Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Technique Native API
RU
Риски
Каталоги
MITRE ATT&CK
Техника
Native API
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Native API

Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.(Citation: NT API Windows)(Citation: Linux Kernel API) These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations. Adversaries may abuse these OS API functions as a means of executing behaviors. Similar to Command and Scripting Interpreter, the native API and its hierarchy of interfaces provide mechanisms to interact with and utilize various components of a victimized system. Native API functions (such as NtCreateProcess) may be directed invoked via system calls / syscalls, but these features are also often exposed to user-mode applications via interfaces and libraries.(Citation: OutFlank System Calls)(Citation: CyberBit System Calls)(Citation: MDSec System Calls) For example, functions such as the Windows API CreateProcess() or GNU fork() will allow programs and scripts to start other processes.(Citation: Microsoft CreateProcess)(Citation: GNU Fork) This may allow API callers to execute a binary, run a CLI command, load modules, etc. as thousands of similar API functions exist for various system operations.(Citation: Microsoft Win32)(Citation: LIBC)(Citation: GLIBC) Higher level software frameworks, such as Microsoft .NET and macOS Cocoa, are also available to interact with native APIs. These frameworks typically provide language wrappers/abstractions to API functionalities and are designed for ease-of-use/portability of code.(Citation: Microsoft NET)(Citation: Apple Core Services)(Citation: MACOS Cocoa)(Citation: macOS Foundation) Adversaries may use assembly to directly or in-directly invoke syscalls in an attempt to subvert defensive sensors and detection signatures such as user mode API-hooks.(Citation: Redops Syscalls) Adversaries may also attempt to tamper with sensors and defensive tools associated with API monitoring, such as unhooking monitored functions via Disable or Modify Tools.

ID: T1106
Tactic(s): Execution
Platforms: Linux, Windows, macOS
Data Sources: Module: Module Load, Process: OS API Execution
Version: 2.3
Created: 31 May 2017
Last Modified: 15 Apr 2025

Procedure Examples
Name Description
TrickBot

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.(Citation: S2 Grupo TrickBot June 2017) TrickBot has also used Nt* API functions to perform Process Injection.(Citation: Joe Sec Trickbot)
Ninja

The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
Pikabot

Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as `CheckRemoteDebuggerPresent`, `NtQueryInformationProcess`, `ProcessDebugPort`, and `ProcessDebugFlags`.(Citation: Zscaler Pikabot 2023) Other Pikabot variants populate a global list of Windows API addresses from the `NTDLL` and `KERNEL32` libraries, and references these items instead of calling the API items to obfuscate execution.(Citation: Elastic Pikabot 2024)
RCSession

RCSession can use WinSock API for communication including WSASend and WSARecv.(Citation: Profero APT27 December 2020)
SynAck

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)
Bumblebee

Bumblebee can use multiple Native APIs.(Citation: Proofpoint Bumblebee April 2022)(Citation: Medium Ali Salem Bumblebee April 2022)
Amadey

Amadey has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`.(Citation: BlackBerry Amadey 2020)
RDFSNIFFER

RDFSNIFFER has used several Win32 API functions to interact with the victim machine.(Citation: FireEye FIN7 Oct 2019)
BloodHound

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.(Citation: GitHub Bloodhound)
Torisma

Torisma has used various Windows API calls.(Citation: McAfee Lazarus Nov 2020)
Stuxnet

Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
RotaJakiro

When executing with non-root permissions, RotaJakiro uses the the `shmget` API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the `execvp` API to help its dead process "resurrect".(Citation: RotaJakiro 2021 netlab360 analysis)
AvosLocker

AvosLocker has used a variety of Windows API calls, including `NtCurrentPeb` and `GetLogicalDrives`.(Citation: Malwarebytes AvosLocker Jul 2021)
Sardonic

Sardonic has the ability to call Win32 API functions to determine if `powershell.exe` is running.(Citation: Bitdefender Sardonic Aug 2021)

WindTail

WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.(Citation: objective-see windtail2 jan 2019)
Misdat

Misdat has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`.(Citation: Cylance Dust Storm)

ShimRatReporter

ShimRatReporter used several Windows API functions to gather information from the infected system.(Citation: FOX-IT May 2016 Mofang)
SILENTTRINITY

SILENTTRINITY has the ability to leverage API including `GetProcAddress` and `LoadLibrary`.(Citation: GitHub SILENTTRINITY Modules July 2019)
HAWKBALL

HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.(Citation: FireEye HAWKBALL Jun 2019)
Ursnif

Ursnif has used CreateProcessW to create child processes.(Citation: FireEye Ursnif Nov 2017)
Prestige

Prestige has used the `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()` functions to disable and restore file system redirection.(Citation: Microsoft Prestige ransomware October 2022)

Bankshot

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().(Citation: McAfee Bankshot)
SharpDisco

SharpDisco can leverage Native APIs through plugins including `GetLogicalDrives`.(Citation: MoustachedBouncer ESET August 2023)
xCaon

xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API.(Citation: Checkpoint IndigoZebra July 2021)

Pony

Pony has used several Windows functions for various purposes.(Citation: Malwarebytes Pony April 2016)

Nebulae

Nebulae has the ability to use CreateProcess to execute a process.(Citation: Bitdefender Naikon April 2021)
RainyDay

The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.(Citation: Bitdefender Naikon April 2021)
AppleSeed

AppleSeed has the ability to use multiple dynamically resolved API calls.(Citation: Malwarebytes Kimsuky June 2021)
NETWIRE

NETWIRE can use Native API including CreateProcess GetProcessById, and WriteProcessMemory.(Citation: FireEye NETWIRE March 2019)
TinyTurla

TinyTurla has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions.(Citation: Talos TinyTurla September 2021)
HyperStack

HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.(Citation: Accenture HyperStack October 2020)
Bad Rabbit

Bad Rabbit has used various Windows API calls.(Citation: ESET Bad Rabbit)
IMAPLoader

IMAPLoader imports native Windows APIs such as `GetConsoleWindow` and `ShowWindow`.(Citation: PWC Yellow Liderc 2023)
Aria-body

Aria-body has the ability to launch files using ShellExecute.(Citation: CheckPoint Naikon May 2020)
Emotet

Emotet has used `CreateProcess` to create a new process to run its executable and `WNetEnumResourceW` to enumerate non-hidden shares.(Citation: Binary Defense Emotes Wi-Fi Spreader)
Empire

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.(Citation: Github PowerShell Empire)
BADHATCH

BADHATCH can utilize Native API functions such as, `ToolHelp32` and `Rt1AdjustPrivilege` to enable `SeDebugPrivilege` on a compromised machine.(Citation: Gigamon BADHATCH Jul 2019)
PcShare

PcShare has used a variety of Windows API functions.(Citation: Bitdefender FunnyDream Campaign November 2020)
Woody RAT

Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can use a variety of API calls.(Citation: SentinelLabs Metador Sept 2022)
PolyglotDuke

PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.(Citation: ESET Dukes October 2019)
SombRAT

SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.(Citation: BlackBerry CostaRicto November 2020)
ODAgent

ODAgent can pass commands using native APIs.(Citation: ESET OilRig Downloaders DEC 2023)
GuLoader

GuLoader can use a number of different APIs for discovery and execution.(Citation: Medium Eli Salem GuLoader April 2021)
WastedLocker

WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.(Citation: NCC Group WastedLocker June 2020)
InvisiMole

InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.(Citation: ESET InvisiMole June 2020)
Volgmer

Volgmer executes payloads using the Windows API call CreateProcessW().(Citation: US-CERT Volgmer 2 Nov 2017)
WhisperGate

WhisperGate has used the `ExitWindowsEx` to flush file buffers to disk and stop running processes and other API calls.(Citation: Cisco Ukraine Wipers January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)
Conti

Conti has used API calls during execution.(Citation: Cybereason Conti Jan 2021)(Citation: CarbonBlack Conti July 2020)

Mispadu

Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.(Citation: Segurança Informática URSA Sophisticated Loader 2020)(Citation: SCILabs Malteiro 2021)
Diavol

Diavol has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack.(Citation: Fortinet Diavol July 2021)
Siloscape

Siloscape makes various native API calls.(Citation: Unit 42 Siloscape Jun 2021)
IcedID

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.(Citation: Juniper IcedID June 2020)
MarkiRAT

MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.(Citation: Kaspersky Ferocious Kitten Jun 2021)
CHIMNEYSWEEP

CHIMNEYSWEEP can use Windows APIs including `LoadLibrary` and `GetProcAddress`.(Citation: Mandiant ROADSWEEP August 2022)
FatDuke

FatDuke can call ShellExecuteW to open the default browser on the URL localhost.(Citation: ESET Dukes October 2019)
DCSrv

DCSrv has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process.(Citation: Checkpoint MosesStaff Nov 2021)
DRATzarus

DRATzarus can use various API calls to see if it is running in a sandbox.(Citation: ClearSky Lazarus Aug 2020)
Rising Sun

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`.(Citation: McAfee Sharpshooter December 2018)
ShimRat

ShimRat has used Windows API functions to install the service and shim.(Citation: FOX-IT May 2016 Mofang)

Chrommme

Chrommme can use Windows API including `WinExec` for execution.(Citation: ESET Gelsemium June 2021)
Avaddon

Avaddon has used the Windows Crypto API to generate an AES key.(Citation: Hornet Security Avaddon June 2020)
Flagpro

Flagpro can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`.(Citation: NTT Security Flagpro new December 2021)
XAgentOSX

XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.(Citation: XAgentOSX 2017)
CostaBricks

CostaBricks has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`.(Citation: BlackBerry CostaRicto November 2020)

HyperBro

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.(Citation: Unit42 Emissary Panda May 2019)
Pteranodon

Pteranodon has used various API calls.(Citation: Microsoft Actinium February 2022)
DarkTortilla

DarkTortilla can use a variety of API calls for persistence and defense evasion.(Citation: Secureworks DarkTortilla Aug 2022)
ROKRAT

ROKRAT can use a variety of API calls to execute shellcode.(Citation: Malwarebytes RokRAT VBA January 2021)
Babuk

Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Medium Babuk February 2021)
Exbyte

Exbyte calls `ShellExecuteW` with the `IpOperation` parameter `RunAs` to launch `explorer.exe` with elevated privileges.(Citation: Microsoft BlackByte 2023)
PlugX

PlugX can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process.(Citation: Lastline PlugX Analysis)(Citation: Proofpoint TA416 Europe March 2022)
Bisonal

Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.(Citation: Talos Bisonal Mar 2020)
S-Type

S-Type has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`.(Citation: Cylance Dust Storm)
Explosive

Explosive has a function to call the OpenClipboard wrapper.(Citation: CheckPoint Volatile Cedar March 2015)

AsyncRAT

AsyncRAT has the ability to use OS APIs including `CheckRemoteDebuggerPresent`.(Citation: Telefonica Snip3 December 2021)
LightNeuron

LightNeuron is capable of starting a process using CreateProcess.(Citation: ESET LightNeuron May 2019)
Cuba

Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.(Citation: McAfee Cuba April 2021)

Akira

Akira executes native Windows functions such as GetFileAttributesW and `GetSystemInfo`.(Citation: Kersten Akira 2023)
DarkGate

DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.(Citation: Trellix Darkgate 2023) DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.(Citation: Ensilo Darkgate 2018) DarkGate has also used the `CreateToolhelp32Snapshot`, `GetFileAttributesA` and `CreateProcessA` functions to obtain a list of running processes, to check for security products and to execute its malware.(Citation: Rapid7 BlackBasta 2024)

LockBit 3.0

LockBit 3.0 has the ability to directly call native Windows API items during execution.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)
SVCReady

SVCReady can use Windows API calls to gather information from an infected host.(Citation: HP SVCReady Jun 2022)
ThiefQuest

ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.(Citation: wardle evilquest partii)
FoggyWeb

FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.(Citation: MSTIC FoggyWeb September 2021)
Netwalker

Netwalker can use Windows API functions to inject the ransomware DLL.(Citation: TrendMicro Netwalker May 2020)
Brute Ratel C4

Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion.(Citation: Palo Alto Brute Ratel July 2022)(Citation: MDSec Brute Ratel August 2022)
Latrodectus

Latrodectus has used multiple Windows API post exploitation including `GetAdaptersInfo`, `CreateToolhelp32Snapshot`, and `CreateProcessW`.(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
Saint Bot

Saint Bot has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Chaes

Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.(Citation: Cybereason Chaes Nov 2020)

Sagerunex

Sagerunex calls the `WaitForSingleObject` API function as part of time-check logic.(Citation: Cisco LotusBlossom 2025)
Royal

Royal can use multiple APIs for discovery, communication, and execution.(Citation: Cybereason Royal December 2022)
BendyBear

BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.(Citation: Unit42 BendyBear Feb 2021)
Uroburos

Uroburos can use native Windows APIs including `GetHostByName`.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Metamorfo

Metamorfo has used native WINAPI calls.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)
Bandook

Bandook has used the ShellExecuteW() function call.(Citation: CheckPoint Bandook Nov 2020)

PipeMon

PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.(Citation: ESET PipeMon May 2020)
KONNI

KONNI has hardcoded API calls within its functions to use on the victim's machine.(Citation: Malwarebytes Konni Aug 2021)

gh0st RAT

gh0st RAT has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions.(Citation: Gh0stRAT ATT March 2019)
Black Basta

Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.(Citation: Minerva Labs Black Basta May 2022)(Citation: Cyble Black Basta May 2022)(Citation: Avertium Black Basta June 2022)(Citation: Check Point Black Basta October 2022)(Citation: Trend Micro Black Basta May 2022)

ZeroCleare

ZeroCleare can call the `GetSystemDirectoryW` API to locate the system directory.(Citation: Mandiant ROADSWEEP August 2022)
Attor

Attor's dispatcher has used CreateProcessW API for execution.(Citation: ESET Attor Oct 2019)
Imminent Monitor

Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.(Citation: QiAnXin APT-C-36 Feb2019)
LitePower

LitePower can use various API calls.(Citation: Kaspersky WIRTE November 2021)
MegaCortex

After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.(Citation: IBM MegaCortex)
BoxCaon

BoxCaon has used Windows API calls to obtain information about the compromised host.(Citation: Checkpoint IndigoZebra July 2021)
NightClub

NightClub can use multiple native APIs including `GetKeyState`, `GetForegroundWindow`, `GetWindowThreadProcessId`, and `GetKeyboardLayout`.(Citation: MoustachedBouncer ESET August 2023)
Mosquito

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.(Citation: ESET Turla Mosquito Jan 2018)
RTM

RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.(Citation: ESET RTM Feb 2017)
QUIETCANARY

QUIETCANARY can call `System.Net.HttpWebRequest` to identify the default proxy configured on the victim computer.(Citation: Mandiant Suspected Turla Campaign February 2023)
BlackByte Ransomware

BlackByte Ransomware uses the `SetThreadExecutionState` API to prevent the victim system from entering sleep.(Citation: Trustwave BlackByte 2021)
SodaMaster

SodaMaster can use RegOpenKeyW to access the Registry.(Citation: Securelist APT10 March 2021)
Grandoreiro

Grandoreiro can execute through the WinExec API.(Citation: ESET Grandoreiro April 2020)
ZxxZ

ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`.(Citation: Cisco Talos Bitter Bangladesh May 2022)
Bazar

Bazar can use various APIs to allocate memory and facilitate code execution/injection.(Citation: Cybereason Bazar July 2020)
XLoader

XLoader uses the native Windows API for functionality, including defense evasion.(Citation: Zscaler XLoader 2025)
Ryuk

Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.(Citation: CrowdStrike Ryuk January 2019)
HermeticWiper

HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)
Kapeka

Kapeka utilizes WinAPI calls to gather victim system information.(Citation: WithSecure Kapeka 2024)
Cobalt Strike

Cobalt Strike's "beacon" payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe(Citation: cobaltstrike manual)
Cobalt Strike

Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)
Donut

Donut code modules use various API functions to load and inject code.(Citation: Donut Github)

EvilBunny

EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014)

HotCroissant

HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.(Citation: US-CERT HOTCROISSANT February 2020)
REvil

REvil can use Native API for execution and to retrieve active services.(Citation: Secureworks REvil September 2019)(Citation: Intel 471 REvil March 2020)
Samurai

Samurai has the ability to call Windows APIs.(Citation: Kaspersky ToddyCat June 2022)
Milan

Milan can use the API `DnsQuery_A` for DNS resolution.(Citation: Kaspersky Lyceum October 2021)
OilBooster

OilBooster has used the `ShowWindow` and `CreateProcessW` APIs.(Citation: ESET OilRig Downloaders DEC 2023)
Taidoor

Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
CaddyWiper

CaddyWiper has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`.(Citation: Cisco CaddyWiper March 2022)
Cyclops Blink

Cyclops Blink can use various Linux API functions including those for execution and discovery.(Citation: NCSC Cyclops Blink February 2022)
PLEAD

PLEAD can use `ShellExecute` to execute applications.(Citation: TrendMicro BlackTech June 2017)
GoldenSpy

GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.(Citation: Trustwave GoldenSpy June 2020)

Ramsay

Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.(Citation: Eset Ramsay May 2020)
Carberp

Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.(Citation: Trusteer Carberp October 2010)
Pillowmint

Pillowmint has used multiple native Windows APIs to execute and conduct process injections.(Citation: Trustwave Pillowmint June 2020)
MacMa

MacMa has used macOS API functions to perform tasks.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021)
FunnyDream

FunnyDream can use Native API for defense evasion, discovery, and collection.(Citation: Bitdefender FunnyDream Campaign November 2020)
SUNSPOT

SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.(Citation: CrowdStrike SUNSPOT Implant January 2021)

SysUpdate

SysUpdate can call the `GetNetworkParams` API as part of its C2 establishment process.(Citation: Lunghi Iron Tiger Linux)
BackConfig

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.(Citation: Unit 42 BackConfig May 2020)
DEADEYE

DEADEYE can execute the `GetComputerNameA` and `GetComputerNameExA` WinAPI functions.(Citation: Mandiant APT41)
Mango

Mango has the ability to use Native APIs.(Citation: ESET OilRig Campaigns Sep 2023)
InnaputRAT

InnaputRAT uses the API call ShellExecuteW for execution.(Citation: ASERT InnaputRAT April 2018)
GrimAgent

GrimAgent can use Native API including GetProcAddress and ShellExecuteW.(Citation: Group IB GrimAgent July 2021)
Clop

Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)
Lokibot

Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.(Citation: Talos Lokibot Jan 2021)
Egregor

Egregor has used the Windows API to make detection more difficult.(Citation: Cyble Egregor Oct 2020)

StealBit

StealBit can use native APIs including `LoadLibraryExA` for execution and `NtSetInformationProcess` for defense evasion purposes.(Citation: Cybereason StealBit Exfiltration Tool)
ZxShell

ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.RegisterServiceCtrlHandler

build_downer

build_downer has the ability to use the WinExec API to execute malware on a compromised host.(Citation: Trend Micro Tick November 2019)
Winnti for Windows

Winnti for Windows can use Native API to create a new process and to start services.(Citation: Novetta Winnti April 2015)
Meteor

Meteor can use `WinAPI` to remove a victim machine from an Active Directory domain.(Citation: Check Point Meteor Aug 2021)
njRAT

njRAT has used the ShellExecute() function within a script.(Citation: Trend Micro njRAT 2018)
Maze

Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.(Citation: McAfee Maze March 2020)

ComRAT

ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.(Citation: ESET ComRAT May 2020)
metaMain

metaMain can execute an operator-provided Windows command by leveraging functions such as `WinExec`, `WriteFile`, and `ReadFile`.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
SideTwist

SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.(Citation: Check Point APT34 April 2021)
KOCTOPUS

KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution.(Citation: MalwareBytes LazyScripter Feb 2021)
Mis-Type

Mis-Type has used Windows API calls, including `NetUserAdd` and `NetUserDel`.(Citation: Cylance Dust Storm)
KillDisk

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.(Citation: Trend Micro KillDisk 1)
Kevin

Kevin can use the `ShowWindow` API to avoid detection.(Citation: Kaspersky Lyceum October 2021)
BADNEWS

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
Goopy

Goopy has the ability to enumerate the infected system's user name via GetUserNameW.(Citation: Cybereason Cobalt Kitty 2017)
QakBot

QakBot can use GetProcAddress to help delete malicious strings from memory.(Citation: ATT QakBot April 2021)
Hancitor

Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.(Citation: FireEye Hancitor)
Gelsemium

Gelsemium has the ability to use various Windows API functions to perform tasks.(Citation: ESET Gelsemium June 2021)
Dridex

Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.(Citation: Checkpoint Dridex Jan 2021)

BBK

BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.(Citation: Trend Micro Tick November 2019)
Denis

Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process.(Citation: Cybereason Cobalt Kitty 2017)

INC Ransomware

INC Ransomware can use the API `DeviceIoControl` to resize the allocated space for and cause the deletion of volume shadow copy snapshots.(Citation: Cybereason INC Ransomware November 2023)
Waterbear

Waterbear can leverage API functions for execution.(Citation: Trend Micro Waterbear December 2019)
Lizar

Lizar has used various Windows API functions on a victim's machine.(Citation: BiZone Lizar May 2021)

BitPaymer

BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.(Citation: Crowdstrike Indrik November 2018)
ADVSTORESHELL

ADVSTORESHELL is capable of starting a process using CreateProcess.(Citation: Bitdefender APT28 Dec 2015)
StrifeWater

StrifeWater can use a variety of APIs for execution.(Citation: Cybereason StrifeWater Feb 2022)
WarzoneRAT

WarzoneRAT can use a variety of API calls on a compromised host.(Citation: Uptycs Warzone UAC Bypass November 2020)
HermeticWizard

HermeticWizard can connect to remote shares using `WNetAddConnection2W`.(Citation: ESET Hermetic Wizard March 2022)
Turla

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.(Citation: ESET Turla PowerShell May 2019)
Tropic Trooper

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.(Citation: TrendMicro Tropic Trooper May 2020)
Operation Wocao

Operation Wocao has used the CreateProcessA and ShellExecute API function to launch commands after being injected into a selected process.(Citation: FoxIT Wocao December 2019)
Lazarus Group

Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.(Citation: McAfee Lazarus Jul 2020) Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Gamaredon Group

Gamaredon Group malware has used CreateProcess to launch additional malicious components.(Citation: ESET Gamaredon June 2020)
APT38

APT38 has used the Windows API to execute code within a victim's system.(Citation: CISA AA20-239A BeagleBoyz August 2020)

SideCopy

SideCopy has executed malware by calling the API function `CreateProcessW`.(Citation: MalwareBytes SideCopy Dec 2021)
Silence

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)
Higaisa

Higaisa has called various native OS APIs.(Citation: Zscaler Higaisa 2020)
APT37

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.(Citation: Talos Group123)
Chimera

Chimera has used direct Windows system calls by leveraging Dumpert.(Citation: Cycraft Chimera April 2020)
Sandworm Team

Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: `Wow64DisableWow64FsRedirection()` and `Wow64RevertWow64FsRedirection()`.(Citation: Microsoft Prestige ransomware October 2022)
Sharpshooter

Sharpshooter's first-stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().(Citation: McAfee Sharpshooter December 2018)

menuPass

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.(Citation: Symantec Cicada November 2020)
ToddyCat

ToddyCat has used `WinExec` to execute commands received from C2 on compromised hosts.(Citation: Kaspersky ToddyCat Check Logs October 2023)
BlackTech

BlackTech has used built-in API functions.(Citation: IronNet BlackTech Oct 2021)
Gorgon Group

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.(Citation: Unit 42 Gorgon Group Aug 2018)
TA505

TA505 has deployed payloads that use Windows API calls on a compromised host.(Citation: Korean FSI TA505 2020)

Mitigations
Mitigation Description
Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.

Detection

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.

References

  1. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  2. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
  3. Gavriel, H. (2018, November 27). Malware Mitigation when Direct System Calls are Used. Retrieved September 29, 2021.
  4. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  5. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  6. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  7. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  8. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  9. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  10. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  11. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  12. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  13. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  14. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  15. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  16. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  17. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  18. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  19. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  20. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  21. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  22. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  23. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  24. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
  25. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  26. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  27. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  28. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  29. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  30. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  31. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  32. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved September 12, 2024.
  33. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  34. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  35. glibc developer community. (2020, February 1). The GNU C Library (glibc). Retrieved June 25, 2020.
  36. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  37. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  38. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  39. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  40. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  41. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  42. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  43. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  44. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  45. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  46. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  47. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  48. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  49. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  50. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  51. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  52. Cybereason Global SOC Team. (n.d.). THREAT ANALYSIS REPORT: Inside the LockBit Arsenal - The StealBit Exfiltration Tool. Retrieved January 29, 2025.
  53. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  54. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  55. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  56. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  57. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  58. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  59. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  60. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  61. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  62. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  63. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  64. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  65. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  66. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  67. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  68. Gonzalez, I., Chavez I., et al. (2022, May 9). Examining the Black Basta Ransomware’s Infection Routine. Retrieved March 7, 2023.
  69. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  70. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  71. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  72. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  73. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  74. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  75. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  76. Microsoft. (n.d.). Programming reference for the Win32 API. Retrieved March 15, 2020.
  77. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  78. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  79. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  80. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  81. MDSec Research. (2020, December). Bypassing User-Mode Hooks and Direct Invocation of System Calls for Red Teams. Retrieved September 29, 2021.
  82. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  83. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  84. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
  85. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  86. Mohammad Kazem Hassan Nejad, WithSecure. (2024, April 17). KAPEKA A novel backdoor spotted in Eastern Europe. Retrieved January 6, 2025.
  87. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  88. Linux Kernel Organization, Inc. (n.d.). The Linux Kernel API. Retrieved June 25, 2020.
  89. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  90. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  91. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  92. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  93. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  94. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  95. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  96. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  97. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  98. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  99. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  100. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  101. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  102. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  103. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  104. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  105. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  106. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  107. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  108. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  109. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  110. Microsoft. (n.d.). CreateProcess function. Retrieved September 12, 2024.
  111. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  112. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  113. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  114. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  115. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  116. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  117. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.
  118. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  119. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  120. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  121. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  122. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  123. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  124. Apple. (2015, September 16). Cocoa Application Layer. Retrieved June 25, 2020.
  125. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  126. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  127. Microsoft Incident Response. (2023, July 6). The five-day job: A BlackByte ransomware intrusion case study. Retrieved December 16, 2024.
  128. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  129. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  130. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  131. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  132. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  133. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  134. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  135. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  136. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  137. Feichter, D. (2023, June 30). Direct Syscalls vs Indirect Syscalls. Retrieved September 27, 2023.
  138. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  139. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  140. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  141. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  142. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  143. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  144. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  145. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  146. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.
  147. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  148. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  149. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  150. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  151. Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
  152. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
  153. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  154. The NTinterlnals.net team. (n.d.). Nowak, T. Retrieved June 25, 2020.
  155. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  156. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  157. Microsoft. (n.d.). What is .NET Framework?. Retrieved March 15, 2020.
  158. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  159. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  160. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  161. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  162. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  163. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  164. Zscaler Threatlabz. (2025, January 27). Technical Analysis of Xloader Versions 6 and 7 | Part 1. Retrieved March 11, 2025.
  165. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  166. McGraw, T. (2024, December 4). Black Basta Ransomware Campaign Drops Zbot, DarkGate, and Custom Malware. Retrieved December 9, 2024.
  167. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  168. Apple. (n.d.). Foundation. Retrieved July 1, 2020.
  169. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  170. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  171. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  172. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.
  173. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  174. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  175. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  176. Hromcova, Z. and Burgher, A. (2023, December 14). OilRig’s persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  177. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  178. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  179. Apple. (n.d.). Core Services. Retrieved June 25, 2020.
  180. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  181. Kerrisk, M. (2016, December 12). libc(7) — Linux manual page. Retrieved June 25, 2020.
  182. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  183. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  184. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  185. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  186. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  187. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  188. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  189. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  190. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  191. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
  192. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  193. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  194. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  195. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  196. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  197. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  198. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  199. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  200. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  201. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  202. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  203. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  204. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  205. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  206. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved November 17, 2024.
  207. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  208. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  209. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  210. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
  211. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  212. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  213. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  214. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  215. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  216. Free Software Foundation, Inc.. (2020, June 18). Creating a Process. Retrieved June 25, 2020.
  217. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  218. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  219. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  220. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  221. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  222. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  223. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  224. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  225. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  226. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  227. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  228. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  229. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  230. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  231. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  232. de Plaa, C. (2019, June 19). Red Team Tactics: Combining Direct System Calls and sRDI to bypass AV/EDR. Retrieved September 29, 2021.
  233. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.