Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage ISPDn (personal data information systems), CII (critical information infrastructure), GIS (state information systems), ISMS (СМИБ/СУИБ), and banking protection systems.
SECURITM is also a place where security teams exchange experience and work products.

Input Capture: Keylogging

Adversaries may log user keystrokes to intercept credentials as the user types them. Keylogging is likely to be used to acquire credentials for new access opportunities when OS Credential Dumping efforts are not effective, and may require an adversary to intercept keystrokes on a system for a substantial period of time before credentials can be successfully captured. Keylogging is the most prevalent type of input capture, with many different ways of intercepting keystrokes.(Citation: Adventures of a Keystroke) Some methods include:

* Hooking API callbacks used for processing keystrokes. Unlike Credential API Hooking, this focuses solely on API functions intended for processing keystroke data.
* Reading raw keystroke data from the hardware buffer.
* Windows Registry modifications.
* Custom drivers.
* Modify System Image may provide adversaries with hooks into the operating system of network devices to read raw keystrokes for login sessions.(Citation: Cisco Blog Legacy Device Attacks)

ID: T1056.001
Sub-technique of:  T1056
Tactic(s): Collection, Credential Access
Platforms: Linux, macOS, Network, Windows
Permissions Required: Administrator, root, SYSTEM, User
Data Sources: Driver: Driver Load, Process: OS API Execution, Windows Registry: Windows Registry Key Modification
Version: 1.1
Created: 11 Feb 2020
Last Modified: 21 Oct 2020

Procedure Examples

Name Description
Magic Hound

Magic Hound malware is capable of keylogging.(Citation: Unit 42 Magic Hound Feb 2017)

During Operation Wocao, threat actors obtained the password for the victim's password manager via a custom keylogger.(Citation: FoxIT Wocao December 2019)

Derusbi

Derusbi is capable of logging keystrokes.(Citation: FireEye Periscope March 2018)

PowerLess

PowerLess can use a module to log keystrokes.(Citation: Cybereason PowerLess February 2022)

Peppy

Peppy can log keystrokes on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)

WarzoneRAT

WarzoneRAT has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Duqu

Duqu can track key presses with a keylogger module.(Citation: Symantec W32.Duqu)

jRAT

jRAT has the capability to log keystrokes from the victim’s machine, both offline and online.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)

Metamorfo

Metamorfo has a command to launch a keylogger and capture keystrokes on the victim’s machine.(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

ADVSTORESHELL

ADVSTORESHELL can perform keylogging.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)

APT39

APT39 has used tools for capturing keystrokes.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020)

MoonWind

MoonWind has a keylogger.(Citation: Palo Alto MoonWind March 2017)

EvilGrab

EvilGrab has the capability to capture keystrokes.(Citation: PWC Cloud Hopper Technical Annex April 2017)

XAgentOSX

XAgentOSX contains keylogging functionality that monitors for active application windows and writes them to the log; it can handle special characters, and by default it buffers 50 characters before sending them out over the C2 infrastructure.(Citation: XAgentOSX 2017)

Empire

Empire includes keylogging capabilities for Windows, Linux, and macOS systems.(Citation: Github PowerShell Empire)

Micropsia

Micropsia has keylogging capabilities.(Citation: Radware Micropsia July 2018)

Prikormka

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.(Citation: ESET Operation Groundbait)

APT38

APT38 used a Trojan called KEYLIME to capture keystrokes from the victim’s machine.(Citation: FireEye APT38 Oct 2018)

Fysbis

Fysbis can perform keylogging.(Citation: Fysbis Palo Alto Analysis)

PowerSploit

PowerSploit's Get-Keystrokes Exfiltration module can log keystrokes.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation)

Revenge RAT

Revenge RAT has a plugin for keylogging.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

Matryoshka

Matryoshka is capable of keylogging.(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015)

Ajax Security Team

Ajax Security Team has used CWoolger and MPK, custom-developed malware, which recorded all keystrokes on an infected system.(Citation: Check Point Rocket Kitten)

FlawedAmmyy

FlawedAmmyy can collect keyboard events.(Citation: Korean FSI TA505 2020)

RTM

RTM can record keystrokes from both the keyboard and virtual keyboard.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)

Cadelspy

Cadelspy has the ability to log keystrokes on the compromised host.(Citation: Symantec Chafer Dec 2015)

Dtrack

Dtrack’s dropper contains a keylogging executable.(Citation: Securelist Dtrack)

Imminent Monitor

Imminent Monitor has a keylogging module.(Citation: Imminent Unit42 Dec2019)

Catchamas

Catchamas collects keystrokes from the victim’s machine.(Citation: Symantec Catchamas April 2018)

Cobalt Strike

Cobalt Strike can track key presses with a keylogger module.(Citation: cobaltstrike manual)(Citation: Amnesty Intl. Ocean Lotus February 2021)(Citation: Cobalt Strike Manual 4.3 November 2020)

NetTraveler

NetTraveler contains a keylogger.(Citation: Kaspersky NetTraveler)

APT28

APT28 has used tools to perform keylogging.(Citation: Microsoft SIR Vol 19)(Citation: DOJ GRU Indictment Jul 2018)(Citation: TrendMicro Pawn Storm Dec 2020)

QuasarRAT

QuasarRAT has a built-in keylogger.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

Remsec

Remsec contains a keylogger component.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)

OwaAuth

OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.(Citation: Dell TG-3390)

Bandook

Bandook contains keylogging capabilities.(Citation: BH Manul Aug 2016)

ROKRAT

ROKRAT can use `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes.(Citation: Talos ROKRAT)(Citation: Volexity InkySquid RokRAT August 2021)

Darkhotel

Darkhotel has used a keylogger.(Citation: Kaspersky Darkhotel)

Regin

Regin contains a keylogger.(Citation: Kaspersky Regin)

PlugX

PlugX has a module for capturing keystrokes per process including window titles.(Citation: CIRCL PlugX March 2013)

SLOTHFULMEDIA

SLOTHFULMEDIA has a keylogging capability.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

BabyShark

BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.(Citation: Unit42 BabyShark Apr 2019)

VERMIN

VERMIN collects keystrokes from the victim machine.(Citation: Unit 42 VERMIN Jan 2018)

BADNEWS

When it first starts, BADNEWS spawns a new thread to log keystrokes.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017)

PoisonIvy

PoisonIvy contains a keylogger.(Citation: FireEye Poison Ivy)(Citation: Symantec Darkmoon Aug 2005)

MarkiRAT

MarkiRAT can capture all keystrokes on a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021)

ThiefQuest

ThiefQuest uses the CGEventTap functions to perform keylogging.(Citation: Trendmicro Evolving ThiefQuest 2020)

Cardinal RAT

Cardinal RAT can log keystrokes.(Citation: PaloAlto CardinalRat Apr 2017)

Remexi

Remexi gathers and exfiltrates keystrokes from the machine.(Citation: Securelist Remexi Jan 2019)

InvisiMole

InvisiMole can capture keystrokes on a compromised host.(Citation: ESET InvisiMole June 2020)

DOGCALL

DOGCALL is capable of logging keystrokes.(Citation: FireEye APT37 Feb 2018)(Citation: Unit 42 Nokki Oct 2018)

RunningRAT

RunningRAT captures keystrokes and sends them back to the C2 server.(Citation: McAfee Gold Dragon)

Explosive

Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.(Citation: CheckPoint Volatile Cedar March 2015)(Citation: ClearSky Lebanese Cedar Jan 2021)

menuPass

menuPass has used key loggers to steal usernames and passwords.(Citation: District Court of NY APT10 Indictment December 2018)

AppleSeed

AppleSeed can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi)

Crimson

Crimson can use a module to perform keylogging on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

DustySky

DustySky contains a keylogger.(Citation: DustySky)

PoshC2

PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.(Citation: GitHub PoshC2)

PcShare

PcShare has the ability to capture keystrokes.(Citation: Bitdefender FunnyDream Campaign November 2020)

Tonto Team

Tonto Team has used keylogging tools in their operations.(Citation: TrendMicro Tonto Team October 2020)

BadPatch

BadPatch has a keylogging capability.(Citation: Unit 42 BadPatch Oct 2017)

Lokibot

Lokibot has the ability to capture input on the compromised host via keylogging.(Citation: FSecure Lokibot November 2019)

Cuba

Cuba logs keystrokes via polling by using GetKeyState and VkKeyScan functions.(Citation: McAfee Cuba April 2021)

RCSession

RCSession has the ability to capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

KeyBoy

KeyBoy installs a keylogger for intercepting credentials and keystrokes.(Citation: Rapid7 KeyBoy Jun 2013)

Helminth

The executable version of Helminth has a module to log keystrokes.(Citation: Palo Alto OilRig May 2016)

Threat Group-3390

Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework, ScanBox, to capture keystrokes.(Citation: Dell TG-3390)(Citation: Hacker News LuckyMouse June 2018)(Citation: Securelist LuckyMouse June 2018)

Stolen Pencil

Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.(Citation: Netscout Stolen Pencil Dec 2018)

CosmicDuke

CosmicDuke uses a keylogger.(Citation: F-Secure The Dukes)

Astaroth

Astaroth logs keystrokes from the victim's machine.(Citation: Cofense Astaroth Sept 2018)

SMOKEDHAM

SMOKEDHAM can continuously capture keystrokes.(Citation: FireEye Shining A Light on DARKSIDE May 2021)(Citation: FireEye SMOKEDHAM June 2021)

Trojan.Karagany

Trojan.Karagany can capture keystrokes on a compromised host.(Citation: Secureworks Karagany July 2019)

JPIN

JPIN contains a custom keylogger.(Citation: Microsoft PLATINUM April 2016)

Sykipot

Sykipot contains keylogging functionality to steal passwords.(Citation: Alienvault Sykipot DOD Smart Cards)

FunnyDream

The FunnyDream Keyrecord component can capture keystrokes.(Citation: Bitdefender FunnyDream Campaign November 2020)

Kivars

Kivars has the ability to initiate keylogging on the infected host.(Citation: TrendMicro BlackTech June 2017)

Lazarus Group

Lazarus Group malware KiloAlfa contains keylogging functionality.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Tools)

Grandoreiro

Grandoreiro can log keystrokes on the victim's machine.(Citation: ESET Grandoreiro April 2020)

Pupy

Pupy uses a keylogger to capture keystrokes it then sends back to the server after it is stopped.(Citation: GitHub Pupy)

Carbanak

Carbanak logs key strokes for configured processes and sends them back to the C2 server.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)

Group5

Malware used by Group5 is capable of capturing keystrokes.(Citation: Citizen Lab Group5)

Cobian RAT

Cobian RAT has a feature to perform keylogging on the victim’s machine.(Citation: Zscaler Cobian Aug 2017)

Agent Tesla

Agent Tesla can log keystrokes on the victim’s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017)(Citation: Bitdefender Agent Tesla April 2020)(Citation: SentinelLabs Agent Tesla Aug 2020)

PLATINUM

PLATINUM has used several different keyloggers.(Citation: Microsoft PLATINUM April 2016)

FIN4

FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)

SslMM

SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators.(Citation: Baumgartner Naikon 2015)

CHOPSTICK

CHOPSTICK is capable of performing keylogging.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)

Sandworm Team

Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.(Citation: ESET Telebots Dec 2016)

Clambling

Clambling can capture keystrokes on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

NavRAT

NavRAT logs the keystrokes on the targeted system.(Citation: Talos NavRAT May 2018)

Operation Wocao

Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.(Citation: FoxIT Wocao December 2019)

njRAT

njRAT is capable of logging keystrokes.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)(Citation: Citizen Lab Group5)

NanoCore

NanoCore can perform keylogging on the victim’s machine.(Citation: PaloAlto NanoCore Feb 2016)

Proton

Proton uses a keylogger to capture keystrokes.(Citation: objsee mac malware 2017)

Machete

Machete logs keystrokes from the victim’s machine.(Citation: ESET Machete July 2019)(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)

Kimsuky

Kimsuky has used a PowerShell-based keylogger as well as a tool called MECHANICAL to log keystrokes.(Citation: EST Kimsuky April 2019)(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Netscout Stolen Pencil Dec 2018)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

OilRig

OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019)

Attor

One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.(Citation: ESET Attor Oct 2019)

HTTPBrowser

HTTPBrowser is capable of capturing keystrokes on victims.(Citation: Dell TG-3390)

Sowbug

Sowbug has used keylogging tools.(Citation: Symantec Sowbug Nov 2017)

yty

yty uses a keylogger plugin to gather keystrokes.(Citation: ASERT Donot March 2018)

MacMa

MacMa can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords.(Citation: Objective-See MacMa Nov 2021)(Citation: SentinelOne MacMa Nov 2021)

BlackEnergy

BlackEnergy has run a keylogger plug-in on a victim.(Citation: Securelist BlackEnergy Nov 2014)

ECCENTRICBANDWAGON

ECCENTRICBANDWAGON can capture and store keystrokes.(Citation: CISA EB Aug 2020)

Cobalt Strike

Cobalt Strike can track key presses with a keylogger module.(Citation: cobaltstrike manual)

gh0st RAT

gh0st RAT has a keylogger.(Citation: Alintanahin 2014)(Citation: Gh0stRAT ATT March 2019)

FakeM

FakeM contains a keylogger module.(Citation: Scarlet Mimic Jan 2016)

NETWIRE

NETWIRE can perform keylogging.(Citation: McAfee Netwire Mar 2015)(Citation: FireEye APT33 Webinar Sept 2017)(Citation: FireEye NETWIRE March 2019)(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020)

Remcos

Remcos has a command for keylogging.(Citation: Fortinet Remcos Feb 2017)(Citation: Talos Remcos Aug 2018)

QakBot

QakBot can capture keystrokes on a compromised host.(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Kaspersky QakBot September 2021)

GreyEnergy

GreyEnergy has a module to harvest pressed keystrokes.(Citation: ESET GreyEnergy Oct 2018)

HEXANE

HEXANE has used a PowerShell-based keylogger named `kl.ps1`.(Citation: SecureWorks August 2019)(Citation: Kaspersky Lyceum October 2021)

Daserf

Daserf can log keystrokes.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017)

TinyZBot

TinyZBot contains keylogger functionality.(Citation: Cylance Cleaver)

Okrum

Okrum was seen using a keylogger tool to capture keystrokes.(Citation: ESET Okrum July 2019)

DarkComet

DarkComet has a keylogging capability.(Citation: TrendMicro DarkComet Sept 2014)

APT32

APT32 has abused the PasswordChangeNotify function to monitor for and capture account password changes.(Citation: Cybereason Cobalt Kitty 2017)

DarkWatchman

DarkWatchman can track key presses with a keylogger module.(Citation: Prevailion DarkWatchman 2021)

Zeus Panda

Zeus Panda can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN.(Citation: GDATA Zeus Panda June 2017)

BISCUIT

BISCUIT can capture keystrokes.(Citation: Mandiant APT1 Appendix)

Kasidet

Kasidet has the ability to initiate keylogging.(Citation: Zscaler Kasidet)

MacSpy

MacSpy captures keystrokes.(Citation: objsee mac malware 2017)

SILENTTRINITY

SILENTTRINITY has a keylogging capability.(Citation: GitHub SILENTTRINITY Modules July 2019)

KONNI

KONNI has the capability to perform keylogging.(Citation: Talos Konni May 2017)

KGH_SPY

KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.(Citation: Cybereason Kimsuky November 2020)

Unknown Logger

Unknown Logger is capable of recording keystrokes.(Citation: Forcepoint Monsoon)

APT3

APT3 has used a keylogging tool that records keystrokes in encrypted files.(Citation: Symantec Buckeye)

TajMahal

TajMahal has the ability to capture keystrokes on an infected host.(Citation: Kaspersky TajMahal April 2019)

ZxShell

ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)

Ke3chang

Ke3chang has used keyloggers.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

Rover

Rover has keylogging functionality.(Citation: Palo Alto Rover)

APT41

APT41 used a keylogger called GEARSHIFT on a target system.(Citation: FireEye APT41 Aug 2019)

PoetRAT

PoetRAT has used a Python tool named klog.exe for keylogging.(Citation: Talos PoetRAT April 2020)

Detection

Keyloggers may take many forms, possibly involving modification to the Registry and installation of a driver, setting a hook, or polling to intercept keystrokes. Commonly used API calls include `SetWindowsHook`, `GetKeyState`, and `GetAsyncKeyState`.(Citation: Adventures of a Keystroke) Monitor the Registry and file system for such changes, monitor driver installs, and look for common keylogging API calls. API calls alone are not an indicator of keylogging, but may provide behavioral data that is useful when combined with other information such as new files written to disk and unusual processes.
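As an added example (not part of the ATT&CK entry or the SECURITM page), the following Python script implements the correlation the paragraph describes: it keys endpoint telemetry by process, treats calls to `SetWindowsHook`/`SetWindowsHookEx`, `GetKeyState` and `GetAsyncKeyState` as weak evidence only, and raises the score when the same process installs a keyboard hook, polls key state at a high rate, writes files after the API use, loads a driver, changes the Registry, or runs from a user-writable path. The event format, process images, paths, rate thresholds and scoring weights are all assumptions, and every sample event is constructed.

```python
"""Correlate keystroke-API telemetry with file writes, driver loads and
Registry changes per process. Added example: the event format, images,
paths and scoring weights are assumptions; all sample events are constructed."""
from dataclasses import dataclass, field

# API calls named in the Detection text (plus GetKeyboardState, named in the
# AppleSeed entry). Any one of these alone is weak evidence: many benign
# programs poll key state.
KEYLOG_APIS = {"SetWindowsHook", "SetWindowsHookEx", "GetKeyState",
               "GetAsyncKeyState", "GetKeyboardState"}
POLLED_APIS = {"GetKeyState", "GetAsyncKeyState", "GetKeyboardState"}
KEYBOARD_HOOKS = {"WH_KEYBOARD", "WH_KEYBOARD_LL"}   # hook ids that deliver keystrokes
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
POLL_RATE_THRESHOLD = 20.0   # key-state calls per second (assumed tuning value)
ALERT_THRESHOLD = 4          # assumed alert cut-off


@dataclass
class ProcState:
    image: str
    api_calls: list = field(default_factory=list)    # (ts_ms, api name)
    keyboard_hook: bool = False
    file_writes: list = field(default_factory=list)  # (ts_ms, path)
    driver_loads: int = 0
    registry_mods: int = 0


def parse_events(lines):
    """Events are 'ts_ms|pid|image|kind|detail' (assumed telemetry format)."""
    procs = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, pid, image, kind, detail = line.split("|", 4)
        st = procs.setdefault(pid, ProcState(image))
        ts = int(ts)
        if kind == "api":
            name, _, arg = detail.partition(":")   # e.g. SetWindowsHookEx:WH_KEYBOARD_LL
            if name in KEYLOG_APIS:
                st.api_calls.append((ts, name))
            if name.startswith("SetWindowsHook") and arg in KEYBOARD_HOOKS:
                st.keyboard_hook = True
        elif kind == "file_write":
            st.file_writes.append((ts, detail))
        elif kind == "driver_load":
            st.driver_loads += 1
        elif kind == "registry_set":
            st.registry_mods += 1
    return procs


def poll_rate(api_calls):
    """Calls per second to the key-state polling APIs; 0 if fewer than two."""
    polls = sorted(ts for ts, api in api_calls if api in POLLED_APIS)
    if len(polls) < 2:
        return 0.0
    span_ms = polls[-1] - polls[0]
    return float(len(polls)) if span_ms == 0 else len(polls) / (span_ms / 1000.0)


def score_process(st):
    """Return (score, reasons). Score stays 0 unless a keystroke API was used."""
    if not st.api_calls:
        return 0, []
    score, reasons = 1, ["keystroke-related API use"]
    if st.keyboard_hook:
        score += 2; reasons.append("keyboard hook installed")
    rate = poll_rate(st.api_calls)
    if rate >= POLL_RATE_THRESHOLD:
        score += 2; reasons.append(f"key-state polling at {rate:.0f} calls/s")
    first_api = min(ts for ts, _ in st.api_calls)
    writes = [p for ts, p in st.file_writes if ts >= first_api]
    if writes:
        score += 2; reasons.append(f"{len(writes)} file write(s) after keystroke API use")
    if st.image.lower().startswith(USER_WRITABLE):
        score += 1; reasons.append("image runs from a user-writable path")
    if st.driver_loads:
        score += 2; reasons.append("loaded a driver")
    if st.registry_mods:
        score += 1; reasons.append("modified the Registry")
    return score, reasons


def find_suspects(lines, threshold=ALERT_THRESHOLD):
    """Map pid -> (image, score, reasons) for processes at or above threshold."""
    suspects = {}
    for pid, st in parse_events(lines).items():
        score, reasons = score_process(st)
        if score >= threshold:
            suspects[pid] = (st.image, score, reasons)
    return suspects


def _polling(pid, image, start_ms, n):
    """n GetAsyncKeyState calls 10 ms apart (constructed)."""
    return [f"{start_ms + 10 * i}|{pid}|{image}|api|GetAsyncKeyState" for i in range(n)]


# Constructed sample telemetry: a shell occasionally checking key state, a
# hook-based logger in AppData, a polling logger in Temp that also sets a Run
# key, and a game polling keys just as fast from Program Files.
SAMPLE_EVENTS = (
    [
        r"1000|4100|C:\Windows\explorer.exe|api|GetAsyncKeyState",
        r"2000|4100|C:\Windows\explorer.exe|api|GetAsyncKeyState",
        r"3000|4100|C:\Windows\explorer.exe|api|GetAsyncKeyState",
        r"1500|5200|C:\Users\alice\AppData\Roaming\svc_update.exe|api|SetWindowsHookEx:WH_KEYBOARD_LL",
        r"1800|5200|C:\Users\alice\AppData\Roaming\svc_update.exe|api|GetKeyNameText",
        r"2600|5200|C:\Users\alice\AppData\Roaming\svc_update.exe|file_write|C:\Users\alice\AppData\Roaming\keys.log",
        r"4000|6300|C:\Windows\Temp\upd.exe|registry_set|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
    ]
    + _polling("6300", r"C:\Windows\Temp\upd.exe", 4100, 30)
    + _polling("7000", r"C:\Program Files\Game\game.exe", 5000, 30)
)

if __name__ == "__main__":
    for pid, (image, score, reasons) in find_suspects(SAMPLE_EVENTS).items():
        print(f"pid {pid} {image}: score {score}: " + "; ".join(reasons))
```

Run as written, only the AppData hook installer (score 6) and the Temp poller with a Run key (score 5) cross the threshold; explorer.exe's occasional `GetAsyncKeyState` calls score 1 and the game's fast polling scores 3, which is the point the paragraph makes about API calls needing corroborating context. In a real deployment the event source would be EDR or Sysmon-style telemetry rather than the constructed list, and the weights would be tuned against the baseline of the environment.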

References

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  3. Omar Santos. (2020, October 19). Attackers Continue to Target Legacy Devices. Retrieved October 20, 2020.
  4. Tinaztepe, E. (n.d.). The Adventures of a Keystroke: An in-depth look into keyloggers on Windows. Retrieved April 27, 2016.
  5. Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  6. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  7. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  8. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  9. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  10. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  11. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  12. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  13. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
  14. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  15. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  16. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  17. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  18. Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  19. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  20. ASERT team. (2018, December 5). STOLEN PENCIL Campaign Targets Academia. Retrieved February 5, 2019.
  21. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  22. Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  23. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  24. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  25. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  26. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  27. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  28. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  29. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  30. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  31. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  32. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  33. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  34. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  35. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  36. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  37. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  38. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  39. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  40. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  41. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  42. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  43. PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
  44. PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
  45. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  46. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  47. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  48. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  49. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  50. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  51. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  52. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  53. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  54. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
  55. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  56. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  57. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
  58. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  59. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  60. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  61. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  62. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  63. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  64. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  65. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  66. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  67. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  68. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  69. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  70. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  71. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  72. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  73. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  74. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  75. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  76. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  77. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  78. Baumgartner, K. and Garnaeva, M. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  79. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  80. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  81. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  82. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  83. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved November 12, 2014.
  84. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
  85. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  86. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  87. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  88. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  89. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  90. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
  91. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  92. Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  93. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  94. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  95. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  96. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  97. Gabrielle Joyce Mabutas, Luis Magisa, Steven Du. (2020, July 17). Updates on Quickly-Evolving ThiefQuest macOS Malware. Retrieved April 26, 2021.
  98. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  99. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  100. Khandelwal, S. (2018, June 14). Chinese Hackers Carried Out Country-Level Watering Hole Attack. Retrieved August 18, 2018.
  101. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  102. Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020.
  103. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  104. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  105. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  106. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  107. Alintanahin, K. (2014, March 13). Kunming Attack Leads to Gh0st RAT Variant. Retrieved November 12, 2014.
  108. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  109. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  110. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  111. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  112. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  113. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  114. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  115. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
  116. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  117. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  118. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  119. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  120. Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  121. Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
  122. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  123. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  124. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  125. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  126. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  127. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  128. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  129. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  130. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  131. Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
  132. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  133. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  134. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  135. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  136. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  137. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  138. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  139. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  140. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Tools Report. Retrieved March 10, 2016.
  141. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  142. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  143. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  144. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  145. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  146. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  147. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  148. Alyac. (2019, April 3). Kimsuky Organization Steals Operation Stealth Power. Retrieved August 13, 2019.
  149. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  150. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  151. Kaspersky Lab's Global Research and Analysis Team. (n.d.). The NetTraveler (aka ‘Travnet’). Retrieved November 12, 2014.
  152. Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
  153. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  154. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  155. Stokes, P. (2021, November 15). Infect If Needed | A Deeper Dive Into Targeted Backdoor macOS.Macma. Retrieved June 30, 2022.
  156. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  157. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  158. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  159. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  160. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  161. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  162. Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
  163. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  164. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  165. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  166. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  167. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  168. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  169. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  170. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  171. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  172. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  173. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  174. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  175. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  176. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  177. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  178. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  179. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  180. Galperin, E., Et al.. (2016, August 4). When Governments Attack: State Sponsored Malware Attacks Against Activists, Lawyers, and Journalists. Retrieved May 23, 2018.
  181. Daniel Lughi, Jaromir Horejsi. (2020, October 2). Tonto Team - Exploring the TTPs of an advanced threat actor operating a large infrastructure. Retrieved October 17, 2021.
  182. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  183. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.