BIRDWATCH
Description
(Mandiant) Our deep dive also revealed usage of BIRDWATCH and its’ similar variants used by FIN7 and suspected FIN7 groups such as UNC3381. BIRDWATCH is a .NET-based downloader which retrieves payloads over HTTP, writing them to disk and then executing them. BIRDWATCH uploads reconnaissance information from targeted systems as well, which includes running processes, software installed, network configuration, web browser information and active directory data.
BIRDWATCH is often referred to collectively as “JSSLoader”; however, multiple variations of BIRDWATCH exist which we track as separate code families. One variant of BIRDWATCH is CROWVIEW, which is also .NET-based, but has enough code differences from prototypical BIRDWATCH that we cluster it separately. Unlike BIRDWATCH, CROWVIEW can house an embedded payload, can self-delete, supports additional arguments and stores a slightly different configuration.
Names
| Name |
|---|
| BIRDWATCH |
Category
Malware
Type
- Loader
Information
Other Information
Uuid
cf534111-0a03-442d-a487-aecec978ba25
Last Card Change
2022-04-05