Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Obfuscated Files or Information

Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also abuse Command Obfuscation to obscure commands executed from payloads or directly via Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)

ID: T1027
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Network, Windows
Data Sources: Application Log: Application Log Content, Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, Windows Registry: Windows Registry Key Creation, WMI: WMI Creation
Version: 1.6
Created: 31 May 2017
Last Modified: 16 Apr 2024

Procedure Examples

Name Description
BackdoorDiplomacy

BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.(Citation: ESET BackdoorDiplomacy Jun 2021)

Ryuk

Ryuk can use anti-disassembly and code transformation obfuscation techniques.(Citation: CrowdStrike Wizard Spider October 2020)

RedCurl

RedCurl has used malware with string encryption.(Citation: therecord_redcurl) RedCurl has also encrypted data and has encoded PowerShell commands using Base64.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) RedCurl has used `PyArmor` to obfuscate code execution of LaZagne. (Citation: group-ib_redcurl1) Additionally, RedCurl has obfuscated downloaded files by renaming them as commonly used tools and has used `echo`, instead of file names themselves, to execute files.(Citation: trendmicro_redcurl)

DarkTortilla

DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.(Citation: Secureworks DarkTortilla Aug 2022)

Machete

Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017)

Operation Wocao

Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.(Citation: FoxIT Wocao December 2019)

Lokibot

Lokibot has obfuscated strings with base64 encoding.(Citation: Infoblox Lokibot January 2019)

SVCReady

SVCReady can encrypt victim data with an RC4 cipher.(Citation: HP SVCReady Jun 2022)

PowerStallion

PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.(Citation: ESET Turla PowerShell May 2019)

SynAck

SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)

Amadey

Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.(Citation: BlackBerry Amadey 2020)

PolyglotDuke

PolyglotDuke can custom encrypt strings.(Citation: ESET Dukes October 2019)

CHIMNEYSWEEP

CHIMNEYSWEEP can use a custom Base64 alphabet to encode an API decryption key.(Citation: Mandiant ROADSWEEP August 2022)

PUNCHTRACK

PUNCHTRACK is loaded and executed by a highly obfuscated launcher.(Citation: FireEye Fin8 May 2016)

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has encrypted strings with RC4.(Citation: CISA EB Aug 2020)

Drovorub

Drovorub has used XOR encrypted payloads in WebSocket client to server messages.(Citation: NSA/FBI Drovorub August 2020)

Valak

Valak has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

Rocke

Rocke has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019)

PoisonIvy

PoisonIvy hides any strings related to its own indicators of compromise.(Citation: Symantec Darkmoon Aug 2005)

Out1

Out1 has the ability to encode data.(Citation: Trend Micro Muddy Water March 2021)

HTTPBrowser

HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.(Citation: Dell TG-3390)

Trojan.Karagany

Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.(Citation: Secureworks Karagany July 2019)

APT29

APT29 has used encoded PowerShell commands.(Citation: FireEye APT29 Nov 2018)

GALLIUM

GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.(Citation: Cybereason Soft Cell June 2019)

Gallmaker

Gallmaker obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018)

Saint Bot

Saint Bot has been obfuscated to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

NanoCore

NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.(Citation: PaloAlto NanoCore Feb 2016)

SHOTPUT

SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.(Citation: FireEye Clandestine Wolf)(Citation: Palo Alto CVE-2015-3113 July 2015)

SodaMaster

SodaMaster can use "stackstrings" for obfuscation.(Citation: Securelist APT10 March 2021)

CoinTicker

CoinTicker initially downloads a hidden encoded file.(Citation: CoinTicker 2019)

Turian

Turian can use VMProtect for obfuscation.(Citation: ESET BackdoorDiplomacy Jun 2021)

Snip3

Snip3 has the ability to obfuscate strings using XOR encryption.(Citation: Morphisec Snip3 May 2021)

ComRAT

ComRAT has encrypted its virtual file system using AES-256 in XTS mode.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Final1stspy

Final1stspy obfuscates strings with base64 encoding.(Citation: Unit 42 Nokki Oct 2018)

DustySky

The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.(Citation: DustySky)

SUNSPOT

SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion process.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Pillowmint

Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.(Citation: Trustwave Pillowmint June 2020)

Donut

Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.(Citation: Donut Github)

H1N1

H1N1 uses multiple techniques to obfuscate strings, including XOR.(Citation: Cisco H1N1 Part 1)

Kazuar

Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.(Citation: Unit 42 Kazuar May 2017)

NETWIRE

NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.(Citation: FireEye NETWIRE March 2019)

SombRAT

SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)

BlackOasis

BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.(Citation: Securelist BlackOasis Oct 2017)

Pony

Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.(Citation: Malwarebytes Pony April 2016)

Agent Tesla

Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018) Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.(Citation: Malwarebytes Agent Tesla April 2020)

TrickBot

TrickBot uses non-descriptive names to hide functionality.(Citation: S2 Grupo TrickBot June 2017)

InnaputRAT

InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.(Citation: ASERT InnaputRAT April 2018)

MiniDuke

MiniDuke can use control flow flattening to obscure code.(Citation: ESET Dukes October 2019)

APT3

APT3 obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye)

TEARDROP

TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Check Point Sunburst Teardrop December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021)

Matryoshka

Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.(Citation: CopyKittens Nov 2015)

Clambling

The Clambling executable has been obfuscated when dropped on a compromised host.(Citation: Trend Micro DRBControl February 2020)

Brute Ratel C4

Brute Ratel C4 has used encrypted payload files and maintains an encrypted configuration structure in memory.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)

Shamoon

Shamoon contains base64-encoded strings.(Citation: Palo Alto Shamoon Nov 2016)

Hydraq

Hydraq uses basic obfuscation in the form of spaghetti code.(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010)

QakBot

QakBot has hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.(Citation: Cyberint Qakbot May 2021)

Ember Bear

Ember Bear has obfuscated malware and malicious scripts to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

DarkGate

DarkGate uses a hard-coded string as a seed, along with the victim machine hardware identifier and input text, to generate a unique string used as an internal mutex value to evade static detection based on mutexes.(Citation: Trellix Darkgate 2023)

Flagpro

Flagpro has been delivered within ZIP or RAR password-protected archived files.(Citation: NTT Security Flagpro new December 2021)

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.(Citation: Mandiant APT41)

Cuba

Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.(Citation: McAfee Cuba April 2021)

Dridex

Dridex's strings are obfuscated using RC4.(Citation: Checkpoint Dridex Jan 2021)

Goopy

Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.(Citation: Cybereason Cobalt Kitty 2017)

Ecipekac

Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.(Citation: Securelist APT10 March 2021)

NOKKI

NOKKI uses Base64 encoding for strings.(Citation: Unit 42 NOKKI Sept 2018)

POSHSPY

POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.(Citation: FireEye POSHSPY April 2017)

SUNBURST

SUNBURST strings were compressed and encoded in Base64.(Citation: Microsoft Analyzing Solorigate Dec 2020) SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.(Citation: FireEye SUNBURST Backdoor December 2020)

Remcos

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.(Citation: Talos Remcos Aug 2018)

Kerrdown

Kerrdown can encrypt, encode, and compress multiple layers of shellcode.(Citation: Unit 42 KerrDown February 2019)

UNC2452

UNC2452 used encoded PowerShell commands.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)

Frankenstein

Frankenstein has run encoded commands from the command line.(Citation: Talos Frankenstein June 2019)

FatDuke

FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.(Citation: ESET Dukes October 2019)

APT-C-36

APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019)

Carbanak

Carbanak encrypts strings to make analysis more difficult.(Citation: FireEye CARBANAK June 2017)

Action RAT

Action RAT's commands, strings, and domains can be Base64 encoded within the payload.(Citation: MalwareBytes SideCopy Dec 2021)

Small Sieve

Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.(Citation: NCSC GCHQ Small Sieve Jan 2022)

Night Dragon

A Night Dragon DLL included an XOR-encoded section.(Citation: McAfee Night Dragon)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used heavily obfuscated code with Industroyer in its Windows Notepad backdoor.(Citation: ESET Industroyer)

Dust Storm

Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.(Citation: Cylance Dust Storm)

Bundlore

Bundlore has obfuscated data with base64, AES, RC4, and bz2.(Citation: MacKeeper Bundlore Apr 2019)

KillDisk

KillDisk uses VMProtect to make reverse engineering the malware more difficult.(Citation: Trend Micro KillDisk 1)

ROKRAT

ROKRAT can encrypt data prior to exfiltration by using an RSA public key.(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)

P.A.S. Webshell

P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.(Citation: ANSSI Sandworm January 2021)

OLDBAIT

OLDBAIT obfuscates internal strings and unpacks them at startup.(Citation: FireEye APT28)

Anchor

Anchor has obfuscated code with stack strings and string encryption.(Citation: Cyberreason Anchor December 2019)

Daserf

Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.(Citation: Trend Micro Daserf Nov 2017)

Pandora

Pandora has the ability to compress stings with QuickLZ.(Citation: Trend Micro Iron Tiger April 2021)

Windshift

Windshift has used string encoding with floating point calculations.(Citation: BlackBerry Bahamut)

Ke3chang

Ke3chang has used Base64-encoded shellcode strings.(Citation: Microsoft NICKEL December 2021)

Ebury

Ebury has obfuscated its strings with a simple XOR encryption with a static key.(Citation: ESET Ebury Feb 2014)

Conti

Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.(Citation: CarbonBlack Conti July 2020)(Citation: Cybereason Conti Jan 2021)(Citation: CrowdStrike Wizard Spider October 2020)

Kobalos

Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.(Citation: ESET Kobalos Feb 2021)

APT37

APT37 obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021)

InvisiMole

InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Bumblebee

Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022)

ISMInjector

ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.(Citation: OilRig New Delivery Oct 2017)

Kimsuky

Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019) Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.(Citation: Talos Kimsuky Nov 2021)

Dtrack

Dtrack has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack)

Moonstone Sleet

Moonstone Sleet delivers encrypted payloads in pieces that are then combined together to form a new portable executable (PE) file during installation.(Citation: Microsoft Moonstone Sleet 2024)

Green Lambert

Green Lambert has encrypted strings.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

During C0015, the threat actors used Base64-encoded strings.(Citation: DFIR Conti Bazar Nov 2021)

Carbon

Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.(Citation: ESET Carbon Mar 2017)(Citation: Accenture HyperStack October 2020)

Diavol

Diavol has Base64 encoded the RSA public key used for encrypting files.(Citation: Fortinet Diavol July 2021)

MCMD

MCMD can Base64 encode output strings prior to sending to C2.(Citation: Secureworks MCMD July 2019)

ShimRat

ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.(Citation: FOX-IT May 2016 Mofang)

Honeybee

Honeybee drops files with base64-encoded data.(Citation: McAfee Honeybee)

AppleSeed

AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.(Citation: Malwarebytes Kimsuky June 2021)

BoxCaon

BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.(Citation: Checkpoint IndigoZebra July 2021)

ADVSTORESHELL

Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.(Citation: Kaspersky Sofacy)(Citation: Bitdefender APT28 Dec 2015)

Conficker

Conficker has obfuscated its code to prevent its removal from host machines.(Citation: Trend Micro Conficker)

Siloscape

Siloscape itself is obfuscated and uses obfuscated API calls.(Citation: Unit 42 Siloscape Jun 2021)

BPFDoor

BPFDoor can require a password to activate the backdoor and uses RC4 encryption or static library encryption `libtomcrypt`.(Citation: Sandfly BPFDoor 2022)

Mustang Panda

Mustang Panda has delivered initial payloads hidden using archives and encoding measures.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Proofpoint TA416 Europe March 2022)

ShadowPad

ShadowPad has encrypted its payload, a virtual file system, and various files.(Citation: Securelist ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022)

EKANS

EKANS uses encoded strings in its process kill list.(Citation: FireEye Ransomware Feb 2020)

RegDuke

RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.(Citation: ESET Dukes October 2019)

NightClub

NightClub can obfuscate strings using the congruential generator `(LCG): staten+1 = (690069 × staten + 1) mod 232`.(Citation: MoustachedBouncer ESET August 2023)

Sandworm Team

Sandworm Team has used Base64 encoding within malware variants.(Citation: iSight Sandworm Oct 2014)

Imminent Monitor

Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.(Citation: QiAnXin APT-C-36 Feb2019)

Earth Lusca

Earth Lusca used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022)

SoreFang

SoreFang has the ability to encode and RC6 encrypt data sent to C2.(Citation: CISA SoreFang July 2016)

Hancitor

Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor)

Pisloader

Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.(Citation: Palo Alto DNS Requests)

Avaddon

Avaddon has used encrypted strings.(Citation: Arxiv Avaddon Feb 2021)

JPIN

A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.(Citation: Microsoft PLATINUM April 2016)

RTM

RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

CARROTBALL

CARROTBALL has used a custom base64 alphabet to decode files.(Citation: Unit 42 CARROTBAT January 2020)

Sardonic

Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string.(Citation: Symantec FIN8 Jul 2023)

Raspberry Robin

Raspberry Robin uses mixed-case letters for filenames and commands to evade detection.(Citation: RedCanary RaspberryRobin 2022)

Gamaredon Group

Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.(Citation: ESET Gamaredon June 2020)

AppleJeus

AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.(Citation: CISA AppleJeus Feb 2021)

DRATzarus

DRATzarus can be partly encrypted with XOR.(Citation: ClearSky Lazarus Aug 2020)

AvosLocker

AvosLocker has used XOR-encoded strings.(Citation: Malwarebytes AvosLocker Jul 2021)

PoetRAT

PoetRAT has used a custom encryption scheme for communication between scripts.(Citation: Talos PoetRAT April 2020)

Ramsay

Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.(Citation: Eset Ramsay May 2020)

PUNCHBUGGY

PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.(Citation: Morphisec ShellTea June 2019)

COATHANGER

COATHANGER can store obfuscated configuration information in the last 56 bytes of the file `/date/.bd.key/preload.so`.(Citation: NCSC-NL COATHANGER Feb 2024)

Maze

Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020)

Gootloader

The Gootloader first stage script is obfuscated using random alpha numeric strings.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021)

Epic

Epic heavily obfuscates its code to make analysis more difficult.(Citation: Kaspersky Turla)

CORESHELL

CORESHELL obfuscates strings using a custom stream cipher.(Citation: FireEye APT28)

PlugX

PlugX can use API hashing and modify the names of strings to evade detection.(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022)

XTunnel

A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.(Citation: ESET Sednit Part 2)

jRAT

jRAT’s Java payload is encrypted with AES.(Citation: jRAT Symantec Aug 2018) Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.(Citation: Symantec Frutas Feb 2013)

OopsIE

OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)

GrimAgent

GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.(Citation: Group IB GrimAgent July 2021)

ShimRatReporter

ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.(Citation: FOX-IT May 2016 Mofang)

StreamEx

StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.(Citation: Cylance Shell Crew Feb 2017)

APT41

APT41 used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020)

SDBbot

SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.(Citation: Proofpoint TA505 October 2019)

SLOWPULSE

SLOWPULSE can hide malicious code in the padding regions between legitimate functions in the Pulse Secure `libdsplibs.so` file.(Citation: Mandiant Pulse Secure Zero-Day April 2021)

TajMahal

TajMahal has used an encrypted Virtual File System to store plugins.(Citation: Kaspersky TajMahal April 2019)

Denis

Denis obfuscates its code and encrypts the API names.(Citation: Cybereason Cobalt Kitty 2017)

FinFisher

FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Samurai

Samurai can encrypt the names of requested APIs and deliver its final payload as a compressed, encrypted and base64 encoded blob.(Citation: Kaspersky ToddyCat June 2022)

Orz

Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.(Citation: Proofpoint Leviathan Oct 2017)

BUSHWALK

BUSHWALK can encrypt the resulting data generated from C2 commands with RC4.(Citation: Mandiant Cutting Edge Part 2 January 2024)

BoomBox

BoomBox can encrypt data using AES prior to exfiltration.(Citation: MSTIC Nobelium Toolset May 2021)

Cobalt Strike

Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)

Industroyer

Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.(Citation: ESET Industroyer)

Comnie

Comnie uses RC4 and Base64 to obfuscate strings.(Citation: Palo Alto Comnie)

TRITON

TRITON encoded the two inject.bin and imain.bin payloads.(Citation: FireEye TRITON 2017)

Mitigations

Mitigation Description
Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

User Training

Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction.

Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.

Detection

Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.

References

  1. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  2. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  3. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  4. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  5. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  6. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  7. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  8. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  9. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  10. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  11. Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
  12. White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
  13. Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
  14. Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
  15. Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.
  16. Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
  17. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
  18. Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.
  19. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  20. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  21. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  22. Tancio et al. (2024, March 6). Unveiling Earth Kapre aka RedCurl’s Cyberespionage Tactics With Trend Micro MDR, Threat Intelligence. Retrieved August 9, 2024.
  23. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  24. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  25. Antoniuk, D. (2023, July 17). RedCurl hackers return to spy on 'major Russian bank,' Australian company. Retrieved August 9, 2024.
  26. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  27. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  28. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  29. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  30. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  31. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  32. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  33. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  34. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  35. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  36. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  37. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  38. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  39. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  40. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  41. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  42. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  43. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  44. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  45. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  46. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  47. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  48. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  49. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  50. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  51. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  52. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  53. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  54. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  55. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  56. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  57. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  58. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  59. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  60. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  61. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  62. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  63. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  64. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  65. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  66. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  67. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  68. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  69. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  70. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  71. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  72. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  73. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  74. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  75. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  76. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  77. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  78. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  79. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  80. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  81. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  82. Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
  83. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  84. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  85. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  86. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  87. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  88. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  89. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  90. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  91. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  92. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  93. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  94. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  95. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  96. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  97. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  98. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  99. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  100. NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
  101. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  102. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  103. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  104. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  105. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  106. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  107. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  108. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  109. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  110. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  111. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  112. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  113. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  114. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  115. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  116. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  117. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  118. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  119. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  120. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  121. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  122. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  123. Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
  124. Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
  125. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  126. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  127. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  128. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  129. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  130. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  131. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  132. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  133. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  134. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  135. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  136. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  137. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  138. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  139. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  140. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  141. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  142. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  143. The Sandfly Security Team. (2022, May 11). BPFDoor - An Evasive Linux Backdoor Technical Analysis. Retrieved September 29, 2023.
  144. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  145. Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
  146. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  147. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  148. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  149. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  150. Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.
  151. Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
  152. GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
  153. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  154. Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
  155. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  156. Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
  157. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  158. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  159. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  160. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  161. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  162. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  163. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  164. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  165. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  166. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  167. Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
  168. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  169. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  170. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  171. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  172. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  173. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  174. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  175. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  176. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  177. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  178. Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
  179. Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
  180. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  181. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  182. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  183. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  184. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  185. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  186. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  187. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  188. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  189. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  190. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  191. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  192. FinFisher. (n.d.). Retrieved September 12, 2024.
  193. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  194. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  195. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  196. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  197. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  198. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  199. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  200. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  201. Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.