{ "type": "bundle", "id": "bundle--5f1ac471-f022-4353-9b3b-bccde011cbdf", "objects": [ { "type": "threat-actor", "spec_version": "2.1", "id": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "created": "2021-07-21T11:34:40.013631Z", "modified": "2022-09-16T14:24:17.664875Z", "name": "[CERT-CIS] APT31", "description": "Under construction (30.07.2021) Alleged nationality group People's Republic of China (CHN) Overview APT31 ( aka Zirconium, Judgment Panda) is believed to be a Chinese APT group acting on behalf of the People's Republic of China (CHN) and first seen in 2014. According to recent Occidental countries official statements about malicious cyber activity conducted by China, APT31 is likely affiliated to the Ministry of State of Security (aka MSS). APT31 has demonstrated a high-level sophistication targeting individuals associated with POTUS J.Biden during 2020 presidential's run, targeting Finnish Parliament in 2020 or leveraging the so-called \"EpMe\" ( aka Jian) US-alleged APT actors of Equation Group zero-day years before Shadow Brokers made the case public. In July 2021, a coalition composed by Five Eyes members, EU, NATO and led by USA officially attributed the March 2021 infamous Microsoft Exchange attack (allowed by the Proxylogon flaw) to China state-backed groups APT40 and APT31. By the way, they named APT31 and APT40 the two groups behind the HAFNIUM group spotted by Microsoft during its investigations. Geographic victimology Targeted countries : Asia IND PAK AFG KAZ KGZ TJK UZB Sectoral victimology To our best knowledge and as of writing, APT31 has targeted the following sectors : Nation State Aerospace and National Defense contractors Cable and Telecommunication Mining and Quarrying Research organisations Tactics, Techniques & Procedures See associations tab (for associated TTPs) and attachment tab (for JSON and EXCEL TTPs mapping) Tools APT31 threat actors have been observed leveraging the following tools : Icefog PlugX (C2 infrastructure) Royal Road RTF weaponizer Poison Ivy Shadow Pad PCShare (RAT) Quickheal Axiomaticasymptote (alleged C2 infrastructure for the ShadowPad backdoor) References [1] Insikt Group., Threat activity group RedFoxtrot linked to China's PLA Unit 69010 ; targets bordering asian countries , RECORDED FUTURE : 2021. [online] . Available at : https://www.recordedfuture.com/redfoxtrot-china-pla-targets-bordering-asian-countries/ . (Last accessed : 29.06.2021).", "threat_actor_types": [ "nation-state" ], "aliases": [ "Judgment Panda", " Zirconium" ], "labels": [ "[CHN]" ], "object_marking_refs": [ "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82" ] }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062", "created": "2021-05-26T15:03:33.033027Z", "modified": "2022-10-20T08:33:13.445744Z", "name": "T1027.002 - Obfuscated Files or Information: Software Packing", "description": "

T1027.002 - Obfuscated Files or Information: Software Packing

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.[1]

\n

Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.[2]

Other sub-techniques of User Execution (6)

ID Name
T1027.001 Binary Padding
T1027.002 Software Packing
T1027.003 Steganography
T1027.004 Compile After Delivery
T1027.005 Indicator Removal from Tools
T1027.006 HTML Smuggling

Procedure Examples

ID Name Description
S0504 Anchor Anchor has come with a packed payload.[3]
S0622 AppleSeed AppleSeed has used UPX packers for its payload DLL.[4]
G0016 APT29 APT29 used UPX to pack files.[5]
G0022 APT3 APT3 has been known to pack their tools.[6][7]
G0082 APT38 APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.[8]
G0087 APT39 APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.[9][10]
S0373 Astaroth Astaroth uses a software packer called Pe123\\RPolyCryptor.[11]
S0638 Babuk Versions of Babuk have been packed.[12][13][14]
S0534 Bazar Bazar has a variant with a packed payload.[15][16]
S0268 Bisonal Bisonal has used the MPRESS packer and similar tools for obfuscation.[17]
S0520 BLINDINGCAN BLINDINGCAN has been packed with the UPX packer.[18]
S0020 China Chopper China Chopper's client component is packed with UPX.[19]
S0611 Clop Clop has been packed to help avoid detection.[20][21]
S0614 CostaBricks CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.[22]
S0527 CSPY Downloader CSPY Downloader has been packed with UPX.[23]
S0625 Cuba Cuba has a packed payload when delivered.[24]
G0070 Dark Caracal Dark Caracal has used UPX to pack Bandook.[25]
S0334 DarkComet DarkComet has the option to compress its payload using UPX or MPRESS.[26]
S0187 Daserf A version of Daserf uses the MPRESS packer.[27]
S0281 Dok Dok is packed with an UPX executable packer.[28]
S0695 Donut Donut can generate packed code modules.[29]
S0694 DRATzarus DRATzarus's dropper can be packed with UPX.[30]
S0024 Dyre Dyre has been delivered with encrypted resources and must be unpacked for execution.[31]
S0554 Egregor Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.[32][33]
G0066 Elderwood Elderwood has packed malware payloads before delivery to victims.[34]
S0367 Emotet Emotet has used custom packers to protect its payloads.[35]
S0512 FatDuke FatDuke has been regularly repacked by its operators to create large binaries and evade detection.[36]
S0182 FinFisher A FinFisher variant uses a custom packer.[37][38]
S0628 FYAnti FYAnti has used ConfuserEx to pack its .NET module.[39]
G0093 GALLIUM GALLIUM packed some payloads using different types of packers, both known and custom.[40]
S0588 GoldMax GoldMax has been packed for obfuscation.[41]
S0342 GreyEnergy GreyEnergy is packed for obfuscation.[42]
S0132 H1N1 H1N1 uses a custom packing algorithm.[43]
S0601 Hildegard Hildegard has packed ELF files into other binaries.[44]
S0431 HotCroissant HotCroissant has used the open source UPX executable packer.[45]
S0398 HyperBro HyperBro has the ability to pack its payload.[46]
S0483 IcedID IcedID has packed and encrypted its loader module.[47]
S0283 jRAT jRAT payloads have been packed.[48]
G0094 Kimsuky Kimsuky has packed malware with UPX.[4]
S0356 KONNI KONNI has been packed for obfuscation.[49]
G0032 Lazarus Group Lazarus Group has used Themida to pack malicious DLLs and other files.[30][50]
S0513 LiteDuke LiteDuke has been packed with multiple layers of encryption.[36]
S0447 Lokibot Lokibot has used several packing methods for obfuscation.[51]
S0532 Lucifer Lucifer has used UPX packed binaries.[52]
S0409 Machete Machete has been packed with NSIS.[53]
S0530 Melcoz Melcoz has been packed with VMProtect and Themida.[54]
S0455 Metamorfo Metamorfo has used VMProtect to pack and protect files.[55]
S0198 NETWIRE NETWIRE has used .NET packer tools to evade detection.[56]
G0014 Night Dragon Night Dragon is known to use software packing in its tools.[57]
S0264 OopsIE OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.[58]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a variant that is packed with UPX.[59]
G0040 Patchwork A Patchwork payload was packed with UPX.[60]
S0650 QakBot QakBot can encrypt and pack malicious payloads.[61]
S0565 Raindrop Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.[62][63]
G0106 Rocke Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[64][65][66]
G0034 Sandworm Team Sandworm Team used UPX to pack a copy of Mimikatz.[67]
S0461 SDBbot SDBbot has used a packed installer file.[68]
S0053 SeaDuke SeaDuke has been packed with the UPX packer.[69]
S0444 ShimRat ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.[70]
S0543 Spark Spark has been packed with Enigma Protector to obfuscate its contents.[71]
S0663 SysUpdate SysUpdate can use packed binaries.[46]
G0092 TA505 TA505 has used UPX to obscure malicious code.[68]
G0139 TeamTNT TeamTNT has used UPX and Ezuri packer to pack its binaries.[72]
G0089 The White Company The White Company has obfuscated their payloads through packing.[73]
G0027 Threat Group-3390 Threat Group-3390 has packed malware and tools.[74]
S0671 Tomiris Tomiris has been packed with UPX.[75]
S0678 Torisma Torisma has been packed with Iz4 compression.[50]
S0266 TrickBot TrickBot leverages a custom packer to obfuscate its functionality.[76]
S0094 Trojan.Karagany Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.[77][78]
S0022 Uroburos Uroburos uses a custom packer.[79]
S0476 Valak Valak has used packed DLL payloads.[80]
S0257 VERMIN VERMIN is initially packed.[81]
S0248 yty yty packs a plugin with UPX.[82]
S0251 Zebrocy Zebrocy's Delphi variant was packed with UPX.[83][84]
S0230 ZeroT Some ZeroT DLL files have been packed with UPX.[85]
G0128 ZIRCONIUM ZIRCONIUM has used multi-stage packers for exploit code.[86]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Employ heuristic-based malware detection. Ensure updated virus definitions and create custom signatures for observed malware.

Detection

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

References

1. Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.

2. Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.

3. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

4. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

5. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.

6. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.

7. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.

8. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.

9. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.

10. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.

11. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

12. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.

13. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.

14. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.

15. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

16. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

17. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

18. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

19. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.

20. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.

21. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.

22. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

23. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

24. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

25. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.

26. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

27. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.

28. fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.

29. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.

30. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

31. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

32. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.

33. Cybleinc. (2020, October 31). Egregor Ransomware \u2013 A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.

34. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.

35. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.

36. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

37. FinFisher. (n.d.). Retrieved December 20, 2017.

38. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.

39. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

40. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

41. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

42. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

43. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.

44. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

45. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

46. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

47. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.

48. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

49. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.

50. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

51. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.

52. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

53. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

54. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

55. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

56. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

57. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

58. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

59. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.

60. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.

61. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.

62. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.

63. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

64. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.

65. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.

66. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.

67. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.

68. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.

69. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

70. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

71. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

72. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.

73. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

74. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

75. Kwiatkoswki, I and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.

76. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.

77. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

78. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

79. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.

80. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

81. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

82. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

83. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group\u2019s Global Campaign. Retrieved April 19, 2019.

84. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

85. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

86. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian \u2013 How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.


Original source: T1027.002 - Obfuscated Files or Information: Software Packing
", "external_references": [ { "source_name": "Wikipedia Exe Compression", "url": "http://en.wikipedia.org/wiki/Executable_compression" }, { "source_name": "ESET FinFisher Jan 2018", "url": "https://www.welivesecurity.com/wp-content/uploads/2018/01/WP-FinFisher.pdf" }, { "source_name": "capec (CAPEC-570)", "url": "https://capec.mitre.org/data/definitions/570.html" }, { "source_name": "mitre-attack (T1027.002)", "url": "https://attack.mitre.org/techniques/T1027/002" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--061bb72e-ab0f-4d15-b41d-2c7f77a93f74", "created": "2022-11-08T14:37:13.643465Z", "modified": "2022-11-08T14:37:13.643465Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--deb98323-e13f-4b0c-8d94-175379069062" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0", "created": "2021-05-26T15:04:16.914161Z", "modified": "2022-10-28T13:42:46.233777Z", "name": "T1036 - Masquerading", "description": "

T1036 - Masquerading

Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.

\n

Renaming abusable system utilities to evade security monitoring is also a form of Masquerading.[1]

Sub-techniques (7)

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename System Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension

Procedure Examples

ID Name Description
S0622 AppleSeed AppleSeed can disguise JavaScript files as PDFs.[2]
G0007 APT28 APT28 has renamed the WinRAR utility to avoid detection.[3]
G0016 APT29 APT29 has set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They have also used IP addresses originating from the same country as the victim for their VPN infrastructure.[4]
G0050 APT32 APT32 has disguised a Cobalt Strike beacon as a Flash Installer.[5]
S0268 Bisonal Bisonal dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script.[6]
S0635 BoomBox BoomBox has the ability to mask malicious data strings as PDF files.[7]
G0060 BRONZE BUTLER BRONZE BUTLER has masked executables with document file icons including Word and Adobe PDF.[8]
S0497 Dacls The Dacls Mach-O binary has been disguised as a .nib file.[9]
S0673 DarkWatchman DarkWatchman has used an icon mimicking a text file to mask a malicious executable.[10]
G0035 Dragonfly Dragonfly has created accounts disguised as legitimate backup and service accounts as well as an email administration account.[11]
S0634 EnvyScout EnvyScout has used folder icons for malicious files to lure victims into opening them.[7]
S0512 FatDuke FatDuke has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser.[12]
S0696 Flagpro Flagpro can download malicious files with a .tmp extension and append them with .exe prior to execution.[13]
S0661 FoggyWeb FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file.[14]
G0094 Kimsuky Kimsuky has disguised its C2 addresses as the websites of shopping malls, governments, universities, and others.[15]
G0032 Lazarus Group Lazarus Group has disguised malicious template files as JPEG files to avoid detection.[16]
G0140 LazyScripter LazyScripter has used several different security software icons to disguise executables.[17]
G0045 menuPass menuPass has used esentutl to change file extensions to their true type that were masquerading as .txt files.[18]
S0637 NativeZone NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system.[19]
G0133 Nomadic Octopus Nomadic Octopus attempted to make Octopus appear as a Telegram Messenger with a Russian interface.[20]
S0368 NotPetya NotPetya drops PsExec with the filename dllhost.dat.[21]
G0049 OilRig OilRig has used .doc file extensions to mask malicious executables.[22]
G0068 PLATINUM PLATINUM has renamed rar.exe to avoid detection.[23]
S0650 QakBot The QakBot payload has been disguised as a PNG file.[24]
S0565 Raindrop Raindrop was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code.[25][26]
S0458 Ramsay Ramsay has masqueraded as a JPG image file.[27]
S0662 RCSession RCSession has used a file named English.rtf to appear benign on victim hosts.[28][29]
S0148 RTM RTM has been delivered as archived Windows executable files masquerading as PDF documents.[30]
S0446 Ryuk Ryuk can create .dll files that actually contain a Rich Text File format document.[31]
S0615 SombRAT SombRAT can use a legitimate process name to hide itself.[32]
G0127 TA551 TA551 has masked malware DLLs as dat and jpg files.[33]
S0682 TrailBlazer TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.[34]
S0266 TrickBot The TrickBot downloader has used an icon to appear as a Microsoft Word document.[35]
S0609 TRITON TRITON attempts to write a dummy program into memory if it fails to reset the Triconex controller.[36]
G0118 UNC2452 UNC2452 set the hostnames of its C2 infrastructure to match legitimate hostnames in the victim environment. They also primarily used IP addresses originating from the same country as the victim for their VPN infrastructure.[4]
S0689 WhisperGate WhisperGate has been disguised as a JPG extension to avoid detection as a malicious PE file.[37]
G0112 Windshift Windshift has used icons mimicking MS Office files to mask malicious executables.[38] Windshift has also attempted to hide executables by changing the file extension to \".scr\" to mimic Windows screensavers.[39]
S0466 WindTail WindTail has used icons mimicking MS Office files to mask payloads.[38]
S0658 XCSSET XCSSET builds a malicious application bundle to resemble Safari through using the Safari icon and Info.plist. [40]
G0128 ZIRCONIUM ZIRCONIUM has spoofed legitimate applications in phishing lures and changed file extensions to conceal installation of malware.[41][42]

Mitigations

ID Mitigation Description
M1045 Code Signing Require signed binaries.
M1038 Execution Prevention Use tools that restrict program execution via application control by attributes other than file name for common operating system utilities that are needed.
M1022 Restrict File and Directory Permissions Use file system access controls to protect folders such as C:\\Windows\\System32.

Detection

Collect file hashes; file names that do not match their expected hash are suspect. Perform file monitoring; files with known names but in unusual locations are suspect. Likewise, files that are modified outside of an update or patch are suspect.

\n

If file names are mismatched between the file name on disk and that of the binary's PE metadata, this is a likely indicator that a binary was renamed after it was compiled. Collecting and comparing disk and resource filenames for binaries by looking to see if the InternalName, OriginalFilename, and/or ProductName match what is expected could provide useful leads, but may not always be indicative of malicious activity. [43] Do not focus on the possible names a file could have, but instead on the command-line arguments that are known to be used and are distinct because it will have a better rate of detection.[44]

\n

Look for indications of common characters that may indicate an attempt to trick users into misidentifying the file type, such as a space as the last character of a file name or the right-to-left override characters\"\\u202E\", \"[U+202E]\", and \"%E2%80%AE\u201d.

References

1. LOLBAS. (n.d.). Living Off The Land Binaries and Scripts (and also Libraries). Retrieved February 10, 2020.

2. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

3. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.

4. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

5. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

6. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

7. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

8. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

9. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020.

10. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

11. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

12. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

13. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

14. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

15. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

16. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.

17. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

18. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

19. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.

20. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

21. Chiu, A. (2016, June 27). New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide. Retrieved March 26, 2019.

22. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

23. Carr, N.. (2018, October 25). Nick Carr Status Update. Retrieved April 22, 2019.

24. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

25. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.

26. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

27. Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020.

28. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.

29. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

30. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.

31. ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021.

32. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

33. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.

34. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.

35. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

36. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.

37. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.

38. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.

39. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

40. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

41. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

42. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

43. Ewing, P. (2016, October 31). How to Hunt: The Masquerade Ball. Retrieved October 31, 2016.

44. Carr, N.. (2018, October 25). Nick Carr Status Update Masquerading. Retrieved April 22, 2019.


Original source: T1036 - Masquerading
", "external_references": [ { "source_name": "Twitter ItsReallyNick Masquerading Update", "url": "https://twitter.com/ItsReallyNick/status/1055321652777619457" }, { "source_name": "Elastic Masquerade Ball", "url": "http://pages.endgame.com/rs/627-YBU-612/images/EndgameJournal_The%20Masquerade%20Ball_Pages_R2.pdf" }, { "source_name": "LOLBAS Main Site", "url": "https://lolbas-project.github.io/" }, { "source_name": "capec (CAPEC-177)", "url": "https://capec.mitre.org/data/definitions/177.html" }, { "source_name": "mitre-attack (T1036)", "url": "https://attack.mitre.org/techniques/T1036" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0b0e05c1-5431-4f46-817b-6a7a86016edd", "created": "2022-11-08T14:37:13.648903Z", "modified": "2022-11-08T14:37:13.648903Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--42e8de7b-37b2-4258-905a-6897815e58e0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9", "created": "2021-05-26T15:06:36.325571Z", "modified": "2022-05-30T23:29:29.762001Z", "name": "T1204.001 - User Execution: Malicious Link", "description": "

T1204.001 - User Execution: Malicious Link

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

Other sub-techniques of User Execution (3)

ID Name
T1204.001 Malicious Link
T1204.002 Malicious File
T1204.003 Malicious Image

Procedure Examples

ID Name Description
S0584 AppleJeus AppleJeus's spearphishing links required user interaction to navigate to the malicious website.[1]
G0007 APT28 APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[2][3]
G0016 APT29 APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.[4][5][6][7]
G0022 APT3 APT3 has lured victims into clicking malicious links delivered through spearphishing.[8]
G0050 APT32 APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.[9][10][11]
G0064 APT33 APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[12][13]
G0087 APT39 APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.[14][15]
S0475 BackConfig BackConfig has compromised victims via links to URLs hosting malicious content.[16]
S0534 Bazar Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.[17][18][19]
G0098 BlackTech BlackTech has used e-mails with malicious links to lure victims into installing malware.[20]
G0080 Cobalt Group Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.[21][22][23]
G0142 Confucius Confucius has lured victims into clicking on a malicious link sent through spearphishing.[24]
G0066 Elderwood Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.[25][26]
S0367 Emotet Emotet has relied upon users clicking on a malicious link delivered through spearphishing.[27][28]
G0120 Evilnum Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.[29]
G0085 FIN4 FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).[30][31]
G0046 FIN7 FIN7 has used malicious links to lure victims into downloading malware.[32]
G0061 FIN8 FIN8 has used emails with malicious links to lure victims into installing malware.[33][34][35]
S0531 Grandoreiro Grandoreiro has used malicious links to gain execution on victim machines.[36][37]
S0561 GuLoader GuLoader has relied upon users clicking on links to malicious documents.[38]
S0499 Hancitor Hancitor has relied upon users clicking on a malicious link delivered through phishing.[39]
S0528 Javali Javali has achieved execution through victims clicking links to malicious websites.[40]
S0585 Kerrdown Kerrdown has gained execution through victims opening malicious links.[11]
G0094 Kimsuky Kimsuky has lured victims into clicking malicious links.[41]
S0669 KOCTOPUS KOCTOPUS has relied on victims clicking on a malicious link delivered via email.[42]
G0032 Lazarus Group Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.[43][44]
G0140 LazyScripter LazyScripter has relied upon users clicking on links to malicious files.[42]
G0065 Leviathan Leviathan has sent spearphishing email links attempting to get a user to click.[45][46]
G0095 Machete Machete has has relied on users opening malicious links delivered through spearphishing to execute malware.[47][48][49]
G0059 Magic Hound Magic Hound has attempted to lure victims into opening malicious links embedded in emails.[50][51]
S0530 Melcoz Melcoz has gained execution through victims opening malicious links.[40]
G0103 Mofang Mofang's spearphishing emails required a user to click the link to connect to a compromised website.[52]
G0021 Molerats Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.[53][54]
G0069 MuddyWater MuddyWater has distributed URLs in phishing e-mails that link to lure documents.[55][56]
G0129 Mustang Panda Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.[57][58][59]
S0198 NETWIRE NETWIRE has been executed through convincing victims into clicking malicious links.[60][38]
G0014 Night Dragon Night Dragon enticed users to click on links in spearphishing emails to download malware.[61]
S0644 ObliqueRAT ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.[62][63]
G0049 OilRig OilRig has delivered malicious links to achieve execution on the target system.[64][65][66]
G0040 Patchwork Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.[67][68][69][16]
S0435 PLEAD PLEAD has been executed via malicious links in e-mails.[20]
S0453 Pony Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.[70]
S0650 QakBot QakBot has gained execution through users opening malicious links.[71][72][73][74][75][76]
G0034 Sandworm Team Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.[77]
G0121 Sidewinder Sidewinder has lured targets to click on malicious links to gain execution in the target environment.[78][79][80][81]
S0649 SMOKEDHAM SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.[82]
S0646 SpicyOmelette SpicyOmelette has been executed through malicious links within spearphishing emails.[23]
G0092 TA505 TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. [83][84][85][86][87][88][89][90]
G0134 Transparent Tribe Transparent Tribe has directed users to open URLs hosting malicious content.[62][63]
S0436 TSCookie TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.[91]
G0010 Turla Turla has used spearphishing via a link to get users to download and run their malware.[92]
G0112 Windshift Windshift has used links embedded in e-mails to lure victims into executing malicious code.[93]
G0102 Wizard Spider Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.[94]
G0128 ZIRCONIUM ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.[95][96]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
M1021 Restrict Web-Based Content If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.
M1017 User Training Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Detection

Inspect network traffic for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization.

\n

Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.

References

1. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

2. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.

3. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.

4. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.

5. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

6. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

7. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.

8. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.

9. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

10. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

11. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.

12. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

13. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

14. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.

15. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

16. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

17. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

18. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

19. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.

20. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.

21. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

22. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.

23. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

24. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

25. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.

26. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.

27. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.

28. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.

29. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

30. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.

31. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.

32. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.

33. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.

34. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.

35. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

36. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

37. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

38. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.

39. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.

40. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

41. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

42. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

43. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

44. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

45. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

46. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department.. Retrieved August 12, 2021.

47. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.

48. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.

49. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

50. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.

51. Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.

52. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

53. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

54. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

55. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

56. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

57. Meyers, A. (2018, June 15). Meet CrowdStrike\u2019s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.

58. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.

59. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

60. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.

61. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

62. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

63. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.

64. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

65. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

66. Meyers, A. (2018, November 27). Meet CrowdStrike\u2019s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.

67. Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.

68. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

69. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

70. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

71. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.

72. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.

73. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.

74. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

75. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

76. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

77. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

78. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

79. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.

80. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group \u2013 COVID-19. Retrieved January 29, 2021.

81. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.

82. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.

83. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.

84. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.

85. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

86. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.

87. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.

88. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.

89. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.

90. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

91. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

92. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

93. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.

94. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.

95. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

96. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1204.001 - User Execution: Malicious Link
", "external_references": [ { "source_name": "mitre-attack (T1204.001)", "url": "https://attack.mitre.org/techniques/T1204/001" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--52d3c749-f036-4670-95f9-30b27c6446b8", "created": "2022-11-08T14:37:13.65435Z", "modified": "2022-11-08T14:37:13.65435Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--ef67e13e-5598-4adc-bdb2-998225874fa9" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d", "created": "2021-05-26T15:07:01.060963Z", "modified": "2022-05-30T23:38:49.325673Z", "name": "T1041 - Exfiltration Over C2 Channel", "description": "

T1041 - Exfiltration Over C2 Channel

Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL exfiltrates data over the same channel used for C2.[1]
S0584 AppleJeus AppleJeus has exfiltrated collected host information to a C2 server.[2]
S0622 AppleSeed AppleSeed can exfiltrate files via the C2 channel.[3]
G0022 APT3 APT3 has a tool that exfiltrates data over the C2 channel.[4]
G0050 APT32 APT32's backdoor has exfiltrated data using the already opened channel with its C&C server.[5]
G0087 APT39 APT39 has exfiltrated stolen victim data through C2 communications.[6]
S0373 Astaroth Astaroth exfiltrates collected information from its r1.log file to the external C2 server. [7]
S0438 Attor Attor has exfiltrated data over the C2 channel.[8]
S0031 BACKSPACE Adversaries can direct BACKSPACE to upload files to the C2 Server.[9]
S0234 Bandook Bandook can upload files from a victim's machine over the C2 channel.[10]
S0239 Bankshot Bankshot exfiltrates data over its C2 channel.[11]
S0268 Bisonal Bisonal has added the exfiltrated data to the URL over the C2 channel.[12]
S0520 BLINDINGCAN BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[13][14]
S0657 BLUELIGHT BLUELIGHT has exfiltrated data over its C2 channel.[15]
S0651 BoxCaon BoxCaon uploads files and data from a compromised host over the existing C2 channel.[16]
S0077 CallMe CallMe exfiltrates data to its C2 server over the same protocol as C2 communications.[17]
S0351 Cannon Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.[18]
S0484 Carberp Carberp has exfiltrated data via HTTP to already established C2 servers.[19][20]
S0572 Caterpillar WebShell Caterpillar WebShell can upload files over the C2 channel.[21]
S0674 CharmPower CharmPower can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.[22]
G0114 Chimera Chimera has used Cobalt Strike C2 beacons for data exfiltration.[23]
G0142 Confucius Confucius has exfiltrated stolen files to its C2 server.[24]
S0538 Crutch Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[25]
S0687 Cyclops Blink Cyclops Blink has the ability to upload exfiltrated files to a C2 server.[26]
S0600 Doki Doki has used Ngrok to establish C2 and exfiltrate data.[27]
S0502 Drovorub Drovorub can exfiltrate files over C2 infrastructure.[28]
S0062 DustySky DustySky has exfiltrated data to the C2 server.[29]
S0024 Dyre Dyre has the ability to send information staged on a compromised host externally to C2.[30]
S0377 Ebury Ebury can exfiltrate SSH credentials through custom DNS queries.[31]
S0367 Emotet Emotet has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. [32]
S0363 Empire Empire can send data gathered from a target through the command and control channel.[33]
S0568 EVILNUM EVILNUM can upload files over the C2 channel from the infected host.[34]
S0696 Flagpro Flagpro has exfiltrated data to the C2 server.[35]
S0661 FoggyWeb FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server.[36]
G0101 Frankenstein Frankenstein has collected information via Empire, which is automatically sent the data back to the adversary's C2.[37]
G0093 GALLIUM GALLIUM used Web shells and HTRAN for C2 and to exfiltrate data.[38]
G0047 Gamaredon Group A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.[39]
S0493 GoldenSpy GoldenSpy has exfiltrated host environment information to an external C2 domain via port 9006.[40]
S0588 GoldMax GoldMax can exfiltrate files over the existing C2 channel.[41][42]
S0477 Goopy Goopy has the ability to exfiltrate data over the Microsoft Outlook C2 channel.[43]
S0531 Grandoreiro Grandoreiro can send data it retrieves to the C2 server.[44]
S0632 GrimAgent GrimAgent has sent data related to a compromise host over its C2 channel.[45]
S0391 HAWKBALL HAWKBALL has sent system information and files over the C2 channel.[46]
G0126 Higaisa Higaisa exfiltrated data over its C2 channel.[47]
S0376 HOPLIGHT HOPLIGHT has used its C2 channel to exfiltrate data.[48]
S0431 HotCroissant HotCroissant has the ability to download files from the infected host to the command and control (C2) server.[49]
S0434 Imminent Monitor Imminent Monitor has uploaded a file containing debugger logs, network information and system information to the C2.[50]
S0604 Industroyer Industroyer sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request.[51]
G0004 Ke3chang Ke3chang transferred compressed and encrypted RAR files containing exfiltration through the established backdoor command and control channel during operations.[52]
S0487 Kessel Kessel has exfiltrated information gathered from the infected system to the C2 server.[53]
S0526 KGH_SPY KGH_SPY can exfiltrate collected information from the host to the C2 server.[54]
G0094 Kimsuky Kimsuky has exfiltrated data over its C2 channel.[55][56]
S0356 KONNI KONNI has sent data and files to its C2 server.[57][58][59]
G0032 Lazarus Group Lazarus Group has exfiltrated data and files over a C2 channel through its various tools and malware.[60][61][62][63]
G0065 Leviathan Leviathan has exfiltrated data over its C2 channel.[64]
S0395 LightNeuron LightNeuron exfiltrates data over its email C2 channel.[65]
S0680 LitePower LitePower can send collected data, including screenshots, over its C2 channel.[66]
S0447 Lokibot Lokibot has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.[67]
S0409 Machete Machete's collected data is exfiltrated over the same channel used for C2.[68]
S0652 MarkiRAT MarkiRAT can exfiltrate locally stored data via its C2.[69]
S0459 MechaFlounder MechaFlounder has the ability to send the compromised user's account name and hostname within a URL to C2.[70]
S0455 Metamorfo Metamorfo can send the data it collects to the C2 server.[71]
S0079 MobileOrder MobileOrder exfiltrates data to its C2 server over the same protocol as C2 communications.[17]
G0069 MuddyWater MuddyWater has used C2 infrastructure to receive exfiltrated data.[72]
S0034 NETEAGLE NETEAGLE is capable of reading files over the C2 channel.[9]
S0385 njRAT njRAT has used HTTP to receive stolen information from the infected machine.[73]
S0340 Octopus Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[74]
S0439 Okrum Data exfiltration is done by Okrum using the already opened channel with the C2 server.[75]
S0264 OopsIE OopsIE can upload files from the victim's machine to its C2 server.[76]
G0116 Operation Wocao Operation Wocao has used the Xserver backdoor to exfiltrate data.[77]
S0587 Penquin Penquin can execute the command code do_upload to send files to C2.[78]
S0428 PoetRAT PoetRAT has exfiltrated data over the C2 channel.[79]
S0441 PowerShower PowerShower has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.[80]
S0238 Proxysvc Proxysvc performs data exfiltration over the control server channel using a custom protocol.[81]
S0078 Psylo Psylo exfiltrates data to its C2 server over the same protocol as C2 communications.[17]
S0147 Pteranodon Pteranodon exfiltrates screenshot files to its C2 server.[39]
S0192 Pupy Pupy can send screenshots files, keylogger data, files, and recorded audio back to the C2 server.[82]
S0650 QakBot QakBot can send stolen information to C2 nodes including passwords, accounts, and emails.[83]
S0495 RDAT RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.[84]
S0375 Remexi Remexi performs exfiltration over BITSAdmin, which is also used for the C2 channel.[85]
S0496 REvil REvil can exfiltrate host and malware information to C2 servers.[86]
S0448 Rising Sun Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[87]
S0240 ROKRAT ROKRAT can send collected files back over same C2 channel.[88]
G0034 Sandworm Team Sandworm Team has sent system information to its C2 server using HTTP.[89]
S0445 ShimRatReporter ShimRatReporter sent generated reports to the C2 via HTTP POST requests.[90]
S0610 SideTwist SideTwist has exfiltrated data over its C2 channel.[91]
S0692 SILENTTRINITY SILENTTRINITY can transfer files from an infected host to the C2 server.[92]
S0633 Sliver Sliver can exfiltrate files from the victim using the download command.[93]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[94]
S0649 SMOKEDHAM SMOKEDHAM has exfiltrated data to its C2 server.[95]
S0543 Spark Spark has exfiltrated data over the C2 channel.[96]
G0038 Stealth Falcon After data is collected by Stealth Falcon malware, it is exfiltrated over the existing C2 channel.[97]
S0491 StrongPity StrongPity can exfiltrate collected documents through C2 channels.[98][99]
S0603 Stuxnet Stuxnet sends compromised victim information via HTTP.[100]
S0467 TajMahal TajMahal has the ability to send collected files over its C2.[101]
S0595 ThiefQuest ThiefQuest exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.[102][103]
S0671 Tomiris Tomiris can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.[104]
S0678 Torisma Torisma can send victim data to an actor-controlled C2 server.[63]
S0266 TrickBot TrickBot can send information about the compromised host and upload data to a hardcoded C2 server.[105][106]
S0386 Ursnif Ursnif has used HTTP POSTs to exfil gathered information.[107][108][109]
S0476 Valak Valak has the ability to exfiltrate data over the C2 channel.[110][111][112]
S0670 WarzoneRAT WarzoneRAT can send collected victim data to its C2 server.[113]
G0102 Wizard Spider Wizard Spider has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.[114]
S0658 XCSSET XCSSET exfiltrates data stolen from a system over its C2 channel.[115]
S0251 Zebrocy Zebrocy has exfiltrated data to the designated C2 server using HTTP POST requests.[116][117]
G0128 ZIRCONIUM ZIRCONIUM has exfiltrated files via the Dropbox API C2.[118]

Mitigations

ID Mitigation Description
M1057 Data Loss Prevention Data loss prevention can detect and block sensitive data being sent over unencrypted protocols.
T1041 Exfiltration Over Command and Control Channel Mitigation Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way to avoid detection by common defensive tools. [119]

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [119]

References

1. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

2. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

3. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

4. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.

5. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

6. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

7. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

8. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

9. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

10. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

11. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.

12. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

13. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.

14. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

15. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

16. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

17. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

18. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

19. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

20. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.

21. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

22. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

23. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

24. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

25. Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.

26. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

27. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.

28. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.

29. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

30. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

31. Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., L\u00e9veill\u00e9, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo \u2013 the vivisection of a large Linux server\u2011side credential\u2011stealing malware campaign. Retrieved February 10, 2021.

32. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.

33. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

34. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

35. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

36. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

37. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

38. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

39. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

40. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.

41. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

42. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

43. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

44. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

45. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

46. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

47. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

48. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

49. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

50. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

51. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.

52. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

53. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

54. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

55. Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.

56. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

57. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

58. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

59. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.

60. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

61. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

62. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

63. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

64. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department.. Retrieved August 12, 2021.

65. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

66. Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.

67. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.

68. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

69. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

70. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

71. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

72. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.

73. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

74. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

75. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

76. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

77. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

78. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.

79. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.

80. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

81. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

82. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

83. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

84. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

85. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

86. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

87. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

88. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

89. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

90. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

91. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

92. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

93. BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021.

94. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

95. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

96. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

97. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

98. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

99. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.

100. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

101. GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.

102. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.

103. Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.

104. Kwiatkoswki, I and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.

105. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

106. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot\u2019s Ever-Improving VNC Module. Retrieved September 28, 2021.

107. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.

108. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.

109. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.

110. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

111. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.

112. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

113. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

114. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK; Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.

115. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

116. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

117. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

118. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

119. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.


Original source: T1041 - Exfiltration Over C2 Channel
", "external_references": [ { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" }, { "source_name": "mitre-attack (T1041)", "url": "https://attack.mitre.org/techniques/T1041" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--01cc035e-d9b8-4f92-8773-23a53e098084", "created": "2022-11-08T14:37:13.660132Z", "modified": "2022-11-08T14:37:13.660132Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--92d7da27-2d91-488e-a00c-059dc162766d" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104", "created": "2021-05-26T15:08:41.604703Z", "modified": "2022-05-30T23:28:34.237843Z", "name": "T1033 - System Owner/User Discovery", "description": "

T1033 - System Owner/User Discovery

Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping. The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from System Owner/User Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

\n

Various utilities and commands may acquire this information, including whoami. In macOS and Linux, the currently logged in user can be identified with w and who. On macOS the dscl . list /Users | grep -v '_' command can also be used to enumerate user accounts. Environment variables, such as %USERNAME% and $USER, may also be used to access this information.

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can collect the username from the victim\u2019s machine.[1][2][3]
S0092 Agent.btz Agent.btz obtains the victim username and saves it to a file.[4]
G0073 APT19 APT19 used an HTTP malware variant and a Port 22 malware variant to collect the victim\u2019s username.[5]
G0022 APT3 An APT3 downloader uses the Windows command \"cmd.exe\" /C whoami to verify that it is running with the elevated privileges of \u201cSystem.\u201d[6]
G0050 APT32 APT32 collected the victim's username and executed the whoami command on the victim's machine. APT32 executed shellcode to collect the username on the victim's machine. [7][8][9]
G0067 APT37 APT37 identifies the victim username.[10]
G0082 APT38 APT38 has identified primary users, currently logged in users, sets of users that commonly use a system, or inactive users.[11]
G0087 APT39 APT39 used Remexi to collect usernames from the system.[12]
G0096 APT41 APT41 used the WMIEXEC utility to execute whoami commands on remote machines.[13]
S0456 Aria-body Aria-body has the ability to identify the username on a compromised host.[14]
S0344 Azorult Azorult can collect the username from the victim\u2019s machine.[15]
S0414 BabyShark BabyShark has executed the whoami command.[16]
S0093 Backdoor.Oldrea Backdoor.Oldrea collects the current username from the victim.[17]
S0534 Bazar Bazar can identify the username of the infected user.[18]
S0017 BISCUIT BISCUIT has a command to gather the username from the system.[19]
S0521 BloodHound BloodHound can collect information on user sessions.[20]
S0657 BLUELIGHT BLUELIGHT can collect the username on a compromised host.[21]
S0486 Bonadan Bonadan has discovered the username of the user running the backdoor.[22]
S0635 BoomBox BoomBox can enumerate the username on a compromised host.[23]
S0351 Cannon Cannon can gather the username from the system.[24]
S0348 Cardinal RAT Cardinal RAT can collect the username from a victim machine.[25]
S0572 Caterpillar WebShell Caterpillar WebShell can obtain a list of user accounts from a victim's machine.[26]
S0631 Chaes Chaes has collected the username and UID from the infected machine.[27]
G0114 Chimera Chimera has used the quser command to show currently logged on users.[28]
S0667 Chrommme Chrommme can retrieve the username from a targeted system.[29]
S0660 Clambling Clambling can identify the username on a compromised host.[30][31]
S0115 Crimson Crimson can identify the user on a targeted system.[32][33]
S0498 Cryptoistic Cryptoistic can gather data on the user of a compromised host.[34]
S0334 DarkComet DarkComet gathers the username from the victim\u2019s machine.[35]
S0673 DarkWatchman DarkWatchman has collected the username from a victim machine.[36]
S0354 Denis Denis enumerates and collects the username from the victim\u2019s machine.[37][9]
S0021 Derusbi A Linux version of Derusbi checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. Derusbi also gathers the username of the victim.[38]
S0659 Diavol Diavol can collect the username from a compromised host.[39]
S0186 DownPaper DownPaper collects the victim username and sends it to the C2 server.[40]
G0035 Dragonfly Dragonfly used the command query user on victim hosts.[41]
S0694 DRATzarus DRATzarus can obtain a list of users from an infected machine.[42]
S0024 Dyre Dyre has the ability to identify the users on a compromised host.[43]
S0554 Egregor Egregor has used tools to gather information about users.[44]
S0091 Epic Epic collects the user name from the victim\u2019s machine.[45]
S0568 EVILNUM EVILNUM can obtain the username from the victim's machine.[46]
S0401 Exaramel for Linux Exaramel for Linux can run whoami to identify the system owner.[47]
S0569 Explosive Explosive has collected the username from the infected host.[48]
S0171 Felismus Felismus collects the current username and sends it to the C2 server.[49]
S0267 FELIXROOT FELIXROOT collects the username from the victim\u2019s machine.[50][51]
G0051 FIN10 FIN10 has used Meterpreter to enumerate users on remote systems.[52]
S0696 Flagpro Flagpro has been used to run the whoami command on the system.[53]
S0381 FlawedAmmyy FlawedAmmyy enumerates the current user during the initial infection.[54]
G0101 Frankenstein Frankenstein has enumerated hosts, gathering username, machine name, and administrative permissions information.[55]
G0093 GALLIUM GALLIUM used whoami and query user to obtain information about the victim user.[56]
G0047 Gamaredon Group A Gamaredon Group file stealer can gather the victim's username to send to a C2 server.[57]
S0168 Gazer Gazer obtains the current user's security identifier.[58]
S0666 Gelsemium Gelsemium has the ability to distinguish between a standard user and an administrator on a compromised host.[29]
S0460 Get2 Get2 has the ability to identify the current username of an infected host.[59]
S0249 Gold Dragon Gold Dragon collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server.[60]
S0477 Goopy Goopy has the ability to enumerate the infected system's user name.[9]
S0531 Grandoreiro Grandoreiro can collect the username from the victim's machine.[61]
S0237 GravityRAT GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status).[62]
S0632 GrimAgent GrimAgent can identify the user id on a target machine.[63]
S0214 HAPPYWORK can collect the victim user name.[64]
S0391 HAWKBALL HAWKBALL can collect the user name of the system.[65]
S0431 HotCroissant HotCroissant has the ability to collect the username on the infected host.[66]
S0260 InvisiMole InvisiMole lists local users and session information.[67]
S0015 Ixeshe Ixeshe collects the username from the victim\u2019s machine.[68]
S0201 JPIN JPIN can obtain the victim user name.[69]
S0265 Kazuar Kazuar gathers information on users.[70]
G0004 Ke3chang Ke3chang has used implants capable of collecting the signed-in username.[71]
S0250 Koadic Koadic can identify logged in users across the domain and views user sessions.[72][73]
S0162 Komplex The OsInfo function in Komplex collects the current running username.[74]
S0356 KONNI KONNI can collect the username from the victim\u2019s machine.[75]
S0236 Kwampirs Kwampirs collects registered owner details by using the commands systeminfo and net config workstation.[76]
G0032 Lazarus Group Various Lazarus Group malware enumerates logged-on users.[77][78][79][80][81][34][82]
S0362 Linux Rabbit Linux Rabbit opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain. [83]
S0513 LiteDuke LiteDuke can enumerate the account name on a targeted system.[84]
S0680 LitePower LitePower can determine if the current user has admin privileges.[85]
S0681 Lizar Lizar can collect the username from the system.[86]
S0447 Lokibot Lokibot has the ability to discover the username on the infected host.[87]
S0532 Lucifer Lucifer has the ability to identify the username on a compromised host.[88]
G0059 Magic Hound Magic Hound malware has obtained the victim username and sent it to the C2 server.[89]
S0652 MarkiRAT MarkiRAT can retrieve the victim\u2019s username.[90]
S0459 MechaFlounder MechaFlounder has the ability to identify the username and hostname on a compromised host.[91]
S0455 Metamorfo Metamorfo has collected the username from the victim's machine.[92]
S0339 Micropsia Micropsia collects the username from the victim\u2019s machine.[93]
S0280 MirageFox MirageFox can gather the username from the victim\u2019s machine.[94]
S0084 Mis-Type Mis-Type runs tests to determine the privilege level of the compromised user.[95]
S0149 MoonWind MoonWind obtains the victim username.[96]
S0284 More_eggs More_eggs has the capability to gather the username from the victim's machine.[97][98]
S0256 Mosquito Mosquito runs whoami on the victim\u2019s machine.[99]
G0069 MuddyWater MuddyWater has used malware that can collect the victim\u2019s username.[100][101]
S0228 NanHaiShu NanHaiShu collects the username from the victim.[102]
S0590 NBTscan NBTscan can list active users on the system.[103][104]
S0272 NDiskMonitor NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel.[105]
S0691 Neoichor Neoichor can collect the user name from a victim's machine.[71]
S0385 njRAT njRAT enumerates the current user during the initial infection.[106]
S0353 NOKKI NOKKI can collect the username from the victim\u2019s machine.[107]
S0644 ObliqueRAT ObliqueRAT can check for blocklisted usernames on infected endpoints.[108]
S0340 Octopus Octopus can collect the username from the victim\u2019s machine.[109]
G0049 OilRig OilRig has run whoami on a victim.[110][111][112]
S0439 Okrum Okrum can collect the victim username.[113]
G0116 Operation Wocao Operation Wocao has enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[114]
G0040 Patchwork Patchwork collected the victim username and whether it was running as admin, then sent the information to its C2 server.[115][105]
S0428 PoetRAT PoetRAT sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2.[116]
S0139 PowerDuke PowerDuke has commands to get the current user's name and SID.[117]
S0441 PowerShower PowerShower has the ability to identify the current user on the infected host.[118]
S0223 POWERSTATS POWERSTATS has the ability to identify the username on the compromised host.[119]
S0184 POWRUNER POWRUNER may collect information about the currently logged in user by running whoami on a victim.[120]
S0113 Prikormka A module in Prikormka collects information from the victim about the current user name.[121]
S0192 Pupy Pupy can enumerate local information for Linux hosts and find currently logged on users for Windows hosts.[122]
S0650 QakBot QakBot can identify the user name on a compromised system.[123]
S0269 QUADAGENT QUADAGENT gathers the victim username.[124]
S0241 RATANKBA RATANKBA runs the whoami and query user commands.[125]
S0662 RCSession RCSession can gather system owner information, including user and administrator privileges.[126]
S0172 Reaver Reaver collects the victim's username.[127]
S0153 RedLeaves RedLeaves can obtain information about the logged on user both locally and for Remote Desktop sessions.[128]
S0125 Remsec Remsec can obtain information about the current user.[129]
S0379 Revenge RAT Revenge RAT gathers the username from the system.[130]
S0258 RGDoor RGDoor executes the whoami on the victim\u2019s machine.[131]
S0433 Rifdoor Rifdoor has the ability to identify the username on the compromised host.[66]
S0448 Rising Sun Rising Sun can detect the username of the infected host.[132]
S0270 RogueRobin RogueRobin collects the victim\u2019s username and whether that user is an admin.[133]
S0240 ROKRAT ROKRAT can collect the username from a compromised host.[134]
S0148 RTM RTM can obtain the victim username and permissions.[135]
G0034 Sandworm Team Sandworm Team has collected the username from a compromised host.[136]
S0461 SDBbot SDBbot has the ability to identify the user on a compromised host.[59]
S0382 ServHelper ServHelper will attempt to enumerate the username of the victim.[137]
S0596 ShadowPad ShadowPad has collected the username of the victim system.[138]
S0450 SHARPSTATS SHARPSTATS has the ability to identify the username on the compromised host.[119]
S0610 SideTwist SideTwist can collect the username on a targeted system.[112]
G0121 Sidewinder Sidewinder has used tools to identify the user of a compromised host.[139]
S0692 SILENTTRINITY SILENTTRINITY can gather a list of logged on users.[140]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has collected the username from a victim machine.[141]
S0649 SMOKEDHAM SMOKEDHAM has used whoami commands to identify system owners.[142]
S0627 SodaMaster SodaMaster can identify the username on a compromised host.[143]
S0615 SombRAT SombRAT can execute getinfo to identify the username on a compromised host.[144][145]
S0543 Spark Spark has run the whoami command and has a built-in command to identify the user logged in.[146]
S0374 SpeakUp SpeakUp uses the whoami command. [147]
S0058 SslMM SslMM sends the logged-on username to its hard-coded C2.[148]
G0038 Stealth Falcon Stealth Falcon malware gathers the registered user and primary owner name via WMI.[149]
S0559 SUNBURST SUNBURST collected the username from a compromised host.[150][151]
S0242 SynAck SynAck gathers user names from infected hosts.[152]
S0060 Sys10 Sys10 collects the account name of the logged-in user and sends it to the C2.[148]
S0098 T9000 T9000 gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM.[153]
G0027 Threat Group-3390 Threat Group-3390 has used whoami to collect system user information.[30]
S0266 TrickBot TrickBot can identify the user and groups the user belongs to on a compromised host.[154]
S0094 Trojan.Karagany Trojan.Karagany can gather information about the user on a compromised host.[155]
G0081 Tropic Trooper Tropic Trooper used letmein to scan for saved usernames on the target system.[156]
S0647 Turian Turian can retrieve usernames.[157]
S0130 Unknown Logger Unknown Logger can obtain information about the victim usernames.[158]
S0275 UPPERCUT UPPERCUT has the capability to collect the current logged on user\u2019s username from a machine.[159]
S0476 Valak Valak can gather information regarding the user.[160]
S0257 VERMIN VERMIN gathers the username from the victim\u2019s machine.[161]
S0515 WellMail WellMail can identify the current username on the victim system.[162]
S0514 WellMess WellMess can collect the username on the victim machine to send to C2.[163]
S0155 WINDSHIELD WINDSHIELD can gather the victim user name.[164]
G0112 Windshift Windshift has used malware to identify the username on a compromised host.[165]
S0219 WINERACK WINERACK can gather information on the victim username.[64]
S0059 WinMM WinMM uses NetUser-GetInfo to identify that it is running under an \u201cAdmin\u201d account on the local system.[148]
G0102 Wizard Spider Wizard Spider has used \"whoami\" to identify the local user and their privileges.[166]
S0161 XAgentOSX XAgentOSX contains the getInfoOSX function to return the OS X version as well as the current user.[167]
S0248 yty yty collects the victim\u2019s username.[168]
S0251 Zebrocy Zebrocy gets the username from the system.[169][170]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to capture the username on a compromised host in order to register it with C2.[171]
S0350 zwShell zwShell can obtain the name of the logged-in user on the victim.[172]
S0412 ZxShell ZxShell can collect the owner and organization information from the target workstation.[173]

Mitigations

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about system users, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

\n

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

1. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.

2. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.

3. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.

4. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.

5. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

6. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.

7. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.

8. Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.

9. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

10. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

11. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

12. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.

13. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.

14. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

15. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

16. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

17. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

18. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

19. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

20. Red Team Labs. (2018, April 24). Hidden Administrative Accounts: BloodHound to the Rescue. Retrieved October 28, 2020.

21. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

22. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

23. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

24. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

25. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

26. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

27. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

28. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

29. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

30. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

31. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

32. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

33. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

34. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020.

35. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.

36. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

37. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C; Communications. Retrieved November 5, 2018.

38. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.

39. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

40. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

41. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

42. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

43. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

44. Bichet, J. (2020, November 12). Egregor \u2013 Prolock: Fraternal Twins ?. Retrieved January 6, 2021.

45. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.

46. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

47. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.

48. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

49. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

50. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

51. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

52. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.

53. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

54. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.

55. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

56. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

57. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

58. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

59. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

60. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

61. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

62. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

63. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

64. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

65. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

66. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

67. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

68. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

69. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

70. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

71. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

72. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.

73. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

74. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.

75. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

76. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

77. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

78. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

79. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

80. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.

81. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

82. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

83. Anomali Labs. (2018, December 6). Pulling Linux Rabbit/Rabbot Malware Out of a Hat. Retrieved March 4, 2019.

84. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

85. Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.

86. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

87. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.

88. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

89. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

90. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

91. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

92. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

93. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.

94. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

95. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

96. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

97. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

98. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

99. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

100. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

101. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

102. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.

103. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.

104. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.

105. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

106. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

107. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

108. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

109. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

110. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

111. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.

112. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

113. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

114. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

115. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

116. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

117. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

118. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

119. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

120. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

121. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

122. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

123. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

124. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

125. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

126. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

127. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

128. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

129. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

130. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

131. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

132. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

133. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

134. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

135. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

136. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

137. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

138. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

139. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

140. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

141. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

142. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

143. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

144. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

145. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

146. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

147. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

148. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

149. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

150. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

151. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.

152. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.

153. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

154. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

155. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

156. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.

157. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

158. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

159. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

160. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

161. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

162. CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.

163. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

164. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

165. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

166. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.

167. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.

168. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

169. ESET. (2018, November 20). Sednit: What\u2019s going on with Zebrocy?. Retrieved February 12, 2019.

170. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

171. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

172. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

173. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.


Original source: T1033 - System Owner/User Discovery
", "external_references": [ { "source_name": "capec (CAPEC-577)", "url": "https://capec.mitre.org/data/definitions/577.html" }, { "source_name": "mitre-attack (T1033)", "url": "https://attack.mitre.org/techniques/T1033" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b4e52bd2-8264-44d4-a240-d42632f0abf1", "created": "2022-11-08T14:37:13.667226Z", "modified": "2022-11-08T14:37:13.667226Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--03d7999c-1f4c-42cc-8373-e7690d318104" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add", "created": "2021-05-26T15:09:45.713356Z", "modified": "2022-11-01T17:57:54.383129Z", "name": "T1105 - Ingress Tool Transfer", "description": "

T1105 - Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).

\n

Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.[1]

\n

On Windows, adversaries may use various utilities to download tools, such as copy, finger, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.[2]

Procedure Examples

ID Name Description
S0469 ABK ABK has the ability to download files from C2.[3]
S0331 Agent Tesla Agent Tesla can download additional files for execution on the victim\u2019s machine.[4][5]
S0092 Agent.btz Agent.btz attempts to download an encrypted binary from a specified domain.[6]
G0130 Ajax Security Team Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[7]
S0504 Anchor Anchor can download additional payloads.[8][9]
G0138 Andariel Andariel has downloaded additional tools and malware onto compromised hosts.[10]
G0099 APT-C-36 APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[11]
G0026 APT18 APT18 can upload a file to the victim\u2019s machine.[12]
G0007 APT28 APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[13][14][15][16][17]
G0016 APT29 APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.[18]
G0022 APT3 APT3 has a tool that can copy files to remote machines.[19]
G0050 APT32 APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[20]
G0064 APT33 APT33 has downloaded additional files and programs from its C2 server.[21][22]
G0067 APT37 APT37 has downloaded second stage malware from compromised websites.[23][24][25][26]
G0082 APT38 APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim\u2019s machine.[27]
G0087 APT39 APT39 has downloaded tools to compromised hosts.[28][29]
G0096 APT41 APT41 used certutil to download additional files.[30][31][32]
G0143 Aquatic Panda Aquatic Panda has downloaded additional malware onto compromised hosts.[33]
S0456 Aria-body Aria-body has the ability to download additional payloads from C2.[34]
S0373 Astaroth Astaroth uses certutil and BITSAdmin to download additional malware. [35][36][37]
S0438 Attor Attor can download additional plugins, updates and other files. [38]
S0347 AuditCred AuditCred can download files and additional malware.[39]
S0473 Avenger Avenger has the ability to download files from C2 to a compromised host.[3]
S0344 Azorult Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[40][41]
S0414 BabyShark BabyShark has downloaded additional files from the C2.[42][43]
S0475 BackConfig BackConfig can download and execute additional payloads on a compromised host.[44]
S0093 Backdoor.Oldrea Backdoor.Oldrea can download additional modules from C2.[45]
G0135 BackdoorDiplomacy BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.[46]
S0642 BADFLICK BADFLICK has download files from its C2 server.[47]
S0128 BADNEWS BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[48][49][50]
S0337 BadPatch BadPatch can download and execute or update malware.[51]
S0234 Bandook Bandook can download files to the system.[52]
S0239 Bankshot Bankshot uploads files and secondary payloads to the victim's machine.[53]
S0534 Bazar Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.[54][55][56][57]
S0470 BBK BBK has the ability to download files from C2 to the infected host.[3]
S0574 BendyBear BendyBear is designed to download an implant from a C2 server.[58]
S0017 BISCUIT BISCUIT has a command to download a file from the C2 server.[59]
S0268 Bisonal Bisonal has the capability to download files to execute on the victim\u2019s machine.[60][61][62]
S0190 BITSAdmin BITSAdmin can be used to create BITS Jobs to upload and/or download files.[63]
S0564 BlackMould BlackMould has the ability to download files to the victim's machine.[64]
S0520 BLINDINGCAN BLINDINGCAN has downloaded files to a victim machine.[65]
S0657 BLUELIGHT BLUELIGHT can download additional files onto the host.[25]
S0486 Bonadan Bonadan can download additional modules from the C2 server.[66]
S0360 BONDUPDATER BONDUPDATER can download or upload files from its C2 server.[67]
S0635 BoomBox BoomBox has the ability to download next stage malware components to a compromised system.[68]
S0651 BoxCaon BoxCaon can download files.[69]
S0204 Briba Briba downloads files onto infected hosts.[70]
G0060 BRONZE BUTLER BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[71]
S0471 build_downer build_downer has the ability to download files from C2 to the infected host.[3]
S0482 Bundlore Bundlore can download and execute new versions of itself.[72]
S0274 Calisto Calisto has the capability to upload and download files to the victim's machine.[73]
S0077 CallMe CallMe has the capability to download a file to the victim from the C2 server.[74]
S0351 Cannon Cannon can download a payload for execution.[75]
S0484 Carberp Carberp can download and execute new plugins from the C2 server. [76][77]
S0348 Cardinal RAT Cardinal RAT can download and execute additional payloads.[78]
S0465 CARROTBALL CARROTBALL has the ability to download and install a remote payload.[79]
S0462 CARROTBAT CARROTBAT has the ability to download and execute a remote file via certutil.[80]
S0572 Caterpillar WebShell Caterpillar WebShell has a module to download and upload files to the system.[81]
S0160 certutil certutil can be used to download files from a given URL.[82][83]
S0631 Chaes Chaes can download additional files onto an infected machine.[84]
S0674 CharmPower CharmPower has the ability to download additional modules to a compromised host.[85]
S0144 ChChes ChChes is capable of downloading files, including additional modules.[86][87][88]
G0114 Chimera Chimera has remotely copied tools and malware onto targeted systems.[89]
S0020 China Chopper China Chopper's server component can download remote files.[90][91][92]
S0023 CHOPSTICK CHOPSTICK is capable of performing remote file transmission.[93]
S0667 Chrommme Chrommme can download its code from C2.[94]
S0054 CloudDuke CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[95]
S0106 cmd cmd can be used to copy files to/from a remotely connected external system.[96]
G0080 Cobalt Group Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[97][1] The group's JavaScript backdoor is also capable of downloading files.[98]
S0154 Cobalt Strike Cobalt Strike can deliver additional payloads to victim machines.[99][100]
S0369 CoinTicker CoinTicker executes a Python script to download its second stage.[101]
S0608 Conficker Conficker downloads an HTTP server to the infected machine.[102]
G0142 Confucius Confucius has downloaded additional files and payloads onto a compromised host following initial access.[103][104]
S0492 CookieMiner CookieMiner can download additional scripts from a web server.[105]
S0137 CORESHELL CORESHELL downloads another dropper from its C2 server.[106]
S0614 CostaBricks CostaBricks has been used to load SombRAT onto a compromised host.[107]
S0115 Crimson Crimson contains a command to retrieve files from its C2 server.[108][109]
S0498 Cryptoistic Cryptoistic has the ability to send and receive files.[110]
S0527 CSPY Downloader CSPY Downloader can download additional tools to a compromised host.[111]
S0625 Cuba Cuba can download files from its C2 server.[112]
S0687 Cyclops Blink Cyclops Blink has the ability to download files to target systems.[113][114]
S0497 Dacls Dacls can download its payload from a C2 server.[110][115]
S0334 DarkComet DarkComet can load any files onto the infected machine to execute.[116][117]
G0012 Darkhotel Darkhotel has used first-stage payloads that download additional malware from C2 servers.[118]
S0187 Daserf Daserf can download remote files.[119][71]
S0255 DDKONG DDKONG downloads and uploads files on the victim\u2019s machine.[120]
S0616 DEATHRANSOM DEATHRANSOM can download files to a compromised host.[121]
S0354 Denis Denis deploys additional backdoors and hacking tools to the system.[122]
S0659 Diavol Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.[123]
S0200 Dipsind Dipsind can download remote files.[124]
S0213 DOGCALL DOGCALL can download and execute additional payloads.[125]
S0600 Doki Doki has downloaded scripts from C2.[126]
S0695 Donut Donut can download and execute previously staged shellcode payloads.[127]
S0472 down_new down_new has the ability to download files to the compromised host.[3]
S0134 Downdelph After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[128]
G0035 Dragonfly Dragonfly has copied and installed tools for operations once in the victim environment.[129]
S0694 DRATzarus DRATzarus can deploy additional tools onto an infected machine.[130]
S0547 DropBook DropBook can download and execute additional files.[131][132]
S0502 Drovorub Drovorub can download files to a compromised host.[133]
S0567 Dtrack Dtrack\u2019s can download and upload a file to the victim\u2019s computer.[134][135]
S0024 Dyre Dyre has a command to download and executes additional files.[136]
S0624 Ecipekac Ecipekac can download additional payloads to a compromised host.[137]
S0554 Egregor Egregor has the ability to download files from its C2 server.[138][139]
G0066 Elderwood The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[140]
S0081 Elise Elise can download additional files from the C2 server for execution.[141]
S0082 Emissary Emissary has the capability to download files from the C2 server.[142]
S0363 Empire Empire can upload and download to and from a victim machine.[143]
S0404 esentutl esentutl can be used to copy files from a given URL.[144]
S0396 EvilBunny EvilBunny has downloaded additional Lua scripts from the C2.[145]
S0568 EVILNUM EVILNUM can download and upload files to the victim's computer.[146][147]
G0120 Evilnum Evilnum can deploy additional components or tools as needed.[146]
S0401 Exaramel for Linux Exaramel for Linux has a command to download a file from and to a remote C2 server.[148][149]
S0569 Explosive Explosive has a function to download a file to the infected system.[150]
S0171 Felismus Felismus can download files from remote servers.[151]
S0267 FELIXROOT FELIXROOT downloads and uploads files to and from the victim\u2019s machine.[152][153]
G0046 FIN7 FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[154][155]
G0061 FIN8 FIN8 has used remote code execution to download subsequent payloads.[156][157]
S0696 Flagpro Flagpro can download additional malware from the C2 server.[158]
S0661 FoggyWeb FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.[159]
G0117 Fox Kitten Fox Kitten has downloaded additional tools including PsExec directly to endpoints.[160]
G0101 Frankenstein Frankenstein has uploaded and downloaded files to utilize additional plugins.[161]
S0095 ftp ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.[162][163]
S0628 FYAnti FYAnti can download additional payloads to a compromised host.[137]
G0093 GALLIUM GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[164][64]
G0047 Gamaredon Group Gamaredon Group has downloaded additional malware and tools onto a compromised host.[165][166][167][168]
S0168 Gazer Gazer can execute a task to download a file.[169][170]
S0666 Gelsemium Gelsemium can download additional plug-ins to a compromised host.[94]
S0032 gh0st RAT gh0st RAT can download files to the victim\u2019s machine.[171][172]
S0249 Gold Dragon Gold Dragon can download additional components from the C2 server.[173]
S0493 GoldenSpy GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[174]
S0588 GoldMax GoldMax can download and execute additional files.[175][176]
G0078 Gorgon Group Gorgon Group malware can download additional files from C2 servers.[177]
S0531 Grandoreiro Grandoreiro can download its second stage from a hardcoded URL within the loader's code.[178][179]
S0342 GreyEnergy GreyEnergy can download additional modules and payloads.[153]
S0632 GrimAgent GrimAgent has the ability to download and execute additional payloads.[180]
S0561 GuLoader GuLoader can download further malware for execution on the victim's machine.[181]
S0132 H1N1 H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[182]
G0125 HAFNIUM HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.[183]
S0499 Hancitor Hancitor has the ability to download additional files from C2.[184]
S0214 HAPPYWORK can download and execute a second-stage payload.[23]
S0170 Helminth Helminth can download additional files.[185]
S0087 Hi-Zor Hi-Zor has the ability to upload and download files from its C2 server.[186]
S0394 HiddenWasp HiddenWasp downloads a tar compressed archive from a download server to the system.[187]
S0009 Hikit Hikit has the ability to download files to a compromised host.[188]
S0601 Hildegard Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.[189]
S0376 HOPLIGHT HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[190]
S0431 HotCroissant HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[191]
S0070 HTTPBrowser HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[192]
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[193][194]
S0398 HyperBro HyperBro has the ability to download additional files.[195]
S0483 IcedID IcedID has the ability to download additional modules and a configuration file from C2.[196][197]
G0136 IndigoZebra IndigoZebra has downloaded additional files and tools from its C2 server.[69]
G0119 Indrik Spider Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.[198][199]
S0604 Industroyer Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.[200]
S0260 InvisiMole InvisiMole can upload files to the victim's machine for operations.[201][202]
S0015 Ixeshe Ixeshe can download and execute additional files.[203]
S0528 Javali Javali can download payloads from remote C2 servers.[37]
S0044 JHUHUGIT JHUHUGIT can retrieve an additional payload from its C2 server.[204][205] JHUHUGIT has a command to download files to the victim\u2019s machine.[206]
S0201 JPIN JPIN can download files and upgrade itself.[124]
S0283 jRAT jRAT can download and execute files.[207][208][209]
S0648 JSS Loader JSS Loader has the ability to download malicious executables to a compromised host.[210]
S0215 KARAE KARAE can upload and download files, including second-stage malware.[23]
S0088 Kasidet Kasidet has the ability to download and execute additional files.[211]
S0265 Kazuar Kazuar downloads additional plug-ins to load on the victim\u2019s machine, including the ability to upgrade and replace its own binary.[212]
G0004 Ke3chang Ke3chang has used tools to download files to compromised machines.[213]
S0585 Kerrdown Kerrdown can download specific payloads to a compromised host based on OS architecture.[214]
S0487 Kessel Kessel can download additional modules from the C2 server.[66]
S0387 KeyBoy KeyBoy has a download and upload functionality.[215][216]
S0271 KEYMARBLE KEYMARBLE can upload files to the victim\u2019s machine and can download additional payloads.[217]
S0526 KGH_SPY KGH_SPY has the ability to download and execute code from remote servers.[111]
G0094 Kimsuky Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.[31][218]
S0599 Kinsing Kinsing has downloaded additional lateral movement scripts from C2.[219]
S0437 Kivars Kivars has the ability to download and execute files.[220]
S0250 Koadic Koadic can download additional files and tools.[221][222]
S0669 KOCTOPUS KOCTOPUS has executed a PowerShell command to download a file to the system.[222]
S0356 KONNI KONNI can download files and execute them on the victim\u2019s machine.[223][224]
S0236 Kwampirs Kwampirs downloads additional files from C2 servers.[225]
G0032 Lazarus Group Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.[226][227][228][110][115][130][229][230][231][232][233][234][235]
G0140 LazyScripter LazyScripter had downloaded additional tools to a compromised host.[222]
G0065 Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers.[236][90]
S0395 LightNeuron LightNeuron has the ability to download and execute additional files.[237]
S0211 Linfo Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[238]
S0513 LiteDuke LiteDuke has the ability to download files.[239]
S0680 LitePower LitePower has the ability to download payloads containing system commands to a compromised host.[240]
S0681 Lizar Lizar can download additional plugins, files, and tools.[241]
S0447 Lokibot Lokibot downloaded several staged items onto the victim's machine.[242]
S0451 LoudMiner LoudMiner used SCP to update the miner from the C2.[243]
S0042 LOWBALL LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[244]
S0532 Lucifer Lucifer can download and execute a replica of itself using certutil.[245]
S0409 Machete Machete can download additional files for execution on the victim\u2019s machine.[246]
G0059 Magic Hound Magic Hound has downloaded additional code and files from servers onto victims.[247]
S0652 MarkiRAT MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.[248]
S0500 MCMD MCMD can upload additional files to a compromised host.[249]
S0459 MechaFlounder MechaFlounder has the ability to upload and download files to and from a compromised host.[250]
S0530 Melcoz Melcoz has the ability to download additional files to a compromised host.[37]
G0045 menuPass menuPass has installed updates and new malware on victims.[251][252]
S0455 Metamorfo Metamorfo has used MSI files to download additional files to execute.[253][254][255][256]
S0688 Meteor Meteor has the ability to download additional files for execution on the victim's machine.[257]
S0339 Micropsia Micropsia can download and execute an executable from the C2 server.[258][259]
S0051 MiniDuke MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[260][239]
S0083 Misdat Misdat is capable of downloading files from the C2.[261]
S0080 Mivast Mivast has the capability to download and execute .exe files.[262]
S0079 MobileOrder MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[74]
S0553 MoleNet MoleNet can download additional payloads from the C2.[131]
G0021 Molerats Molerats used executables to download malicious files from different sources.[263][264]
S0284 More_eggs More_eggs can download and launch additional payloads.[265][266]
S0256 Mosquito Mosquito can upload and download files to the victim.[267]
G0069 MuddyWater MuddyWater has used malware that can upload additional files to the victim\u2019s machine.[268][269][270][271]
G0129 Mustang Panda Mustang Panda has downloaded additional executables following the initial infection stage.[272]
S0228 NanHaiShu NanHaiShu can download additional files from URLs.[236]
S0336 NanoCore NanoCore has the capability to download and activate additional modules for execution.[273][274]
S0247 NavRAT NavRAT can download files remotely.[275]
S0272 NDiskMonitor NDiskMonitor can download and execute a file from given URL.[50]
S0630 Nebulae Nebulae can download files from C2.[276]
S0691 Neoichor Neoichor can download additional files onto a compromised host.[213]
S0210 Nerex Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[140]
S0457 Netwalker Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[277]
S0198 NETWIRE NETWIRE can downloaded payloads from C2 to the compromised host.[278][279]
S0118 Nidiran Nidiran can download and execute files.[280]
S0385 njRAT njRAT can download files to the victim\u2019s machine.[281][282]
S0353 NOKKI NOKKI has downloaded a remote module for execution.[283]
G0133 Nomadic Octopus Nomadic Octopus has used malicious macros to download additional files to the victim's machine.[284]
S0340 Octopus Octopus can download additional files and tools onto the victim\u2019s machine.[285][286][284]
G0049 OilRig OilRig can download remote files onto victims.[287]
S0439 Okrum Okrum has built-in commands for uploading, downloading, and executing files to the system.[288]
S0264 OopsIE OopsIE can download files from its C2 server to the victim's machine.[289][290]
G0116 Operation Wocao Operation Wocao can download additional files to the infected system.[291]
S0229 Orz Orz can download files onto the victim.[236]
S0402 OSX/Shlayer OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the curl -fsL \"$url\" >$tmp_path command to download malicious payloads into a temporary directory.[292][293][294][295]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a command to download and execute a file on the victim\u2019s machine.[296][297]
S0598 P.A.S. Webshell P.A.S. Webshell can upload and download files to and from compromised hosts.[149]
S0626 P8RAT P8RAT can download additional payloads to a target system.[137]
S0664 Pandora Pandora can load additional drivers and files onto a victim machine.[298]
S0208 Pasam Pasam creates a backdoor through which remote attackers can upload files.[299]
G0040 Patchwork Patchwork payloads download additional files from the C2 server.[300][50]
S0587 Penquin Penquin can execute the command code do_download to retrieve remote files from C2.[301]
S0643 Peppy Peppy can download and execute remote files.[108]
S0501 PipeMon PipeMon can install additional modules via C2 commands.[302]
S0124 Pisloader Pisloader has a command to upload a file to the victim machine.[303]
S0254 PLAINTEE PLAINTEE has downloaded and executed additional plugins.[120]
G0068 PLATINUM PLATINUM has transferred files using the Intel\u00ae Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[304]
S0435 PLEAD PLEAD has the ability to upload and download files to and from an infected host.[305]
S0013 PlugX PlugX has a module to download and execute files on the compromised machine.[306][307]
S0428 PoetRAT PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.[308][309]
S0012 PoisonIvy PoisonIvy creates a backdoor through which remote attackers can upload files.[310]
S0518 PolyglotDuke PolyglotDuke can retrieve payloads from the C2 server.[239]
S0453 Pony Pony can download additional files onto the infected system.[311]
S0150 POSHSPY POSHSPY downloads and executes additional PowerShell code and Windows binaries.[312]
S0139 PowerDuke PowerDuke has a command to download a file.[313]
S0685 PowerPunch PowerPunch can download payloads from adversary infrastructure.[168]
S0145 POWERSOURCE POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[314]
S0223 POWERSTATS POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[315]
S0184 POWRUNER POWRUNER can download or upload files from its C2 server.[287]
S0078 Psylo Psylo has a command to download a file to the system from its C2 server.[74]
S0147 Pteranodon Pteranodon can download and execute additional files.[165][316][317]
S0196 PUNCHBUGGY PUNCHBUGGY can download additional files and payloads to compromised hosts.[318][319]
S0192 Pupy Pupy can upload and download to/from a victim machine.[320]
S0650 QakBot QakBot has the ability to download additional components and malware.[321][322][323][324][325][326]
S0262 QuasarRAT QuasarRAT can download files to the victim\u2019s machine and execute them.[327][328]
S0686 QuietSieve QuietSieve can download and execute payloads on a target host.[168]
S0629 RainyDay RainyDay can download files to a compromised host.[276]
G0075 Rancor Rancor has downloaded additional malware, including by using certutil.[120]
S0055 RARSTONE RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[329]
S0241 RATANKBA RATANKBA uploads and downloads information.[330][331]
S0662 RCSession RCSession has the ability to drop additional files to an infected machine.[332]
S0495 RDAT RDAT can download files via DNS.[333]
S0153 RedLeaves RedLeaves is capable of downloading a file from a specified URL.[334]
S0511 RegDuke RegDuke can download files from C2.[239]
S0332 Remcos Remcos can upload and download files to and from the victim\u2019s machine.[335]
S0166 RemoteCMD RemoteCMD copies a file over to the remote system before execution.[336]
S0592 RemoteUtilities RemoteUtilities can upload and download files to and from a target machine.[271]
S0125 Remsec Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[337][338]
S0379 Revenge RAT Revenge RAT has the ability to upload and download files.[339]
S0496 REvil REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[340][341][342]
S0258 RGDoor RGDoor uploads and downloads files to and from the victim\u2019s machine.[343]
G0106 Rocke Rocke used malware to download additional malicious files to the target system.[344]
S0270 RogueRobin RogueRobin can save a new file to the system from the C2 server.[345][346]
S0240 ROKRAT ROKRAT can retrieve additional malicious payloads from its C2 server.[347][348][26][349]
S0148 RTM RTM can download additional files.[350][351]
S0074 Sakula Sakula has the capability to download files.[352]
G0034 Sandworm Team Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.[353][354]
S0461 SDBbot SDBbot has the ability to download a DLL from C2 to a compromised host.[355]
S0053 SeaDuke SeaDuke is capable of uploading and downloading files.[356]
S0345 Seasalt Seasalt has a command to download additional files.[59][59]
S0185 SEASHARPEE SEASHARPEE can download remote files onto victims.[357]
S0382 ServHelper ServHelper may download additional files to execute.[358][359]
S0639 Seth-Locker Seth-Locker has the ability to download and execute files on a compromised host.[360]
S0596 ShadowPad ShadowPad has downloaded code from a C2 server.[361]
S0140 Shamoon Shamoon can download an executable to run on the victim.[362]
G0104 Sharpshooter Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[363]
S0546 SharpStage SharpStage has the ability to download and execute additional payloads via a DropBox API.[131][132]
S0450 SHARPSTATS SHARPSTATS has the ability to upload and download files.[364]
S0444 ShimRat ShimRat can download additional files.[365]
S0445 ShimRatReporter ShimRatReporter had the ability to download additional payloads.[365]
S0217 SHUTTERSPEED SHUTTERSPEED can download and execute an arbitary executable.[23]
S0589 Sibot Sibot can download and execute a payload onto a compromised system.[175]
S0610 SideTwist SideTwist has the ability to download additional files.[366]
G0121 Sidewinder Sidewinder has used LNK files to download remote files to the victim's network.[367][368]
G0091 Silence Silence has downloaded additional modules and malware to victim\u2019s machines.[369]
S0692 SILENTTRINITY SILENTTRINITY can load additional files and tools, including Mimikatz.[370]
S0468 Skidmap Skidmap has the ability to download files on an infected host.[371]
S0633 Sliver Sliver can upload files from the C2 server to the victim machine using the upload command.[372]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has downloaded files onto a victim machine.[373]
S0218 SLOWDRIFT SLOWDRIFT downloads additional payloads.[23]
S0226 Smoke Loader Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[374]
S0649 SMOKEDHAM SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.[375]
S0627 SodaMaster SodaMaster has the ability to download additional payloads from C2 to the targeted system.[137]
S0615 SombRAT SombRAT has the ability to download and execute additional payloads.[107][121][376]
S0516 SoreFang SoreFang can download additional payloads from C2.[377][378]
S0374 SpeakUp SpeakUp downloads and executes additional files from a remote server. [379]
S0646 SpicyOmelette SpicyOmelette can download malicious files from threat actor controlled AWS URL's.[380]
S0390 SQLRat SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[381]
S0380 StoneDrill StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.[382]
S0491 StrongPity StrongPity can download files to specified targets.[383]
S0559 SUNBURST SUNBURST delivered different payloads, including TEARDROP in at least one instance.[18]
S0663 SysUpdate SysUpdate has the ability to download files to a compromised host.[298]
G0092 TA505 TA505 has downloaded additional malware to execute on victim systems.[384][359][385]
G0127 TA551 TA551 has retrieved DLLs and installer binaries for malware execution from C2.[386]
S0011 Taidoor Taidoor has downloaded additional files onto a compromised host.[387]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can download additional modules from its C2 server.[388]
S0164 TDTESS TDTESS has a command to download and execute an additional file.[389]
G0139 TeamTNT TeamTNT has the curl command and batch scripts to download new tools.[390]
S0595 ThiefQuest ThiefQuest can download and execute payloads in-memory or from disk.[391]
G0027 Threat Group-3390 Threat Group-3390 has downloaded additional malware and tools, including through the use of certutil, onto a compromised host .[192][392]
S0665 ThreatNeedle ThreatNeedle can download additional tools to enable lateral movement.[229]
S0668 TinyTurla TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.[393]
S0671 Tomiris Tomiris can download files and execute them on a victim's system.[394]
G0131 Tonto Team Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.[395]
S0266 TrickBot TrickBot downloads several additional files and saves them to the victim's machine.[396][397]
S0094 Trojan.Karagany Trojan.Karagany can upload, download, and execute files on the victim.[398][399]
G0081 Tropic Trooper Tropic Trooper has used a delivered trojan to download additional files.[400]
S0436 TSCookie TSCookie has the ability to upload and download files to and from the infected host.[401]
S0647 Turian Turian can download additional files and tools from its C2.[46]
G0010 Turla Turla has used shellcode to download Meterpreter after compromising a victim.[402]
S0199 TURNEDUP TURNEDUP is capable of downloading additional files.[403]
S0263 TYPEFRAME TYPEFRAME can upload and download files to the victim\u2019s machine.[404]
S0333 UBoatRAT UBoatRAT can upload and download files to the victim\u2019s machine.[405]
G0118 UNC2452 UNC2452 downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to the compromised host following initial compromise.[18]
S0130 Unknown Logger Unknown Logger is capable of downloading remote files.[48]
S0275 UPPERCUT UPPERCUT can download and upload files to and from the victim\u2019s machine.[406]
S0386 Ursnif Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[407][408]
S0476 Valak Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[409][410]
S0636 VaporRage VaporRage has the ability to download malicious shellcode to compromised systems.[68]
S0207 Vasport Vasport can download files.[411]
S0442 VBShower VBShower has the ability to download VBS files to the target computer.[412]
S0257 VERMIN VERMIN can download and upload files to the victim's machine.[413]
G0123 Volatile Cedar Volatile Cedar can deploy additional tools.[81]
S0180 Volgmer Volgmer can download remote files and additional payloads to the victim's machine.[414][415][416]
S0670 WarzoneRAT WarzoneRAT can download and execute additional files.[417]
S0579 Waterbear Waterbear can receive and load executables from remote C2 servers.[418]
S0109 WEBC2 WEBC2 can download and execute a file.[419]
S0515 WellMail WellMail can receive data and executable scripts from C2.[420]
S0514 WellMess WellMess can write files to a compromised host.[421][422]
S0689 WhisperGate WhisperGate can download additional stages of malware from a Discord CDN channel.[423][424][425][426]
G0107 Whitefly Whitefly has the ability to download additional tools from the C2.[427]
S0206 Wiarp Wiarp creates a backdoor through which remote attackers can download files.[428]
G0112 Windshift Windshift has used tools to deploy additional payloads to compromised hosts.[429]
S0430 Winnti for Linux Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. [430]
S0141 Winnti for Windows The Winnti for Windows dropper can place malicious payloads on targeted systems.[431]
G0044 Winnti Group Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.[432]
G0090 WIRTE WIRTE has downloaded PowerShell code from the C2 server to be executed.[433]
S0341 Xbash Xbash can download additional malicious files from its C2 server.[434]
S0653 xCaon xCaon has a command to download files to the victim's machine.[69]
S0658 XCSSET XCSSET downloads browser specific AppleScript modules using a constructed URL with the curl command, https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript.[435]
S0388 YAHOYAH YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[436]
S0251 Zebrocy Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[437][75][438][15]
S0230 ZeroT ZeroT can download additional payloads onto the victim.[439]
S0330 Zeus Panda Zeus Panda can download additional malware plug-in modules and execute them on the victim\u2019s machine.[440]
G0128 ZIRCONIUM ZIRCONIUM has used tools to download malicious files to compromised hosts.[441]
S0086 ZLib ZLib has the ability to download files.[261]
S0672 Zox Zox can download files to a compromised machine.[188]
S0412 ZxShell ZxShell has a command to transfer files from a remote host.[442]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[443]

Detection

Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as ftp, that does not normally occur may also be suspicious.

\n

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows netsh interface portproxy modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[443]

References

1. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.

2. LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.

3. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

4. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.

5. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.

6. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.

7. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.

8. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

9. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.

10. AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.

11. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

12. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.

13. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

14. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

15. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

16. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.

17. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.

18. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

19. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.

20. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.

21. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

22. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.

23. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

24. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.

25. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

26. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

27. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.

28. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.

29. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

30. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.

31. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

32. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.

33. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.

34. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

35. Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

36. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

37. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

38. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

39. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.

40. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

41. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

42. Lim, M.. (2019, April 26). BabyShark Malware Part Two \u2013 Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.

43. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

44. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

45. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.

46. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

47. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

48. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

49. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.

50. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

51. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.

52. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

53. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

54. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

55. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

56. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

57. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.

58. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

59. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

60. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

61. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

62. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

63. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.

64. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.

65. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

66. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

67. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.

68. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

69. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

70. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.

71. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

72. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.

73. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.

74. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

75. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

76. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

77. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.

78. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

79. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.

80. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.

81. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

82. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.

83. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.

84. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

85. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

86. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.

87. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C; Servers Using Cookie Headers. Retrieved March 1, 2017.

88. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

89. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.

90. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

91. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.

92. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.

93. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.

94. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

95. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

96. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.

97. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.

98. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.

99. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

100. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

101. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.

102. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.

103. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.

104. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

105. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020.

106. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

107. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

108. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

109. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

110. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple\u2019s macOS Platform. Retrieved August 7, 2020.

111. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

112. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

113. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

114. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.

115. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus\u2019 Multi-Platform Attack Capability. Retrieved August 10, 2020.

116. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.

117. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

118. Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.

119. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.

120. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

121. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.

122. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

123. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

124. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

125. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

126. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.

127. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.

128. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.

129. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

130. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

131. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

132. Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.

133. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.

134. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.

135. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

136. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.

137. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

138. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.

139. Bichet, J. (2020, November 12). Egregor \u2013 Prolock: Fraternal Twins ?. Retrieved January 6, 2021.

140. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.

141. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. Retrieved November 14, 2018.

142. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

143. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

144. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.

145. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

146. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

147. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

148. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.

149. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.

150. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

151. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

152. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

153. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

154. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.

155. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.

156. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.

157. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.

158. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

159. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

160. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.

161. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

162. Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.

163. N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.

164. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

165. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

166. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.

167. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.

168. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.

169. ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.

170. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

171. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.

172. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

173. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

174. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.

175. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

176. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

177. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

178. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

179. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

180. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

181. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.

182. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities \u2013 part 2. Retrieved September 26, 2016.

183. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.

184. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.

185. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

186. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.

187. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.

188. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.

189. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

190. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

191. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

192. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.

193. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.

194. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

195. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.

196. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

197. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.

198. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.

199. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.

200. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.

201. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

202. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

203. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

204. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

205. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.

206. Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.

207. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.

208. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

209. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.

210. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.

211. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.

212. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

213. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

214. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus\u2019 new Downloader, KerrDown. Retrieved October 1, 2021.

215. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

216. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.

217. US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

218. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

219. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.

220. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.

221. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.

222. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

223. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

224. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

225. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.

226. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

227. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

228. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

229. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

230. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.

231. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

232. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.

233. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

234. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.

235. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.

236. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

237. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

238. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.

239. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

240. Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.

241. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

242. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

243. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

244. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

245. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

246. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

247. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

248. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

249. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.

250. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

251. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.

252. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.

253. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

254. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.

255. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

256. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

257. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.

258. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.

259. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.

260. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.

261. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

262. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.

263. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

264. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

265. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

266. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

267. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

268. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

269. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.

270. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.

271. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

272. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP \u2018REDDELTA\u2019 TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.

273. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.

274. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.

275. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.

276. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

277. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.

278. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.

279. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

280. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.

281. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

282. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

283. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

284. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.

285. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

286. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.

287. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

288. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

289. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

290. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.

291. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

292. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.

293. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.

294. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

295. Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021.

296. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.

297. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.

298. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

299. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.

300. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant \u2013 aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.

301. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.

302. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

303. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

304. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.

305. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.

306. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

307. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

308. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

309. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.

310. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.

311. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

312. Dunwoody, M.. (2017, April 3). Dissecting One of APT29\u2019s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.

313. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

314. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.

315. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

316. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.

317. Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.

318. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

319. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

320. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

321. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.

322. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

323. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.

324. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.

325. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

326. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

327. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

328. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

329. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.

330. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.

331. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

332. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

333. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

334. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

335. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.

336. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

337. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.

338. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

339. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

340. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.

341. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.

342. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.

343. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

344. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.

345. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

346. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.

347. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

348. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.

349. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

350. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

351. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.

352. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.

353. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

354. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

355. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

356. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

357. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.

358. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

359. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.

360. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.

361. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.

362. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

363. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

364. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

365. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

366. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

367. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

368. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.

369. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.

370. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

371. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.

372. BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.

373. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

374. Hasherezade. (2016, September 12). Smoke Loader \u2013 downloader with a smokescreen still alive. Retrieved March 20, 2018.

375. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

376. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

377. CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.

378. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.

379. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

380. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

381. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.

382. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.

383. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.

384. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.

385. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.

386. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.

387. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.

388. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

389. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.

390. Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.

391. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.

392. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

393. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

394. Kwiatkoswki, I and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.

395. Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.

396. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.

397. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot\u2019s Ever-Improving VNC Module. Retrieved September 28, 2021.

398. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

399. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

400. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

401. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

402. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.

403. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

404. US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

405. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

406. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

407. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.

408. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.

409. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.

410. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

411. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.

412. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

413. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

414. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA \u2013 North Korean Trojan: Volgmer. Retrieved December 7, 2017.

415. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

416. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.

417. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

418. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.

419. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

420. CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.

421. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

422. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

423. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.

424. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.

425. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.

426. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.

427. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.

428. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.

429. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

430. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.

431. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

432. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.

433. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.

434. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.

435. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

436. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.

437. Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.

438. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

439. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

440. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

441. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

442. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.

443. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.


Original source: T1105 - Ingress Tool Transfer
", "external_references": [ { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" }, { "source_name": "mitre-attack (T1105)", "url": "https://attack.mitre.org/techniques/T1105" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a15b1e81-77cb-4287-8c32-b8eade6f47ce", "created": "2022-11-08T14:37:13.676407Z", "modified": "2022-11-08T14:37:13.676407Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896", "created": "2021-05-26T15:19:49.64524Z", "modified": "2022-05-30T23:30:44.920902Z", "name": "T1012 - Query Registry", "description": "

T1012 - Query Registry

Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.

\n

The Registry contains a significant amount of information about the operating system, configuration, software, and security.[1] Information can easily be queried using the Reg utility, though other means to access the Registry exist. Some of the information may help adversaries to further their operation within a network. Adversaries may use the information from Query Registry during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL can enumerate registry keys.[2][3]
G0050 APT32 APT32's backdoor can query the Windows Registry to gather system information. [4]
G0087 APT39 APT39 has used various strains of malware to query the Registry.[5]
S0438 Attor Attor has opened the registry and performed query searches.[6]
S0344 Azorult Azorult can check for installed software on the system under the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall.[7]
S0414 BabyShark BabyShark has executed the reg query command for HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default.[8]
S0031 BACKSPACE BACKSPACE is capable of enumerating and making modifications to an infected system's Registry.[9]
S0239 Bankshot Bankshot searches for certain Registry keys to be configured before executing the payload.[10]
S0534 Bazar Bazar can query Windows\\CurrentVersion\\Uninstall for installed applications.[11][12]
S0574 BendyBear BendyBear can query the host's Registry key at HKEY_CURRENT_USER\\Console\\QuickEdit to retrieve data.[13]
S0268 Bisonal Bisonal has used the RegQueryValueExA function to retrieve proxy information in the Registry.[14]
S0570 BitPaymer BitPaymer can use the RegEnumKeyW to iterate through Registry keys.[15]
S0252 Brave Prince Brave Prince gathers information about the Registry.[16]
S0030 Carbanak Carbanak checks the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings for proxy configurations information.[17]
S0484 Carberp Carberp has searched the Image File Execution Options registry key for \"Debugger\" within every subkey.[18]
S0335 Carbon Carbon enumerates values in the Registry.[19]
S0348 Cardinal RAT Cardinal RAT contains watchdog functionality that periodically ensures HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load is set to point to its executable.[20]
S0674 CharmPower CharmPower has the ability to enumerate Uninstall registry values.[21]
G0114 Chimera Chimera has queried Registry keys using reg query \\\\HKU\\\\SOFTWARE\\Microsoft\\Terminal Server Client\\Servers and reg query \\\\HKU\\\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.[22]
S0023 CHOPSTICK CHOPSTICK provides access to the Windows Registry, which can be used to gather information.[23]
S0660 Clambling Clambling has the ability to enumerate Registry keys, including KEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\\strDataDir to search for a bitcoin wallet.[24][25]
S0154 Cobalt Strike Cobalt Strike can query HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\\Excel\\Security\\AccessVBOM\\ to determine if the security setting for restricting default programmatic access is enabled.[26][27]
S0126 ComRAT ComRAT can check the default browser by querying HKCR\\http\\shell\\open\\command.[28]
S0115 Crimson Crimson can check the Registry for the presence of HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\last_edate to determine how long it has been installed on a host.[29]
S0673 DarkWatchman DarkWatchman can query the Registry to determine if it has already been installed on the system.[30]
S0354 Denis Denis queries the Registry for keys and values.[31]
S0021 Derusbi Derusbi is capable of enumerating Registry keys and values.[32]
S0186 DownPaper DownPaper searches and reads the value of the Windows Update Registry Run key.[33]
G0035 Dragonfly Dragonfly has queried the Registry to identify victim information.[34]
S0567 Dtrack Dtrack can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values.[35]
S0091 Epic Epic uses the rem reg query command to obtain values from Registry keys.[36]
S0512 FatDuke FatDuke can get user agent strings for the default browser from HKCU\\Software\\Classes\\http\\shell\\open\\command.[37]
S0267 FELIXROOT FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[38][39]
S0182 FinFisher FinFisher queries Registry values as part of its anti-sandbox checks.[40][41]
G0117 Fox Kitten Fox Kitten has accessed Registry hives ntuser.dat and UserClass.dat.[42]
S0032 gh0st RAT gh0st RAT has checked for the existence of a Service key to determine if it has already been installed on the system.[43]
S0249 Gold Dragon Gold Dragon enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.[16]
S0376 HOPLIGHT A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\\CurrentControlSet\\Control\\Lsa Name.[44]
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys.[45][46]
S0604 Industroyer Industroyer has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services.[47]
S0260 InvisiMole InvisiMole can enumerate Registry values, keys, and data.[48]
S0201 JPIN JPIN can enumerate Registry keys.[49]
G0094 Kimsuky Kimsuky has obtained specific Registry keys and values on a compromised host.[50]
G0032 Lazarus Group Lazarus Group malware IndiaIndia checks Registry keys within HKCU and HKLM to determine if certain applications are present, including SecureCRT, Terminal Services, RealVNC, TightVNC, UltraVNC, Radmin, mRemote, TeamViewer, FileZilla, pcAnyware, and Remote Desktop. Another Lazarus Group malware sample checks for the presence of the following Registry key:HKEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt.[51][52][53]
S0513 LiteDuke LiteDuke can query the Registry to check for the presence of HKCU\\Software\\KasperskyLab.[37]
S0680 LitePower LitePower can query the Registry for keys added to execute COM hijacking.[54]
S0532 Lucifer Lucifer can check for existing stratum cryptomining information in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr \u2013 %stratum info%.[55]
S0385 njRAT njRAT can read specific registry values.[56]
G0049 OilRig OilRig has used reg query \u201cHKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default\u201d on a victim to query the Registry.[57]
G0116 Operation Wocao Operation Wocao has queried the registry to detect recent PuTTY sessions.[58]
S0165 OSInfo OSInfo queries the registry to look for information about Terminal Services.[59]
S0517 Pillowmint Pillowmint has used shellcode which reads code stored in the registry keys \\REGISTRY\\SOFTWARE\\Microsoft\\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces as part of its C2.[60]
S0013 PlugX PlugX can enumerate and query for information contained within the Windows Registry.[61][62]
S0145 POWERSOURCE POWERSOURCE queries Registry keys in preparation for setting Run keys to achieve persistence.[63]
S0194 PowerSploit PowerSploit contains a collection of Privesc-PowerUp modules that can query Registry keys for potential opportunities.[64][65]
S0184 POWRUNER POWRUNER may query the Registry by running reg query on a victim.[66]
S0238 Proxysvc Proxysvc gathers product names from the Registry key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName and the processor description from the Registry key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString.[67]
S0269 QUADAGENT QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.[68]
S0241 RATANKBA RATANKBA uses the command reg query \u201cHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings\u201d.[69]
S0172 Reaver Reaver queries the Registry to determine the correct Startup path to use for persistence.[70]
S0075 Reg Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface.[71]
S0496 REvil REvil can query the Registry to get random file extensions to append to encrypted files.[72]
S0240 ROKRAT ROKRAT can access the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type.[73]
S0140 Shamoon Shamoon queries several Registry keys to identify hard disk partitions to overwrite.[74]
S0589 Sibot Sibot has queried the registry for proxy server information.[75]
S0692 SILENTTRINITY SILENTTRINITY can use the GetRegValue function to check Registry keys within HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated and HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer\\AlwaysInstallElevated. It also contains additional modules that can check software AutoRun values and use the Win32 namespace to get values from HKCU, HKLM, HKCR, and HKCC hives.[76]
S0627 SodaMaster SodaMaster has the ability to query the Registry to detect a key specific to VMware.[77]
G0038 Stealth Falcon Stealth Falcon malware attempts to determine the installed version of .NET by querying the Registry.[78]
S0380 StoneDrill StoneDrill has looked in the registry to find the default browser path.[79]
S0603 Stuxnet Stuxnet searches the Registry for indicators of security programs.[80]
S0559 SUNBURST SUNBURST collected the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid from compromised hosts.[81]
S0242 SynAck SynAck enumerates Registry keys associated with event logs.[82]
S0011 Taidoor Taidoor can query the Registry on compromised hosts using RegQueryValueExA.[83]
S0560 TEARDROP TEARDROP checked that HKU\\SOFTWARE\\Microsoft\\CTF existed before decoding its embedded payload.[81][84]
G0027 Threat Group-3390 A Threat Group-3390 tool can read and decrypt stored Registry values.[85]
S0668 TinyTurla TinyTurla can query the Registry for its configuration information.[86]
G0010 Turla Turla surveys a system upon check-in to discover information in the Windows Registry with the reg query command.[36] Turla has also retrieved PowerShell payloads hidden in Registry keys as well as checking keys associated with null session named pipes .[87]
S0386 Ursnif Ursnif has used Reg to query the Registry for installed programs.[88][89]
S0476 Valak Valak can use the Registry for code updates and to collect credentials.[90]
S0180 Volgmer Volgmer checks the system for certain Registry keys.[91]
S0612 WastedLocker WastedLocker checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces.[92]
S0579 Waterbear Waterbear can query the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\" to see if the value OracleOcilib exists.[93]
S0155 WINDSHIELD WINDSHIELD can gather Registry values.[94]
S0251 Zebrocy Zebrocy executes the reg query command to obtain information in the Registry.[95]
S0330 Zeus Panda Zeus Panda checks for the existence of a Registry key and if it contains certain values.[96]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to query the Registry for proxy settings.[97]
S0412 ZxShell ZxShell can query the netsvc group value data located in the svchost group Registry key.[98]

Mitigations

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information within the Registry, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

\n

Interaction with the Windows Registry may come from the command line using utilities such as Reg or through running malware that may interact with the Registry through an API. Command-line invocation of utilities used to query the Registry may be detected through process and command-line monitoring. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

1. Wikipedia. (n.d.). Windows Registry. Retrieved February 2, 2015.

2. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

3. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

4. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

5. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

6. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

7. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

8. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

9. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

10. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

11. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

12. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

13. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

14. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

15. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.

16. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

17. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.

18. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

19. ESET. (2017, March 30). Carbon Paper: Peering into Turla\u2019s second stage backdoor. Retrieved November 7, 2018.

20. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

21. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

22. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

23. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

24. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

25. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

26. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

27. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

28. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

29. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

30. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

31. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

32. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

33. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

34. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

35. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

36. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

37. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

38. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

39. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

40. FinFisher. (n.d.). Retrieved December 20, 2017.

41. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.

42. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.

43. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

44. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

45. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.

46. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

47. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.

48. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

49. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

50. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

51. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

52. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

53. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

54. Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.

55. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

56. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

57. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

58. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

59. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

60. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.

61. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.

62. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

63. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.

64. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.

65. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.

66. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

67. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

68. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

69. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

70. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

71. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.

72. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

73. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

74. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

75. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

76. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

77. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

78. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

79. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.

80. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

81. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

82. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.

83. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

84. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

85. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda \u2013 A potential new malicious tool. Retrieved June 25, 2018.

86. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

87. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

88. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.

89. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.

90. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.

91. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

92. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.

93. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.

94. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

95. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

96. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

97. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

98. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.


Original source: T1012 - Query Registry
", "external_references": [ { "source_name": "Wikipedia Windows Registry", "url": "https://en.wikipedia.org/wiki/Windows_Registry" }, { "source_name": "capec (CAPEC-647)", "url": "https://capec.mitre.org/data/definitions/647.html" }, { "source_name": "mitre-attack (T1012)", "url": "https://attack.mitre.org/techniques/T1012" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5281e53-ce48-404e-a25c-02aa9b9b5d39", "created": "2022-11-08T14:37:13.682057Z", "modified": "2022-11-08T14:37:13.682057Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--c32f7008-9fea-41f7-8366-5eb9b74bd896" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41", "created": "2021-05-26T15:20:40.457472Z", "modified": "2022-05-30T23:31:00.4505Z", "name": "T1573.001 - Encrypted Channel: Symmetric Cryptography", "description": "

T1573.001 - Encrypted Channel: Symmetric Cryptography

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

Other sub-techniques of User Execution (2)

ID Name
T1573.001 Symmetric Cryptography
T1573.002 Asymmetric Cryptography

Procedure Examples

ID Name Description
S0066 3PARA RAT 3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails[1]
S0065 4H RAT 4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.[1]
S0045 ADVSTORESHELL A variant of ADVSTORESHELL encrypts some C2 with 3DES.[2]
G0007 APT28 APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.[3]
G0064 APT33 APT33 has used AES for encryption of command and control traffic.[4]
S0438 Attor Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.[5]
S0344 Azorult Azorult can encrypt C2 traffic using XOR.[6][7]
S0245 BADCALL BADCALL encrypts C2 traffic using an XOR/ADD cipher.[8]
S0128 BADNEWS BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.[9][10]
S0234 Bandook Bandook has used AES encryption for C2 communication.[11]
S0534 Bazar Bazar can send C2 communications with XOR encryption.[12]
S0127 BBSRAT BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.[13]
S0574 BendyBear BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.[14]
S0268 Bisonal Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.[15][16][17]
S0520 BLINDINGCAN BLINDINGCAN has encrypted its C2 traffic with RC4.[18]
S0486 Bonadan Bonadan can XOR-encrypt C2 communications.[19]
G0060 BRONZE BUTLER BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.[20]
S0077 CallMe CallMe uses AES to encrypt C2 traffic.[21]
S0030 Carbanak Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.[22][23]
S0348 Cardinal RAT Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.[24]
S0220 Chaos Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.[25]
S0674 CharmPower CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.[26]
S0144 ChChes ChChes can encrypt C2 traffic with AES or RC4.[27][28]
S0023 CHOPSTICK CHOPSTICK encrypts C2 communications with RC4.[29]
S0154 Cobalt Strike Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.[30]
S0244 Comnie Comnie encrypts command and control communications with RC4.[31]
S0137 CORESHELL CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.[32]
S0050 CosmicDuke CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.[33]
G0012 Darkhotel Darkhotel has used AES-256 and 3DES for C2 communications.[34]
S0187 Daserf Daserf uses RC4 encryption to obfuscate HTTP traffic.[20]
S0021 Derusbi Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.[35]
S0200 Dipsind Dipsind encrypts C2 data with AES256 in ECB mode.[36]
S0472 down_new down_new has the ability to AES encrypt C2 communications.[37]
S0134 Downdelph Downdelph uses RC4 to encrypt C2 responses.[38]
S0384 Dridex Dridex has encrypted traffic with RC4.[39]
S0038 Duqu The Duqu command and control protocol's data stream can be encrypted with AES-CBC.[40]
S0377 Ebury Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.[41]
S0081 Elise Elise encrypts exfiltrated data with RC4.[42]
S0082 Emissary The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.[43]
S0091 Epic Epic encrypts commands from the C2 server using a hardcoded key.[44]
S0569 Explosive Explosive has encrypted communications with the RC4 method.[45]
S0076 FakeM The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of \u201cYHCRA\u201d and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.[21]
S0181 FALLCHILL FALLCHILL encrypts C2 data with RC4 encryption.[46][47]
S0512 FatDuke FatDuke can AES encrypt C2 communications.[48]
S0171 Felismus Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.[49]
S0381 FlawedAmmyy FlawedAmmyy has used SEAL encryption during the initial C2 handshake.[50]
S0661 FoggyWeb FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.[51]
G0101 Frankenstein Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.[52]
S0168 Gazer Gazer uses custom encryption for C2 that uses 3DES.[53][54]
S0032 gh0st RAT gh0st RAT uses RC4 and XOR to encrypt C2 traffic.[55]
S0342 GreyEnergy GreyEnergy encrypts communications using AES256.[56]
S0632 GrimAgent GrimAgent can use an AES key to encrypt C2 communications.[57]
S0132 H1N1 H1N1 encrypts C2 traffic using an RC4 key.[58]
S0037 HAMMERTOSS Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.[59]
S0170 Helminth Helminth encrypts data sent to its C2 server over HTTP with RC4.[60]
S0087 Hi-Zor Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.[61]
S0394 HiddenWasp HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.[62]
G0126 Higaisa Higaisa used AES-128 to encrypt C2 traffic.[63]
S0009 Hikit Hikit performs XOR encryption.[64]
S0431 HotCroissant HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[65][66]
S0068 httpclient httpclient encrypts C2 content with XOR using a single byte, 0x12.[1]
S0203 Hydraq Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.[67]
S0537 HyperStack HyperStack has used RSA encryption for C2 communications.[68]
G0100 Inception Inception has encrypted network communications with AES.[69]
S0260 InvisiMole InvisiMole uses variations of a simple XOR encryption routine for C&C communications.[70]
S0271 KEYMARBLE KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.[71]
S0641 Kobalos Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.[72][73]
S0162 Komplex The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.[74]
S0356 KONNI KONNI has used AES to encrypt C2 traffic.[75]
G0032 Lazarus Group Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.[76][77][78][79][80]
S0395 LightNeuron LightNeuron uses AES to encrypt C2 traffic.[81]
S0582 LookBack LookBack uses a modified version of RC4 for data transfer.[82]
S0532 Lucifer Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.[83]
S0010 Lurid Lurid performs XOR encryption.[84]
S0409 Machete Machete has used AES to exfiltrate documents.[85]
S0455 Metamorfo Metamorfo has encrypted C2 commands with AES-256.[86]
S0149 MoonWind MoonWind encrypts C2 traffic using RC4 with a static key.[87]
S0284 More_eggs More_eggs has used an RC4-based encryption method for its C2 communications.[88]
S0256 Mosquito Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.[89]
G0129 Mustang Panda Mustang Panda has encrypted C2 communications with RC4.[90]
S0336 NanoCore NanoCore uses DES to encrypt the C2 traffic.[91]
S0272 NDiskMonitor NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.[10]
S0630 Nebulae Nebulae can use RC4 and XOR to encrypt C2 communications.[92]
S0034 NETEAGLE NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\"[93]
S0198 NETWIRE NETWIRE can use AES encryption for C2 data transferred.[94]
S0439 Okrum Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. [95]
S0664 Pandora Pandora has the ability to encrypt communications with D3DES.[96]
S0501 PipeMon PipeMon communications are RC4 encrypted.[97]
S0254 PLAINTEE PLAINTEE encodes C2 beacons using XOR.[98]
S0435 PLEAD PLEAD has used RC4 encryption to download modules.[99]
S0013 PlugX PlugX can use RC4 encryption in C2 communications.[100]
S0012 PoisonIvy PoisonIvy uses the Camellia cipher to encrypt communications.[101]
S0371 POWERTON POWERTON has used AES for encrypting C2 traffic.[4]
S0113 Prikormka Prikormka encrypts some C2 traffic with the Blowfish cipher.[102]
S0650 QakBot QakBot can RC4 encrypt strings in C2 communication.[103]
S0262 QuasarRAT QuasarRAT uses AES to encrypt network communication.[104][105]
S0629 RainyDay RainyDay can use RC4 to encrypt C2 communications.[92]
S0495 RDAT RDAT has used AES ciphertext to encode C2 communications.[106]
S0153 RedLeaves RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.[107]
S0433 Rifdoor Rifdoor has encrypted command and control (C2) communications with a stream cipher.[65]
S0003 RIPTIDE APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.[108]
S0148 RTM RTM encrypts C2 traffic with a custom RC4 variant.[109]
S0074 Sakula Sakula encodes C2 traffic with single-byte XOR keys.[110]
S0053 SeaDuke SeaDuke C2 traffic has been encrypted with RC4 and AES.[111][112]
S0610 SideTwist SideTwist can encrypt C2 communications with a randomly generated key.[113]
S0633 Sliver Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.[114]
S0649 SMOKEDHAM SMOKEDHAM has encrypted its C2 traffic with RC4.[115]
S0159 SNUGRIDE SNUGRIDE encrypts C2 traffic using AES with a static key.[116]
S0627 SodaMaster SodaMaster can use RC4 to encrypt C2 communications.[117]
G0038 Stealth Falcon Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.[118]
S0603 Stuxnet Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.[119]
S0559 SUNBURST SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.[120]
S0060 Sys10 Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.[121]
S0011 Taidoor Taidoor uses RC4 to encrypt the message body of HTTP content.[122][123]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[124]
S0678 Torisma Torisma has encrypted its C2 communications using XOR and VEST-32.[125]
S0266 TrickBot TrickBot uses a custom crypter leveraging Microsoft\u2019s CryptoAPI to encrypt C2 traffic.[126]Newer versions of TrickBot have been known to use bcrypt to encrypt and digitally sign responses to their C2 server. [127]
S0436 TSCookie TSCookie has encrypted network communications with RC4.[128]
S0275 UPPERCUT Some versions of UPPERCUT have used the hard-coded string \u201cthis is the encrypt key\u201d for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.[129]
S0180 Volgmer Volgmer uses a simple XOR cipher to encrypt traffic and files.[130]
S0670 WarzoneRAT WarzoneRAT can encrypt its C2 with RC4 with the password warzone160\\x00.[131]
S0514 WellMess WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.[132][133][134]
S0430 Winnti for Linux Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).[135]
S0141 Winnti for Windows Winnti for Windows can XOR encrypt C2 traffic.[136]
S0653 xCaon xCaon has encrypted data sent to the C2 server using a XOR key.[137]
S0658 XCSSET XCSSET uses RC4 encryption over TCP to communicate with its C2 server.[138]
S0230 ZeroT ZeroT has used RC4 to encrypt C2 traffic.[139][140]
G0128 ZIRCONIUM ZIRCONIUM has used AES encrypted communications in C2.[141]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.

Detection

With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures.

\n

In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[142]

References

1. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.

2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

3. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

4. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

5. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

6. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

7. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

8. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.

9. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

10. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

11. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

12. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

13. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.

14. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

15. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

16. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

17. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

18. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

19. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

20. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

21. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

22. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.

23. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.

24. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

25. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.

26. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

27. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.

28. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C; Servers Using Cookie Headers. Retrieved March 1, 2017.

29. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

30. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

31. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

32. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

33. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.

34. Microsoft. (2016, July 14). Reverse engineering DUBNIUM \u2013 Stage 2 payload analysis . Retrieved March 31, 2021.

35. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.

36. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

37. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

38. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.

39. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.

40. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.

41. M.L\u00e9veill\u00e9, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.

42. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

43. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

44. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

45. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

46. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.

47. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

48. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

49. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

50. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.

51. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

52. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

53. ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.

54. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

55. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.

56. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

57. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

58. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities \u2013 part 2. Retrieved September 26, 2016.

59. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.

60. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

61. Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.

62. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.

63. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

64. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.

65. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

66. US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.

67. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

68. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.

69. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.

70. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

71. US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

72. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos \u2013 A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.

73. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.

74. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.

75. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.

76. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

77. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

78. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

79. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

80. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.

81. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

82. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

83. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

84. Villeneuve, N., Sancho, D. (2011). THE \u201cLURID\u201d DOWNLOADER. Retrieved November 12, 2014.

85. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

86. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

87. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

88. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

89. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

90. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP \u2018REDDELTA\u2019 TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.

91. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.

92. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

93. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

94. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

95. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

96. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

97. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

98. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

99. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.

100. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

101. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.

102. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

103. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

104. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

105. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

106. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

107. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

108. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin\u2019s Favorite APT Group [Blog]. Retrieved November 12, 2014.

109. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

110. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.

111. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.

112. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

113. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

114. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.

115. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

116. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

117. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

118. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

119. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

120. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

121. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

122. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.

123. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

124. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

125. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

126. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.

127. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021.

128. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

129. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

130. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

131. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

132. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

133. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.

134. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

135. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.

136. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

137. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

138. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

139. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.

140. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

141. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

142. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.


Original source: T1573.001 - Encrypted Channel: Symmetric Cryptography
", "external_references": [ { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" }, { "source_name": "mitre-attack (T1573.001)", "url": "https://attack.mitre.org/techniques/T1573/001" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--22f88127-669a-40b2-86ef-7ef7c366adeb", "created": "2022-11-08T14:37:13.687966Z", "modified": "2022-11-08T14:37:13.687966Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--24bfaeba-cb0d-4525-b3dc-507c77ecec41" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4", "created": "2021-05-26T15:21:35.929619Z", "modified": "2022-05-30T23:31:10.978372Z", "name": "T1102.002 - Web Service: Bidirectional Communication", "description": "

T1102.002 - Web Service: Bidirectional Communication

Adversaries may use an existing, legitimate external Web service as a means for sending commands to and receiving output from a compromised system over the Web service channel. Compromised systems may leverage popular websites and social media to host command and control (C2) instructions. Those infected systems can then send the output from those commands back over that Web service channel. The return traffic may occur in a variety of ways, depending on the Web service being utilized. For example, the return traffic may take the form of the compromised system posting a comment on a forum, issuing a pull request to development project, updating a document hosted on a Web service, or by sending a Tweet.

\n

Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.

Other sub-techniques of User Execution (3)

ID Name
T1102.001 Dead Drop Resolver
T1102.002 Bidirectional Communication
T1102.003 One-Way Communication

Procedure Examples

ID Name Description
G0005 APT12 APT12 has used blogs and WordPress for C2 infrastructure.[1]
G0007 APT28 APT28 has used Google Drive for C2.[2]
G0016 APT29 APT29 has used social media platforms to hide communications to C2 servers.[3]
G0067 APT37 APT37 leverages social networking sites and cloud platforms (AOL, Twitter, Yandex, Mediafire, pCloud, Dropbox, and Box) for C2.[4][5]
G0087 APT39 APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.[6]
S0128 BADNEWS BADNEWS can use multiple C2 channels, including RSS feeds, Github, forums, and blogs.[7][8][9]
S0069 BLACKCOFFEE BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github.[10][11]
S0657 BLUELIGHT BLUELIGHT can use different cloud providers for its C2.[12]
S0651 BoxCaon BoxCaon has used DropBox for C2 communications.[13]
S0025 CALENDAR The CALENDAR malware communicates through the use of events in Google Calendar.[14][15]
G0008 Carbanak Carbanak has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2.[16]
S0660 Clambling Clambling can use Dropbox to download malicious payloads, send commands, and receive information.[17][18]
S0054 CloudDuke One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.[19]
S0244 Comnie Comnie uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.[20]
S0126 ComRAT ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.[21][22]
S0046 CozyCar CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.[23]
S0538 Crutch Crutch can use Dropbox to receive commands and upload stolen data.[24]
S0213 DOGCALL DOGCALL is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2.[4][25]
S0363 Empire Empire can use Dropbox and GitHub for C2.[26]
G0046 FIN7 FIN7 used legitimate services like Google Docs, Google Scripts, and Pastebin for C2.[27]
S0026 GLOOXMAIL GLOOXMAIL communicates to servers operated by Google using the Jabber/XMPP protocol.[14][28]
S0531 Grandoreiro Grandoreiro can utilize web services including Google sites to send and receive C2 data.[29][30]
S0215 KARAE KARAE can use public cloud-based storage providers for command and control.[4]
S0265 Kazuar Kazuar has used compromised WordPress blogs as C2 servers.[31]
G0094 Kimsuky Kimsuky has used Blogspot pages for C2.[32]
G0032 Lazarus Group Lazarus Group has used GitHub as C2, pulling hosted image payloads then committing command execution output to files in specific directories.[33]
S0042 LOWBALL LOWBALL uses the Dropbox cloud storage service for command and control.[34]
G0059 Magic Hound Magic Hound malware can use a SOAP Web service to communicate with its C2 server.[35]
G0069 MuddyWater MuddyWater has used web services including OneHub to distribute remote access tools.[36]
S0229 Orz Orz has used Technet and Pastebin web pages for command and control.[37]
S0216 POORAIM POORAIM has used AOL Instant Messenger for C2.[4]
S0393 PowerStallion PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use.[38]
S0511 RegDuke RegDuke can use Dropbox as its C2 server.[3]
S0379 Revenge RAT Revenge RAT used blogpost.com as its primary command and control server during a campaign.[39]
S0270 RogueRobin RogueRobin has used Google Drive as a Command and Control channel. [40]
S0240 ROKRAT ROKRAT has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications.[41][42][43]
G0034 Sandworm Team Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.[44][45]
S0218 SLOWDRIFT SLOWDRIFT uses cloud based services for C2.[4]
G0010 Turla A Turla JavaScript backdoor has used Google Apps Script as its C2 server.[46][47]
S0333 UBoatRAT UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.[48]
S0248 yty yty communicates to the C2 server by retrieving a Google Doc.[49]
G0128 ZIRCONIUM ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.[50][51]

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level.
M1021 Restrict Web-Based Content Web proxies can be used to enforce external network communication policy that prevents use of unauthorized external services.

Detection

Host data that can relate unknown or suspicious process activity using a network connection is important to supplement any existing indicators of compromise based on malware command and control signatures and infrastructure or the presence of strong encryption. Packet capture analysis will require SSL/TLS inspection if data is encrypted. Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). User behavior monitoring may help to detect abnormal patterns of activity.[52]

References

1. Meyers, A. (2013, March 29). Whois Numbered Panda. Retrieved January 14, 2016.

2. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.

3. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

4. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

5. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

6. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.

7. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

8. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.

9. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

10. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.

11. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

12. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

13. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

14. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

15. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

16. Griffin, N. (2017, January 17). CARBANAK GROUP USES GOOGLE FOR MALWARE COMMAND-AND-CONTROL. Retrieved February 15, 2017.

17. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

18. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

19. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

20. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

21. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

22. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.

23. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.

24. Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.

25. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

26. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

27. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.

28. CyberESI. (2011). TROJAN.GTALK. Retrieved June 29, 2015.

29. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

30. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

31. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

32. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

33. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

34. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

35. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

36. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

37. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

38. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

39. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.

40. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.

41. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

42. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.

43. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

44. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

45. Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.

46. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

47. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.

48. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

49. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

50. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

51. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

52. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.


Original source: T1102.002 - Web Service: Bidirectional Communication
", "external_references": [ { "source_name": "University of Birmingham C2", "url": "https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" }, { "source_name": "mitre-attack (T1102.002)", "url": "https://attack.mitre.org/techniques/T1102/002" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8dd94892-58db-4133-aeb3-cb844de2b297", "created": "2022-11-08T14:37:13.693095Z", "modified": "2022-11-08T14:37:13.693095Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--be055942-6e63-49d7-9fa1-9cb7d8a8f3f4" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b", "created": "2021-05-26T15:24:47.461602Z", "modified": "2022-06-07T14:13:03.588043Z", "name": "T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage", "description": "

T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage

Adversaries may exfiltrate data to a cloud storage service rather than over their primary command and control channel. Cloud storage services allow for the storage, edit, and retrieval of data from a remote cloud storage server over the Internet.

\n

Examples of cloud storage services include Dropbox and Google Docs. Exfiltration to these cloud storage services can provide a significant amount of cover to the adversary if hosts within the network are already communicating with the service.

Other sub-techniques of User Execution (2)

ID Name
T1567.001 Exfiltration to Code Repository
T1567.002 Exfiltration to Cloud Storage

Procedure Examples

ID Name Description
S0635 BoomBox BoomBox can upload data to dedicated per-victim folders in Dropbox.[1]
S0651 BoxCaon BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive.[2]
G0114 Chimera Chimera has exfiltrated stolen data to OneDrive accounts.[3]
S0660 Clambling Clambling can send files from a victim's machine to Dropbox.[4][5]
G0142 Confucius Confucius has exfiltrated victim data to cloud storage service accounts.[6]
S0538 Crutch Crutch has exfiltrated stolen data to Dropbox.[7]
S0363 Empire Empire can use Dropbox for data exfiltration.[8]
G0046 FIN7 FIN7 has exfiltrated stolen data to the MEGA file sharing site.[9]
G0125 HAFNIUM HAFNIUM has exfiltrated data to file sharing sites, including MEGA.[10]
S0037 HAMMERTOSS HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.[11]
G0094 Kimsuky Kimsuky has exfiltrated stolen files and data to actor-controlled Blogspot accounts.[12]
G0032 Lazarus Group Lazarus Group has exfiltrated stolen data to Dropbox using a customized version of dbxcli.[13][14]
G0065 Leviathan Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[15][16]
S0340 Octopus Octopus has exfiltrated data to file sharing sites.[17]
S0629 RainyDay RainyDay can use a file exfiltration tool to upload specific files to Dropbox.[18]
S0240 ROKRAT ROKRAT can send collected data to cloud storage services such as PCloud.[19][20]
G0027 Threat Group-3390 Threat Group-3390 has exfiltrated stolen data to Dropbox.[4]
G0010 Turla Turla has used WebDAV to upload stolen USB files to a cloud drive.[21] Turla has also exfiltrated stolen files to OneDrive and 4shared.[22]
G0128 ZIRCONIUM ZIRCONIUM has exfiltrated stolen data to Dropbox.[23]

Mitigations

ID Mitigation Description
M1021 Restrict Web-Based Content Web proxies can be used to enforce an external network communication policy that prevents use of unauthorized external services.

Detection

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server) to known cloud storage services. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. User behavior monitoring may help to detect abnormal patterns of activity.

References

1. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

2. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

3. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

4. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

5. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

6. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.

7. Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.

8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

9. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.

10. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.

11. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.

12. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

13. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

14. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

15. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

16. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

17. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.

18. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

19. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

20. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

21. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.

22. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

23. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1567.002 - Exfiltration Over Web Service: Exfiltration To Cloud Storage
", "external_references": [ { "source_name": "mitre-attack (T1567.002)", "url": "https://attack.mitre.org/techniques/T1567/002" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--aff2f53b-11ff-4619-86b4-35c318a8a08c", "created": "2022-11-08T14:37:13.698051Z", "modified": "2022-11-08T14:37:13.698051Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--bf1b6176-597c-4600-bfcd-ac989670f96b" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1", "created": "2021-05-26T16:19:30.865852Z", "modified": "2022-05-30T23:37:11.370911Z", "name": "T1059.006 - Command and Scripting Interpreter: Python", "description": "

T1059.006 - Command and Scripting Interpreter: Python

Adversaries may abuse Python commands and scripts for execution. Python is a very popular scripting/programming language, with capabilities to perform many functions. Python can be executed interactively from the command-line (via the python.exe interpreter) or via scripts (.py) that can be written and distributed to different systems. Python code can also be compiled into binary executables.

\n

Python comes with many built-in packages to interact with the underlying system, such as file operations and device I/O. Adversaries can use these libraries to download and execute commands or other scripts as well as perform various malicious behaviors.

Other sub-techniques of User Execution (8)

ID Name
T1059.001 PowerShell
T1059.002 AppleScript
T1059.003 Windows Command Shell
T1059.004 Unix Shell
T1059.005 Visual Basic
T1059.006 Python
T1059.007 JavaScript
T1059.008 Network Device CLI

Procedure Examples

ID Name Description
G0016 APT29 APT29 has developed malware variants written in Python.[1]
G0067 APT37 APT37 has used Python scripts to execute payloads.[2]
G0087 APT39 APT39 has used a command line utility and a network scanner written in python.[3][4]
S0234 Bandook Bandook can support commands to execute Python-based payloads.[5]
G0060 BRONZE BUTLER BRONZE BUTLER has made use of Python-based remote access tools.[6]
S0482 Bundlore Bundlore has used Python scripts to execute payloads.[7]
S0631 Chaes Chaes has used Python scripts for execution and the installation of additional files.[8]
S0154 Cobalt Strike Cobalt Strike can use Python to perform execution.[9][10][11][12]
S0369 CoinTicker CoinTicker executes a Python script to download its second stage.[13]
S0492 CookieMiner CookieMiner has used python scripts on the user\u2019s system, as well as the Python variant of the Empire agent, EmPyre.[14]
S0695 Donut Donut can generate shellcode outputs that execute via Python.[15]
G0035 Dragonfly Dragonfly has used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.[16]
S0547 DropBook DropBook is a Python-based backdoor compiled with PyInstaller.[17]
S0377 Ebury Ebury has used Python to implement its DGA.[18]
S0581 IronNetInjector IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.[19]
S0387 KeyBoy KeyBoy uses Python scripts for installing files and performing execution.[20]
S0276 Keydnap Keydnap uses Python for scripting to execute additional commands.[21]
G0094 Kimsuky Kimsuky has used a macOS Python implant to gather data as well as MailFetcher.py code to automatically collect email data.[22][23]
G0095 Machete Machete used multiple compiled Python scripts on the victim\u2019s system. Machete's main backdoor Machete is also written in Python.[24][25][26]
S0409 Machete Machete is written in Python and is used in conjunction with additional Python scripts.[25][27][26]
S0459 MechaFlounder MechaFlounder uses a python-based payload.[28]
G0069 MuddyWater MuddyWater has used developed tools in Python including Out1.[29]
G0116 Operation Wocao Operation Wocao's backdoors have been written in Python and compiled with py2exe.[30]
S0428 PoetRAT PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.[31]
S0196 PUNCHBUGGY PUNCHBUGGY has used python scripts.[32]
S0192 Pupy Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (\u201cscriptlets\u201d) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc.[33]
S0583 Pysa Pysa has used Python scripts to deploy ransomware.[34]
S0332 Remcos Remcos uses Python scripts.[35]
G0106 Rocke Rocke has used Python-based malware to install and spread their coinminer.[36]
S0692 SILENTTRINITY SILENTTRINITY is written in Python and can use multiple Python scripts for execution on targeted systems.[37][38]
S0374 SpeakUp SpeakUp uses Python scripts.[39]
G0131 Tonto Team Tonto Team has used Python-based tools for execution.[40]
S0609 TRITON TRITON was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag.[41]
S0647 Turian Turian has the ability to use Python to spawn a Unix shell.[42]
G0010 Turla Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.[19]
G0128 ZIRCONIUM ZIRCONIUM has used Python-based implants to interact with compromised hosts.[43][44]

Mitigations

ID Mitigation Description
M1049 Antivirus/Antimalware Anti-virus can be used to automatically quarantine suspicious files.
M1047 Audit Inventory systems for unauthorized Python installations.
M1038 Execution Prevention Denylist Python where not required.
M1033 Limit Software Installation Prevent users from installing Python where not required.

Detection

Monitor systems for abnormal Python usage and python.exe behavior, which could be an indicator of malicious activity. Understanding standard usage patterns is important to avoid a high number of false positives. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

\n

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

References

1. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

2. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

3. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.

4. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

5. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

6. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

7. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.

8. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

9. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.

10. Mudge, R. (2017, May 23). Cobalt Strike 3.8 \u2013 Who\u2019s Your Daddy?. Retrieved June 4, 2019.

11. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

12. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

13. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.

14. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020.

15. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.

16. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

17. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

18. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.

19. Reichel, D. (2021, February 19). IronNetInjector: Turla\u2019s New Malware Loading Tool. Retrieved February 24, 2021.

20. Hulcoop, A., et al. (2016, November 17). It\u2019s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.

21. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.

22. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

23. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

24. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.

25. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

26. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020.

27. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.

28. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

29. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

30. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

31. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

32. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

33. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

34. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.

35. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.

36. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.

37. Salvati, M (2019, August 6). SILENTTRINITY. Retrieved March 23, 2022.

38. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

39. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

40. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.

41. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework \"TRITON\" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.

42. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

43. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

44. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1059.006 - Command and Scripting Interpreter: Python
", "external_references": [ { "source_name": "mitre-attack (T1059.006)", "url": "https://attack.mitre.org/techniques/T1059/006" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--34efd268-f2ae-499b-a38e-91ba4767fc42", "created": "2022-11-08T14:37:13.703218Z", "modified": "2022-11-08T14:37:13.703218Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--cc3502b5-30cc-4473-ad48-42d51a6ef6d1" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c", "created": "2021-05-26T16:21:01.131443Z", "modified": "2022-05-30T23:32:34.577425Z", "name": "T1140 - Deobfuscate/Decode Files Or Information", "description": "

T1140 - Deobfuscate/Decode Files Or Information

Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.

\n

One such example is use of certutil to decode a remote access tool portable executable file that has been hidden inside a certificate file. [1] Another example is using the Windows copy /b command to reassemble binary fragments into a malicious payload. [2]

\n

Sometimes a user's action may be required to open it for deobfuscation or decryption as part of User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. [3]

Procedure Examples

ID Name Description
S0469 ABK ABK has the ability to decrypt AES encrypted payloads.[4]
S0331 Agent Tesla Agent Tesla has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.[5]
S0584 AppleJeus AppleJeus has decoded files received from a C2.[6]
S0622 AppleSeed AppleSeed can decode its payload prior to execution.[7]
G0073 APT19 An APT19 HTTP malware variant decrypts strings using single-byte XOR keys.[8]
G0007 APT28 An APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.[9][10]
G0016 APT29 APT29 used 7-Zip to decode its Raindrop malware.[11]
G0087 APT39 APT39 has used malware to decrypt encrypted CAB files.[12]
S0456 Aria-body Aria-body has the ability to decrypt the loader configuration and payload DLL.[13]
S0373 Astaroth Astaroth uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. [14][15]
S0347 AuditCred AuditCred uses XOR and RC4 to perform decryption on the code functions.[16]
S0640 Avaddon Avaddon has decrypted encrypted strings.[17]
S0473 Avenger Avenger has the ability to decrypt files downloaded from C2.[4]
S0344 Azorult Azorult uses an XOR key to decrypt content and uses Base64 to decode the C2 address.[18][19]
S0638 Babuk Babuk has the ability to unpack itself into memory using XOR.[20][21]
S0414 BabyShark BabyShark has the ability to decode downloaded files prior to execution.[22]
S0475 BackConfig BackConfig has used a custom routine to decrypt strings.[23]
S0642 BADFLICK BADFLICK can decode shellcode using a custom rotating XOR cipher.[24]
S0234 Bandook Bandook has decoded its PowerShell script.[25]
S0239 Bankshot Bankshot decodes embedded XOR strings.[26]
S0534 Bazar Bazar can decrypt downloaded payloads. Bazar also resolves strings and API calls at runtime.[27][28]
S0470 BBK BBK has the ability to decrypt AES encrypted payloads.[4]
S0127 BBSRAT BBSRAT uses Expand to decompress a CAB file into executable content.[29]
S0574 BendyBear BendyBear has decrypted function blocks using a XOR key during runtime to evade detection.[30]
S0268 Bisonal Bisonal has decoded strings in the malware using XOR and RC4.[31][32]
S0520 BLINDINGCAN BLINDINGCAN has used AES and XOR to decrypt its DLLs.[33]
S0635 BoomBox BoomBox can decrypt AES-encrypted files downloaded from C2.[34]
S0415 BOOSTWRITE BOOSTWRITE has used a a 32-byte long multi-XOR key to decode data inside its payload.[35]
G0060 BRONZE BUTLER BRONZE BUTLER downloads encoded payloads and decodes them on the victim.[36]
S0482 Bundlore Bundlore has used openssl to decrypt AES encrypted payload data. Bundlore has also used base64 and RC4 with a hardcoded key to deobfuscate data.[37]
S0335 Carbon Carbon decrypts task and configuration files for execution.[38][39]
S0348 Cardinal RAT Cardinal RAT decodes many of its artifacts and is decrypted (AES-128) after being downloaded.[40]
S0160 certutil certutil has been used to decode binaries hidden inside certificate files as Base64 information.[1]
S0631 Chaes Chaes has decrypted an AES encrypted binary file to trigger the download of other files.[41]
S0674 CharmPower CharmPower can decrypt downloaded modules prior to execution.[42]
S0660 Clambling Clambling can deobfuscate its payload prior to execution.[43][44]
S0611 Clop Clop has used a simple XOR operation to decrypt strings.[45]
S0154 Cobalt Strike Cobalt Strike can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions.[46][47]
S0369 CoinTicker CoinTicker decodes the initially-downloaded hidden encoded file using OpenSSL.[48]
S0126 ComRAT ComRAT has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. ComRAT has also used a unique password to decrypt the file used for its hidden file system.[49][50]
S0575 Conti Conti has decrypted its payload using a hardcoded AES-256 key.[51][52]
S0492 CookieMiner CookieMiner has used Google Chrome's decryption and extraction operations.[53]
S0614 CostaBricks CostaBricks has the ability to use bytecode to decrypt embedded payloads.[54]
S0115 Crimson Crimson can decode its encoded PE file prior to execution.[55]
S0687 Cyclops Blink Cyclops Blink can decrypt and parse instructions sent from C2.[56]
G0012 Darkhotel Darkhotel has decrypted strings and imports using RC4 during execution.[57][58]
S0673 DarkWatchman DarkWatchman has the ability to self-extract as a RAR archive.[59]
S0255 DDKONG DDKONG decodes an embedded configuration using XOR.[60]
S0354 Denis Denis will decrypt important strings used for C&C communication.[61]
S0547 DropBook DropBook can unarchive data downloaded from the C2 to obtain the payload and persistence modules.[62]
S0502 Drovorub Drovorub has de-obsfuscated XOR encrypted payloads in WebSocket messages.[63]
S0567 Dtrack Dtrack has used a decryption routine that is part of an executable physical patch.[64]
S0024 Dyre Dyre decrypts resources needed for targeting the victim.[65][66]
S0377 Ebury Ebury has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.[67]
S0624 Ecipekac Ecipekac has the ability to decrypt fileless loader modules.[68]
S0554 Egregor Egregor has been decrypted before execution.[69][70]
S0634 EnvyScout EnvyScout can deobfuscate and write malicious ISO files to disk.[34]
S0401 Exaramel for Linux Exaramel for Linux can decrypt its configuration file.[71]
S0361 Expand Expand can be used to decompress a local or remote CAB file into an executable.[72]
S0512 FatDuke FatDuke can decrypt AES encrypted C2 communications.[73]
S0355 Final1stspy Final1stspy uses Python code to deobfuscate base64-encoded strings.[74]
S0182 FinFisher FinFisher extracts and decrypts stage 3 malware, which is stored in encrypted resources.[75][76]
S0618 FIVEHANDS FIVEHANDS has the ability to decrypt its payload prior to execution.[77][78][79]
S0661 FoggyWeb FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key.[80]
G0101 Frankenstein Frankenstein has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[81]
S0628 FYAnti FYAnti has the ability to decrypt an embedded .NET module.[68]
G0047 Gamaredon Group Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded base64-encoded source code of a downloader.[82][83]
S0666 Gelsemium Gelsemium can decompress and decrypt DLLs and shellcode.[84]
S0032 gh0st RAT gh0st RAT has decrypted and loaded the gh0st RAT DLL into memory, once the initial dropper executable is launched.[85]
S0588 GoldMax GoldMax has decoded and decrypted the configuration file when executed.[86][87]
S0477 Goopy Goopy has used a polymorphic decryptor to decrypt itself at runtime.[61]
G0078 Gorgon Group Gorgon Group malware can decode contents from a payload that was Base64 encoded and write the contents to a file.[88]
S0531 Grandoreiro Grandoreiro can decrypt its encrypted internal strings.[89]
S0690 Green Lambert Green Lambert can use multiple custom routines to decrypt strings prior to execution.[90][91]
S0632 GrimAgent GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[92]
S0499 Hancitor Hancitor has decoded Base64 encoded URLs to insert a recipient\u2019s name into the filename of the Word document. Hancitor has also extracted executables from ZIP files.[93][94]
S0697 HermeticWiper HermeticWiper can decompress and copy driver files using LZCopy.[95]
S0394 HiddenWasp HiddenWasp uses a cipher to implement a decoding function.[96]
G0126 Higaisa Higaisa used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.[97][98]
S0601 Hildegard Hildegard has decrypted ELF files with AES.[99]
G0072 Honeybee Honeybee drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.[100]
S0398 HyperBro HyperBro can unpack and decrypt its payload prior to execution.[43][101]
S0434 Imminent Monitor Imminent Monitor has decoded malware components that are then dropped to the system.[102]
S0604 Industroyer Industroyer decrypts code to connect to a remote C2 server.[103]
S0260 InvisiMole InvisiMole can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.[104][105]
S0581 IronNetInjector IronNetInjector has the ability to decrypt embedded .NET and PE payloads.[106]
S0189 ISMInjector ISMInjector uses the certutil command to decode a payload file.[107]
G0004 Ke3chang Ke3chang has deobfuscated Base64-encoded shellcode strings prior to loading them.[108]
S0585 Kerrdown Kerrdown can decode, decrypt, and decompress multiple layers of shellcode.[109]
S0487 Kessel Kessel has decrypted the binary's configuration once the main function was launched.[110]
S0526 KGH_SPY KGH_SPY can decrypt encrypted strings and write them to a newly created folder.[111]
G0094 Kimsuky Kimsuky has decoded malicious VBScripts using Base64.[112]
S0641 Kobalos Kobalos decrypts strings right after the initial communication, but before the authentication process.[113]
S0669 KOCTOPUS KOCTOPUS has deobfuscated itself before executing its commands.[114]
S0356 KONNI KONNI has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process.[115][116]
S0236 Kwampirs Kwampirs decrypts and extracts a copy of its main DLL payload when executing.[117]
G0032 Lazarus Group Lazarus Group has used shellcode within macros to decrypt and manually map DLLs and shellcode into memory at runtime.[118][119]
G0065 Leviathan Leviathan has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.[120]
S0395 LightNeuron LightNeuron has used AES and XOR to decrypt configuration files and commands.[121]
S0513 LiteDuke LiteDuke has the ability to decrypt and decode multiple layers of obfuscation.[73]
S0681 Lizar Lizar can decrypt its configuration data.[122]
S0447 Lokibot Lokibot has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR.[123]
S0582 LookBack LookBack has a function that decrypts malicious data.[124]
S0532 Lucifer Lucifer can decrypt its C2 address upon execution.[125]
S0409 Machete Machete\u2019s downloaded data is decrypted using AES.[126]
S0576 MegaCortex MegaCortex has used a Base64 key to decode its components.[127]
G0045 menuPass menuPass has used certutil in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used certutil -decode to decode files on the victim\u2019s machine when dropping UPPERCUT.[128][129]
S0443 MESSAGETAP After checking for the existence of two files, keyword_parm.txt and parm.txt, MESSAGETAP XOR decodes and read the contents of the files. [130]
S0455 Metamorfo Upon execution, Metamorfo has unzipped itself after being downloaded to the system and has performed string decryption.[131][132][133]
S0280 MirageFox MirageFox has a function for decrypting data containing C2 configuration information.[134]
G0021 Molerats Molerats decompresses ZIP files once on the victim machine.[135]
S0284 More_eggs More_eggs will decode malware components that are then dropped to the system.[136]
G0069 MuddyWater MuddyWater decoded base64-encoded PowerShell commands using a VBS file.[137][138][139]
S0637 NativeZone NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode.[34]
S0457 Netwalker Netwalker's PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the Netwalker DLL being loaded into memory.[140]
S0353 NOKKI NOKKI uses a unique, custom de-obfuscation technique.[141]
G0049 OilRig A OilRig macro has run a PowerShell command to decode file contents. OilRig has also used certutil to decode base64-encoded files on victims.[142][107][143][144]
S0439 Okrum Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[145]
S0052 OnionDuke OnionDuke can use a custom decryption algorithm to decrypt strings.[73]
S0264 OopsIE OopsIE concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.[143]
S0402 OSX/Shlayer OSX/Shlayer can base64-decode and AES-decrypt downloaded payloads.[146] Versions of OSX/Shlayer pass encrypted and password-protected code to openssl and then write the payload to the /tmp folder.[147][148]
S0598 P.A.S. Webshell P.A.S. Webshell can use a decryption mechanism to process a user supplied password and allow execution.[71]
S0517 Pillowmint Pillowmint has been decompressed by included shellcode prior to being launched.[149]
S0501 PipeMon PipeMon can decrypt password-protected executables.[150]
S0013 PlugX PlugX decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.[151][43][152]
S0428 PoetRAT PoetRAT has used LZMA and base64 libraries to decode obfuscated scripts.[153]
S0518 PolyglotDuke PolyglotDuke can use a custom algorithm to decrypt strings used by the malware.[73]
S0223 POWERSTATS POWERSTATS can deobfuscate the main backdoor code.[139]
S0279 Proton Proton uses an encrypted file to store commands and configuration values.[154]
S0613 PS1 PS1 can use an XOR key to decrypt a PowerShell loader and payload binary.[54]
S0147 Pteranodon Pteranodon can decrypt encrypted data strings prior to using them.[155]
S0196 PUNCHBUGGY PUNCHBUGGY has used PowerShell to decode base64-encoded assembly.[156]
S0650 QakBot QakBot can deobfuscate and re-assemble code strings for execution.[157][158][159]
S0269 QUADAGENT QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.[160]
S0565 Raindrop Raindrop decrypted its Cobalt Strike payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.[11][161]
S0629 RainyDay RainyDay can decrypt its payload via a XOR key.[162]
S0458 Ramsay Ramsay can extract its agent from the body of a malicious document.[163]
S0495 RDAT RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.[164]
S0511 RegDuke RegDuke can decrypt strings with a key either stored in the Registry or hardcoded in the code.[73]
S0375 Remexi Remexi decrypts the configuration data using XOR with 25-character keys.[165]
S0496 REvil REvil can decode encrypted strings to enable execution of commands and payloads.[166][167][168][169][170][171]
S0258 RGDoor RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[172]
S0448 Rising Sun Rising Sun decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[173]
G0106 Rocke Rocke has extracted tar.gz files after downloading them from a C2 server.[174]
S0270 RogueRobin RogueRobin decodes an embedded executable using base64 and decompresses it.[175]
S0240 ROKRAT ROKRAT can decrypt strings using the victim's hostname as the key.[176][177]
G0034 Sandworm Team Sandworm Team's VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.[178][179]
S0461 SDBbot SDBbot has the ability to decrypt and decompress its payload to enable code execution.[180][181]
S0596 ShadowPad ShadowPad has decrypted a binary blob to start execution.[182]
S0140 Shamoon Shamoon decrypts ciphertext using an XOR cipher and a base64-encoded string.[183]
S0546 SharpStage SharpStage has decompressed data received from the C2 server.[184]
S0444 ShimRat ShimRat has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.[185]
S0589 Sibot Sibot can decrypt data received from a C2 and save to a file.[86]
S0610 SideTwist SideTwist can decode and decrypt messages received from C2.[186]
S0623 Siloscape Siloscape has decrypted the password of the C2 server with a simple byte by byte XOR. Siloscape also writes both an archive of Tor and the unzip binary to disk from data embedded within the payload using Visual Studio\u2019s Resource Manager.[187]
S0468 Skidmap Skidmap has the ability to download, unpack, and decrypt tar.gz files .[188]
S0226 Smoke Loader Smoke Loader deobfuscates its code.[189]
S0615 SombRAT SombRAT can run upload to decrypt and upload files from storage.[54][78]
S0516 SoreFang SoreFang can decode and decrypt exfiltrated data sent to C2.[190]
S0543 Spark Spark has used a custom XOR algorithm to decrypt the payload.[191]
S0390 SQLRat SQLRat has scripts that are responsible for deobfuscating additional scripts.[192]
S0188 Starloader Starloader decrypts and executes shellcode from a file called Stars.jps.[193]
S0603 Stuxnet Stuxnet decrypts resources that are loaded into memory and executed.[194]
S0562 SUNSPOT SUNSPOT decrypts SUNBURST, which was stored in AES128-CBC encrypted blobs.[195]
S0663 SysUpdate SysUpdate can deobfuscate packed binaries in memory.[101]
S0011 Taidoor Taidoor can use a stream cipher to decrypt stings used by the malware.[196]
S0560 TEARDROP TEARDROP was decoded using a custom rolling XOR algorithm to execute a customized Cobalt Strike payload.[197][198][161]
G0027 Threat Group-3390 During execution, Threat Group-3390 malware deobfuscates and decompresses code that was encoded with Metasploit\u2019s shikata_ga_nai encoder as well as compressed with LZNT1 compression.[199]
S0665 ThreatNeedle ThreatNeedle can decrypt its payload using RC4, AES, or one-byte XORing.[200]
S0678 Torisma Torisma has used XOR and Base64 to decode C2 data.[201]
S0266 TrickBot TrickBot decodes the configuration data and modules.[202][203][204]
G0081 Tropic Trooper Tropic Trooper used shellcode with an XOR algorithm to decrypt a payload. Tropic Trooper also decrypted image files which contained a payload.[205][206]
S0436 TSCookie TSCookie has the ability to decrypt, load, and execute a DLL and its resources.[207]
S0647 Turian Turian has the ability to use a XOR decryption key to extract C2 server domains and IP addresses.[208]
G0010 Turla Turla has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or PowerShell Profile, to decode encrypted PowerShell payloads.[209]
S0263 TYPEFRAME One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value \"0x35\".[210]
G0118 UNC2452 UNC2452 used 7-Zip to decode its Raindrop malware.[11]
S0386 Ursnif Ursnif has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.[211]
S0476 Valak Valak has the ability to decode and decrypt downloaded files.[212][213]
S0636 VaporRage VaporRage can deobfuscate XOR-encoded shellcode prior to execution.[34]
S0257 VERMIN VERMIN decrypts code, strings, and commands to use once it's on the victim's machine.[214]
S0180 Volgmer Volgmer deobfuscates its strings and APIs once its executed.[215]
S0670 WarzoneRAT WarzoneRAT can use XOR 0x45 to decrypt obfuscated code.[216]
S0612 WastedLocker WastedLocker's custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload.[217]
S0579 Waterbear Waterbear has the ability to decrypt its RC4 encrypted payload for execution.[218]
S0515 WellMail WellMail can decompress scripts received from C2.[219]
S0514 WellMess WellMess can decode and decrypt data received from C2.[220][221][222]
S0689 WhisperGate WhisperGate can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations.[223][224]
S0466 WindTail WindTail has the ability to decrypt strings using hard-coded AES keys.[225]
S0430 Winnti for Linux Winnti for Linux has decoded XOR encoded strings holding its configuration upon execution.[226]
S0141 Winnti for Windows The Winnti for Windows dropper can decrypt and decompresses a data blob.[227]
G0090 WIRTE WIRTE has used Base64 to decode malicious VBS script.[228]
S0653 xCaon xCaon has decoded strings from the C2 server before executing commands.[229]
S0388 YAHOYAH YAHOYAH decrypts downloaded files before execution.[230]
S0251 Zebrocy Zebrocy decodes its secondary payload and writes it to the victim\u2019s machine. Zebrocy also uses AES and XOR to decrypt strings and payloads.[231][232]
S0230 ZeroT ZeroT shellcode decrypts and decompresses its RC4-encrypted payload.[233]
S0330 Zeus Panda Zeus Panda decrypts strings in the code during the execution process.[234]
G0128 ZIRCONIUM ZIRCONIUM has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.[235]

Mitigations

Identify unnecessary system utilities or potentially malicious software that may be used to deobfuscate or decode files or information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as certutil.

\n

Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.

References

1. Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017.

2. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.

3. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

4. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

5. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.

6. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

7. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

8. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

9. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.

10. Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.

11. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.

12. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

13. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

14. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

15. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

16. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.

17. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.

18. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

19. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

20. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.

21. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.

22. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

23. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

24. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

25. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

26. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

27. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

28. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

29. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.

30. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

31. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

32. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

33. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

34. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

35. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators\u2019 New Tools and Techniques. Retrieved October 11, 2019.

36. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

37. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.

38. ESET. (2017, March 30). Carbon Paper: Peering into Turla\u2019s second stage backdoor. Retrieved November 7, 2018.

39. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.

40. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

41. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

42. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

43. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

44. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

45. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.

46. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

47. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

48. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.

49. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

50. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.

51. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.

52. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.

53. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020.

54. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

55. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

56. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

57. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.

58. Microsoft. (2016, July 14). Reverse engineering DUBNIUM \u2013 Stage 2 payload analysis . Retrieved March 31, 2021.

59. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

60. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

61. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

62. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

63. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.

64. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.

65. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.

66. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

67. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.

68. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

69. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.

70. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.

71. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.

72. Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019.

73. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

74. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

75. FinFisher. (n.d.). Retrieved December 20, 2017.

76. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.

77. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.

78. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

79. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.

80. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.

81. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

82. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.

83. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.

84. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

85. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

86. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

87. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

88. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

89. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

90. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

91. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK.; Retrieved March 21, 2022.

92. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

93. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.

94. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.

95. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.

96. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.

97. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

98. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

99. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

100. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.

101. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

102. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

103. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.

104. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

105. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

106. Reichel, D. (2021, February 19). IronNetInjector: Turla\u2019s New Malware Loading Tool. Retrieved February 24, 2021.

107. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.

108. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

109. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus\u2019 new Downloader, KerrDown. Retrieved October 1, 2021.

110. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

111. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

112. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

113. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.

114. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

115. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.

116. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

117. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

118. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

119. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.

120. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

121. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

122. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

123. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

124. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

125. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

126. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

127. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.

128. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

129. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

130. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who\u2019s Reading Your Text Messages?. Retrieved May 11, 2020.

131. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

132. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.

133. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

134. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

135. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

136. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

137. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

138. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.

139. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.

140. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.

141. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

142. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

143. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

144. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

145. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

146. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.

147. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.

148. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

149. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7\u2019s Monkey Thief . Retrieved July 27, 2020.

150. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

151. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

152. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

153. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.

154. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

155. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.

156. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

157. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.

158. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

159. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

160. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

161. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

162. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

163. Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020.

164. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

165. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

166. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.

167. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.

168. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

169. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.

170. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.

171. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

172. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

173. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

174. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.

175. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.

176. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

177. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

178. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

179. Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020.

180. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

181. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.

182. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

183. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.

184. Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.

185. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

186. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

187. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.

188. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.

189. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.

190. CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.

191. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

192. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.

193. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.

194. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

195. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.

196. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

197. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

198. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.

199. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.

200. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

201. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

202. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.

203. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

204. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.

205. Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018.

206. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

207. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

208. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

209. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

210. US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

211. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.

212. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

213. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.

214. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

215. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

216. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

217. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.

218. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.

219. CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.

220. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

221. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.

222. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

223. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.

224. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.

225. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.

226. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.

227. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

228. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.

229. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

230. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.

231. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

232. ESET. (2018, November 20). Sednit: What\u2019s going on with Zebrocy?. Retrieved February 12, 2019.

233. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

234. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.

235. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian \u2013 How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.


Original source: T1140 - Deobfuscate/Decode Files Or Information
", "external_references": [ { "source_name": "Volexity PowerDuke November 2016", "url": "https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" }, { "source_name": "Carbon Black Obfuscation Sept 2016", "url": "https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" }, { "source_name": "Malwarebytes Targeted Attack against Saudi Arabia", "url": "https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" }, { "source_name": "mitre-attack (T1140)", "url": "https://attack.mitre.org/techniques/T1140" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--8c0cf322-5f14-416b-9c83-f14bca287dfb", "created": "2022-11-08T14:37:13.71051Z", "modified": "2022-11-08T14:37:13.71051Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--3ccef7ae-cb5e-48f6-8302-897105fbf55c" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336", "created": "2021-05-26T16:33:16.027763Z", "modified": "2022-05-30T23:25:51.265227Z", "name": "T1218.007 - Signed Binary Proxy Execution: Msiexec", "description": "

T1218.007 - System Binary Proxy Execution: Msiexec

Adversaries may abuse msiexec.exe to proxy execution of malicious payloads. Msiexec.exe is the command-line utility for the Windows Installer and is thus commonly associated with executing installation packages (.msi).[1] The Msiexec.exe binary may also be digitally signed by Microsoft.

\n

Adversaries may abuse msiexec.exe to launch local or network accessible MSI files. Msiexec.exe can also execute DLLs.[2][3] Since it may be signed and native on Windows systems, msiexec.exe can be used to bypass application control solutions that do not account for its potential abuse. Msiexec.exe execution may also be elevated to SYSTEM privileges if the AlwaysInstallElevated policy is enabled.[4]

Other sub-techniques of User Execution (13)

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC

Procedure Examples

ID Name Description
S0584 AppleJeus AppleJeus has been installed via MSI installer.[5]
S0631 Chaes Chaes has used .MSI files as an initial way to start the infection chain.[6]
S0611 Clop Clop can use msiexec.exe to disable security tools on the system.[7]
S0038 Duqu Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.[8]
S0531 Grandoreiro Grandoreiro can use MSI files to execute DLLs.[9]
S0483 IcedID IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application. [10]
S0528 Javali Javali has used the MSI installer to download and execute malicious payloads.[9]
S0451 LoudMiner LoudMiner used an MSI installer to install the virtualization software.[11]
G0095 Machete Machete has used msiexec to install the Machete malware.[12]
S0449 Maze Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec.[13]
S0530 Melcoz Melcoz can use MSI files with embedded VBScript for execution.[9]
S0455 Metamorfo Metamorfo has used MsiExec.exe to automatically execute files.[14][15]
G0021 Molerats Molerats has used msiexec.exe to execute an MSI payload.[16]
S0650 QakBot QakBot can use MSIExec to spawn multiple cmd.exe processes.[17]
S0481 Ragnar Locker Ragnar Locker has been delivered as an unsigned MSI package that was executed with msiexec.exe.[18]
G0075 Rancor Rancor has used msiexec to download and execute malicious installer files over HTTP.[19]
S0662 RCSession RCSession has the ability to execute inside the msiexec.exe process.[20]
S0592 RemoteUtilities RemoteUtilities can use Msiexec to install a service.[21]
G0092 TA505 TA505 has used msiexec to download and execute malicious Windows Installer files.[22][23][24]
G0128 ZIRCONIUM ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.[25]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program Consider disabling the AlwaysInstallElevated policy to prevent elevated execution of Windows Installer packages.[4]
M1026 Privileged Account Management Restrict execution of Msiexec.exe to privileged accounts or groups that need to use it to lessen the opportunities for malicious usage.

Detection

Use process monitoring to monitor the execution and arguments of msiexec.exe. Compare recent invocations of msiexec.exe with prior history of known good arguments and executed MSI files or DLLs to determine anomalous and potentially adversarial activity. Command arguments used before and after the invocation of msiexec.exe may also be useful in determining the origin and purpose of the MSI files or DLLs being executed.

References

1. Microsoft. (2017, October 15). msiexec. Retrieved January 24, 2020.

2. LOLBAS. (n.d.). Msiexec.exe. Retrieved April 18, 2019.

3. Co, M. and Sison, G. (2018, February 8). Attack Using Windows Installer msiexec.exe leads to LokiBot. Retrieved April 18, 2019.

4. Microsoft. (2018, May 31). AlwaysInstallElevated. Retrieved December 14, 2020.

5. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

6. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

7. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.

8. Kaspersky Lab. (2015, June 11). The Duqu 2.0. Retrieved April 21, 2017.

9. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

10. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.

11. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

12. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020.

13. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.

14. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

15. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

16. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

17. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

18. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.

19. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

20. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

21. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

22. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.

23. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.

24. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.

25. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1218.007 - System Binary Proxy Execution: Msiexec
", "external_references": [ { "source_name": "Microsoft AlwaysInstallElevated 2018", "url": "https://docs.microsoft.com/en-us/windows/win32/msi/alwaysinstallelevated" }, { "source_name": "TrendMicro Msiexec Feb 2018", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/attack-using-windows-installer-msiexec-exe-leads-lokibot/" }, { "source_name": "LOLBAS Msiexec", "url": "https://lolbas-project.github.io/lolbas/Binaries/Msiexec/" }, { "source_name": "Microsoft msiexec", "url": "https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/msiexec" }, { "source_name": "mitre-attack (T1218.007)", "url": "https://attack.mitre.org/techniques/T1218/007" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--ed24cb73-f391-49de-b1cf-034aeb50c67b", "created": "2022-11-08T14:37:13.71579Z", "modified": "2022-11-08T14:37:13.71579Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--365be77f-fc0e-42ee-bac8-4faf806d9336" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279", "created": "2021-05-26T16:34:00.834314Z", "modified": "2022-05-30T23:27:13.118155Z", "name": "T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder", "description": "

T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the \"run keys\" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.[1] These programs will be executed under the context of the user and will have the account's associated permissions level.

\n

Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\\Users\\[Username]\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup. The startup folder path for all users is C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp.

\n

The following run keys are created by default on Windows systems:

\n\n

Run keys may exist under multiple hives.[2][3] The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.[4] For example, it is possible to load a DLL at logon using a \"Depend\" key with RunOnceEx: reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\RunOnceEx\\0001\\Depend /v 1 /d \"C:\\temp\\evil[.]dll\" [5]

\n

The following Registry keys can be used to set startup folder items for persistence:

\n\n

The following Registry keys can control automatic startup of services during boot:

\n\n

Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:

\n\n

The Winlogon key controls actions that occur when a user logs on to a computer running Windows 7. Most of these actions are under the control of the operating system, but you can also add custom actions here. The HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell subkeys can automatically launch programs.

\n

Programs listed in the load value of the registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows run when any user logs on.

\n

By default, the multistring BootExecute value of the registry key HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager is set to autocheck autochk *. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.

\n

Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.

Other sub-techniques of User Execution (14)

ID Name
T1547.001 Registry Run Keys / Startup Folder
T1547.002 Authentication Package
T1547.003 Time Providers
T1547.004 Winlogon Helper DLL
T1547.005 Security Support Provider
T1547.006 Kernel Modules and Extensions
T1547.007 Re-opened Applications
T1547.008 LSASS Driver
T1547.009 Shortcut Modification
T1547.010 Port Monitors
T1547.012 Print Processors
T1547.013 XDG Autostart Entries
T1547.014 Active Setup
T1547.015 Login Items

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL ADVSTORESHELL achieves persistence by adding itself to the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.[6][7][8]
S0331 Agent Tesla Agent Tesla can add itself to the Registry as a startup program to establish persistence.[9][10]
S0622 AppleSeed AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKLU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce to establish persistence.[11]
G0026 APT18 APT18 establishes persistence via the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key.[12][13]
G0073 APT19 An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Windows Debug Tools-%LOCALAPPDATA%\\.[14]
G0007 APT28 APT28 has deployed malware that has copied itself to the startup directory for persistence.[15]
G0016 APT29 APT29 added Registry Run keys to establish persistence.[16]
G0022 APT3 APT3 places scripts in the startup folder for persistence.[17]
G0050 APT32 APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.[18][19][20]
G0064 APT33 APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[21][22]
G0067 APT37 APT37's has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\.[23][24]
G0087 APT39 APT39 has maintained persistence using the startup folder.[25]
G0096 APT41 APT41 created and modified startup files for persistence.[26][27] APT41 added a registry key in HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Svchost to establish persistence for Cobalt Strike.[28]
S0456 Aria-body Aria-body has established persistence via the Startup folder or Run Registry key.[29]
S0373 Astaroth Astaroth creates a startup item for persistence. [30]
S0640 Avaddon Avaddon uses registry run keys for persistence.[31]
S0414 BabyShark BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[32][33]
S0093 Backdoor.Oldrea Backdoor.Oldrea adds Registry Run keys to achieve persistence.[34][35]
S0031 BACKSPACE BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[36]
S0128 BADNEWS BADNEWS installs a registry Run key to establish persistence.[37]
S0337 BadPatch BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[38]
S0534 Bazar Bazar can create or add files to Registry Run Keys to establish persistence.[39][40]
S0127 BBSRAT BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe.
S0268 Bisonal Bisonal has added itself to the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run\\ for persistence.[41][42]
S0570 BitPaymer BitPaymer has set the run key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[43]
S0089 BlackEnergy The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[44]
S0635 BoomBox BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.[45]
S0204 Briba Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.[46]
G0060 BRONZE BUTLER BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[47]
S0471 build_downer build_downer has the ability to add itself to the Registry Run key for persistence.[48]
S0030 Carbanak Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.[49]
S0484 Carberp Carberp has maintained persistence by placing itself inside the current user's startup folder.[50]
S0348 Cardinal RAT Cardinal RAT establishes Persistence by setting the HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load Registry key to point to its executable.[51]
S0631 Chaes Chaes has added persistence via the Registry key software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help.[52]
S0144 ChChes ChChes establishes persistence by adding a Registry Run key.[53]
S0660 Clambling Clambling can establish persistence by adding a Registry run key.[54][55]
G0080 Cobalt Group Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[56]
S0338 Cobian RAT Cobian RAT creates an autostart Registry key to ensure persistence.[57]
S0244 Comnie Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[58]
S0608 Conficker Conficker adds Registry Run keys to establish persistence.[59]
G0142 Confucius Confucius has dropped malicious files into the startup folder %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup on a compromised host in order to maintain persistence.[60]
S0137 CORESHELL CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[61]
S0046 CozyCar One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run[62]
S0115 Crimson Crimson can add Registry run keys for persistence.[63][64]
S0235 CrossRAT CrossRAT uses run keys for persistence on Windows
G0070 Dark Caracal Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[65]
S0334 DarkComet DarkComet adds several Registry entries to enable automatic execution at every system startup.[66][67]
G0012 Darkhotel Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[68]
S0186 DownPaper DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[69]
G0035 Dragonfly Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[70]
S0062 DustySky DustySky achieves persistence by creating a Registry entry in HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run.[71]
S0081 Elise If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost : %APPDATA%\\Microsoft\\Network\\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\imejp : [self] and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IAStorD.[72][73]
S0082 Emissary Variants of Emissary have added Run Registry keys to establish persistence.[74]
S0367 Emotet Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to maintain persistence.[75][76][77]
S0363 Empire Empire can modify the registry run keys HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[78]
S0396 EvilBunny EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\\\u2026\\CurrentVersion\\Run.[79]
S0152 EvilGrab EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[53]
S0568 EVILNUM EVILNUM can achieve persistence through the Registry Run key.[80][81]
S0512 FatDuke FatDuke has used HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run to establish persistence.[82]
S0267 FELIXROOT FELIXROOT adds a shortcut file to the startup folder for persistence.[83]
G0051 FIN10 FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[84][78]
G0037 FIN6 FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[85]
G0046 FIN7 FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[86][87]
S0355 Final1stspy Final1stspy creates a Registry Run key to establish persistence.[88]
S0182 FinFisher FinFisher establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run.[89][90]
S0696 Flagpro Flagpro has dropped an executable file to the startup directory.[91]
S0036 FLASHFLOOD FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[36]
G0047 Gamaredon Group Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[92][93][94]
S0168 Gazer Gazer can establish persistence by creating a .lnk file in the Start menu.[95][96]
S0666 Gelsemium Gelsemium can set persistence with a Registry run key.[97]
S0032 gh0st RAT gh0st RAT has added a Registry Run key to establish persistence.[98][99]
S0249 Gold Dragon Gold Dragon establishes persistence in the Startup folder.[100]
G0078 Gorgon Group Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[101]
S0531 Grandoreiro Grandoreiro can use run keys and create link files in the startup folder for persistence.[102][103]
S0417 GRIFFON GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[104]
S0632 GrimAgent GrimAgent can set persistence with a Registry run key.[105]
S0561 GuLoader GuLoader can establish persistence via the Registry under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.[106]
S0499 Hancitor Hancitor has added Registry Run keys to establish persistence.[107]
S0170 Helminth Helminth establishes persistence by creating a shortcut in the Start Menu folder.[108]
S0087 Hi-Zor Hi-Zor creates a Registry Run key to establish persistence.[109]
G0126 Higaisa Higaisa added a spoofed binary to the start-up folder for persistence.[110][111]
G0072 Honeybee Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.[112]
S0070 HTTPBrowser HTTPBrowser has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn \u201c%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe\u201d to establish persistence.[113][114]
S0483 IcedID IcedID has established persistence by creating a Registry run key.[115]
G0100 Inception Inception has maintained persistence by modifying Registry run key value HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\.[116]
S0259 InnaputRAT Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:%appdata%\\NeutralApp\\NeutralApp.exe.[117]
S0260 InvisiMole InvisiMole can place a lnk file in the Startup Folder to achieve persistence.[118]
S0015 Ixeshe Ixeshe can achieve persistence by adding itself to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.[119]
S0389 JCry JCry has created payloads in the Startup directory to maintain persistence. [120]
S0044 JHUHUGIT JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[121]
S0088 Kasidet Kasidet creates a Registry Run key to establish persistence.[122][123]
S0265 Kazuar Kazuar adds a sub-key under several Registry run keys.[124]
G0004 Ke3chang Several Ke3chang backdoors achieved persistence by adding a Run key.[125]
G0094 Kimsuky Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce Registry key.[126][33][127][128][129]
S0250 Koadic Koadic has added persistence to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.[130]
S0669 KOCTOPUS KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[130]
S0356 KONNI A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[131]
G0032 Lazarus Group Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[132][133][134][135][136]
G0140 LazyScripter LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.[130]
G0065 Leviathan Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[137][138]
S0513 LiteDuke LiteDuke can create persistence by adding a shortcut in the CurrentVersion\\Run Registry key.[82]
S0397 LoJax LoJax has modified the Registry key \u2018HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute\u2019 from \u2018autocheck autochk \u2019 to \u2018autocheck autoche
\u2019 in order to execute its payload during Windows startup.[139] S0582 LookBack LookBack sets up a Registry Run key to establish a persistence mechanism.[140] S0532 Lucifer Lucifer can persist by setting Registry key values HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic.[141] S0409 Machete Machete used the startup folder for persistence.[142][143] G0059 Magic Hound Magic Hound malware has used Registry Run keys to establish persistence.[144] S0652 MarkiRAT MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[145] S0167 Matryoshka Matryoshka can establish persistence by adding Registry Run keys.[146][147] S0449 Maze Maze has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence.[148] S0500 MCMD MCMD can use Registry Run Keys for persistence.[149] S0455 Metamorfo Metamorfo has configured persistence to the Registry ket HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, Spotify =% APPDATA%\\Spotify\\Spotify.exe and used .LNK files in the startup folder to achieve persistence.[150][151][152][153] S0080 Mivast Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia.[154] S0553 MoleNet MoleNet can achieve persitence on the infected machine by setting the Registry run key.[155] G0021 Molerats Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[156] S0256 Mosquito Mosquito establishes persistence under the Registry key HKCU\\Software\\Run auto_update.[157] G0069 MuddyWater MuddyWater has added Registry Run key KCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding to establish persistence.[158][159][160][161][162] G0129 Mustang Panda Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobelmdyU to maintain persistence.[163] G0019 Naikon Naikon has modified a victim's Windows Run registry to establish persistence.[164] S0228 NanHaiShu NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.[165] S0336 NanoCore NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[166] S0247 NavRAT NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[167] S0630 Nebulae Nebulae can achieve persistence through a Registry Run key.[164] S0034 NETEAGLE The \"SCOUT\" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.[36] S0198 NETWIRE NETWIRE creates a Registry start-up entry to establish persistence.[168][169][106][170] S0385 njRAT njRAT has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\ and dropped a shortcut in %STARTUP%.[171][172] S0353 NOKKI NOKKI has established persistence by writing the payload to the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run.[173] S0644 ObliqueRAT ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.[174] S0340 Octopus Octopus achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to the Registry.[175] S0439 Okrum Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[176] G0040 Patchwork Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[177][178] S0124 Pisloader Pisloader establishes persistence via a Registry Run key.[179] S0254 PLAINTEE PLAINTEE gains persistence by adding the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce.[180] S0013 PlugX PlugX adds Run key entries in the Registry to establish persistence.[181][53][182] S0428 PoetRAT PoetRAT has added a registry key in the hive for persistence.[183] S0012 PoisonIvy PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.[184] S0139 PowerDuke PowerDuke achieves persistence by using various Registry Run keys.[185] S0441 PowerShower PowerShower sets up persistence with a Registry run key.[186] S0145 POWERSOURCE POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.[187] S0194 PowerSploit PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish via the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key.[188][189] S0371 POWERTON POWERTON can install a Registry Run key for persistence.[190] S0113 Prikormka Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[191] G0056 PROMETHIUM PROMETHIUM has used Registry run keys to establish persistence.[192] S0147 Pteranodon Pteranodon copies itself to the Startup folder to establish persistence.[193] S0196 PUNCHBUGGY PUNCHBUGGY has been observed using a Registry Run key.[194][195] S0192 Pupy Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[196] G0024 Putter Panda A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run with a value named McUpdate.[197] S0650 QakBot QakBot can maintain persistence by creating an auto-run Registry key.[198][199][200][201] S0458 Ramsay Ramsay has created Registry Run keys to establish persistence.[202] S0662 RCSession RCSession has the ability to modify a Registry Run key to establish persistence.[54][203] S0172 Reaver Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[204] S0153 RedLeaves RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[53][205] S0332 Remcos Remcos can add itself to the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence.[206] S0375 Remexi Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[207] S0379 Revenge RAT Revenge RAT creates a Registry key at HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell to survive a system reboot.[208] S0433 Rifdoor Rifdoor has created a new registry entry at HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics with a value of C:\\ProgramData\\Initech\\Initech.exe /run.[209] G0106 Rocke Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[210] S0270 RogueRobin RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.[211] S0090 Rover Rover persists by creating a Registry entry in HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\.[212] G0048 RTM RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[213][214] S0148 RTM RTM tries to add a Registry Run key under the name \"Windows Update\" to establish persistence.[213] S0253 RunningRAT RunningRAT adds itself to the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence upon reboot.[100] S0446 Ryuk Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence.[215] S0085 S-Type S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}.[216] S0074 Sakula Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.[217] S0461 SDBbot SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. [218][219] S0053 SeaDuke SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[220] S0345 Seasalt Seasalt creates a Registry entry to ensure infection after reboot under HKLM\\Software\\Microsoft\\Windows\\currentVersion\\Run.[221] S0382 ServHelper ServHelper may attempt to establish persistence via the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ run key.[222] G0104 Sharpshooter Sharpshooter's first-stage downloader installed Rising Sun to the startup folder %Startup%\\mssync.exe.[223] S0546 SharpStage SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.[155] S0444 ShimRat ShimRat has installed a registry based start-up key HKCU\\Software\\microsoft\\windows\\CurrentVersion\\Run to maintain persistence should other methods fail.[224] S0028 SHIPSHAPE SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[36] G0121 Sidewinder Sidewinder has added paths to executables in the Registry to establish persistence.[225][226][227] G0091 Silence Silence has used HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, and the Startup folder to establish persistence.[228] S0692 SILENTTRINITY SILENTTRINITY can establish a LNK file in the startup folder for persistence.[229] S0226 Smoke Loader Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[230] S0649 SMOKEDHAM SMOKEDHAM has used reg.exe to create a Registry Run key.[231] S0159 SNUGRIDE SNUGRIDE establishes persistence through a Registry Run key.[232] S0035 SPACESHIP SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[36] S0058 SslMM To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an \u201cOffice Start,\u201d \u201cYahoo Talk,\u201d \u201cMSN Gaming Z0ne,\u201d or \u201cMSN Talk\u201d shortcut.[233] S0491 StrongPity StrongPity can use the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run Registry key for persistence.[192] S0018 Sykipot Sykipot has been known to establish persistence by adding programs to the Run Registry key.[234] S0663 SysUpdate SysUpdate can use a Registry Run key to establish persistence.[235] S0011 Taidoor Taidoor has modified the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run key for persistence.[236] S0586 TAINTEDSCRIBE TAINTEDSCRIBE can copy itself into the current user\u2019s Startup folder as \u201cNarrator.exe\u201d for persistence.[237] G0139 TeamTNT TeamTNT has added batch scripts to the startup folder.[238] G0027 Threat Group-3390 A Threat Group-3390 tool can add the binary\u2019s path to the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Run to add persistence.[239] S0665 ThreatNeedle ThreatNeedle can be loaded into the Startup folder (%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrives.lnk) as a Shortcut file for persistence.[240] S0131 TINYTYPHON TINYTYPHON installs itself under Registry Run key to establish persistence.[37] S0004 TinyZBot TinyZBot can create a shortcut in the Windows startup folder for persistence.[241] S0266 TrickBot TrickBot establishes persistence in the Startup folder.[242] S0094 Trojan.Karagany Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[34][243] G0081 Tropic Trooper Tropic Trooper has created shortcuts in the Startup folder to establish persistence.[244][245] S0178 Truvasys Truvasys adds a Registry Run key to establish persistence.[246] S0647 Turian Turian can establish persistence by adding Registry Run keys.[247] G0010 Turla A Turla Javascript backdoor added a local_update_check value under the Registry key HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[157][248] S0199 TURNEDUP TURNEDUP is capable of writing to a Registry Run key to establish.[249] S0386 Ursnif Ursnif has used Registry Run keys to establish automatic execution at system startup.[250][251] S0136 USBStealer USBStealer registers itself under a Registry Run key with the name \"USB Disk Security.\"[252] S0207 Vasport Vasport copies itself to disk and creates an associated run key Registry entry to establish.[253] S0442 VBShower VBShower used HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[a-f0-9A-F]{8} to maintain persistence.[254] S0670 WarzoneRAT WarzoneRAT can add itself to the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS20VK Registry keys.[255] G0112 Windshift Windshift has created LNK files in the Startup folder to establish persistence.[256] S0141 Winnti for Windows Winnti for Windows can add a service named wind0ws to the Registry to achieve persistence after reboot.[257] G0102 Wizard Spider Wizard Spider has established persistence via the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run and a shortcut within the startup folder.[258][259] S0341 Xbash Xbash can create a Startup item for persistence if it determines it is on a Windows system.[260] S0251 Zebrocy Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.[261][262][263] S0330 Zeus Panda Zeus Panda adds persistence by creating Registry Run keys.[264][265] G0128 ZIRCONIUM ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[266]

Detection

Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. [267] Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data.

\n

Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References

1. Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved November 12, 2014.

2. Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.

3. Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.

4. Microsoft. (2018, August 20). Description of the RunOnceEx Registry Key. Retrieved June 29, 2018.

5. Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.

6. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.

7. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

8. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

9. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.

10. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.

11. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

12. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.

13. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.

14. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

15. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.

16. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.

17. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.

18. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.

19. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

20. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

21. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

22. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.

23. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

24. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

25. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.

26. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.

27. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.

28. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.

29. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

30. Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

31. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.

32. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

33. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

34. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

35. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.

36. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

37. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

38. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.

39. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

40. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

41. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

42. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

43. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.

44. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.

45. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

46. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.

47. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

48. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

49. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.

50. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

51. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

52. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

53. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

54. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

55. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

56. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.

57. Yadav, A., et al. (2017, August 31). Cobian RAT \u2013 A backdoored RAT. Retrieved November 13, 2018.

58. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

59. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.

60. Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.

61. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.

62. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.

63. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

64. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

65. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.

66. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.

67. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

68. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.

69. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

70. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

71. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.

72. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

73. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. Retrieved November 14, 2018.

74. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.

75. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.

76. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.

77. \u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.

78. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

79. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

80. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

81. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

82. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

83. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

84. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.

85. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.

86. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.

87. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.

88. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

89. FinFisher. (n.d.). Retrieved December 20, 2017.

90. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.

91. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

92. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.

93. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.

94. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.

95. ESET. (2017, August). Gazing at Gazer: Turla\u2019s new second stage backdoor. Retrieved September 14, 2017.

96. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.

97. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

98. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.

99. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

100. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

101. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

102. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

103. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

104. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. Retrieved October 11, 2019.

105. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

106. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.

107. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.

108. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

109. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.

110. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

111. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

112. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.

113. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.

114. Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.

115. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

116. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.

117. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.

118. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

119. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

120. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.

121. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

122. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.

123. Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.

124. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

125. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

126. Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.

127. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.

128. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

129. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

130. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

131. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

132. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

133. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.

134. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

135. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.

136. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

137. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

138. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

139. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.

140. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

141. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

142. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.

143. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.

144. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

145. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

146. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.

147. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.

148. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.

149. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.

150. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

151. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.

152. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

153. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

154. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.

155. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

156. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

157. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

158. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

159. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

160. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.

161. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.

162. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

163. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.

164. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

165. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.

166. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.

167. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.

168. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.

169. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

170. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

171. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

172. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

173. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

174. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

175. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

176. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

177. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

178. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

179. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

180. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

181. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.

182. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

183. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

184. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.

185. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

186. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.

187. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.

188. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.

189. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.

190. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

191. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

192. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

193. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

194. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

195. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

196. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

197. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.

198. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.

199. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

200. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.

201. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

202. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.

203. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

204. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

205. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

206. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.

207. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

208. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

209. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

210. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.

211. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

212. Ray, V., Hayashi, K. (2016, February 29). New Malware \u2018Rover\u2019 Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.

213. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

214. Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.

215. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.

216. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

217. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.

218. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

219. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.

220. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

221. Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

222. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.

223. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

224. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

225. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.

226. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group \u2013 COVID-19. Retrieved January 29, 2021.

227. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.

228. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.

229. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

230. Hasherezade. (2016, September 12). Smoke Loader \u2013 downloader with a smokescreen still alive. Retrieved March 20, 2018.

231. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

232. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

233. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

234. Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.

235. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

236. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.

237. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

238. AT&T; Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.

239. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda \u2013 A potential new malicious tool. Retrieved June 25, 2018.

240. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

241. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.

242. Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.

243. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

244. Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.

245. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

246. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.

247. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

248. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.

249. Gavriel, H. & Erbesfeld, B. (2018, April 11). New \u2018Early Bird\u2019 Code Injection Technique Discovered. Retrieved May 24, 2018.

250. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.

251. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.

252. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.

253. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.

254. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

255. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

256. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

257. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

258. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.

259. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.

260. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.

261. ESET. (2018, November 20). Sednit: What\u2019s going on with Zebrocy?. Retrieved February 12, 2019.

262. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

263. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

264. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.

265. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

266. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

267. Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.


Original source: T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
", "external_references": [ { "source_name": "TechNet Autoruns", "url": "https://technet.microsoft.com/en-us/sysinternals/bb963902" }, { "source_name": "Oddvar Moe RunOnceEx Mar 2018", "url": "https://oddvar.moe/2018/03/21/persistence-using-runonceex-hidden-from-autoruns-exe/" }, { "source_name": "Microsoft RunOnceEx APR 2018", "url": "https://support.microsoft.com/help/310593/description-of-the-runonceex-registry-key" }, { "source_name": "Malwarebytes Wow6432Node 2016", "url": "https://blog.malwarebytes.com/cybercrime/2013/10/hiding-in-plain-sight/" }, { "source_name": "Microsoft Wow6432Node 2018", "url": "https://docs.microsoft.com/en-us/windows/win32/sysinfo/32-bit-and-64-bit-application-data-in-the-registry" }, { "source_name": "Microsoft Run Key", "url": "http://msdn.microsoft.com/en-us/library/aa376977" }, { "source_name": "capec (CAPEC-270)", "url": "https://capec.mitre.org/data/definitions/270.html" }, { "source_name": "mitre-attack (T1547.001)", "url": "https://attack.mitre.org/techniques/T1547/001" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--35c10f89-4bbf-44ae-832a-fd912d9f1751", "created": "2022-11-08T14:37:13.723768Z", "modified": "2022-11-08T14:37:13.723768Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--9efb1ea7-c37b-4595-9640-b7680cd84279" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1", "created": "2021-05-26T16:37:11.334056Z", "modified": "2022-10-05T17:53:02.318035Z", "name": "T1082 - System Information Discovery", "description": "

T1082 - System Information Discovery

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.

\n

Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information.[1] System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.[2][3]

\n

Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.[4][5][6]

Procedure Examples

ID Name Description
S0065 4H RAT 4H RAT sends an OS version identifier in its beacons.[7]
G0018 admin@338 admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\\download systeminfo >> %temp%\\download[8]
S0045 ADVSTORESHELL ADVSTORESHELL can run Systeminfo to gather information about the victim.[9][10]
S0331 Agent Tesla Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.[11][12][13]
S0504 Anchor Anchor can determine the hostname and linux version on a compromised host.[14]
S0584 AppleJeus AppleJeus has collected the victim host information after infection.[15]
S0622 AppleSeed AppleSeed can identify the OS version of a targeted system.[16]
G0026 APT18 APT18 can collect system information from the victim\u2019s machine.[17]
G0073 APT19 APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim\u2019s machine.[18][19]
G0016 APT29 APT29 used fsutil to check available free space before executing actions that might create large files on disk.[20]
G0022 APT3 APT3 has a tool that can obtain information about the local system.[21][22]
G0050 APT32 APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.[23][24][25][26]
G0067 APT37 APT37 collects the computer name, the BIOS model, and execution path.[27]
G0082 APT38 APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.[28]
G0143 Aquatic Panda Aquatic Panda has used native OS commands to understand privilege levels and system details.[29]
S0456 Aria-body Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.[30]
S0373 Astaroth Astaroth collects the machine name and keyboard language from the system. [31][32]
S0438 Attor Attor monitors the free disk space on the system.[33]
S0473 Avenger Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.[34]
S0344 Azorult Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.[35][36]
S0638 Babuk Babuk can enumerate disk volumes, get disk information, and query service status.[37]
S0414 BabyShark BabyShark has executed the ver command.[38]
S0475 BackConfig BackConfig has the ability to gather the victim's computer name.[39]
S0093 Backdoor.Oldrea Backdoor.Oldrea collects information about the OS and computer name.[40][41]
S0031 BACKSPACE During its initial execution, BACKSPACE extracts operating system information from the infected host.[42]
S0245 BADCALL BADCALL collects the computer name and host name on the compromised system.[43]
S0642 BADFLICK BADFLICK has captured victim computer name, memory space, and CPU details.[44]
S0337 BadPatch BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim\u2019s machine.[45]
S0234 Bandook Bandook can collect information about the drives available on the system.[46]
S0239 Bankshot Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.[47][48]
S0534 Bazar Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.[49][50]
S0017 BISCUIT BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.[51]
S0268 Bisonal Bisonal has used commands and API calls to gather system information.[52][53][54]
S0089 BlackEnergy BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.[55][56]
S0564 BlackMould BlackMould can enumerate local drives on a compromised host.[57]
S0520 BLINDINGCAN BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.[58]
G0108 Blue Mockingbird Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.[59]
S0657 BLUELIGHT BLUELIGHT has collected the computer name and OS version from victim machines.[60]
S0486 Bonadan Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.[61]
S0635 BoomBox BoomBox can enumerate the hostname, domain, and IP of a compromised host.[62]
S0252 Brave Prince Brave Prince collects hard drive content and system configuration information.[63]
S0043 BUBBLEWRAP BUBBLEWRAP collects system information, including the operating system version and hostname.[8]
S0471 build_downer build_downer has the ability to send system volume information to C2.[34]
S0482 Bundlore Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.[64][3]
S0693 CaddyWiper CaddyWiper can use DsRoleGetPrimaryDomainInformation to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.[65][66]
S0454 Cadelspy Cadelspy has the ability to discover information about the compromised host.[67]
S0351 Cannon Cannon can gather system information from the victim\u2019s machine such as the OS version, machine name, and drive information.[68][69]
S0484 Carberp Carberp has collected the operating system version from the infected system.[70]
S0348 Cardinal RAT Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.[71]
S0462 CARROTBAT CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.[72][73]
S0572 Caterpillar WebShell Caterpillar WebShell has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more.[74]
S0631 Chaes Chaes has collected system information, including the machine name and OS version.[75]
S0674 CharmPower CharmPower can enumerate the OS version and computer name on a targeted system.[76]
S0144 ChChes ChChes collects the victim hostname, window resolution, and Microsoft Windows version.[77][78]
G0114 Chimera Chimera has used fsutil fsinfo drives, systeminfo, and vssadmin list shadows for system information including shadow volumes and drive information.[79]
S0667 Chrommme Chrommme has the ability to list drives.[80]
S0660 Clambling Clambling can discover the hostname, computer name, and Windows version of a targeted machine.[81][82]
S0106 cmd cmd can be used to find information about the operating system.[83]
S0244 Comnie Comnie collects the hostname of the victim machine.[84]
G0142 Confucius Confucius has used a file stealer that can examine system drives, including those other than the C drive.[85]
S0137 CORESHELL CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.[86]
S0046 CozyCar A system info module in CozyCar gathers information on the victim host\u2019s configuration.[87]
S0488 CrackMapExec CrackMapExec can enumerate the system drives and associated system name.[88]
S0115 Crimson Crimson contains a command to collect the victim PC name, disk drive information, and operating system.[89][90]
S0625 Cuba Cuba can enumerate local drives, disk type, and disk free space.[91]
S0687 Cyclops Blink Cyclops Blink has the ability to query device information.[92]
S0334 DarkComet DarkComet can collect the computer name, RAM used, and operating system version from the victim\u2019s machine.[93][94]
G0012 Darkhotel Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim\u2019s machine.[95][96]
S0673 DarkWatchman DarkWatchman can collect the OS version, system architecture, uptime, and computer name.[97]
S0616 DEATHRANSOM DEATHRANSOM can enumerate logical drives on a target system.[98]
S0354 Denis Denis collects OS information and the computer name from the victim\u2019s machine.[99][100]
S0021 Derusbi Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.[101]
S0659 Diavol Diavol can collect the computer name and OS version from the system.[102]
S0472 down_new down_new has the ability to identify the system volume information of a compromised host.[34]
S0186 DownPaper DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.[103]
S0384 Dridex Dridex has collected the computer name and OS architecture information from the system.[104]
S0547 DropBook DropBook has checked for the presence of Arabic language in the infected machine's settings.[105]
S0567 Dtrack Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.[106][107]
S0062 DustySky DustySky extracts basic information about the operating system.[108]
S0024 Dyre Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.[109]
S0554 Egregor Egregor can perform a language check of the infected system and can query the CPU information (cupid).[110][111]
S0081 Elise Elise executes systeminfo after initial communication is made to the remote server.[112]
S0082 Emissary Emissary has the capability to execute ver and systeminfo commands.[113]
S0363 Empire Empire can enumerate host system information like OS, architecture, applied patches, and more.[114]
S0634 EnvyScout EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.[62]
S0091 Epic Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.[115]
S0568 EVILNUM EVILNUM can obtain the computer name from the victim's system.[116]
S0569 Explosive Explosive has collected the computer name from the infected host.[117]
S0181 FALLCHILL FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.[118]
S0512 FatDuke FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.[119]
S0171 Felismus Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.[120]
S0267 FELIXROOT FELIXROOT collects the victim\u2019s computer name, processor architecture, OS version, volume serial number, and system type.[121][122]
S0679 Ferocious Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.[123]
S0355 Final1stspy Final1stspy obtains victim Microsoft Windows version information and CPU architecture.[124]
S0182 FinFisher FinFisher checks if the victim OS is 32 or 64-bit.[125][126]
S0381 FlawedAmmyy FlawedAmmyy beacons out the victim operating system and computer name during the initial infection.[127]
G0101 Frankenstein Frankenstein has enumerated hosts, looking for the system's machine name.[128]
S0410 Fysbis Fysbis has used the command ls /etc | egrep -e\"fedora*|debian*|gentoo*|mandriva*|mandrake*|meego*|redhat*|lsb-*|sun-*|SUSE*|release\" to determine which Linux OS version is running.[129]
G0047 Gamaredon Group A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.[130][131][132]
S0666 Gelsemium Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.[80]
S0460 Get2 Get2 has the ability to identify the computer name and Windows version of an infected host.[133]
S0032 gh0st RAT gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.[134]
S0249 Gold Dragon Gold Dragon collects endpoint information using the systeminfo command.[63]
S0493 GoldenSpy GoldenSpy has gathered operating system information.[135]
S0531 Grandoreiro Grandoreiro can collect the computer name and OS version from a compromised host.[136]
S0237 GravityRAT GravityRAT collects the MAC address, computer name, and CPU information.[137]
S0690 Green Lambert Green Lambert can use uname to identify the operating system name, version, and processor type.[138][139]
S0417 GRIFFON GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .[140]
S0632 GrimAgent GrimAgent can collect the OS, and build version on a compromised host.[141]
S0151 HALFBAKED HALFBAKED can obtain information about the OS, processor, and BIOS.[142]
S0214 HAPPYWORK can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.[143]
S0391 HAWKBALL HAWKBALL can collect the OS version, architecture information, and computer name.[144]
S0617 HELLOKITTY HELLOKITTY can enumerate logical drives on a target system.[98]
S0697 HermeticWiper HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.[145][146][147][148]
G0126 Higaisa Higaisa collected the system volume serial number, GUID, and computer name.[149][150]
S0601 Hildegard Hildegard has collected the host's OS, CPU, and memory information.[151]
G0072 Honeybee Honeybee gathers computer name and information using the systeminfo command.[152]
S0376 HOPLIGHT HOPLIGHT has been observed collecting victim machine information like OS version, drivers, volume information and more.[153]
S0431 HotCroissant HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.[154]
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.[155]
S0483 IcedID IcedID has the ability to identify the computer name and OS version on a compromised host.[156]
G0100 Inception Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.[157]
S0604 Industroyer Industroyer collects the victim machine\u2019s Windows GUID.[158]
S0259 InnaputRAT InnaputRAT gathers volume drive information and system information.[159]
S0260 InvisiMole InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.[160][161]
S0015 Ixeshe Ixeshe collects the computer name of the victim's system during the initial infection.[162]
S0044 JHUHUGIT JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.[163][164]
S0201 JPIN JPIN can obtain system information such as OS version and disk space.[165]
S0283 jRAT jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.[166]
S0215 KARAE KARAE can collect system information.[143]
S0088 Kasidet Kasidet has the ability to obtain a victim's system name and operating system version.[167]
S0265 Kazuar Kazuar gathers information on the system and local drives.[168]
G0004 Ke3chang Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.[169][170][171]
S0585 Kerrdown Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.[172]
S0487 Kessel Kessel has collected the system architecture, OS version, and MAC address information.[61]
S0387 KeyBoy KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.[173][174]
S0271 KEYMARBLE KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.[175]
S0526 KGH_SPY KGH_SPY can collect drive information from a compromised host.[176]
S0607 KillDisk KillDisk retrieves the hard disk name by calling the CreateFileA to \\.\\PHYSICALDRIVE0 API.[177]
G0094 Kimsuky Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the \"systeminfo\" command.[178][179]
S0250 Koadic Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.[180]
S0641 Kobalos Kobalos can record the hostname and kernel version of the target machine.[181]
S0669 KOCTOPUS KOCTOPUS has checked the OS version using wmic.exe and the find command.[180]
S0156 KOMPROGO KOMPROGO is capable of retrieving information about the infected system.[182]
S0356 KONNI KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim\u2019s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.[183][184][185]
S0236 Kwampirs Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.[186]
G0032 Lazarus Group Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.[187][188][189][190][191][192]
S0395 LightNeuron LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.[193]
S0211 Linfo Linfo creates a backdoor through which remote attackers can retrieve system information.[194]
S0513 LiteDuke LiteDuke can enumerate the CPUID and BIOS version on a compromised system.[119]
S0680 LitePower LitePower has the ability to list local drives and enumerate the OS architecture.[123]
S0681 Lizar Lizar can collect the computer name from the machine,.[195]
S0447 Lokibot Lokibot has the ability to discover the computer name and Windows product name/version.[196]
S0451 LoudMiner LoudMiner has monitored CPU usage.[197]
S0532 Lucifer Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.[198]
S0409 Machete Machete collects the hostname of the target computer.[199]
G0059 Magic Hound Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.[200]
S0652 MarkiRAT MarkiRAT can obtain the computer name from a compromised host.[201]
S0449 Maze Maze has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function.[202]
S0455 Metamorfo Metamorfo has collected the hostname and operating system version from the compromised host.[203][204][205]
S0688 Meteor Meteor has the ability to discover the hostname of a compromised host.[206]
S0339 Micropsia Micropsia gathers the hostname and OS version from the victim\u2019s machine.[207][208]
S0051 MiniDuke MiniDuke can gather the hostname on a compromised machine.[119]
S0280 MirageFox MirageFox can collect CPU and architecture information from the victim\u2019s machine.[209]
S0084 Mis-Type The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.[210]
S0083 Misdat The initial beacon packet for Misdat contains the operating system version of the victim.[210]
S0079 MobileOrder MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.[211]
S0553 MoleNet MoleNet can collect information about the about the system.[105]
S0149 MoonWind MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.[212]
S0284 More_eggs More_eggs has the capability to gather the OS version and computer name.[213][214]
G0069 MuddyWater MuddyWater has used malware that can collect the victim\u2019s OS version and machine name.[215][216][217][218]
S0233 MURKYTOP MURKYTOP has the capability to retrieve information about the OS.[219]
G0129 Mustang Panda Mustang Panda has gathered system information using systeminfo.[220]
S0205 Naid Naid collects a unique identifier (UID) from a compromised host.[221]
S0228 NanHaiShu NanHaiShu can gather the victim computer name and serial number.[222]
S0247 NavRAT NavRAT uses systeminfo on a victim\u2019s machine.[223]
S0272 NDiskMonitor NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.[224]
S0630 Nebulae Nebulae can discover logical drive information including the drive type, free space, and volume information.[225]
S0691 Neoichor Neoichor can collect the OS version and computer name from a compromised host.[171]
S0457 Netwalker Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.[226]
S0198 NETWIRE NETWIRE can discover and collect victim system information.[227]
S0385 njRAT njRAT enumerates the victim operating system and computer name during the initial infection.[228]
S0353 NOKKI NOKKI can gather information on drives and the operating system on the victim\u2019s machine.[229]
S0644 ObliqueRAT ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.[230]
S0346 OceanSalt OceanSalt can collect the computer name from the system.[231]
S0340 Octopus Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.[232]
G0049 OilRig OilRig has run hostname and systeminfo on a victim.[233][234][235][236]
S0439 Okrum Okrum can collect computer name, locale information, and information about the OS and architecture.[237]
S0264 OopsIE OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.[238]
G0116 Operation Wocao Operation Wocao has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.[239]
S0229 Orz Orz can gather the victim OS version and whether it is 64 or 32 bit.[222]
S0165 OSInfo OSInfo discovers information about the infected machine.[21]
S0402 OSX/Shlayer OSX/Shlayer collects the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.[240][241]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.[242][243][3]
S0208 Pasam Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.[244]
G0040 Patchwork Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.[245][224]
S0556 Pay2Key Pay2Key has the ability to gather the hostname of the victim machine.[246]
S0587 Penquin Penquin can report the file system type and disk space of a compromised host to C2.[247]
S0048 PinchDuke PinchDuke gathers system configuration information.[248]
S0501 PipeMon PipeMon can collect and send OS version and computer name as a part of its C2 beacon.[249]
S0124 Pisloader Pisloader has a command to collect victim system information, including the system name and OS version.[250]
S0254 PLAINTEE PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.[251]
S0428 PoetRAT PoetRAT has the ability to gather information about the compromised host.[252]
S0453 Pony Pony has collected the Service Pack, language, and region information to send to the C2.[253]
S0216 POORAIM POORAIM can identify system information, including battery status.[143]
S0378 PoshC2 PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.[254]
S0139 PowerDuke PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.[255]
S0441 PowerShower PowerShower has collected system information on the infected host.[256]
S0223 POWERSTATS POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.[257][258]
S0184 POWRUNER POWRUNER may collect information about the system by running hostname and systeminfo on a victim.[259]
S0113 Prikormka A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[260]
S0238 Proxysvc Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.[191]
S0196 PUNCHBUGGY PUNCHBUGGY can gather system information such as computer names.[261]
S0192 Pupy Pupy can grab a system\u2019s information including the OS version, architecture, etc.[262]
S0650 QakBot QakBot can collect system information including the OS version and domain on a compromised host.[263][264][265]
S0262 QuasarRAT QuasarRAT has a command to gather system information from the victim\u2019s machine.[266]
S0458 Ramsay Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.[267][268]
S0241 RATANKBA RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.[269][270]
S0662 RCSession RCSession can gather system information from a compromised host.[271]
S0172 Reaver Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[272]
S0153 RedLeaves RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.[78][273]
S0125 Remsec Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.[274]
S0379 Revenge RAT Revenge RAT collects the CPU information, OS information, and system language.[275]
S0496 REvil REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.[276][277][278][279][279][280][281][282]
S0433 Rifdoor Rifdoor has the ability to identify the Windows version on the compromised host.[283]
S0448 Rising Sun Rising Sun can detect the computer name, operating system, and other native system information.[284]
G0106 Rocke Rocke has used uname -m to collect the name and information about the infected system's kernel.[285]
S0270 RogueRobin RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.[286]
S0240 ROKRAT ROKRAT can gather the hostname and the OS version to ensure it doesn\u2019t run on a Windows XP or Windows Server 2003 systems.[287][288][289][290][291][292]
S0148 RTM RTM can obtain the computer name, OS version, and default language identifier.[293]
S0253 RunningRAT RunningRAT gathers the OS version, logical drives information, processor information, and volume information.[63]
S0446 Ryuk Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.[294]
S0085 S-Type The initial beacon packet for S-Type contains the operating system version and file system of the victim.[210]
G0034 Sandworm Team Sandworm Team used a backdoor to enumerate information about the infected system's operating system.[295][296]
S0461 SDBbot SDBbot has the ability to identify the OS version, country code, and computer name.[133]
S0382 ServHelper ServHelper will attempt to enumerate Windows version and system architecture.[297]
S0596 ShadowPad ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.[298]
S0140 Shamoon Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.[299][300]
S0546 SharpStage SharpStage has checked the system settings to see if Arabic is the configured language.[301]
S0450 SHARPSTATS SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.[258]
S0445 ShimRatReporter ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.[302]
S0217 SHUTTERSPEED SHUTTERSPEED can collect system information.[143]
S0610 SideTwist SideTwist can collect the computer name of a targeted system.[236]
G0121 Sidewinder Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.[303][304]
S0692 SILENTTRINITY SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.[305]
S0468 Skidmap Skidmap has the ability to check whether the infected system\u2019s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.[306]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.[307]
S0218 SLOWDRIFT SLOWDRIFT collects and sends system information to its C2.[143]
S0649 SMOKEDHAM SMOKEDHAM has used the systeminfo command on a compromised host.[308]
S0627 SodaMaster SodaMaster can enumerate the host name and OS version on a target system.[309]
S0615 SombRAT SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.[310]
S0516 SoreFang SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.[311]
S0157 SOUNDBITE SOUNDBITE is capable of gathering system information.[182]
G0054 Sowbug Sowbug obtained OS version and hardware configuration from a victim.[312]
S0543 Spark Spark can collect the hostname, keyboard layout, and language from the system.[313]
S0374 SpeakUp SpeakUp uses the cat /proc/cpuinfo | grep -c \u201ccpu family\u201d 2>&1 command to gather system information. [314]
S0646 SpicyOmelette SpicyOmelette can identify the system name of a compromised host.[315]
S0058 SslMM SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.[316]
G0038 Stealth Falcon Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.[317]
S0380 StoneDrill StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.[318]
S0142 StreamEx StreamEx has the ability to enumerate system information.[319]
S0491 StrongPity StrongPity can identify the hard disk volume serial number on a compromised host.[320]
S0603 Stuxnet Stuxnet collects system information including computer and domain names, OS version, and S7P paths.[321]
S0559 SUNBURST SUNBURST collected hostname, OS version, and device uptime.[322][323]
S0242 SynAck SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.[324]
S0060 Sys10 Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.[316]
S0464 SYSCON SYSCON has the ability to use Systeminfo to identify system information.[73]
S0096 Systeminfo Systeminfo can be used to gather information about the operating system.[325]
S0663 SysUpdate SysUpdate can determine whether a system has a 32 bit or 64 bit architecture.[326]
S0098 T9000 T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.[327]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can use DriveList to retrieve drive information.[328]
S0467 TajMahal TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.[329]
G0139 TeamTNT TeamTNT has searched for system version and architecture information.[330]
S0665 ThreatNeedle ThreatNeedle can collect system profile information from a compromised host.[331]
S0678 Torisma Torisma can use GetlogicalDrives to get a bitmask of all drives available on a compromised system. It can also use GetDriveType to determine if a new drive is a CD-ROM drive.[332]
S0266 TrickBot TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim\u2019s machine.[333][334][335][336]
S0094 Trojan.Karagany Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.[337]
G0081 Tropic Trooper Tropic Trooper has detected a target system\u2019s OS version and system volume information.[338][339]
S0647 Turian Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.[340]
G0010 Turla Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.[341][342]
S0199 TURNEDUP TURNEDUP is capable of gathering system information.[343]
S0263 TYPEFRAME TYPEFRAME can gather the disk volume information.[344]
G0118 UNC2452 UNC2452 used fsutil to check available free space before executing actions that might create large files on disk.[20]
S0130 Unknown Logger Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.[345]
S0275 UPPERCUT UPPERCUT has the capability to gather the system\u2019s hostname and OS version.[346]
S0386 Ursnif Ursnif has used Systeminfo to gather system information.[347]
S0476 Valak Valak can determine the Windows version and computer name on a compromised host.[348][349]
S0257 VERMIN VERMIN collects the OS name, machine name, and architecture information.[350]
S0180 Volgmer Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.[351][352][353]
S0670 WarzoneRAT WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.[354]
S0514 WellMess WellMess can identify the computer name of a compromised host.[355][356]
S0689 WhisperGate WhisperGate has the ability to enumerate fixed logical drives on a targeted system.[357]
G0124 Windigo Windigo has used a script to detect which Linux distribution and version is currently installed on the system.[61]
S0155 WINDSHIELD WINDSHIELD can gather the victim computer name.[182]
G0112 Windshift Windshift has used malware to identify the computer name of a compromised host.[358]
S0219 WINERACK WINERACK can gather information about the host.[143]
S0176 Wingbird Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.[359]
S0059 WinMM WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.[316]
S0141 Winnti for Windows Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.[360]
G0102 Wizard Spider Wizard Spider has used \u201csysteminfo\u201d and similar commands to acquire detailed configuration information of a victim machine.[361]
S0161 XAgentOSX XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.[362]
S0658 XCSSET XCSSET identifies the macOS version and uses ioreg to determine serial number.[363]
S0388 YAHOYAH YAHOYAH checks for the system\u2019s Windows OS version and hostname.[338]
S0248 yty yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.[364]
S0251 Zebrocy Zebrocy collects the OS version, computer name and serial number for the storage volume C:. Zebrocy also runs the systeminfo command to gather system information. [365][68][366][69][367][368][369]
S0230 ZeroT ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.[370]
S0330 Zeus Panda Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.[371][372]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.[373]
S0086 ZLib ZLib has the ability to enumerate system information.[210]
S0672 Zox Zox can enumerate attached drives.[374]
S0350 zwShell zwShell can obtain the victim PC name and OS version.[375]
S0412 ZxShell ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[376]

Mitigations

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.

\n

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, Network Device CLI commands may also be used to gather detailed system information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

\n

In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

References

1. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

2. Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.

3. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.

4. Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.

5. Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.

6. Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.

7. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.

8. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

9. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

10. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

11. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.

12. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.

13. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.

14. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.

15. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

16. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

17. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.

18. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.

19. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

20. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.

21. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

22. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.

23. Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.

24. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.

25. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.

26. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.

27. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

28. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.

29. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.

30. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

31. Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

32. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

33. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

34. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

35. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

36. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

37. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.

38. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

39. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

40. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

41. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.

42. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

43. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.

44. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

45. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.

46. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

47. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.

48. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

49. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

50. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

51. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

52. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

53. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

54. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

55. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.

56. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.

57. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.

58. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

59. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.

60. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

61. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

62. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

63. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

64. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.

65. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.

66. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.

67. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.

68. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

69. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group\u2019s Global Campaign. Retrieved April 19, 2019.

70. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

71. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

72. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.

73. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.

74. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

75. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

76. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

77. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.

78. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

79. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

80. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

81. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

82. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

83. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.

84. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

85. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

86. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

87. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.

88. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.

89. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

90. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

91. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

92. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

93. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.

94. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

95. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.

96. Microsoft. (2016, July 14). Reverse engineering DUBNIUM \u2013 Stage 2 payload analysis . Retrieved March 31, 2021.

97. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

98. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.

99. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C; Communications. Retrieved November 5, 2018.

100. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

101. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.

102. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

103. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

104. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.

105. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

106. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.

107. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

108. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.

109. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

110. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.

111. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.

112. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

113. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.

114. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

115. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.

116. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.

117. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

118. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.

119. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

120. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

121. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

122. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

123. Yamout, M. (2021, November 29). WIRTE\u2019s campaign in the Middle East \u2018living off the land\u2019 since at least 2019. Retrieved February 1, 2022.

124. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.

125. FinFisher. (n.d.). Retrieved December 20, 2017.

126. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher\u2019s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.

127. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.

128. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

129. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy\u2019s Linux Backdoor. Retrieved September 10, 2017.

130. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

131. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.

132. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.

133. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

134. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.

135. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.

136. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

137. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

138. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

139. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK.; Retrieved March 21, 2022.

140. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. Retrieved October 11, 2019.

141. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

142. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.

143. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

144. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

145. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.

146. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.

147. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.

148. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.

149. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.

150. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

151. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

152. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.

153. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

154. US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.

155. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

156. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

157. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.

158. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.

159. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.

160. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

161. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

162. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

163. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

164. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.

165. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

166. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.

167. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.

168. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

169. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

170. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

171. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

172. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus\u2019 new Downloader, KerrDown. Retrieved October 1, 2021.

173. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

174. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.

175. US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

176. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

177. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.

178. Tarakanov , D.. (2013, September 11). The \u201cKimsuky\u201d Operation: A North Korean APT?. Retrieved August 13, 2019.

179. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

180. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

181. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.

182. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

183. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

184. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.

185. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

186. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

187. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

188. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

189. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

190. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

191. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

192. Saini, A. and Hossein, J. (2022, January 27). North Korea\u2019s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.

193. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

194. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.

195. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

196. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.

197. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

198. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

199. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

200. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

201. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

202. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.

203. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.

204. Zhang, X.. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.

205. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.

206. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.

207. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.

208. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.

209. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

210. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

211. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.

212. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

213. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

214. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

215. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

216. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.

217. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.

218. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

219. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

220. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.

221. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.

222. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

223. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.

224. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

225. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

226. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.

227. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.

228. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

229. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

230. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

231. Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

232. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

233. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

234. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.

235. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34\u2019s Invite to Join Their Professional Network. Retrieved August 26, 2019.

236. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

237. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

238. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.

239. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

240. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.

241. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.

242. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.

243. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.

244. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.

245. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

246. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.

247. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.

248. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

249. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

250. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

251. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

252. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

253. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

254. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.

255. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

256. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.

257. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

258. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

259. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

260. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

261. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.

262. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

263. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

264. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

265. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

266. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

267. Sanmillan, I.. (2020, May 13). Ramsay: A cyber\u2011espionage toolkit tailored for air\u2011gapped networks. Retrieved May 27, 2020.

268. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.

269. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.

270. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

271. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

272. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

273. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

274. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

275. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

276. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.

277. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

278. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.

279. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service \u2013 What The Code Tells Us. Retrieved August 4, 2020.

280. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service \u2013 An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.

281. Group IB. (2020, May). Ransomware Uncovered: Attackers\u2019 Latest Methods. Retrieved August 5, 2020.

282. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

283. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

284. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

285. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.

286. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

287. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.

288. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.

289. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.

290. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.

291. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.

292. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.

293. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

294. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.

295. Cherepanov, A.. (2017, July 4). Analysis of TeleBots\u2019 cunning backdoor . Retrieved June 11, 2020.

296. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

297. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

298. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

299. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

300. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.

301. Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.

302. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

303. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

304. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group \u2013 COVID-19. Retrieved January 29, 2021.

305. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

306. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.

307. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

308. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate\u2019s Supply Chain Software Compromise. Retrieved September 22, 2021.

309. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.

310. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

311. CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.

312. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.

313. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

314. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

315. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

316. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

317. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

318. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.

319. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV\u2019s Radar. Retrieved February 15, 2017.

320. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

321. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

322. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

323. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.

324. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelg\u00e4nging technique. Retrieved May 22, 2018.

325. Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.

326. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

327. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

328. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

329. GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.

330. AT&T; Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.

331. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

332. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

333. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.

334. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.

335. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

336. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS \u2018TRICKBOOT\u2019: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.

337. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

338. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.

339. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

340. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

341. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

342. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

343. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

344. US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

345. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

346. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

347. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.

348. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

349. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

350. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

351. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA \u2013 North Korean Trojan: Volgmer. Retrieved December 7, 2017.

352. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

353. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.

354. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

355. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

356. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

357. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.

358. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.

359. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.

360. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.

361. The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.

362. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.

363. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

364. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

365. Lee, B., Falcone, R. (2018, June 06). Sofacy Group\u2019s Parallel Attacks. Retrieved June 18, 2018.

366. ESET. (2018, November 20). Sednit: What\u2019s going on with Zebrocy?. Retrieved February 12, 2019.

367. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

368. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

369. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

370. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

371. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.

372. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

373. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

374. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.

375. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

376. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.


Original source: T1082 - System Information Discovery
", "external_references": [ { "source_name": "Microsoft Virutal Machine API", "url": "https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/get" }, { "source_name": "Google Instances Resource", "url": "https://cloud.google.com/compute/docs/reference/rest/v1/instances" }, { "source_name": "Amazon Describe Instance", "url": "https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html" }, { "source_name": "capec (CAPEC-312)", "url": "https://capec.mitre.org/data/definitions/312.html" }, { "source_name": "mitre-attack (T1082)", "url": "https://attack.mitre.org/techniques/T1082" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f5a158ed-5ae6-4732-891c-f8ceb40f1edd", "created": "2022-11-08T14:37:13.732827Z", "modified": "2022-11-08T14:37:13.732827Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--354a7f88-63fb-41b5-a801-ce3b377b36f1" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0", "created": "2021-05-26T17:42:36.005558Z", "modified": "2022-05-30T23:28:22.2028Z", "name": "T1016 - System Network Configuration Discovery", "description": "

T1016 - System Network Configuration Discovery

Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp, ipconfig/ifconfig, nbtstat, and route.

\n

Adversaries may also leverage a Network Device CLI on network devices to gather information about configurations and settings, such as IP addresses of configured interfaces and static/dynamic routes.[1][2]

\n

Adversaries may use the information from System Network Configuration Discovery during automated discovery to shape follow-on behaviors, including determining certain access within the target network and what actions to do next.

Sub-techniques (1)

ID Name
T1016.001 Internet Connection Discovery

Procedure Examples

ID Name Description
S0552 AdFind AdFind can extract subnet information from Active Directory.[3][4][5]
G0018 admin@338 admin@338 actors used the following command after exploiting a machine with LOWBALL malware to acquire information about local networks: ipconfig /all >> %temp%\\download[6]
S0331 Agent Tesla Agent Tesla can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings.[7][8]
S0092 Agent.btz Agent.btz collects the network adapter\u2019s IP and MAC address as well as IP addresses of the network adapter\u2019s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file.[9]
S0504 Anchor Anchor can determine the public IP and location of a compromised host.[10]
S0622 AppleSeed AppleSeed can identify the IP of a targeted system.[11]
G0006 APT1 APT1 used the ipconfig /all command to gather network configuration information.[12]
G0073 APT19 APT19 used an HTTP malware variant and a Port 22 malware variant to collect the MAC address and IP address from the victim\u2019s machine.[13]
G0022 APT3 A keylogging tool used by APT3 gathers network information from the victim, including the MAC address, IP address, WINS, DHCP server, and gateway.[14][15]
G0050 APT32 APT32 used the ipconfig /all command to gather the IP address from the system.[16]
G0096 APT41 APT41 collected MAC addresses from victim machines.[17][18]
S0456 Aria-body Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host.[19]
S0099 Arp Arp can be used to display ARP configuration information on the host.[20]
S0373 Astaroth Astaroth collects the external IP address from the system. [21]
S0640 Avaddon Avaddon can collect the external IP address of the victim.[22]
S0473 Avenger Avenger can identify the domain of the compromised host.[23]
S0344 Azorult Azorult can collect host IP information from the victim\u2019s machine.[24]
S0414 BabyShark BabyShark has executed the ipconfig /all command.[25]
S0093 Backdoor.Oldrea Backdoor.Oldrea collects information about the Internet adapter configuration.[26][27]
S0245 BADCALL BADCALL collects the network adapter information.[28]
S0642 BADFLICK BADFLICK has captured victim IP address details.[29]
S0234 Bandook Bandook has a command to get the public IP address from a system.[30]
S0534 Bazar Bazar can collect the IP address and NetBIOS name of an infected machine.[31]
S0268 Bisonal Bisonal can execute ipconfig on the victim\u2019s machine.[32][33][34]
S0089 BlackEnergy BlackEnergy has gathered information about network IP configurations using ipconfig.exe and about routing tables using route.exe.[35][36]
S0520 BLINDINGCAN BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[37]
S0657 BLUELIGHT BLUELIGHT can collect IP information from the victim\u2019s machine.[38]
S0486 Bonadan Bonadan can find the external IP address of the infected host.[39]
S0651 BoxCaon BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API.[40]
S0252 Brave Prince Brave Prince gathers network configuration information as well as the ARP cache.[41]
S0274 Calisto Calisto runs the ifconfig command to obtain the IP address from the victim\u2019s machine.[42]
S0335 Carbon Carbon can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s.[43][44]
S0261 Catchamas Catchamas gathers the Mac address, IP address, and the network adapter information from the victim\u2019s machine.[45]
S0572 Caterpillar WebShell Caterpillar WebShell can gather the IP address from the victim's machine using the IP config command.[46]
S0674 CharmPower CharmPower has the ability to use ipconfig to enumerate system network settings.[47]
G0114 Chimera Chimera has used ipconfig, Ping, and tracert to enumerate the IP address and network environment and settings of the local host.[48]
S0667 Chrommme Chrommme can enumerate the IP address of a compromised host.[49]
S0660 Clambling Clambling can enumerate the IP address of a compromised machine.[50][51]
S0154 Cobalt Strike Cobalt Strike can determine the NetBios name and the IP addresses of targets machines including domain controllers.[52][53]
S0244 Comnie Comnie uses ipconfig /all and route PRINT to identify network adapter and interface information.[54]
S0575 Conti Conti can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems.[55]
S0488 CrackMapExec CrackMapExec can collect DNS information from the targeted system.[56]
S0115 Crimson Crimson contains a command to collect the victim MAC address and LAN IP.[57][58]
S0625 Cuba Cuba can retrieve the ARP cache from the local system by using GetIpNetTable.[59]
S0687 Cyclops Blink Cyclops Blink can use the Linux API if_nameindex to gather network interface names.[60][61]
G0012 Darkhotel Darkhotel has collected the IP address and network adapter information from the victim\u2019s machine.[62][63]
S0354 Denis Denis uses ipconfig to gather the IP address from the system.[16]
S0659 Diavol Diavol can enumerate victims' local and external IPs when registering with C2.[64]
S0472 down_new down_new has the ability to identify the MAC address of a compromised host.[23]
G0035 Dragonfly Dragonfly has used batch scripts to enumerate network information, including information about trusts, zones, and the domain.[65]
S0567 Dtrack Dtrack can collect the host's IP addresses using the ipconfig command.[66][67]
S0038 Duqu The reconnaissance modules used with Duqu can collect information on network configuration.[68]
S0024 Dyre Dyre has the ability to identify network settings on a compromised host.[69]
S0605 EKANS EKANS can determine the domain of a compromised host.[70]
S0081 Elise Elise executes ipconfig /all after initial communication is made to the remote server.[71][72]
S0082 Emissary Emissary has the capability to execute the command ipconfig /all.[73]
S0363 Empire Empire can acquire network configuration information like DNS servers and network proxies used by a host.[74]
S0091 Epic Epic uses the nbtstat -n and nbtstat -s commands on the victim\u2019s machine.[75]
S0569 Explosive Explosive has collected the MAC address from the victim's machine.[76]
S0181 FALLCHILL FALLCHILL collects MAC address and local IP address information from the victim.[77]
S0512 FatDuke FatDuke can identify the MAC address on the target computer.[78]
S0171 Felismus Felismus collects the victim LAN IP address and sends it to the C2 server.[79]
S0267 FELIXROOT FELIXROOT collects information about the network including the IP address and DHCP server.[80]
S0696 Flagpro Flagpro has been used to execute the ipconfig /all command on a victim system.[81]
G0101 Frankenstein Frankenstein has enumerated hosts, looking for the public IP address of the system.[82]
G0093 GALLIUM GALLIUM used ipconfig /all to obtain information about the victim network configuration. The group also ran a modified version of NBTscan to identify available NetBIOS name servers.[83]
S0049 GeminiDuke GeminiDuke collects information on network settings and Internet proxy settings from the victim.[84]
S0588 GoldMax GoldMax retrieved a list of the system's network interface after execution.[85]
S0531 Grandoreiro Grandoreiro can determine the IP and physical location of the compromised host via IPinfo.[86]
S0237 GravityRAT GravityRAT collects the victim IP address, MAC address, as well as the victim account domain name.[87]
S0690 Green Lambert Green Lambert can obtain proxy information from a victim's machine using system environment variables.[88][89]
S0632 GrimAgent GrimAgent can enumerate the IP and domain of a target system.[90]
G0126 Higaisa Higaisa used ipconfig to gather network configuration information.[91][92]
S0431 HotCroissant HotCroissant has the ability to identify the IP address of the compromised machine.[93]
S0203 Hydraq Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines.[94][95]
S0101 ifconfig ifconfig can be used to display adapter configuration on Unix systems, including information for TCP/IP, DNS, and DHCP.
S0278 iKitten iKitten will look for the current IP address.[96]
S0604 Industroyer Industroyer\u2019s 61850 payload component enumerates connected network adapters and their corresponding IP addresses.[97]
S0260 InvisiMole InvisiMole gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID.[98][99]
S0100 ipconfig ipconfig can be used to display adapter configuration on Windows systems, including information for TCP/IP, DNS, and DHCP.
S0015 Ixeshe Ixeshe enumerates the IP address, network proxy settings, and domain name from a victim's system.[100]
S0044 JHUHUGIT A JHUHUGIT variant gathers network interface card information.[101]
S0201 JPIN JPIN can obtain network information, including DNS, IP, and proxies.[102]
S0283 jRAT jRAT can gather victim internal and external IPs.[103]
S0265 Kazuar Kazuar gathers information about network adapters.[104]
G0004 Ke3chang Ke3chang has performed local network configuration discovery using ipconfig.[105][106][107]
S0487 Kessel Kessel has collected the DNS address of the infected host.[39]
S0387 KeyBoy KeyBoy can determine the public or WAN IP address for the system.[108]
S0271 KEYMARBLE KEYMARBLE gathers the MAC address of the victim\u2019s machine.[109]
G0094 Kimsuky Kimsuky has used ipconfig/all to gather network configuration information.[110]
S0250 Koadic Koadic can retrieve the contents of the IP routing table as well as information about the Windows domain.[111][112]
S0641 Kobalos Kobalos can record the IP address of the target machine.[113]
S0356 KONNI KONNI can collect the IP address from the victim\u2019s machine.[114]
S0236 Kwampirs Kwampirs collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation.[115]
G0032 Lazarus Group Lazarus Group malware IndiaIndia obtains and sends to its C2 server information about the first network interface card\u2019s configuration, including IP address, gateways, subnet mask, DHCP information, and whether WINS is available.[116][117]
S0395 LightNeuron LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo.[118]
S0513 LiteDuke LiteDuke has the ability to discover the proxy configuration of Firefox and/or Opera.[78]
S0681 Lizar Lizar can retrieve network information from a compromised host.[119]
S0447 Lokibot Lokibot has the ability to discover the domain name of the infected host.[120]
S0451 LoudMiner LoudMiner used a script to gather the IP address of the infected machine before sending to the C2.[121]
S0532 Lucifer Lucifer can collect the IP address of a compromised host.[122]
S0409 Machete Machete collects the MAC address of the target computer and other network configuration information.[123][124]
G0059 Magic Hound Magic Hound malware gathers the victim's local IP address, MAC address, and external IP address.[125]
G0045 menuPass menuPass has used several tools to scan for open NetBIOS nameservers and enumerate NetBIOS sessions.[126]
S0084 Mis-Type Mis-Type may create a file containing the results of the command cmd.exe /c ipconfig /all.[127]
S0149 MoonWind MoonWind obtains the victim IP address.[128]
S0284 More_eggs More_eggs has the capability to gather the IP address from the victim's machine.[129]
S0256 Mosquito Mosquito uses the ipconfig command.[130]
G0069 MuddyWater MuddyWater has used malware to collect the victim\u2019s IP address and domain name.[131]
G0129 Mustang Panda Mustang Panda has used ipconfig and arp to determine network configuration information.[132]
S0205 Naid Naid collects the domain name from a compromised host.[133]
G0019 Naikon Naikon uses commands such as netsh interface show to discover network interface settings.[134]
S0228 NanHaiShu NanHaiShu can gather information about the victim proxy server.[135]
S0336 NanoCore NanoCore gathers the IP address from the victim\u2019s machine.[136]
S0590 NBTscan NBTscan can be used to collect MAC addresses.[137][138]
S0102 nbtstat nbtstat can be used to discover local NetBIOS domain names.
S0691 Neoichor Neoichor can gather the IP address from an infected host.[107]
S0198 NETWIRE NETWIRE can collect the IP address of a compromised host.[139][140]
S0359 Nltest Nltest may be used to enumerate the parent domain of a local machine using /parentdomain.[141]
S0353 NOKKI NOKKI can gather information on the victim IP address.[142]
S0346 OceanSalt OceanSalt can collect the victim\u2019s IP address.[143]
S0340 Octopus Octopus can collect the host IP address from the victim\u2019s machine.[144]
G0049 OilRig OilRig has run ipconfig /all on a victim.[145][146]
S0439 Okrum Okrum can collect network information, including the host IP address, DNS, and proxy information.[147]
S0365 Olympic Destroyer Olympic Destroyer uses API calls to enumerate the infected system's ARP table.[148]
G0116 Operation Wocao Operation Wocao has discovered the local network configuration with ipconfig.[149]
S0229 Orz Orz can gather victim proxy information.[135]
S0165 OSInfo OSInfo discovers the current domain information.[14]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D can collect the network interface MAC address on the infected host.[150][151]
S0556 Pay2Key Pay2Key can identify the IP and MAC addresses of the compromised host.[152]
S0587 Penquin Penquin can report the IP of the compromised host to attacker controlled infrastructure.[153]
S0501 PipeMon PipeMon can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon.[154]
S0124 Pisloader Pisloader has a command to collect the victim's IP address.[155]
S0254 PLAINTEE PLAINTEE uses the ipconfig /all command to gather the victim\u2019s IP address.[156]
S0378 PoshC2 PoshC2 can enumerate network adapter information.[157]
S0139 PowerDuke PowerDuke has a command to get the victim's domain and NetBIOS name.[158]
S0441 PowerShower PowerShower has the ability to identify the current Windows domain of the infected host.[159]
S0223 POWERSTATS POWERSTATS can retrieve IP, network adapter configuration information, and domain from compromised hosts.[160][161]
S0184 POWRUNER POWRUNER may collect network configuration data by running ipconfig /all on a victim.[162]
S0113 Prikormka A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[163]
S0238 Proxysvc Proxysvc collects the network adapter information and domain/username information based on current remote sessions.[164]
S0192 Pupy Pupy has built in commands to identify a host\u2019s IP address and find out other network configuration settings by viewing connected sessions.[165]
S0583 Pysa Pysa can perform network reconnaissance using the Advanced IP Scanner tool.[166]
S0650 QakBot QakBot can use net config workstation, arp -a, and ipconfig /all to gather network configuration information.[167][168][169]
S0269 QUADAGENT QUADAGENT gathers the current domain the victim system belongs to.[170]
S0458 Ramsay Ramsay can use ipconfig and Arp to collect network configuration information, including routing information and ARP tables.[171]
S0241 RATANKBA RATANKBA gathers the victim\u2019s IP address via the ipconfig -all command.[172][173]
S0172 Reaver Reaver collects the victim's IP address.[174]
S0153 RedLeaves RedLeaves can obtain information about network parameters.[126]
S0125 Remsec Remsec can obtain information about network configuration, including the routing table, ARP cache, and DNS cache.[175]
S0379 Revenge RAT Revenge RAT collects the IP address and MAC address from the system.[176]
S0433 Rifdoor Rifdoor has the ability to identify the IP address of the compromised host.[177]
S0448 Rising Sun Rising Sun can detect network adapter and IP address information.[178]
S0270 RogueRobin RogueRobin gathers the IP address and domain from the victim\u2019s machine.[179]
S0103 route route can be used to discover routing configuration information.
S0446 Ryuk Ryuk has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries.[180][181]
G0034 Sandworm Team Sandworm Team checks for connectivity to other resources in the network.[182]
S0461 SDBbot SDBbot has the ability to determine the domain name and whether a proxy is configured on a compromised host.[183]
S0596 ShadowPad ShadowPad has collected the domain name of the victim system.[184]
S0140 Shamoon Shamoon obtains the target's IP address and local network segment.[185][186]
S0450 SHARPSTATS SHARPSTATS has the ability to identify the domain of the compromised host.[161]
S0445 ShimRatReporter ShimRatReporter gathered the local proxy, domain, IP, routing tables, mac address, gateway, DNS servers, and DHCP status information from an infected host.[187]
S0589 Sibot Sibot checked if the compromised system is configured to use proxies.[85]
S0610 SideTwist SideTwist has the ability to collect the domain name on a compromised host.[188]
G0121 Sidewinder Sidewinder has used malware to collect information on network interfaces, including the MAC address.[189]
S0633 Sliver Sliver has the ability to gather network configuration information.[190]
S0516 SoreFang SoreFang can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all.[191]
S0374 SpeakUp SpeakUp uses the ifconfig -a command. [192]
S0646 SpicyOmelette SpicyOmelette can identify the IP of a compromised system.[193]
G0038 Stealth Falcon Stealth Falcon malware gathers the Address Resolution Protocol (ARP) table from the victim.[194]
S0491 StrongPity StrongPity can identify the IP address of a compromised host.[195]
S0603 Stuxnet Stuxnet collects the IP address of a compromised system.[196]
S0559 SUNBURST SUNBURST collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information.[197]
S0018 Sykipot Sykipot may use ipconfig /all to gather system network configuration details.[198]
S0060 Sys10 Sys10 collects the local IP address of the victim and sends it to the C2.[134]
S0098 T9000 T9000 gathers and beacons the MAC and IP addresses during installation.[199]
S0011 Taidoor Taidoor has collected the MAC address of a compromised host; it can also use GetAdaptersInfo to identify network adapters.[200][201]
S0467 TajMahal TajMahal has the ability to identify the MAC address on an infected host.[202]
G0139 TeamTNT TeamTNT looks for the host machine\u2019s IP address.[203]
G0027 Threat Group-3390 Threat Group-3390 actors use NBTscan to discover vulnerable systems.[204]
S0678 Torisma Torisma can collect the local MAC address using GetAdaptersInfo as well as the system's IP address.[205]
S0266 TrickBot TrickBot obtains the IP address, location, and other relevant network information from the victim\u2019s machine.[206][207][52]
S0094 Trojan.Karagany Trojan.Karagany can gather information on the network configuration of a compromised host.[208]
G0081 Tropic Trooper Tropic Trooper has used scripts to collect the host's network topology.[209]
S0436 TSCookie TSCookie has the ability to identify the IP of the infected host.[210]
S0647 Turian Turian can retrieve the internal IP address of a compromised host.[211]
G0010 Turla Turla surveys a system upon check-in to discover network configuration details using the arp -a, nbtstat -n, net config, ipconfig /all, and route commands, as well as NBTscan.[75][212][213] Turla RPC backdoors have also retrieved registered RPC interface information from process memory.[214]
S0130 Unknown Logger Unknown Logger can obtain information about the victim's IP address.[215]
S0275 UPPERCUT UPPERCUT has the capability to gather the victim's proxy information.[216]
S0452 USBferry USBferry can detect the infected machine's network topology using ipconfig and arp.[209]
S0476 Valak Valak has the ability to identify the domain and the MAC and IP addresses of an infected machine.[217]
S0257 VERMIN VERMIN gathers the local IP address.[218]
S0180 Volgmer Volgmer can gather the IP address from the victim's machine.[219]
S0366 WannaCry WannaCry will attempt to determine the local network segment it is a part of.[220]
S0515 WellMail WellMail can identify the IP address of the victim system.[221]
S0514 WellMess WellMess can identify the IP address and user domain on the target machine.[222][223]
G0102 Wizard Spider Wizard Spider has used \"ipconfig\" to identify the network configuration of a victim machine.[224]
S0341 Xbash Xbash can collect IP addresses and local intranet information from a victim\u2019s machine.[225]
S0653 xCaon xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address.[40]
S0248 yty yty runs ipconfig /all and collects the domain name.[226]
S0251 Zebrocy Zebrocy runs the ipconfig /all command.[227]
S0230 ZeroT ZeroT gathers the victim's IP address and domain information, and then sends it to its C2 server.[228]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to enumerate proxy settings in the target environment.[229]
S0350 zwShell zwShell can obtain the victim IP address.[230]

Mitigations

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about a system's network configuration, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Lateral Movement, based on the information obtained.

\n

Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, {{LinkById|T1059.008} commands may also be used to gather system and network information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.

References

1. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.

2. Gyler, C.,Perez D.,Jones, S.,Miller, S.. (2021, February 25). This is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved February 17, 2022.

3. Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020.

4. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.

5. Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.

6. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

7. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.

8. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.

9. Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.

10. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.

11. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

12. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

13. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.

14. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

15. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.

16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

17. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.

18. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.

19. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.

20. Microsoft. (n.d.). Arp. Retrieved April 17, 2016.

21. Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

22. Gahlot, A. (n.d.). Threat Hunting for Avaddon Ransomware. Retrieved August 19, 2021.

23. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

24. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

25. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

26. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

27. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE\u2019S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.

28. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.

29. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

30. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

31. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

32. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

33. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

34. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

35. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.

36. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.

37. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

38. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

39. Dumont, R., M.L\u00e9veill\u00e9, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.

40. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

41. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

42. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.

43. ESET. (2017, March 30). Carbon Paper: Peering into Turla\u2019s second stage backdoor. Retrieved November 7, 2018.

44. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.

45. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.

46. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

47. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

48. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

49. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.

50. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

51. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.

52. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

53. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

54. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

55. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.

56. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.

57. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

58. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

59. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

60. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.

61. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.

62. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.

63. Microsoft. (2016, July 14). Reverse engineering DUBNIUM \u2013 Stage 2 payload analysis . Retrieved March 31, 2021.

64. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.

65. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

66. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.

67. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

68. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.

69. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.

70. Singleton, C. and Kiefer, C. (2020, September 28). Ransomware 2020: Attack Trends Affecting Organizations Worldwide. Retrieved September 20, 2021.

71. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.

72. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS\u2019 MEETING AND ASSOCIATES. Retrieved November 14, 2018.

73. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.

74. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

75. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

76. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.

77. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA \u2013 North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.

78. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.

79. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

80. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

81. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

82. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

83. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

84. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

85. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

86. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

87. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

88. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

89. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK.; Retrieved March 21, 2022.

90. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

91. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

92. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

93. US-CERT. (2020, February 20). MAR-10271944-1.v1 \u2013 North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.

94. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.

95. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.

96. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

97. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.

98. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

99. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

100. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

101. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

102. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

103. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

104. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

105. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION \u201cKE3CHANG\u201d: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.

106. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

107. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.

108. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

109. US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

110. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

111. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.

112. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

113. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.

114. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

115. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

116. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

117. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.

118. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

119. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

120. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.

121. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

122. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

123. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

124. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020.

125. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

126. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

127. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

128. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

129. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

130. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

131. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.

132. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.

133. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.

134. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.

135. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

136. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.

137. Bezroutchko, A. (2019, November 19). NBTscan man page. Retrieved March 17, 2021.

138. SecTools. (2003, June 11). NBTscan. Retrieved March 17, 2021.

139. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

140. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

141. ss64. (n.d.). NLTEST.exe - Network Location Test. Retrieved February 14, 2019.

142. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

143. Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

144. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.

145. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

146. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.

147. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

148. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.

149. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

150. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.

151. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.

152. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.

153. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA \u201cPenquin_x64\u201d. Retrieved March 11, 2021.

154. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

155. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

156. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

157. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.

158. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

159. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.

160. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.

161. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

162. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

163. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

164. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

165. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

166. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.

167. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

168. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

169. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

170. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

171. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.

172. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.

173. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

174. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.

175. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

176. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

177. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

178. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

179. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

180. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.

181. Abrams, L. (2021, January 14). Ryuk Ransomware Uses Wake-on-Lan To Encrypt Offline Devices. Retrieved February 11, 2021.

182. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.

183. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

184. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

185. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

186. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.

187. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

188. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

189. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

190. BishopFox. (n.d.). Sliver Ifconfig. Retrieved September 16, 2021.

191. CISA. (2020, July 16). MAR-10296782-1.v1 \u2013 SOREFANG. Retrieved September 29, 2020.

192. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.

193. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

194. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

195. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

196. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

197. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.

198. Blasco, J. (2011, December 12). Another Sykipot sample likely targeting US federal agencies. Retrieved March 28, 2016.

199. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

200. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.

201. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

202. GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.

203. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.

204. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.

205. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

206. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.

207. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.

208. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

209. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

210. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

211. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

212. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.

213. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

214. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

215. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

216. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

217. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.

218. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.

219. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.

220. Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019.

221. CISA. (2020, July 16). MAR-10296782-3.v1 \u2013 WELLMAIL. Retrieved September 29, 2020.

222. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

223. CISA. (2020, July 16). MAR-10296782-2.v1 \u2013 WELLMESS. Retrieved September 24, 2020.

224. Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They\u2019re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020.

225. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.

226. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.

227. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

228. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.

229. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

230. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.


Original source: T1016 - System Network Configuration Discovery
", "external_references": [ { "source_name": "capec (CAPEC-309)", "url": "https://capec.mitre.org/data/definitions/309.html" }, { "source_name": "mitre-attack (T1016)", "url": "https://attack.mitre.org/techniques/T1016" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--1da97195-c756-4cff-8d66-425cd9d84602", "created": "2022-11-08T14:37:13.739881Z", "modified": "2022-11-08T14:37:13.739881Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--707399d6-ab3e-4963-9315-d9d3818cd6a0" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8", "created": "2021-05-26T17:48:25.447612Z", "modified": "2022-05-30T23:40:54.350443Z", "name": "T1555.003 - Credentials from Password Stores: Credentials From Web Browsers", "description": "

T1555.003 - Credentials from Password Stores: Credentials From Web Browsers

Adversaries may acquire credentials from web browsers by reading files specific to the target browser.[1] Web browsers commonly save credentials such as website usernames and passwords so that they do not need to be entered manually in the future. Web browsers typically store the credentials in an encrypted format within a credential store; however, methods exist to extract plaintext credentials from web browsers.

\n

For example, on Windows systems, encrypted credentials may be obtained from Google Chrome by reading a database file, AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data and executing a SQL query: SELECT action_url, username_value, password_value FROM logins;. The plaintext password can then be obtained by passing the encrypted credentials to the Windows API function CryptUnprotectData, which uses the victim\u2019s cached logon credentials as the decryption key.[2]

\n

Adversaries have executed similar procedures for common web browsers such as FireFox, Safari, Edge, etc.[3][4] Windows stores Internet Explorer and Microsoft Edge credentials in Credential Lockers managed by the Windows Credential Manager.

\n

Adversaries may also acquire credentials by searching web browser process memory for patterns that commonly match credentials.[5]

\n

After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary's objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).

Other sub-techniques of User Execution (5)

ID Name
T1555.001 Keychain
T1555.002 Securityd Memory
T1555.003 Credentials from Web Browsers
T1555.004 Windows Credential Manager
T1555.005 Password Managers

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can gather credentials from a number of browsers.[6]
G0130 Ajax Security Team Ajax Security Team has used FireMalv custom-developed malware, which collected passwords from the Firefox browser storage.[7]
G0016 APT29 APT29 has stolen user's saved passwords from Chrome.[8]
G0022 APT3 APT3 has used tools to dump passwords from browsers.[9]
G0064 APT33 APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[10][11]
G0067 APT37 APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.[12]
S0344 Azorult Azorult can steal credentials from the victim's browser.[13]
S0093 Backdoor.Oldrea Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[14]
S0089 BlackEnergy BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer.[15][16]
S0657 BLUELIGHT BLUELIGHT can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale.[17]
S0484 Carberp Carberp's passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome.[18]
S0631 Chaes Chaes can steal login credentials and stored financial information from the browser.[19]
S0144 ChChes ChChes steals credentials stored inside Internet Explorer.[20]
S0492 CookieMiner CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.[21]
S0050 CosmicDuke CosmicDuke collects user credentials, including passwords, for various programs including Web browsers.[22]
S0115 Crimson Crimson contains a module to steal credentials from Web browsers on the victim machine.[23][24]
S0367 Emotet Emotet has been observed dropping browser password grabber modules. [25][26]
S0363 Empire Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.[27]
G0037 FIN6 FIN6 has used the Stealer One credential stealer to target web browsers.[28]
S0531 Grandoreiro Grandoreiro can steal cookie data and credentials from Google Chrome.[29][30]
S0132 H1N1 H1N1 dumps usernames and passwords from Firefox, Internet Explorer, and Outlook.[31]
S0434 Imminent Monitor Imminent Monitor has a PasswordRecoveryPacket module for recovering browser passwords.[32]
G0100 Inception Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex.[33]
S0528 Javali Javali can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge.[34]
S0283 jRAT jRAT can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox.[35]
S0387 KeyBoy KeyBoy attempts to collect passwords from browsers.[36]
S0526 KGH_SPY KGH_SPY has the ability to steal data from the Chrome, Edge, Firefox, Thunderbird, and Opera browsers.[37]
G0094 Kimsuky Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers. Kimsuky has also used Nirsoft's WebBrowserPassView tool to dump the passwords obtained from victims.[38][39][40][41]
S0356 KONNI KONNI can steal profiles (containing credential information) from Firefox, Chrome, and Opera.[42]
S0349 LaZagne LaZagne can obtain credentials from web browsers such as Google Chrome, Internet Explorer, and Firefox.[43]
G0077 Leafminer Leafminer used several tools for retrieving login and password information, including LaZagne.[44]
S0681 Lizar Lizar has a module to collect usernames and passwords stored in browsers.[45]
S0447 Lokibot Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.[46]
S0409 Machete Machete collects stored credentials from several web browsers.[47]
S0530 Melcoz Melcoz has the ability to steal credentials from web browsers.[34]
S0002 Mimikatz Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways, including from DPAPI.[48][49][50][51]
G0021 Molerats Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.[52]
G0069 MuddyWater MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.[53][54]
S0198 NETWIRE NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.[55][56][57]
S0385 njRAT njRAT has a module that steals passwords saved in victim web browsers.[58][59][60]
G0049 OilRig OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.[61][62][63][64] OilRig has also used tool named PICKPOCKET to dump passwords from web browsers.[64]
S0138 OLDBAIT OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.[65]
S0365 Olympic Destroyer Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.[1]
G0040 Patchwork Patchwork dumped the login data database from \\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data.[66]
S0048 PinchDuke PinchDuke steals credentials from compromised hosts. PinchDuke's credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer. [22]
S0435 PLEAD PLEAD can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox.[67][68]
S0428 PoetRAT PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.[69]
S0113 Prikormka A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[70]
S0279 Proton Proton gathers credentials for Google Chrome.[71]
S0192 Pupy Pupy can use Lazagne for harvesting credentials.[72]
S0650 QakBot QakBot has collected usernames and passwords from Firefox and Chrome.[73]
S0262 QuasarRAT QuasarRAT can obtain passwords from common web browsers.[74][75]
S0629 RainyDay RainyDay can use tools to collect credentials from web browsers.[76]
S0153 RedLeaves RedLeaves can gather browser usernames and passwords.[77]
S0240 ROKRAT ROKRAT can steal credentials stored in Web browsers by querying the sqlite database.[78]
G0034 Sandworm Team Sandworm Team's CredRaptor tool can collect saved passwords from various internet browsers.[79]
S0692 SILENTTRINITY SILENTTRINITY can collect clear text web credentials for Internet Explorer/Edge.[80]
S0226 Smoke Loader Smoke Loader searches for credentials stored from web browsers.[81]
G0038 Stealth Falcon Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.[82]
G0086 Stolen Pencil Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.[40]
G0092 TA505 TA505 has used malware to gather credentials from Internet Explorer.[83]
S0266 TrickBot TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.[84][85][86]
S0094 Trojan.Karagany Trojan.Karagany can steal data and credentials from browsers.[87]
S0436 TSCookie TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.[88]
S0130 Unknown Logger Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine.[89]
S0670 WarzoneRAT WarzoneRAT has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients.[90][91]
S0161 XAgentOSX XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox passwords.[92]
S0251 Zebrocy Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.[93]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.[94]

Mitigations

ID Mitigation Description
M1027 Password Policies Organizations may consider weighing the risk of storing credentials in web browsers. If web browser credential disclosure is a significant concern, technical controls, policy, and user training may be used to prevent storage of credentials in web browsers.

Detection

Identify web browser files that contain credentials such as Google Chrome\u2019s Login Data database file: AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data. Monitor file read events of web browser files that contain credentials, especially when the reading process is unrelated to the subject web browser. Monitor process execution logs to include PowerShell Transcription focusing on those that perform a combination of behaviors including reading web browser process memory, utilizing regular expressions, and those that contain numerous keywords for common web applications (Gmail, Twitter, Office365, etc.).

References

1. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.

2. Microsoft. (2018, April 12). CryptUnprotectData function. Retrieved June 18, 2019.

3. Proofpoint. (2018, May 10). New Vega Stealer shines brightly in targeted campaign . Retrieved June 18, 2019.

4. Swapnil Patil, Yogesh Londhe. (2017, July 25). HawkEye Credential Theft Malware Distributed in Recent Phishing Campaign. Retrieved June 18, 2019.

5. Jamieson O'Reilly (putterpanda). (2016, July 4). mimikittenz. Retrieved June 20, 2019.

6. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.

7. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.

8. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.

9. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

10. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

11. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

12. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

13. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

14. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.

15. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.

16. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.

17. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

18. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

19. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

20. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

21. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges\u2019 Cookies. Retrieved July 22, 2020.

22. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

23. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

24. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

25. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.

26. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.

27. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

28. Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.

29. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

30. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

31. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities \u2013 part 2. Retrieved September 26, 2016.

32. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

33. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.

34. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

35. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

36. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.

37. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

38. Cimpanu, C.. (2018, December 5). Cyber-espionage group uses Chrome extension to infect victims. Retrieved August 26, 2019.

39. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

40. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.

41. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

42. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

43. Zanni, A. (n.d.). The LaZagne Project !!!. Retrieved December 14, 2018.

44. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.

45. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

46. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.

47. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

48. Deply, B. (n.d.). Mimikatz. Retrieved September 29, 2015.

49. Deply, B., Le Toux, V. (2016, June 5). module ~ lsadump. Retrieved August 7, 2017.

50. Grafnetter, M. (2015, October 26). Retrieving DPAPI Backup Keys from Active Directory. Retrieved December 19, 2017.

51. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.

52. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.

53. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.

54. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

55. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.

56. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

57. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

58. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

59. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.

60. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.

61. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

62. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.

63. Mandiant. (2018). Mandiant M-Trends 2018. Retrieved July 9, 2018.

64. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34\u2019s Invite to Join Their Professional Network. Retrieved August 26, 2019.

65. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

66. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

67. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.

68. Cherepanov, A.. (2018, July 9). Certificates stolen from Taiwanese tech\u2011companies misused in Plead malware campaign. Retrieved May 6, 2020.

69. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.

70. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

71. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.

72. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.

73. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

74. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

75. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

76. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

77. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

78. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

79. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

80. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

81. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.

82. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don\u2019t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.

83. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.

84. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.

85. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

86. Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot\u2019s Ever-Improving VNC Module. Retrieved September 28, 2021.

87. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

88. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

89. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

90. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

91. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.

92. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.

93. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

94. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1555.003 - Credentials from Password Stores: Credentials From Web Browsers
", "external_references": [ { "source_name": "GitHub Mimikittenz July 2016", "url": "https://github.com/putterpanda/mimikittenz" }, { "source_name": "FireEye HawkEye Malware July 2017", "url": "https://www.fireeye.com/blog/threat-research/2017/07/hawkeye-malware-distributed-in-phishing-campaign.html" }, { "source_name": "Proofpoint Vega Credential Stealer May 2018", "url": "https://www.proofpoint.com/us/threat-insight/post/new-vega-stealer-shines-brightly-targeted-campaign" }, { "source_name": "Microsoft CryptUnprotectData April 2018", "url": "https://docs.microsoft.com/en-us/windows/desktop/api/dpapi/nf-dpapi-cryptunprotectdata" }, { "source_name": "Talos Olympic Destroyer 2018", "url": "https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" }, { "source_name": "mitre-attack (T1555.003)", "url": "https://attack.mitre.org/techniques/T1555/003" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--bd5d796f-428b-49cd-9949-e60bdc1e44c3", "created": "2022-11-08T14:37:13.745653Z", "modified": "2022-11-08T14:37:13.745653Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--58a3e6aa-4453-4cc8-a51f-4befe80b31a8" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7", "created": "2021-05-26T17:48:53.159123Z", "modified": "2022-05-30T23:25:32.071296Z", "name": "T1566.002 - Phishing: Spearphishing Link", "description": "

T1566.002 - Phishing: Spearphishing Link

Adversaries may send spearphishing emails with a malicious link in an attempt to gain access to victim systems. Spearphishing with a link is a specific variant of spearphishing. It is different from other forms of spearphishing in that it employs the use of links to download malware contained in email, instead of attaching malicious files to the email itself, to avoid defenses that may inspect email attachments. Spearphishing may also involve social engineering techniques, such as posing as a trusted source.

\n

All forms of spearphishing are electronically delivered social engineering targeted at a specific individual, company, or industry. In this case, the malicious emails contain links. Generally, the links will be accompanied by social engineering text and require the user to actively click or copy and paste a URL into a browser, leveraging User Execution. The visited website may compromise the web browser using an exploit, or the user will be prompted to download applications, documents, zip files, or even executables depending on the pretext for the email in the first place. Adversaries may also include links that are intended to interact directly with an email reader, including embedded images intended to exploit the end system directly or verify the receipt of an email (i.e. web bugs/web beacons).

\n

Adversaries may also utilize links to perform consent phishing, typically with OAuth 2.0 request URLs that when accepted by the user provide permissions/access for malicious applications, allowing adversaries to Steal Application Access Tokens.[1] These stolen access tokens allow the adversary to perform various actions on behalf of the user via API calls. [2]

Other sub-techniques of User Execution (3)

ID Name
T1566.001 Spearphishing Attachment
T1566.002 Spearphishing Link
T1566.003 Spearphishing via Service

Procedure Examples

ID Name Description
S0677 AADInternals AADInternals can send \"consent phishing\" emails containing malicious links designed to steal users\u2019 access tokens.[3]
S0584 AppleJeus AppleJeus has been distributed via spearphishing link.[4]
G0006 APT1 APT1 has sent spearphishing emails containing hyperlinks to malicious files.[5]
G0007 APT28 APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.[6][7][8][9]
G0016 APT29 APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.[10][11][12]
G0022 APT3 APT3 has sent spearphishing emails containing malicious links.[13]
G0050 APT32 APT32 has sent spearphishing emails containing malicious links.[14][15][16][17][18]
G0064 APT33 APT33 has sent spearphishing emails containing links to .hta files.[19][20]
G0087 APT39 APT39 leveraged spearphishing emails with malicious links to initially compromise victims.[21][22]
S0534 Bazar Bazar has been spread via emails with embedded malicious links.[23][24][25]
G0098 BlackTech BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.[26]
G0080 Cobalt Group Cobalt Group has sent emails with URLs pointing to malicious documents.[27][28]
G0142 Confucius Confucius has sent malicious links to victims through email campaigns.[29]
G0066 Elderwood Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.[30][31]
S0367 Emotet Emotet has been delivered by phishing emails containing links. [32][33][34][35][36][37][38][38][39]
G0120 Evilnum Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.[40]
G0085 FIN4 FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.[41][42]
G0046 FIN7 FIN7 has conducted broad phishing campaigns using malicious links.[43]
G0061 FIN8 FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[44]
S0531 Grandoreiro Grandoreiro has been spread via malicious links embedded in e-mails.[45][46]
S0561 GuLoader GuLoader has been spread in phishing campaigns using malicious web links.[47]
S0499 Hancitor Hancitor has been delivered via phishing emails which contained malicious links.[48]
S0528 Javali Javali has been delivered via malicious links embedded in e-mails.[49]
S0585 Kerrdown Kerrdown has been distributed via e-mails containing a malicious link.[18]
G0094 Kimsuky Kimsuky has sent spearphishing emails containing a link to a document that contained malicious macros or took the victim to an actor-controlled domain.[50][51][52]
S0669 KOCTOPUS KOCTOPUS has been distributed as a malicious link within an email.[53]
G0032 Lazarus Group Lazarus Group has sent malicious links to victims via email.[54][55][56]
G0140 LazyScripter LazyScripter has used spam emails that contain a link that redirects the victim to download a malicious document.[53]
G0065 Leviathan Leviathan has sent spearphishing emails with links, often using a fraudulent lookalike domain and stolen branding.[57][58]
G0095 Machete Machete has sent phishing emails that contain a link to an external server with ZIP and RAR archives.[59][60]
G0059 Magic Hound Magic Hound has sent malicious URL links through email to victims. In some cases the URLs were shortened or linked to Word documents with malicious macros that executed PowerShells scripts to download Pupy.[61][62][63]
S0530 Melcoz Melcoz has been spread through malicious links embedded in e-mails.[49]
G0103 Mofang Mofang delivered spearphishing emails with malicious links included.[64]
G0021 Molerats Molerats has sent phishing emails with malicious links included.[65]
G0069 MuddyWater MuddyWater has sent targeted spearphishing e-mails with malicious links.[66][67]
G0129 Mustang Panda Mustang Panda has delivered web bugs and malicious links to their intended targets.[68][69]
S0198 NETWIRE NETWIRE has been spread via e-mail campaigns utilizing malicious links.[47]
G0014 Night Dragon Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[70]
G0049 OilRig OilRig has sent spearphising emails with malicious links to potential victims.[71]
G0040 Patchwork Patchwork has used spearphishing with links to deliver files with exploits to initial victims. The group has also used embedded image tags (known as web bugs) with unique, per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.[72][73][74][75]
S0453 Pony Pony has been delivered via spearphishing emails which contained malicious links.[76]
S0650 QakBot QakBot has spread through emails with malicious links.[77][78][79][80][81][82]
G0034 Sandworm Team Sandworm Team has crafted phishing emails containing malicious hyperlinks.[83]
G0121 Sidewinder Sidewinder has sent e-mails with malicious links often crafted for specific targets.[84][85]
S0646 SpicyOmelette SpicyOmelette has been distributed via emails containing a malicious link that appears to be a PDF document.[28]
G0086 Stolen Pencil Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.[51]
G0092 TA505 TA505 has sent spearphishing emails containing malicious links.[86][87][88][89]
G0134 Transparent Tribe Transparent Tribe has embedded links to malicious downloads in e-mails.[90][91]
S0266 TrickBot TrickBot has been delivered via malicious links in phishing e-mails.[92]
G0010 Turla Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.[93]
S0476 Valak Valak has been delivered via malicious links in e-mail.[94]
G0112 Windshift Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.[95]
G0102 Wizard Spider Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.[96][97]
G0128 ZIRCONIUM ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URL's.[98][99][100]

Mitigations

ID Mitigation Description
M1047 Audit Audit applications and their permissions to ensure access to data and resources are limited based upon necessity and principle of least privilege.
M1021 Restrict Web-Based Content Determine if certain websites that can be used for spearphishing are necessary for business operations and consider blocking access if activity cannot be monitored well or if it poses a significant risk.
M1054 Software Configuration Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[101][102]
M1018 User Account Management Azure AD Administrators apply limitations upon the ability for users to grant consent to unfamiliar or unverified third-party applications.
M1017 User Training Users can be trained to identify social engineering techniques and spearphishing emails with malicious links which includes phishing for consent with OAuth 2.0

Detection

URL inspection within email (including expanding shortened links) can help detect links leading to known malicious sites as well as links redirecting to adversary infrastructure based by upon suspicious OAuth patterns with unusual TLDs.[2]. Detonation chambers can be used to detect these links and either automatically go to these sites to determine if they're potentially malicious, or wait and capture the content if a user visits the link.

\n

Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[101][102]

\n

Because this technique usually involves user interaction on the endpoint, many of the possible detections take place once User Execution occurs.

References

1. Hacquebord, F.. (2017, April 25). Pawn Storm Abuses Open Authentication in Advanced Social Engineering Attacks. Retrieved October 4, 2019.

2. Microsoft 365 Defender Threat Intelligence Team. (2021, June 14). Microsoft delivers comprehensive solution to battle rise in consent phishing emails. Retrieved December 13, 2021.

3. Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.

4. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

5. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

6. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.

7. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

8. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.

9. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.

10. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.

11. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

12. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.

13. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf \u2013 Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.

14. Folt\u00fdn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.

15. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.

16. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.

17. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

18. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.

19. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

20. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.

21. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.

22. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.

23. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

24. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

25. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.

26. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech\u2019s Cyber Espionage Campaigns. Retrieved May 5, 2020.

27. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

28. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.

29. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.

30. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.

31. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.

32. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.

33. Shulmin, A. . (2015, April 9). The Banking Trojan Emotet: Detailed Analysis. Retrieved March 25, 2019.

34. CIS. (2017, April 28). Emotet Changes TTPs and Arrives in United States. Retrieved January 17, 2019.

35. Smith, A.. (2017, December 22). Protect your network from Emotet Trojan with Malwarebytes Endpoint Security. Retrieved January 17, 2019.

36. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.

37. US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.

38. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.

39. \u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.

40. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

41. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.

42. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.

43. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.

44. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

45. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.

46. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

47. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.

48. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.

49. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.

50. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.

51. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.

52. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

53. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

54. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.

55. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

56. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

57. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

58. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department.. Retrieved August 12, 2021.

59. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.

60. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

61. Counter Threat Unit Research Team. (2017, February 15). Iranian PupyRAT Bites Middle Eastern Organizations. Retrieved December 27, 2017.

62. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.

63. Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.

64. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

65. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.

66. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

67. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

68. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.

69. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.

70. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

71. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

72. Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.

73. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

74. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

75. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

76. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

77. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.

78. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.

79. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.

80. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

81. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

82. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

83. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

84. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

85. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.

86. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.

87. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

88. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.

89. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

90. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.

91. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.

92. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

93. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

94. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.

95. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.

96. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.

97. The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020.

98. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.

99. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

100. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

101. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

102. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.


Original source: T1566.002 - Phishing: Spearphishing Link
", "external_references": [ { "source_name": "ACSC Email Spoofing", "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" }, { "source_name": "Microsoft Anti Spoofing", "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" }, { "source_name": "Trend Micro Pawn Storm OAuth 2017", "url": "https://blog.trendmicro.com/trendlabs-security-intelligence/pawn-storm-abuses-open-authentication-advanced-social-engineering-attacks" }, { "source_name": "capec (CAPEC-163)", "url": "https://capec.mitre.org/data/definitions/163.html" }, { "source_name": "mitre-attack (T1566.002)", "url": "https://attack.mitre.org/techniques/T1566/002" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--b6966023-738c-461c-a149-62aacba5afa6", "created": "2022-11-08T14:37:13.751453Z", "modified": "2022-11-08T14:37:13.751453Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--2b742742-28c3-4e1b-bab7-8350d6300fa7" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62", "created": "2021-05-26T17:49:05.153823Z", "modified": "2022-05-30T23:37:07.170635Z", "name": "T1059.003 - Command and Scripting Interpreter: Windows Command Shell", "description": "

T1059.003 - Command and Scripting Interpreter: Windows Command Shell

Adversaries may abuse the Windows command shell for execution. The Windows command shell (cmd) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. The command prompt can be invoked remotely via Remote Services such as SSH.[1]

\n

Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.

\n

Adversaries may leverage cmd to execute various commands and payloads. Common uses include cmd to execute a single command, or abusing cmd interactively with input and output forwarded over a command and control channel.

Other sub-techniques of User Execution (8)

ID Name
T1059.001 PowerShell
T1059.002 AppleScript
T1059.003 Windows Command Shell
T1059.004 Unix Shell
T1059.005 Visual Basic
T1059.006 Python
T1059.007 JavaScript
T1059.008 Network Device CLI

Procedure Examples

ID Name Description
S0065 4H RAT 4H RAT has the capability to create a remote shell.[2]
S0469 ABK ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[3]
S0202 adbupd adbupd can run a copy of cmd.exe.[4]
G0018 admin@338 Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.[5]
S0045 ADVSTORESHELL ADVSTORESHELL can create a remote shell and run a given command.[6][7]
S0504 Anchor Anchor has used cmd.exe to run its self deletion routine.[8]
G0006 APT1 APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.[9]
G0026 APT18 APT18 uses cmd.exe to execute commands on the victim\u2019s machine.[10][11]
G0007 APT28 An APT28 loader Trojan uses a cmd.exe and batch script to run its payload.[12] The group has also used macros to execute payloads.[13][14][15][16]
G0016 APT29 APT29 used cmd.exe to execute commands on remote machines.[17][18]
G0022 APT3 An APT3 downloader uses the Windows command \"cmd.exe\" /C whoami. The group also uses a tool to execute commands on remote computers.[19][20]
G0050 APT32 APT32 has used cmd.exe for execution.[21]
G0067 APT37 APT37 has used the command-line interface.[22][23]
G0082 APT38 APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim\u2019s machine.[24]
G0096 APT41 APT41 used cmd.exe /c to execute commands on remote machines.[25]APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.[26]
G0143 Aquatic Panda Aquatic Panda has attempted and failed to run Bash commands on a Windows host by passing them to cmd /C.[27]
S0373 Astaroth Astaroth spawns a CMD process to execute commands. [28]
S0347 AuditCred AuditCred can open a reverse shell on the system to execute commands.[29]
S0638 Babuk Babuk has the ability to use the command line to control execution on compromised hosts.[30][31]
S0414 BabyShark BabyShark has used cmd.exe to execute commands.[32]
S0475 BackConfig BackConfig can download and run batch files to execute commands on a compromised host.[33]
S0031 BACKSPACE Adversaries can direct BACKSPACE to execute from the command line on infected hosts, or have BACKSPACE create a reverse shell.[34]
S0128 BADNEWS BADNEWS is capable of executing commands via cmd.exe.[35][36]
S0234 Bandook Bandook is capable of spawning a Windows command shell.[37][38]
S0239 Bankshot Bankshot uses the command-line interface to execute arbitrary commands.[39][40]
S0534 Bazar Bazar can launch cmd.exe to perform reconnaissance commands.[41][42]
S0470 BBK BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.[3]
S0017 BISCUIT BISCUIT has a command to launch a command shell on the system.[43]
S0268 Bisonal Bisonal has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system.[44][45][46]
S0069 BLACKCOFFEE BLACKCOFFEE has the capability to create a reverse shell.[47]
S0564 BlackMould BlackMould can run cmd.exe with parameters.[48]
S0520 BLINDINGCAN BLINDINGCAN has executed commands via cmd.exe.[49]
G0108 Blue Mockingbird Blue Mockingbird has used batch script files to automate execution and deployment of payloads.[50]
S0360 BONDUPDATER BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.[51]
S0651 BoxCaon BoxCaon can execute arbitrary commands and utilize the \"ComSpec\" environment variable.[52]
G0060 BRONZE BUTLER BRONZE BUTLER has used batch scripts and the command-line interface for execution.[53]
S0025 CALENDAR CALENDAR has a command to run cmd.exe to execute commands.[43]
S0030 Carbanak Carbanak has a command to create a reverse shell.[54]
S0348 Cardinal RAT Cardinal RAT can execute commands.[55]
S0462 CARROTBAT CARROTBAT has the ability to execute command line arguments on a compromised host.[56]
S0572 Caterpillar WebShell Caterpillar WebShell can run commands on the compromised asset with CMD functions.[57]
S0631 Chaes Chaes has used cmd to execute tasks on the system.[58]
S0674 CharmPower The C# implementation of the CharmPower command execution module can use cmd.[59]
G0114 Chimera Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.[60]
S0020 China Chopper China Chopper's server component is capable of opening a command terminal.[61][62][63]
S0660 Clambling Clambling can use cmd.exe for command execution.[64]
S0611 Clop Clop can use cmd.exe to help execute commands on the system.[65]
S0106 cmd cmd is used to execute programs and other actions at the command-line interface.[66]
G0080 Cobalt Group Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.[67] The group has used an exploit toolkit known as Threadkit that launches .bat files.[68][69][70][67][71][72]
S0154 Cobalt Strike Cobalt Strike uses a command-line interface to interact with systems.[73][74][75]
S0338 Cobian RAT Cobian RAT can launch a remote command shell interface for executing commands.[76]
S0369 CoinTicker CoinTicker executes a bash script to establish a reverse shell.[77]
S0244 Comnie Comnie executes BAT scripts.[78]
S0126 ComRAT ComRAT has used cmd.exe to execute commands.[79]
S0575 Conti Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.[80]
S0046 CozyCar A module in CozyCar allows arbitrary commands to be executed by invoking C:\\Windows\\System32\\cmd.exe.[81]
S0115 Crimson Crimson has the ability to execute commands with the COMSPEC environment variable.[82]
S0625 Cuba Cuba has used cmd.exe /c and batch files for execution.[83]
G0070 Dark Caracal Dark Caracal has used macros in Word documents that would download a second stage if executed.[84]
S0334 DarkComet DarkComet can launch a remote shell to execute commands on the victim\u2019s machine.[85]
G0012 Darkhotel Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.[86]
S0673 DarkWatchman DarkWatchman can use cmd.exe to execute commands.[87]
S0187 Daserf Daserf can execute shell commands.[88][53]
S0243 DealersChoice DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim\u2019s machine.[89]
S0354 Denis Denis can launch a remote shell to execute arbitrary commands on the victim\u2019s machine.[90][21]
S0200 Dipsind Dipsind can spawn remote shells.[4]
S0186 DownPaper DownPaper uses the command line.[91]
G0035 Dragonfly Dragonfly has used various types of scripting to perform operations, including batch scripts.[92]
S0547 DropBook DropBook can execute arbitrary shell commands on the victims' machines.[93][94]
S0567 Dtrack Dtrack has used cmd.exe to add a persistent service.[95]
S0593 ECCENTRICBANDWAGON ECCENTRICBANDWAGON can use cmd to execute commands on a victim\u2019s machine.[96]
S0554 Egregor Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.[97][98]
S0082 Emissary Emissary has the capability to create a remote shell and execute specified commands.[99]
S0367 Emotet Emotet has used cmd.exe to run a PowerShell script. [100]
S0363 Empire Empire has modules for executing scripts.[101]
S0634 EnvyScout EnvyScout can use cmd.exe to execute malicious files on compromised hosts.[102]
S0396 EvilBunny EvilBunny has an integrated scripting engine to download and execute Lua scripts.[103]
S0343 Exaramel for Windows Exaramel for Windows has a command to launch a remote shell and executes commands on the victim\u2019s machine.[104]
S0171 Felismus Felismus uses command line for execution.[105]
S0267 FELIXROOT FELIXROOT executes batch scripts on the victim\u2019s machine, and can launch a reverse shell for command execution.[106][107]
G0051 FIN10 FIN10 has executed malicious .bat files containing PowerShell commands.[108]
G0037 FIN6 FIN6 has used kill.bat script to disable security tools.[109]
G0046 FIN7 FIN7 used the command prompt to launch commands on the victim\u2019s machine.[110][111]
G0061 FIN8 FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities.[112] FIN8 has also executed commands remotely via cmd.[113][114]
S0696 Flagpro Flagpro can use cmd.exe to execute commands received from C2.[115]
G0117 Fox Kitten Fox Kitten has used cmd.exe likely as a password changing mechanism.[116]
G0101 Frankenstein Frankenstein has run a command script to set up persistence as a scheduled task named \"WinUpdate\", as well as other encoded commands from the command-line.[117]
G0093 GALLIUM GALLIUM used the Windows command shell to execute commands.[118]
G0047 Gamaredon Group Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file.[119][120][121][122]
S0249 Gold Dragon Gold Dragon uses cmd.exe to execute commands for discovery.[123]
S0493 GoldenSpy GoldenSpy can execute remote commands via the command-line interface.[124]
S0588 GoldMax GoldMax can spawn a command shell, and execute native commands.[125][126]
S0477 Goopy Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.[21]
G0078 Gorgon Group Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.[127]
S0237 GravityRAT GravityRAT executes commands remotely on the infected host.[128]
S0342 GreyEnergy GreyEnergy uses cmd.exe to execute itself in-memory.[107]
S0632 GrimAgent GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[129]
S0132 H1N1 H1N1 kills and disables services by using cmd.exe.[130]
S0246 HARDRAIN HARDRAIN uses cmd.exe to execute netshcommands.[131]
S0391 HAWKBALL HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.[132]
S0071 hcdLoader hcdLoader provides command-line access to the compromised system.[133]
S0170 Helminth Helminth can provide a remote shell. One version of Helminth uses batch scripting.[134]
S0697 HermeticWiper HermeticWiper can use cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1 CSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1> \\\\127.0.0.1\\ADMIN$\\_1636727589.6007507 2>&1 to deploy on an infected system.[135]
S0698 HermeticWizard HermeticWizard can use cmd.exe for execution on compromised hosts.[135]
S0087 Hi-Zor Hi-Zor has the ability to create a reverse shell.[136]
S0394 HiddenWasp HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution.[137]
G0126 Higaisa Higaisa used cmd.exe for execution.[138][139][140]
S0009 Hikit Hikit has the ability to create a remote shell and run given commands.[141]
S0232 HOMEFRY HOMEFRY uses a command-line interface.[142]
G0072 Honeybee Several commands are supported by the Honeybee's implant via the command-line interface and there\u2019s also a utility to execute any custom command on an infected endpoint.[143] Honeybee used batch scripting.[143]
S0376 HOPLIGHT HOPLIGHT can launch cmd.exe to execute commands on the system.[144]
S0431 HotCroissant HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.[145]
S0070 HTTPBrowser HTTPBrowser is capable of spawning a reverse shell on a victim.[146]
S0068 httpclient httpclient opens cmd.exe on the victim.[2]
G0119 Indrik Spider Indrik Spider has used batch scripts on victim's machines.[147]
S0259 InnaputRAT InnaputRAT launches a shell to execute commands on the victim\u2019s machine.[148]
S0260 InvisiMole InvisiMole can launch a remote shell to execute commands.[149][150]
S0015 Ixeshe Ixeshe is capable of executing commands via cmd.[151]
S0389 JCry JCry has used cmd.exe to launch PowerShell.[152]
S0044 JHUHUGIT JHUHUGIT uses a .bat file to execute a .dll.[13]
S0201 JPIN JPIN can use the command-line utility cacls.exe to change file permissions.[4]
S0283 jRAT jRAT has command line access.[153]
S0088 Kasidet Kasidet can execute commands using cmd.exe.[154]
S0265 Kazuar Kazuar uses cmd.exe to execute commands on the victim\u2019s machine.[155]
G0004 Ke3chang Ke3chang has used batch scripts in its malware to install persistence mechanisms.[156]
S0387 KeyBoy KeyBoy can launch interactive shells for communicating with the victim machine.[157][158]
S0271 KEYMARBLE KEYMARBLE can execute shell commands using cmd.exe.[159]
S0526 KGH_SPY KGH_SPY has the ability to set a Registry key to run a cmd.exe command.[160]
G0094 Kimsuky Kimsuky has executed Windows commands by using cmd and running batch scripts.[161][162]
S0250 Koadic Koadic can open an interactive command-shell to perform command line functions on victim machines. Koadic performs most of its operations using Windows Script Host (Jscript) and to run arbitrary shellcode.[163][164]
S0669 KOCTOPUS KOCTOPUS has used cmd.exe and batch files for execution.[164]
S0156 KOMPROGO KOMPROGO is capable of creating a reverse shell.[165]
S0356 KONNI KONNI has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain.[166][167][168]
G0032 Lazarus Group Lazarus Group malware uses cmd.exe to execute commands on a compromised host.[169][170][171][172][173] A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system.[174]
G0140 LazyScripter LazyScripter has used batch files to deploy open-source and multi-stage RATs.[164]
S0395 LightNeuron LightNeuron is capable of executing commands via cmd.exe.[175]
S0211 Linfo Linfo creates a backdoor through which remote attackers can start a remote shell.[176]
S0681 Lizar Lizar has a command to open the command-line on the infected system.[177][178]
S0447 Lokibot Lokibot has used cmd /c commands embedded within batch scripts.[179]
S0582 LookBack LookBack executes the cmd.exe command.[180]
S0451 LoudMiner LoudMiner used a batch script to run the Linux virtual machine as a service.[181]
S0532 Lucifer Lucifer can issue shell commands to download and execute additional payloads.[182]
G0095 Machete Machete has used batch files to initiate additional downloads of malicious files.[183]
G0059 Magic Hound Magic Hound has used the command-line interface.[184]
S0652 MarkiRAT MarkiRAT can utilize cmd.exe to execute commands in a victim's environment.[185]
S0449 Maze The Maze encryption process has used batch scripts with various commands.[186][187]
S0500 MCMD MCMD can launch a console process (cmd.exe) with redirected standard input and output.[188]
S0459 MechaFlounder MechaFlounder has the ability to run commands on a compromised host.[189]
S0576 MegaCortex MegaCortex has used .cmd scripts on the victim's system.[190]
G0045 menuPass menuPass executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.[191][192][193][194] menuPass has used malicious macros embedded inside Office documents to execute files.[195][194]
S0455 Metamorfo Metamorfo has used cmd.exe /c to execute files.[196]
S0688 Meteor Meteor can run set.bat, update.bat, cache.bat, bcd.bat, msrun.bat, and similar scripts.[197]
S0339 Micropsia Micropsia creates a command-line shell using cmd.exe.[198]
S0280 MirageFox MirageFox has the capability to execute commands using cmd.exe.[199]
S0084 Mis-Type Mis-Type uses cmd.exe to run commands for enumerating the host.[200]
S0083 Misdat Misdat is capable of providing shell functionality to the attacker to execute commands.[200]
S0080 Mivast Mivast has the capability to open a remote shell and run basic commands.[201]
S0553 MoleNet MoleNet can execute commands via the command line utility.[93]
S0149 MoonWind MoonWind can execute commands via an interactive command shell.[202] MoonWind uses batch scripts for various purposes, including to restart and uninstall itself.[202]
S0284 More_eggs More_eggs has used cmd.exe for execution.[203][204]
S0256 Mosquito Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.[205]
G0069 MuddyWater MuddyWater has used a custom tool for creating reverse shells.[206]
S0233 MURKYTOP MURKYTOP uses the command-line interface.[142]
G0129 Mustang Panda Mustang Panda has executed HTA files via cmd.exe, and used batch scripts for collection.[207][208]
S0336 NanoCore NanoCore can open a remote command-line interface and execute commands.[209] NanoCore uses JavaScript files.[210]
S0247 NavRAT NavRAT leverages cmd.exe to perform discovery techniques.[211] NavRAT loads malicious shellcode and executes it in memory.[211]
S0630 Nebulae Nebulae can use CMD to execute a process.[212]
S0034 NETEAGLE NETEAGLE allows adversaries to execute shell commands on the infected host.[34]
S0457 Netwalker Operators deploying Netwalker have used batch scripts to retrieve the Netwalker payload.[213]
S0198 NETWIRE NETWIRE can issue commands using cmd.exe.[214][215]
S0385 njRAT njRAT can launch a command shell interface for executing commands.[216]
G0133 Nomadic Octopus Nomadic Octopus used cmd.exe /c within a malicious macro.[217]
S0346 OceanSalt OceanSalt can create a reverse shell on the infected endpoint using cmd.exe.[218] OceanSalt has been executed via malicious macros.[218]
G0049 OilRig OilRig has used macros to deliver malware such as QUADAGENT and OopsIE.[219][220][221][222][223] OilRig has used batch scripts.[219][220][221][222][223]
S0439 Okrum Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[224]
S0264 OopsIE OopsIE uses the command prompt to execute commands on the victim's machine.[221][225]
G0116 Operation Wocao Operation Wocao has spawned a new cmd.exe process to execute commands.[226]
S0229 Orz Orz can execute shell commands.[227] Orz can execute commands with JavaScript.[227]
S0594 Out1 Out1 can use native command line for execution.[228]
G0040 Patchwork Patchwork ran a reverse shell with Meterpreter.[229] Patchwork used JavaScript code and .SCT files on victim machines.[36][230]
S0643 Peppy Peppy has the ability to execute shell commands.[231]
S0158 PHOREAL PHOREAL is capable of creating reverse shell.[165]
S0124 Pisloader Pisloader uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.[232]
S0254 PLAINTEE PLAINTEE uses cmd.exe to execute commands on the victim\u2019s machine.[233]
S0435 PLEAD PLEAD has the ability to execute shell commands on the compromised host.[234]
S0013 PlugX PlugX allows actors to spawn a reverse shell on a victim.[146][235]
S0428 PoetRAT PoetRAT has called cmd through a Word document macro.[236]
S0012 PoisonIvy PoisonIvy creates a backdoor through which remote attackers can open a command-line interface.[237]
S0453 Pony Pony has used batch scripts to delete itself after execution.[238]
S0139 PowerDuke PowerDuke runs cmd.exe /c and sends the output to its C2.[239]
S0184 POWRUNER POWRUNER can execute commands from its C2 server.[219]
S0238 Proxysvc Proxysvc executes a binary on the system and logs the results into a temp file by using: cmd.exe /c \" > %temp%\\PM* .tmp 2>&1\".[174]
S0147 Pteranodon Pteranodon can use cmd.exe for execution on victim systems.[119][240]
S0650 QakBot QakBot can use cmd.exe to launch itself and to execute multiple C2 commands.[241][242][243]
S0269 QUADAGENT QUADAGENT uses cmd.exe to execute scripts and commands on the victim\u2019s machine.[222]
S0262 QuasarRAT QuasarRAT can launch a remote shell to execute commands on the victim\u2019s machine.[244]
S0481 Ragnar Locker Ragnar Locker has used cmd.exe and batch scripts to execute commands.[245]
S0629 RainyDay RainyDay can use the Windows Command Shell for execution.[212]
G0075 Rancor Rancor has used cmd.exe to execute commmands.[233]
S0241 RATANKBA RATANKBA uses cmd.exe to execute commands.[246][247]
S0662 RCSession RCSession can use cmd.exe for execution on compromised hosts.[64]
S0495 RDAT RDAT has executed commands using cmd.exe /c.[248]
S0153 RedLeaves RedLeaves can receive and execute commands with cmd.exe. It can also provide a reverse shell.[192][249]
S0332 Remcos Remcos can launch a remote command line to execute commands on the victim\u2019s machine.[250]
S0375 Remexi Remexi silently executes received commands with cmd.exe.[251]
S0379 Revenge RAT Revenge RAT uses cmd.exe to execute commands and run scripts on the victim's machine.[252]
S0496 REvil REvil can use the Windows command line to delete volume shadow copies and disable recovery.[253][254][255][256]
S0258 RGDoor RGDoor uses cmd.exe to execute commands on the victim\u2019s machine.[257]
S0448 Rising Sun Rising Sun executed commands using cmd.exe.[258]
S0400 RobbinHood RobbinHood uses cmd.exe on the victim's computer.[259]
S0270 RogueRobin RogueRobin uses Windows Script Components.[260][261]
S0148 RTM RTM uses the command line and rundll32.exe to execute.[262]
S0253 RunningRAT RunningRAT uses a batch file to kill a security program task and then attempts to remove itself.[123]
S0446 Ryuk Ryuk has used cmd.exe to create a Registry entry to establish persistence.[263]
S0074 Sakula Sakula calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. Sakula also has the capability to invoke a reverse shell.[264]
S0370 SamSam SamSam uses custom batch scripts to execute some of its components.[265]
G0034 Sandworm Team Sandworm Team has run the xp_cmdshell command in MS-SQL.[266]
S0461 SDBbot SDBbot has the ability to use the command shell to execute commands on a compromised host.[267]
S0053 SeaDuke SeaDuke is capable of executing commands.[268]
S0345 Seasalt Seasalt uses cmd.exe to create a reverse shell on the infected endpoint.[43]
S0185 SEASHARPEE SEASHARPEE can execute commands on victims.[269]
S0382 ServHelper ServHelper can execute shell commands against cmd.[270][271]
S0639 Seth-Locker Seth-Locker can execute commands via the command line shell.[272]
S0546 SharpStage SharpStage can execute arbitrary commands with the command line.[93][94]
S0444 ShimRat ShimRat can be issued a command shell function from the C2.[273]
S0610 SideTwist SideTwist can execute shell commands on a compromised host.[274]
G0091 Silence Silence has used Windows command-line to run commands.[275][276][277]
S0692 SILENTTRINITY SILENTTRINITY can use cmd.exe to enable lateral movement using DCOM.[278]
S0623 Siloscape Siloscape can run cmd through an IRC channel.[279]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA can open a command line to execute commands.[280]
S0159 SNUGRIDE SNUGRIDE is capable of executing commands and spawning a reverse shell.[249]
G0054 Sowbug Sowbug has used command line during its intrusions.[281]
S0543 Spark Spark can use cmd.exe to run commands.[282]
S0390 SQLRat SQLRat has used SQL to execute JavaScript and VB scripts on the host system.[111]
S0142 StreamEx StreamEx has the ability to remotely execute commands.[283]
G0039 Suckfly Several tools used by Suckfly have been command-line driven.[284]
S0464 SYSCON SYSCON has the ability to execute commands through cmd on a compromised host.[56]
G0092 TA505 TA505 has executed commands using cmd.exe.[285]
G0127 TA551 TA551 has used cmd.exe to execute commands.[286]
S0011 Taidoor Taidoor can copy cmd.exe into the system temp folder.[287]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can enable Windows CLI access and execute files.[288]
S0164 TDTESS TDTESS provides a reverse shell on the victim.[289]
G0139 TeamTNT TeamTNT has used batch scripts to download tools and executing cryptocurrency miners.[290]
S0146 TEXTMATE TEXTMATE executes cmd.exe to provide a reverse shell to adversaries.[291][292]
G0028 Threat Group-1314 Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[293]
G0027 Threat Group-3390 Threat Group-3390 has used command-line interfaces for execution.[61][294]
S0668 TinyTurla TinyTurla has been installed using a .bat file.[295]
S0004 TinyZBot TinyZBot supports execution from the command-line.[296]
S0266 TrickBot TrickBot has used macros in Excel documents to download and deploy the malware on the user\u2019s machine.[297]
S0094 Trojan.Karagany Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process.[298]
G0081 Tropic Trooper Tropic Trooper has used Windows command scripts.[299]
S0436 TSCookie TSCookie has the ability to execute shell commands on the infected host.[300]
S0647 Turian Turian can create a remote shell and execute commands using cmd.[301]
G0010 Turla Turla RPC backdoors have used cmd.exe to execute commands.[302][303]
S0199 TURNEDUP TURNEDUP is capable of creating a reverse shell.[304]
S0263 TYPEFRAME TYPEFRAME can uninstall malware components using a batch script.[305] TYPEFRAME can execute commands using a shell.[305]
S0333 UBoatRAT UBoatRAT can start a command shell.[306]
S0221 Umbreon Umbreon provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet[307]
G0118 UNC2452 UNC2452 used cmd.exe to execute commands on remote machines.[17][18]
S0275 UPPERCUT UPPERCUT uses cmd.exe to execute commands on the victim\u2019s machine.[194]
S0452 USBferry USBferry can execute various Windows commands.[299]
S0180 Volgmer Volgmer can execute commands on the victim's machine.[308][309]
S0670 WarzoneRAT WarzoneRAT can use cmd.exe to execute malicious code.[310]
S0612 WastedLocker WastedLocker has used cmd to execute commands on the system.[311]
S0109 WEBC2 WEBC2 can open an interactive command shell.[9]
S0514 WellMess WellMess can execute command line scripts received from C2.[312]
S0689 WhisperGate WhisperGate can use cmd.exe to execute commands.[313]
S0206 Wiarp Wiarp creates a backdoor through which remote attackers can open a command line interface.[314]
G0102 Wizard Spider Wizard Spider has used cmd.exe to execute commands on a victim's machine.[315]
S0653 xCaon xCaon has a command to start an interactive shell.[52]
S0117 XTunnel XTunnel has been used to execute remote commands.[316]
S0251 Zebrocy Zebrocy uses cmd.exe to execute commands on the system.[317][318]
S0330 Zeus Panda Zeus Panda can launch an interface where it can execute several commands on the victim\u2019s PC.[319]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to open a Windows Command Shell on a remote host.[320]
S0086 ZLib ZLib has the ability to execute shell commands.[200]
S0350 zwShell zwShell can launch command-line shells.[321]
S0412 ZxShell ZxShell can launch a reverse command shell.[25][322][323]

Mitigations

ID Mitigation Description
M1038 Execution Prevention Use application control where appropriate.

Detection

Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

\n

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

References

1. Microsoft. (2020, May 19). Tutorial: SSH in Windows Terminal. Retrieved July 26, 2021.

2. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.

3. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

4. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

5. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.

6. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.

7. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

8. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.

9. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

10. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.

11. Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.

12. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.

13. Mercer, W., et al. (2017, October 22). \"Cyber Conflict\" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.

14. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

15. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.

16. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm\u2019s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.

17. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.

18. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.

19. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.

20. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.

21. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.

22. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.

23. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.

24. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.

25. Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.

26. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.

27. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.

28. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.

29. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.

30. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.

31. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.

32. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.

33. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.

34. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.

35. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.

36. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.

37. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.

38. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.

39. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.

40. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.

41. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

42. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.

43. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

44. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.

45. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

46. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.

47. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.

48. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.

49. US-CERT. (2020, August 19). MAR-10295134-1.v1 \u2013 North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.

50. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.

51. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.

52. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

53. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

54. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.

55. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.

56. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.

57. ClearSky Cyber Security. (2021, January). \u201cLebanese Cedar\u201d APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.

58. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.

59. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

60. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

61. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.

62. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.

63. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.

64. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

65. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.

66. Microsoft. (n.d.). Cmd. Retrieved April 18, 2016.

67. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.

68. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.

69. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.

70. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.

71. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.

72. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.

73. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.

74. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.

75. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

76. Yadav, A., et al. (2017, August 31). Cobian RAT \u2013 A backdoored RAT. Retrieved November 13, 2018.

77. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.

78. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.

79. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

80. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.

81. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.

82. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

83. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.

84. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.

85. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.

86. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.

87. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

88. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER\u2019s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.

89. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.

90. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.

91. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.

92. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.

93. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.

94. Ilascu, I. (2020, December 14). Hacking group\u2019s new malware abuses Google and Facebook services. Retrieved December 28, 2020.

95. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.

96. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.

97. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.

98. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.

99. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.

100. \u00d6zarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.

101. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

102. MSTIC. (2021, May 28). Breaking down NOBELIUM\u2019s latest early-stage toolset. Retrieved August 4, 2021.

103. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

104. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.

105. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.

106. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.

107. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

108. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.

109. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.

110. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.

111. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.

112. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

113. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.

114. Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.

115. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.

116. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.

117. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.

118. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.

119. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.

120. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.

121. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.

122. Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.

123. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims\u2019 Systems. Retrieved June 6, 2018.

124. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.

125. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

126. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

127. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.

128. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

129. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.

130. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities \u2013 part 2. Retrieved September 26, 2016.

131. US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.

132. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.

133. Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.

134. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.

135. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.

136. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.

137. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.

138. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

139. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

140. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.

141. Glyer, C., Kazanciyan, R. (2012, August 22). The \u201cHikit\u201d Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.

142. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.

143. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.

144. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

145. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.

146. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.

147. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.

148. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.

149. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

150. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

151. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.

152. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.

153. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.

154. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.

155. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.

156. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.

157. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.

158. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.

159. US-CERT. (2018, August 09). MAR-10135536-17 \u2013 North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.

160. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

161. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

162. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

163. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.

164. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

165. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

166. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.

167. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.

168. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

169. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.

170. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.

171. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.

172. US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018.

173. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.

174. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

175. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.

176. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.

177. Seals, T.. (2021, May 14). FIN7 Backdoor Masquerades as Ethical Hacking Tool. Retrieved February 2, 2022.

178. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker\u2019s toolkit. Retrieved February 2, 2022.

179. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.

180. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.

181. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.

182. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.

183. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries \u2014 HpReact campaign. Retrieved November 20, 2020.

184. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.

185. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

186. Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.

187. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.

188. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.

189. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.

190. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.

191. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.

192. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.

193. Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017.

194. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

195. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.

196. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

197. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.

198. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.

199. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.

200. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.

201. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.

202. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

203. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.

204. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.

205. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.

206. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.

207. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.

208. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.

209. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.

210. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.

211. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.

212. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

213. Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.

214. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.

215. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.

216. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: \"njRAT\" Uncovered. Retrieved June 4, 2019.

217. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.

218. Sherstobitoff, R., Malhotra, A. (2018, October 18). \u2018Operation Oceansalt\u2019 Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.

219. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.

220. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.

221. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.

222. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.

223. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig\u2019s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.

224. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

225. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.

226. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

227. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.

228. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

229. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.

230. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.

231. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

232. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.

233. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.

234. Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.

235. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.

236. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.

237. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.

238. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.

239. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

240. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.

241. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.

242. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.

243. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

244. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.

245. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.

246. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.

247. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.

248. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

249. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

250. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.

251. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.

252. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.

253. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.

254. Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.

255. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.

256. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.

257. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.

258. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.

259. Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019.

260. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.

261. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.

262. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

263. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.

264. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.

265. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.

266. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.

267. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.

268. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.

269. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.

270. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

271. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.

272. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.

273. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

274. Check Point. (2021, April 8). Iran\u2019s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.

275. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.

276. GReAT. (2017, November 1). Silence \u2013 a new Trojan attacking financial organizations. Retrieved May 24, 2019.

277. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.

278. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

279. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.

280. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

281. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.

282. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.

283. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV\u2019s Radar. Retrieved February 15, 2017.

284. DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016.

285. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group\u2019s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.

286. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.

287. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

288. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

289. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.

290. AT&T; Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.

291. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.

292. Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.

293. Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.

294. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.

295. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

296. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.

297. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.

298. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.

299. Chen, J.. (2020, May 12). Tropic Trooper\u2019s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.

300. Tomonaga, S.. (2018, March 6). Malware \u201cTSCookie\u201d. Retrieved May 6, 2020.

301. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

302. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.

303. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.

304. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.

305. US-CERT. (2018, June 14). MAR-10135536-12 \u2013 North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

306. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.

307. Fernando Merc\u00eas. (2016, September 5). Pok\u00e9mon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018.

308. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA \u2013 North Korean Trojan: Volgmer. Retrieved December 7, 2017.

309. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

310. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.

311. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.

312. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.

313. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.

314. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.

315. The DFIR Report. (2020, October 8). Ryuk\u2019s Return. Retrieved October 9, 2020.

316. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.

317. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.

318. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

319. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

320. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

321. McAfee\u00ae Foundstone\u00ae Professional Services and McAfee Labs\u2122. (2011, February 10). Global Energy Cyberattacks: \u201cNight Dragon\u201d. Retrieved February 19, 2018.

322. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.

323. Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION\u2019s Toolbox. Retrieved September 24, 2019.


Original source: T1059.003 - Command and Scripting Interpreter: Windows Command Shell
", "external_references": [ { "source_name": "mitre-attack (T1059.003)", "url": "https://attack.mitre.org/techniques/T1059/003" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--0a6ddb65-57cf-4821-9d01-920a3e7ee9b7", "created": "2022-11-08T14:37:13.759425Z", "modified": "2022-11-08T14:37:13.759425Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3", "created": "2021-05-26T17:50:55.858569Z", "modified": "2022-05-30T23:39:05.126049Z", "name": "T1583.001 - Acquire Infrastructure: Domains", "description": "

T1583.001 - Acquire Infrastructure: Domains

Adversaries may purchase domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

\n

Adversaries can use purchased domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[1] Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).[2][3] Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries can also use internationalized domain names (IDNs) to create visually similar lookalike domains for use in operations.[4]

\n

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.[5]

Other sub-techniques of User Execution (6)

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services

Procedure Examples

ID Name Description
G0006 APT1 APT1 has registered hundreds of domains for use in operations.[5]
G0007 APT28 APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[2][6][7]
G0016 APT29 APT29 has acquired C2 domains, sometimes through resellers.[8][9][10]
G0050 APT32 APT32 has set up and operated websites to gather information and deliver malware.[11]
G0035 Dragonfly Dragonfly has registered domains for targeting intended victims.[12]
G0137 Ferocious Kitten Ferocious Kitten has acquired domains imitating legitimate sites.[13]
G0046 FIN7 FIN7 has registered look-alike domains for use in phishing campaigns.[14]
G0047 Gamaredon Group Gamaredon Group has registered multiple domains to facilitate payload staging and C2.[15][16]
G0136 IndigoZebra IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[17]
G0094 Kimsuky Kimsuky has registered domains to spoof targeted organizations and trusted third parties.[18][19][20][21][22][23]
G0032 Lazarus Group Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.[24][25][26]
G0140 LazyScripter LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[27]
G0065 Leviathan Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. [28][29]
G0059 Magic Hound Magic Hound has registered fraudulent domains such as \"mail-newyorker.com\" and \"news12.com.recover-session-service.site\" to target specific victims with phishing attacks.[30]
G0045 menuPass menuPass has registered malicious domains for use in intrusion campaigns.[31][32]
G0129 Mustang Panda Mustang Panda have acquired C2 domains prior to operations.[33][34][35]
G0034 Sandworm Team Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.[36]
G0122 Silent Librarian Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.[37][38][39][40][41][42]
G0139 TeamTNT TeamTNT has obtained domains to host their payloads.[43]
G0134 Transparent Tribe Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[44][45]
G0118 UNC2452 UNC2452 has acquired C2 domains through resellers.[8][9]
G0044 Winnti Group Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[46]
G0128 ZIRCONIUM ZIRCONIUM has purchased domains for use in targeted campaigns.[47]

Mitigations

ID Mitigation Description
M1056 Pre-compromise Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[48]

\n

Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

References

1. CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.

2. FireEye. (2015). APT28: A WINDOW INTO RUSSIA\u2019S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.

3. Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.

4. CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.

5. Mandiant. (n.d.). APT1 Exposing One of China\u2019s Cyber Espionage Units. Retrieved July 18, 2016.

6. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.

7. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.

8. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

9. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

10. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

11. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

12. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.

13. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.

14. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels\u2019 Owner, Brown-Forman Inc.. Retrieved September 20, 2021.

15. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.

16. Unit 42. (2022, February 3). Russia\u2019s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.

17. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

18. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.

19. Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020.

20. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

21. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

22. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

23. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.

24. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

25. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.

26. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.

27. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

28. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory \u2013 Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China\u2019s MSS Hainan State Security Department.. Retrieved August 12, 2021.

29. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.

30. Certfa Labs. (2021, January 8). Charming Kitten\u2019s Christmas Gift. Retrieved May 3, 2021.

31. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.

32. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.

33. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.

34. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP \u2018REDDELTA\u2019 TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.

35. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.

36. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.

37. DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.

38. Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.

39. Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.

40. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.

41. Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School\u2026Again. Retrieved February 3, 2021.

42. Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.

43. Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.

44. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.

45. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.

46. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.

47. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.

48. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.


Original source: T1583.001 - Acquire Infrastructure: Domains
", "external_references": [ { "source_name": "Mandiant APT1", "url": "https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" }, { "source_name": "CISA IDN ST05-016", "url": "https://us-cert.cisa.gov/ncas/tips/ST05-016" }, { "source_name": "PaypalScam", "url": "https://www.zdnet.com/article/paypal-alert-beware-the-paypai-scam-5000109103/" }, { "source_name": "FireEye APT28", "url": "https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" }, { "source_name": "CISA MSS Sep 2020", "url": "https://us-cert.cisa.gov/ncas/alerts/aa20-258a" }, { "source_name": "capec (CAPEC-630)", "url": "https://capec.mitre.org/data/definitions/630.html" }, { "source_name": "mitre-attack (T1583.001)", "url": "https://attack.mitre.org/techniques/T1583/001" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--539c9e81-91fd-4628-be36-f41a7ed25533", "created": "2022-11-08T14:37:13.764859Z", "modified": "2022-11-08T14:37:13.764859Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--40f5caa0-4cb7-4117-89fc-d421bb493df3" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54", "created": "2021-05-26T17:51:22.284793Z", "modified": "2022-05-30T23:39:26.798925Z", "name": "T1583.006 - Acquire Infrastructure: Web Services", "description": "

T1583.006 - Acquire Infrastructure: Web Services

Adversaries may register for web services\u00a0that can be used during targeting. A variety of popular websites exist for adversaries to register for a web-based service that can be abused during later stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. By utilizing a web service, adversaries can make it difficult to physically tie back operations to them.

Other sub-techniques of User Execution (6)

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services

Procedure Examples

ID Name Description
G0025 APT17 APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.[1]
G0007 APT28 APT28 has used newly-created Blogspot pages for credential harvesting operations.[2]
G0016 APT29 APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware, such as HAMMERTOSS.[3][4]
G0050 APT32 APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.[5]
G0142 Confucius Confucius has obtained cloud storage service accounts to host stolen data.[6]
G0125 HAFNIUM HAFNIUM has acquired web services for use in C2 and exfiltration.[7]
G0136 IndigoZebra IndigoZebra created Dropbox accounts for their operations.[8][9]
G0094 Kimsuky Kimsuky has hosted content used for targeting efforts via web services such as Blogspot.[10]
G0032 Lazarus Group Lazarus Group has hosted malicious downloads on Github and Dropbox.[11][12]
G0140 LazyScripter LazyScripter has established GitHub accounts to host its toolsets.[13]
G0059 Magic Hound Magic Hound has acquired Amazon S3 buckets to use in C2.[14]
G0069 MuddyWater MuddyWater has used file sharing services including OneHub to distribute tools.[15][16]
G0010 Turla Turla has created web accounts including Dropbox and GitHub for C2 and document exfiltration.[17]
G0128 ZIRCONIUM ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.[18][19]

Mitigations

ID Mitigation Description
M1056 Pre-compromise This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Once adversaries leverage the web service as infrastructure (ex: for command and control), it may be possible to look for unique characteristics associated with adversary software, if known.[20]

\n

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Command and Control (Web Service) or Exfiltration Over Web Service.

References

1. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.

2. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.

3. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.

4. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.

5. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.

6. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.

7. MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.

8. Lakshmanan, R.. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.

9. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.

10. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.

11. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea\u2019s Cryptocurrency Malware. Retrieved March 1, 2021.

12. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

13. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.

14. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.

15. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.

16. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala \u2013 MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.

17. Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.

18. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

19. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.

20. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.


Original source: T1583.006 - Acquire Infrastructure: Web Services
", "external_references": [ { "source_name": "mitre-attack (T1583.006)", "url": "https://attack.mitre.org/techniques/T1583/006" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--36a0e4fe-47d4-4a45-8759-3074f180f026", "created": "2022-11-08T14:37:13.769732Z", "modified": "2022-11-08T14:37:13.769732Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--88d31120-5bc7-4ce3-a9c0-7cf147be8e54" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a", "created": "2021-05-26T17:54:01.860168Z", "modified": "2022-05-30T23:35:47.624763Z", "name": "T1598 - Phishing For Information", "description": "

T1598 - Phishing For Information

Adversaries may send phishing messages to elicit sensitive information that can be used during targeting. Phishing for information is an attempt to trick targets into divulging information, frequently credentials or other actionable information. Phishing for information is different from Phishing in that the objective is gathering data from the victim rather than executing malicious code.

\n

All forms of phishing are electronically delivered social engineering. Phishing can be targeted, known as spearphishing. In spearphishing, a specific individual, company, or industry will be targeted by the adversary. More generally, adversaries can conduct non-targeted phishing, such as in mass credential harvesting campaigns.

\n

Adversaries may also try to obtain information directly through the exchange of emails, instant messages, or other electronic conversation means.[1][2][3][4][5] Phishing for information frequently involves social engineering techniques, such as posing as a source with a reason to collect information (ex: Establish Accounts or Compromise Accounts) and/or sending multiple, seemingly urgent messages.

Sub-techniques (3)

ID Name
T1598.001 Spearphishing Service
T1598.002 Spearphishing Attachment
T1598.003 Spearphishing Link

Procedure Examples

ID Name Description
G0007 APT28 APT28 has used spearphishing to compromise credentials.[6][7]
G0128 ZIRCONIUM ZIRCONIUM targeted presidential campaign staffers with credential phishing e-mails.[8]

Mitigations

ID Mitigation Description
M1054 Software Configuration Use anti-spoofing and email authentication mechanisms to filter messages based on validity checks of the sender domain (using SPF) and integrity of messages (using DKIM). Enabling these mechanisms within an organization (through policies such as DMARC) may enable recipients (intra-org and cross domain) to perform similar message filtering and validation.[9][10]
M1017 User Training Users can be trained to identify social engineering techniques and spearphishing attempts.

Detection

Depending on the specific method of phishing, the detections can vary. Monitor for suspicious email activity, such as numerous accounts receiving messages from a single unusual/unknown sender. Filtering based on DKIM+SPF or header analysis can help detect when the email sender is spoofed.[9][10]

\n

When it comes to following links, monitor for references to uncategorized or known-bad sites. URL inspection within email (including expanding shortened links) can also help detect links leading to known malicious sites.

\n

Monitor social media traffic for suspicious activity, including messages requesting information as well as abnormal file or data transfers (especially those involving unknown, or otherwise suspicious accounts).

References

1. O'Donnell, L. (2020, October 20). Facebook: A Top Launching Pad For Phishing Attacks. Retrieved October 20, 2020.

2. Babon, P. (2020, September 3). Tricky 'Forms' of Phishing. Retrieved October 20, 2020.

3. Kan, M. (2019, October 24). Hackers Try to Phish United Nations Staffers With Fake Login Pages. Retrieved October 20, 2020.

4. Ducklin, P. (2020, October 2). Serious Security: Phishing without links \u2013 when phishers bring along their own web pages. Retrieved October 20, 2020.

5. Ryan Hanson. (2016, September 24). phishery. Retrieved October 23, 2020.

6. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.

7. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.

8. Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.

9. Microsoft. (2020, October 13). Anti-spoofing protection in EOP. Retrieved October 19, 2020.

10. Australian Cyber Security Centre. (2012, December). Mitigating Spoofed Emails Using Sender Policy Framework. Retrieved October 19, 2020.


Original source: T1598 - Phishing For Information
", "external_references": [ { "source_name": "ACSC Email Spoofing", "url": "https://www.cyber.gov.au/sites/default/files/2019-03/spoof_email_sender_policy_framework.pdf" }, { "source_name": "Microsoft Anti Spoofing", "url": "https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/anti-spoofing-protection?view=o365-worldwide" }, { "source_name": "GitHub Phishery", "url": "https://github.com/ryhanson/phishery" }, { "source_name": "Sophos Attachment", "url": "https://nakedsecurity.sophos.com/2020/10/02/serious-security-phishing-without-links-when-phishers-bring-along-their-own-web-pages/" }, { "source_name": "PCMag FakeLogin", "url": "https://www.pcmag.com/news/hackers-try-to-phish-united-nations-staffers-with-fake-login-pages" }, { "source_name": "TrendMictro Phishing", "url": "https://www.trendmicro.com/en_us/research/20/i/tricky-forms-of-phishing.html" }, { "source_name": "ThreatPost Social Media Phishing", "url": "https://threatpost.com/facebook-launching-pad-phishing-attacks/160351/" }, { "source_name": "mitre-attack (T1598)", "url": "https://attack.mitre.org/techniques/T1598" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--59f87480-e0a7-4057-9801-e7a494a9f25a", "created": "2022-11-08T14:37:13.774946Z", "modified": "2022-11-08T14:37:13.774946Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--cca0ccb6-a068-4574-a722-b1556f86833a" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839", "created": "2021-05-26T17:58:21.19111Z", "modified": "2022-05-30T23:36:24.465915Z", "name": "T1068 - Exploitation For Privilege Escalation", "description": "

T1068 - Exploitation For Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges. Exploitation of a software vulnerability occurs when an adversary takes advantage of a programming error in a program, service, or within the operating system software or kernel itself to execute adversary-controlled code. Security constructs such as permission levels will often hinder access to information and use of certain techniques, so adversaries will likely need to perform privilege escalation to include use of software exploitation to circumvent those restrictions.

\n

When initially gaining access to a system, an adversary may be operating within a lower privileged process which will prevent them from accessing certain resources on the system. Vulnerabilities may exist, usually in operating system components and software commonly running at higher permissions, that can be exploited to gain higher levels of access on the system. This could enable someone to move from unprivileged or user level permissions to SYSTEM or root permissions depending on the component that is vulnerable. This could also enable an adversary to move from a virtualized environment, such as within a virtual machine or container, onto the underlying host. This may be a necessary step for an adversary compromising an endpoint system that has been properly configured and limits other privilege escalation methods.

\n

Adversaries may bring a signed vulnerable driver onto a compromised machine so that they can exploit the vulnerability to execute code in kernel mode. This process is sometimes referred to as Bring Your Own Vulnerable Driver (BYOVD).[1][2] Adversaries may include the vulnerable driver with files delivered during Initial Access or download it to a compromised system via Ingress Tool Transfer or Lateral Tool Transfer.

Procedure Examples

ID Name Description
G0007 APT28 APT28 has exploited CVE-2014-4076, CVE-2015-2387, CVE-2015-1701, CVE-2017-0263 to escalate privileges.[3][4][5]
G0016 APT29 APT29 has exploited CVE-2021-36934 to escalate privileges on a compromised host.[6]
G0050 APT32 APT32 has used CVE-2016-7255 to escalate privileges.[7]
G0064 APT33 APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[8]
S0484 Carberp Carberp has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation.[9][10]
G0080 Cobalt Group Cobalt Group has used exploits to increase their levels of rights and privileges.[11]
S0154 Cobalt Strike Cobalt Strike can exploit vulnerabilities such as MS14-058.[12][13]
S0050 CosmicDuke CosmicDuke attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398.[14]
S0363 Empire Empire can exploit vulnerabilities such as MS16-032 and MS16-135.[15]
G0037 FIN6 FIN6 has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges.[16]
G0061 FIN8 FIN8 has exploited the CVE-2016-0167 local vulnerability.[17][18]
S0601 Hildegard Hildegard has used the BOtB tool which exploits CVE-2019-5736.[19]
S0260 InvisiMole InvisiMole has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges.[1]
S0044 JHUHUGIT JHUHUGIT has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges.[20][21]
S0664 Pandora Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.[22]
G0068 PLATINUM PLATINUM has leveraged a zero-day vulnerability to escalate privileges.[23]
S0378 PoshC2 PoshC2 contains modules for local privilege escalation exploits such as CVE-2016-9192 and CVE-2016-0099.[24]
S0654 ProLock ProLock can use CVE-2019-0859 to escalate privileges on a compromised host.[25]
S0125 Remsec Remsec has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges.[26]
S0623 Siloscape Siloscape has leveraged a vulnerability in Windows containers to perform an Escape to Host.[27]
S0603 Stuxnet Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines.[28]
G0027 Threat Group-3390 Threat Group-3390 has used CVE-2014-6324 and CVE-2017-0213 to escalate privileges.[29][30]
G0131 Tonto Team Tonto Team has exploited CVE-2019-0803 and MS16-032 to escalate privileges.[31]
G0010 Turla Turla has exploited vulnerabilities in the VBoxDrv.sys driver to obtain kernel mode privileges.[2]
G0107 Whitefly Whitefly has used an open-source tool to exploit a known Windows privilege escalation vulnerability (CVE-2016-0051) on unpatched computers.[32]
S0176 Wingbird Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges.[33]
S0658 XCSSET XCSSET has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP.[34]
G0128 ZIRCONIUM ZIRCONIUM has exploited CVE-2017-0005 for local privilege escalation.[35]
S0672 Zox Zox has the ability to leverage local and remote exploits to escalate privileges.[36]

Mitigations

ID Mitigation Description
M1048 Application Isolation and Sandboxing Make it difficult for adversaries to advance their operation through exploitation of undiscovered or unpatched vulnerabilities by using sandboxing. Other types of virtualization and application microsegmentation may also mitigate the impact of some types of exploitation. Risks of additional exploits and weaknesses in these systems may still exist. [37]
M1038 Execution Prevention Consider blocking the execution of known vulnerable drivers that adversaries may exploit to execute code in kernel mode. Validate driver block rules in audit mode to ensure stability prior to production deployment.[38]
M1050 Exploit Protection Security applications that look for behavior used during exploitation such as Windows Defender Exploit Guard (WDEG) and the Enhanced Mitigation Experience Toolkit (EMET) can be used to mitigate some exploitation behavior. [39] Control flow integrity checking is another way to potentially identify and stop a software exploit from occurring. [40] Many of these protections depend on the architecture and target application binary for compatibility and may not work for software components targeted for privilege escalation.
M1019 Threat Intelligence Program Develop a robust cyber threat intelligence capability to determine what types and levels of threat may use software exploits and 0-days against a particular organization.
M1051 Update Software Update software regularly by employing patch management for internal enterprise endpoints and servers.

Detection

Detecting software exploitation may be difficult depending on the tools available. Software exploits may not always succeed or may cause the exploited process to become unstable or crash. Also look for behavior on the endpoint system that might indicate successful compromise, such as abnormal behavior of the processes. This could include suspicious files written to disk, evidence of Process Injection for attempts to hide execution or evidence of Discovery. Consider monitoring for the presence or loading (ex: Sysmon Event ID 6) of known vulnerable drivers that adversaries may drop and exploit to execute code in kernel mode.[38]

\n

Higher privileges are often necessary to perform additional actions such as some methods of OS Credential Dumping. Look for additional activity that may indicate an adversary has gained higher privileges.

References

1. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

2. Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.

3. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.

4. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.

5. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.

6. ESET. (2022, February). THREAT REPORT T3 2021. Retrieved February 10, 2022.

7. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

8. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.

9. Matrosov, A., Rodionov, E., Volkov, D., Harley, D. (2012, March 2). Win32/Carberp When You\u2019re in a Black Hole, Stop Digging. Retrieved July 15, 2020.

10. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.

11. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.

12. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.

13. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.

14. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.

15. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.

16. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.

17. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.

18. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.

19. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

20. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.

21. ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017.

22. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.

23. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.

24. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.

25. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.

26. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.

27. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.

28. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

29. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.

30. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.

31. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.

32. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.

33. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.

34. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.

35. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian \u2013 How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.

36. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.

37. Goodin, D. (2017, March 17). Virtual machine escape fetches $105,000 at Pwn2Own hacking contest - updated. Retrieved March 12, 2018.

38. Microsoft. (2020, October 15). Microsoft recommended driver block rules. Retrieved March 16, 2021.

39. Nunez, N. (2017, August 9). Moving Beyond EMET II \u2013 Windows Defender Exploit Guard. Retrieved March 12, 2018.

40. Wikipedia. (2018, January 11). Control-flow integrity. Retrieved March 12, 2018.


Original source: T1068 - Exploitation For Privilege Escalation
", "external_references": [ { "source_name": "Microsoft Driver Block Rules", "url": "https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules" }, { "source_name": "Unit42 AcidBox June 2020", "url": "https://unit42.paloaltonetworks.com/acidbox-rare-malware/" }, { "source_name": "ESET InvisiMole June 2020", "url": "https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" }, { "source_name": "mitre-attack (T1068)", "url": "https://attack.mitre.org/techniques/T1068" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--f1017cfe-cf3b-4e83-b064-8441013fadc3", "created": "2022-11-08T14:37:13.78025Z", "modified": "2022-11-08T14:37:13.78025Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--b21c3b2d-02e6-45b1-980b-e69051040839" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077", "created": "2021-05-26T17:59:19.361668Z", "modified": "2022-05-30T23:36:29.981439Z", "name": "T1124 - System Time Discovery", "description": "

T1124 - System Time Discovery

An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network. [1] [2]

\n

System time information may be gathered in a number of ways, such as with Net on Windows by performing net time \\hostname to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using w32tm /tz. [2]

\n

This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job [3], or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.[4]

Procedure Examples

ID Name Description
S0331 Agent Tesla Agent Tesla can collect the timestamp from the victim\u2019s machine.[5]
S0622 AppleSeed AppleSeed can pull a timestamp from the victim's machine.[6]
S0373 Astaroth Astaroth collects the timestamp from the infected machine. [7]
S0344 Azorult Azorult can collect the time zone information from the system.[8][9]
S0534 Bazar Bazar can collect the time on the compromised host.[10][11]
S0574 BendyBear BendyBear has the ability to determine local time on a compromised host.[12]
S0268 Bisonal Bisonal can check the system time set on the infected host.[13]
S0657 BLUELIGHT BLUELIGHT can collect the local time on a compromised host.[14]
G0060 BRONZE BUTLER BRONZE BUTLER has used net time to check the local time on a target system.[15]
S0471 build_downer build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.[16]
S0351 Cannon Cannon can collect the current time zone information from the victim\u2019s machine.[17]
S0335 Carbon Carbon uses the command net time \\127.0.0.1 to get information the system\u2019s time.[18]
G0114 Chimera Chimera has used time /t and net time \\ip/hostname for system time discovery.[19]
S0660 Clambling Clambling can determine the current time.[20]
S0126 ComRAT ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).[21]
S0608 Conficker Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.[22][23]
S0115 Crimson Crimson has the ability to determine the date and time on a compromised host.[24]
G0012 Darkhotel Darkhotel malware can obtain system time from a compromised host.[25]
S0673 DarkWatchman DarkWatchman can collect the time zone information from the system.[26]
S0694 DRATzarus DRATzarus can use the GetTickCount and GetSystemTimeAsFileTime API calls to inspect system time.[27]
S0554 Egregor Egregor contains functionality to query the local/system time.[28]
S0091 Epic Epic uses the net time command to get the system time from the machine and collect the current date and time zone information.[29]
S0396 EvilBunny EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.[30]
S0267 FELIXROOT FELIXROOT gathers the time zone information from the victim\u2019s machine.[31]
S0588 GoldMax GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.[32][33]
S0531 Grandoreiro Grandoreiro can determine the time on the victim machine via IPinfo.[34]
S0237 GravityRAT GravityRAT can obtain the date and time of a system.[35]
S0690 Green Lambert Green Lambert can collect the date and time from a compromised host.[36][37]
S0417 GRIFFON GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[38]
G0126 Higaisa Higaisa used a function to gather the current time.[39]
S0376 HOPLIGHT HOPLIGHT has been observed collecting system time from victim machines.[40]
S0260 InvisiMole InvisiMole gathers the local system time from the victim\u2019s machine.[41][42]
G0032 Lazarus Group A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.[43]
S0455 Metamorfo Metamorfo uses JavaScript to get the system time.[44]
S0149 MoonWind MoonWind obtains the victim's current time.[45]
S0039 Net The net time command can be used in Net to determine the local or remote system time.[46]
S0353 NOKKI NOKKI can collect the current timestamp of the victim's machine.[47]
S0439 Okrum Okrum can obtain the date and time of the compromised system.[48]
S0264 OopsIE OopsIE checks to see if the system is configured with \"Daylight\" time and checks for a specific region to be set for the timezone.[49]
G0116 Operation Wocao Operation Wocao has used the time command to retrieve the current time of a compromised system.[50]
S0501 PipeMon PipeMon can send time zone information from a compromised host to C2.[51]
S0139 PowerDuke PowerDuke has commands to get the time the machine was built, the time, and the time zone.[52]
S0238 Proxysvc As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.[43]
S0650 QakBot QakBot can identify the system time on a targeted host.[53]
S0148 RTM RTM can obtain the victim time zone.[54]
S0596 ShadowPad ShadowPad has collected the current date and time of the victim system.[55]
S0140 Shamoon Shamoon obtains the system time and will only activate if it is greater than a preset date.[56][57]
S0450 SHARPSTATS SHARPSTATS has the ability to identify the current date and time on the compromised host.[58]
G0121 Sidewinder Sidewinder has used tools to obtain the current system time.[59]
S0692 SILENTTRINITY SILENTTRINITY can collect start time information from a compromised host.[60]
S0615 SombRAT SombRAT can execute getinfo to discover the current time on a compromised host.[61][62]
S0380 StoneDrill StoneDrill can obtain the current date and time of the victim machine.[63]
S0603 Stuxnet Stuxnet collects the time and date of a system when it is infected.[64]
S0098 T9000 T9000 gathers and beacons the system time during installation.[65]
S0011 Taidoor Taidoor can use GetLocalTime and GetSystemTime to collect system time.[66]
S0586 TAINTEDSCRIBE TAINTEDSCRIBE can execute GetLocalTime for time discovery.[67]
S0467 TajMahal TajMahal has the ability to determine local time on a compromised host.[68]
G0089 The White Company The White Company has checked the current date on the victim system.[69]
S0678 Torisma Torisma can collect the current time on a victim machine.[70]
G0010 Turla Turla surveys a system upon check-in to discover the system time by using the net time command.[29]
S0275 UPPERCUT UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim\u2019s machine.[71]
S0466 WindTail WindTail has the ability to generate the current date and time.[72]
S0251 Zebrocy Zebrocy gathers the current time zone and date information from the system.[73][74]
S0330 Zeus Panda Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.[75]
G0128 ZIRCONIUM ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.[76]

Mitigations

Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time.\n\nIdentify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software.

References

1. Microsoft. (n.d.). System Time. Retrieved November 25, 2016.

2. Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.

3. Rivner, U., Schwartz, E. (2012). They\u2019re Inside\u2026 Now What?. Retrieved November 25, 2016.

4. Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.

5. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.

6. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.

7. Doaty, J., Garrett, P.. (2018, September 10). We\u2019re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.

8. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.

9. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.

10. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

11. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.

12. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.

13. Zykov, K. (2020, August 13). CactusPete APT group\u2019s updated Bisonal backdoor. Retrieved May 5, 2021.

14. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.

15. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.

16. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

17. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New \u2018Cannon\u2019 Trojan. Retrieved November 26, 2018.

18. GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.

19. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.

20. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

21. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.

22. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.

23. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.

24. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.

25. Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.

26. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.

27. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.

28. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.

29. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.

30. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.

31. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

32. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

33. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.

34. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.

35. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.

36. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

37. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK.; Retrieved March 21, 2022.

38. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig \u201cFIN7\u201d continues its activities. Retrieved October 11, 2019.

39. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

40. US-CERT. (2019, April 10). MAR-10135536-8 \u2013 North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.

41. Hromcov\u00e1, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.

42. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

43. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.

44. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.

45. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.

46. Microsoft. (n.d.). Net time. Retrieved November 25, 2016.

47. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.

48. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

49. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.

50. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China\u2019s hidden hacking groups. Retrieved October 8, 2020.

51. Tartare, M. et al. (2020, May 21). No \u201cGame over\u201d for the Winnti Group. Retrieved August 24, 2020.

52. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.

53. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.

54. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.

55. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.

56. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

57. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.

58. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.

59. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.

60. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.

61. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.

62. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.

63. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.

64. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.

65. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

66. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 \u2013 Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.

67. USG. (2020, May 12). MAR-10288834-2.v1 \u2013 North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.

68. GReAT. (2019, April 10). Project TajMahal \u2013 a sophisticated new APT framework. Retrieved October 14, 2019.

69. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.

70. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.

71. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.

72. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.

73. ESET. (2018, November 20). Sednit: What\u2019s going on with Zebrocy?. Retrieved February 12, 2019.

74. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.

75. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.

76. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1124 - System Time Discovery
", "external_references": [ { "source_name": "AnyRun TimeBomb", "url": "https://any.run/cybersecurity-blog/time-bombs-malware-with-delayed-execution/" }, { "source_name": "RSA EU12 They're Inside", "url": "https://www.rsaconference.com/writable/presentations/file_upload/ht-209_rivner_schwartz.pdf" }, { "source_name": "Technet Windows Time Service", "url": "https://technet.microsoft.com/windows-server-docs/identity/ad-ds/get-started/windows-time-service/windows-time-service-tools-and-settings" }, { "source_name": "MSDN System Time", "url": "https://msdn.microsoft.com/ms724961.aspx" }, { "source_name": "capec (CAPEC-295)", "url": "https://capec.mitre.org/data/definitions/295.html" }, { "source_name": "mitre-attack (T1124)", "url": "https://attack.mitre.org/techniques/T1124" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--a9b6b261-59bc-496f-b167-618b9a45f82d", "created": "2022-11-08T14:37:13.785903Z", "modified": "2022-11-08T14:37:13.785903Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--f3c544dc-673c-4ef3-accb-53229f1ae077" }, { "type": "attack-pattern", "spec_version": "2.1", "id": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c", "created": "2021-05-26T17:59:32.173066Z", "modified": "2022-05-30T23:40:03.351676Z", "name": "T1036.004 - Masquerading: Masquerade Task Or Service", "description": "

T1036.004 - Masquerading: Masquerade Task Or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.[1][2] Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones.

\n

Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.[3][4]

Other sub-techniques of User Execution (7)

ID Name
T1036.001 Invalid Code Signature
T1036.002 Right-to-Left Override
T1036.003 Rename System Utilities
T1036.004 Masquerade Task or Service
T1036.005 Match Legitimate Name or Location
T1036.006 Space after Filename
T1036.007 Double File Extension

Procedure Examples

ID Name Description
G0099 APT-C-36 APT-C-36 has disguised its scheduled tasks as those used by Google.[5]
G0016 APT29 APT29 named tasks \\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager in order to appear legitimate.[6]
G0050 APT32 APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name \"install_flashplayer.exe\".[7]
G0096 APT41 APT41 has created services to appear as benign system tools.[8]
S0438 Attor Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).[9]
G0135 BackdoorDiplomacy BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.[10]
S0534 Bazar Bazar can create a task named to appear benign.[11]
S0471 build_downer build_downer has added itself to the Registry Run key as \"NVIDIA\" to appear legitimate.[12]
G0008 Carbanak Carbanak has copied legitimate service names to use for malicious services.[13]
S0261 Catchamas Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.[14]
S0126 ComRAT ComRAT has used a task name associated with Windows SQM Consolidator.[15]
S0538 Crutch Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[16]
S0527 CSPY Downloader CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.[17]
S0554 Egregor Egregor has masqueraded the svchost.exe process to exfiltrate data.[18]
S0343 Exaramel for Windows The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description \u201cWindows Check AV\u201d in an apparent attempt to masquerade as a legitimate service.[19]
G0037 FIN6 FIN6 has renamed the \"psexec\" service name to \"mstdc\" to masquerade as a legitimate Windows service.[20]
G0046 FIN7 FIN7 has created a scheduled task named \u201cAdobeFlashSync\u201d to establish persistence.[21]
G0117 Fox Kitten Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.[22]
S0410 Fysbis Fysbis has masqueraded as the rsyncd and dbus-inotifier services.[4]
S0588 GoldMax GoldMax has impersonated systems management software to avoid detection.[23]
S0690 Green Lambert Green Lambert has created a new executable named Software Update Check to appear legitimate.[24][25]
G0126 Higaisa Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.[26][27]
S0601 Hildegard Hildegard has disguised itself as a known Linux process.[28]
S0259 InnaputRAT InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.[29]
S0260 InvisiMole InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.[30]
S0581 IronNetInjector IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.[31]
S0607 KillDisk KillDisk registers as a service under the Plug-And-Play Support name.[32]
G0094 Kimsuky Kimsuky has disguised services to appear as benign software or related to operating system functions.[33]
S0356 KONNI KONNI has pretended to be the xmlProv Network Provisioning service.[34]
S0236 Kwampirs Kwampirs establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service.[35]
G0032 Lazarus Group Lazarus Group has used a scheduled task named SRCheck to mask the execution of a malicious .dll.[36]
S0409 Machete Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.[37]
S0449 Maze Maze operators have created scheduled tasks masquerading as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\" designed to launch the ransomware.[38]
S0688 Meteor Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[39]
G0019 Naikon Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.[40]
S0630 Nebulae Nebulae has created a service named \"Windows Update Agent1\" to appear legitimate.[40]
S0118 Nidiran Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.[41][42]
S0439 Okrum Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[43]
S0352 OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.[44]
S0013 PlugX In one instance, menuPass added PlugX as a service with a display name of \"Corel Writing Tools Utility.\"[45]
S0223 POWERSTATS POWERSTATS has created a scheduled task named \"MicrosoftEdge\" to establish persistence.[46]
G0056 PROMETHIUM PROMETHIUM has named services to appear legitimate.[47][48]
S0629 RainyDay RainyDay has named services and scheduled tasks to appear benign including \"ChromeCheck\" and \"googleupdate.\"[40]
S0169 RawPOS New services created by RawPOS are made to appear like legitimate Windows services, with names such as \"Windows Management Help Service\", \"Microsoft Support\", and \"Windows Advanced Task Manager\".[49][50][51]
S0495 RDAT RDAT has used Windows Video Service as a name for malicious services.[52]
S0148 RTM RTM has named the scheduled task it creates \"Windows Update\".[53]
S0345 Seasalt Seasalt has masqueraded as a service called \"SaSaut\" with a display name of \"System Authorization Service\" in an apparent attempt to masquerade as a legitimate service.[54]
S0140 Shamoon Shamoon creates a new service named \u201cntssrv\u201d that attempts to appear legitimate; the service's display name is \u201cMicrosoft Network Realtime Inspection Service\u201d and its description is \u201cHelps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.\u201d Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\"[3][55]
S0444 ShimRat ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.[56]
S0533 SLOTHFULMEDIA SLOTHFULMEDIA has named a service it establishes on victim machines as \"TaskFrame\" to hide its malicious purpose.[57]
S0491 StrongPity StrongPity has named services to appear legitimate.[47][48]
S0668 TinyTurla TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.[58]
S0178 Truvasys To establish persistence, Truvasys adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager.[59]
S0647 Turian Turian can disguise as a legitimate service to blend into normal operations.[10]
G0118 UNC2452 UNC2452 named tasks \\Microsoft\\Windows\\SoftwareProtectionPlatform\\EventCacheManager in order to appear legitimate.[6]
S0180 Volgmer Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.[60][61]
G0102 Wizard Spider Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.[62] It has also used common document file names for other malware binaries.[63]
G0128 ZIRCONIUM ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.[64]

Detection

Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.

References

1. Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.

2. Freedesktop.org. (n.d.). systemd.service \u2014 Service unit configuration. Retrieved March 16, 2020.

3. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.

4. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.

5. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.

6. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.

7. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.

8. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.

9. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

10. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021

11. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9\u2019S DEVELOPMENT CYCLES. Retrieved November 18, 2020.

12. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK\u2019s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.

13. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.

14. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.

15. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.

16. Faou, M. (2020, December 2). Turla Crutch: Keeping the \u201cback door\u201d open. Retrieved December 4, 2020.

17. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.

18. Bichet, J. (2020, November 12). Egregor \u2013 Prolock: Fraternal Twins ?. Retrieved January 6, 2021.

19. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.

20. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.

21. Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.

22. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.

23. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM\u2019s layered persistence. Retrieved March 8, 2021.

24. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.

25. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK.; Retrieved March 21, 2022.

26. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.

27. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.

28. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.

29. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.

30. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.

31. Reichel, D. (2021, February 19). IronNetInjector: Turla\u2019s New Malware Loading Tool. Retrieved February 24, 2021.

32. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.

33. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.

34. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.

35. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.

36. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.

37. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.

38. Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.

39. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.

40. Vrabie, V. (2021, April 23). NAIKON \u2013 Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.

41. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.

42. Microsoft. (2006, October 30). How to use the SysKey utility to secure the Windows Security Accounts Manager database. Retrieved August 3, 2016.

43. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.

44. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.

45. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.

46. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.

47. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.

48. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.

49. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder\u2019s Toolkit. Retrieved October 4, 2017.

50. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.

51. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.

52. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.

53. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.

54. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.

55. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe . Retrieved May 29, 2020.

56. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.

57. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 \u2013 Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.

58. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.

59. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.

60. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.

61. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.

62. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK; Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.

63. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.

64. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.


Original source: T1036.004 - Masquerading: Masquerade Task Or Service
", "external_references": [ { "source_name": "Fysbis Dr Web Analysis", "url": "https://vms.drweb.com/virus/?i=4276269" }, { "source_name": "Palo Alto Shamoon Nov 2016", "url": "http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" }, { "source_name": "Systemd Service Units", "url": "https://www.freedesktop.org/software/systemd/man/systemd.service.html" }, { "source_name": "TechNet Schtasks", "url": "https://technet.microsoft.com/en-us/library/bb490996.aspx" }, { "source_name": "mitre-attack (T1036.004)", "url": "https://attack.mitre.org/techniques/T1036/004" } ], "object_marking_refs": [ "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9" ] }, { "type": "relationship", "spec_version": "2.1", "id": "relationship--d3b46b32-e193-4c3f-8cc6-4d638787b91d", "created": "2022-11-08T14:37:13.791428Z", "modified": "2022-11-08T14:37:13.791428Z", "relationship_type": "uses", "source_ref": "threat-actor--2b1a9d77-a978-4817-a866-e441a555d42b", "target_ref": "attack-pattern--7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c" }, { "type": "marking-definition", "id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "definition": { "tlp": "white" } }, { "type": "marking-definition", "id": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82", "created": "2017-01-20T00:00:00.000Z", "definition_type": "tlp", "definition": { "tlp": "amber" } } ] }