to this tool card: 22 April 2020

Download this tool card in JSON format

All groups using tool Leash

ChangedNameCountryObserved

APT groups

 Cutting Kitten, TG-2889Iran2012-Mar 2016X
 Magic Hound, APT 35, Cobalt Gypsy, Charming KittenIran2013-Jan 2021X

2 groups listed (2 APT, 0 other, 0 unknown)

Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency

Follow us on

Facebook Twitter

Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th
PGP Download PGP key