vbs.cageychameleon

CageyChameleon

aka: Cabbage RAT

CageyChameleon is a VBS-based backdoor that enumerates the list of running processes and checks it for the presence of several antivirus products. It collects information about the user and host, the current process list, and similar data, sends it to the C2 server, and then continues to issue requests to the C2 to receive and carry out subsequent tasks.

References
2023-11-20 | PWC | Sveva Vittoria Scenarelli
@comment{NOTE(review): the url is a SANS Egnyte file-share link rather than a pwc.com page; such links tend to rot, so verify it still resolves before relying on it.}
@online{scenarelli:20231120:king:0624a7c,
  author       = {Scenarelli, Sveva Vittoria},
  title        = {{King of Thieves: Black Alicanto and the Ecosystem of North Korea-Based Cyber Operations}},
  organization = {PWC},
  date         = {2023-11-20},
  url          = {https://sansorg.egnyte.com/dl/3P3HxFiNgL},
  urldate      = {2023-12-11},
  language     = {English},
}
RustBucket CageyChameleon RustBucket
2023-05-01 | JPCERT/CC | Shusei Tomonaga
@comment{NOTE(review): language is recorded as English but the url path is /ja/, JPCERT/CC's Japanese-language blog; confirm whether the /en/ edition was intended before changing either field.}
@online{tomonaga:20230501:attack:5c3693e,
  author       = {Tomonaga, Shusei},
  title        = {{Attack trends related to the attack campaign DangerousPassword}},
  organization = {JPCERT/CC},
  date         = {2023-05-01},
  url          = {https://blogs.jpcert.or.jp/ja/2023/05/dangerouspassword.html},
  urldate      = {2023-07-11},
  language     = {English},
}
RustBucket CageyChameleon Cur1Downloader SnatchCrypto
2023-01-25 | Proofpoint | Greg Lesnewich, Proofpoint Threat Research Team
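@comment{Corporate co-author is double-braced so BibTeX treats "Proofpoint Threat Research Team" as one indivisible name instead of splitting it into given name "Proofpoint Threat Research" and surname "Team".}
@online{lesnewich:20230125:ta444:ae76e7b,
  author       = {Lesnewich, Greg and {Proofpoint Threat Research Team}},
  title        = {{TA444: The APT Startup Aimed at Acquisition (of Your Funds)}},
  organization = {Proofpoint},
  date         = {2023-01-25},
  url          = {https://www.proofpoint.com/us/blog/threat-insight/ta444-apt-startup-aimed-at-your-funds},
  urldate      = {2023-01-25},
  language     = {English},
}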
CageyChameleon
2022-11-29 | Qianxin | Red Raindrop Team
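@comment{Corporate author is double-braced so BibTeX keeps "Red Raindrop Team" as a single name instead of parsing the surname as "Team".}
@online{team:20221129:job:1749e9c,
  author       = {{Red Raindrop Team}},
  title        = {{Job hunting trap: Analysis of Lazarus attack activities using recruitment information such as Mizuho Bank of Japan as bait}},
  organization = {Qianxin},
  date         = {2022-11-29},
  url          = {https://mp.weixin.qq.com/s/nnLqUBPX8xZ3hCr5u-iSjQ},
  urldate      = {2023-07-11},
  language     = {Chinese},
}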
CageyChameleon Cur1Downloader
2022-08-11 | PWC | Sveva Vittoria Scenarelli, Allison Wikoff
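@comment{The url previously pointed at a Google search redirect (google.com/url?...&url=...) carrying session/tracking parameters; it has been replaced with the direct i.blackhat.com target decoded from that redirect's url= parameter, which is the resource actually being cited.}
@online{scenarelli:20220811:talent:faaba19,
  author       = {Scenarelli, Sveva Vittoria and Wikoff, Allison},
  title        = {{Talent Need Not Apply. Tradecraft and Objectives of Job-themed APT Social Engineering}},
  organization = {PWC},
  date         = {2022-08-11},
  url          = {https://i.blackhat.com/USA-22/Thursday/US-22-Wikoff-Talent-Need-Not-Apply.pdf},
  urldate      = {2023-04-25},
  language     = {English},
}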
CageyChameleon
2022-01-13 | Kaspersky Labs | Seongsu Park, Vitaly Kamluk
@online{park:20220113:bluenoroff:a3ce5e4,
  author       = {Park, Seongsu and Kamluk, Vitaly},
  title        = {{The BlueNoroff cryptocurrency hunt is still on}},
  organization = {Kaspersky Labs},
  date         = {2022-01-13},
  url          = {https://securelist.com/the-bluenoroff-cryptocurrency-hunt-is-still-on/105488/},
  urldate      = {2023-08-10},
  language     = {English},
}
CageyChameleon SnatchCrypto WebbyTea
2021-05 | ClearSky | ClearSky
@techreport{clearsky:202105:attributing:67fb261,
  author      = {ClearSky},
  title       = {{Attributing Attacks Against Crypto Exchanges to LAZARUS – North Korea}},
  institution = {ClearSky},
  date        = {2021-05},
  url         = {https://www.clearskysec.com/wp-content/uploads/2021/05/CryptoCore-Lazarus-Clearsky.pdf},
  urldate     = {2021-06-09},
  language    = {English},
}
CageyChameleon
2020-10-03 | VB Localhost | Takai Hajime, Shogo Hayashi, Rintaro Koike
@comment{NOTE(review): "Takai Hajime" is kept in First Last form, so BibTeX parses the surname as "Hajime" (matching the citation key). If the surname is actually Takai, write {Takai, Hajime} and regenerate the key; confirm against the VB2020 programme.}
@online{hajime:20201003:unveiling:826bb2b,
  author       = {Takai Hajime and Hayashi, Shogo and Koike, Rintaro},
  title        = {{Unveiling the CryptoMimic}},
  organization = {VB Localhost},
  date         = {2020-10-03},
  url          = {https://vb2020.vblocalhost.com/conference/presentations/unveiling-the-cryptomimic/},
  urldate      = {2023-05-24},
  language     = {English},
}
CageyChameleon SnatchCrypto
2020-06-26 | Atlas Cybersecurity | Atlas Cybersecurity
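@comment{Corporate author is double-braced so BibTeX keeps "Atlas Cybersecurity" as one name instead of splitting it into given name "Atlas" and surname "Cybersecurity".}
@online{cybersecurity:20200626:cryptocore:19a42eb,
  author       = {{Atlas Cybersecurity}},
  title        = {{CryptoCore – Cryptocurrency Exchanges Under Attack}},
  organization = {Atlas Cybersecurity},
  date         = {2020-06-26},
  url          = {https://atlas-cybersecurity.com/cyber-threats/cryptocore-cryptocurrency-exchanges-under-attack/},
  urldate      = {2021-06-08},
  language     = {English},
}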
CageyChameleon
2020-06-24 | ClearSky | ClearSky Research Team
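@comment{Corporate author is double-braced so BibTeX keeps "ClearSky Research Team" as one name instead of parsing the surname as "Team".}
@techreport{team:20200624:cryptocore:c9dde67,
  author      = {{ClearSky Research Team}},
  title       = {{CryptoCore: A Threat Actor Targeting Cryptocurrency Exchanges}},
  institution = {ClearSky},
  date        = {2020-06-24},
  url         = {https://www.clearskysec.com/wp-content/uploads/2020/06/CryptoCore_Group.pdf},
  urldate     = {2021-06-09},
  language    = {English},
}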
CageyChameleon
2020-06-24 | ClearSky | ClearSky Research Team
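@comment{Corporate author is double-braced so BibTeX keeps "ClearSky Research Team" as one name instead of parsing the surname as "Team". This is the web-page announcement; the PDF report of the same date is a separate entry.}
@online{team:20200624:cryptocore:16e4ad2,
  author       = {{ClearSky Research Team}},
  title        = {{CryptoCore Group : A Threat Actor Targeting Cryptocurrency Exchanges}},
  organization = {ClearSky},
  date         = {2020-06-24},
  url          = {https://www.clearskysec.com/cryptocore-group/},
  urldate      = {2021-06-21},
  language     = {English},
}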
CageyChameleon
2020-05-06 | Cyber Struggle | Cyber Struggle
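@comment{Corporate author is double-braced so BibTeX keeps "Cyber Struggle" as one name instead of splitting it into given name "Cyber" and surname "Struggle".}
@techreport{struggle:20200506:leery:ec06996,
  author      = {{Cyber Struggle}},
  title       = {{Leery Turtle Threat Report}},
  institution = {Cyber Struggle},
  date        = {2020-05-06},
  url         = {https://cyberstruggle.org/delta/LeeryTurtleThreatReport_05_20.pdf},
  urldate     = {2021-06-09},
  language    = {English},
}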
CageyChameleon
2020-04-02 | Github (StrangerealIntel) | StrangerealIntel
@online{strangerealintel:20200402:dangerous:f169889,
  author       = {StrangerealIntel},
  title        = {{Dangerous Password}},
  organization = {Github (StrangerealIntel)},
  date         = {2020-04-02},
  url          = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/offshore%20APT%20organization/DangerousPassword/2020-04-02/Analysis.md},
  urldate      = {2023-07-19},
  language     = {English},
}
CageyChameleon
2019-11-21 | ThreatBook | ThreatBook
@comment{NOTE(review): the url appears to be double percent-encoded (%2520 where a single %20 space escape would be expected, %25E2%2580%259C for the curly quotes). It is kept verbatim as recorded; check whether the server resolves it before normalising to single encoding.}
@techreport{threatbook:20191121:nightmare:f88dec3,
  author      = {ThreatBook},
  title       = {{The Nightmare of Global Cryptocurrency Companies -Demystifying the “DangerousPassword” of the APT Organization}},
  institution = {ThreatBook},
  date        = {2019-11-21},
  url         = {https://threatbook.cn/ppt/The%2520Nightmare%2520of%2520Global%2520Cryptocurrency%2520Companies%2520-%2520Demystifying%2520the%2520%25E2%2580%259CDangerousPassword%25E2%2580%259D%2520of%2520the%2520APT%2520Organization.pdf},
  urldate     = {2023-06-22},
  language    = {English},
}
CageyChameleon SnatchCrypto
2019-07-09 | JPCERT/CC | Tomoaki Tani, Yukako Uchida
@online{tani:20190709:spear:e571fac,
  author       = {Tani, Tomoaki and Uchida, Yukako},
  title        = {{Spear Phishing against Cryptocurrency Businesses}},
  organization = {JPCERT/CC},
  date         = {2019-07-09},
  url          = {https://blogs.jpcert.or.jp/en/2019/07/spear-phishing-against-cryptocurrency-businesses.html},
  urldate      = {2023-06-22},
  language     = {English},
}
CageyChameleon
2019-03-14 | Proofpoint | Proofpoint
@online{proofpoint:20190314:daily:859e554,
  author       = {Proofpoint},
  title        = {{Daily Ruleset Update Summary 2019/03/14}},
  organization = {Proofpoint},
  date         = {2019-03-14},
  url          = {https://www.proofpoint.com/us/daily-ruleset-update-summary-20190314},
  urldate      = {2021-06-08},
  language     = {English},
}
CageyChameleon

There is no YARA signature yet.