Where am I?
SECURITM is an SGRC system that automates the processes of information security departments. SECURITM helps build and manage personal data information systems (ISPDn), critical information infrastructure (KII), state information systems (GIS), ISMS and banking security systems.
SECURITM is also a place where security teams exchange experience and work products.

Modify Registry

Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution. Access to specific areas of the Registry depends on account permissions, some requiring administrator-level access. The built-in Windows command-line utility Reg may be used for local or remote Registry modification. (Citation: Microsoft Reg) Other tools may also be used, such as a remote access tool, which may contain functionality to interact with the Registry through the Windows API. Registry modifications may also include actions to hide keys, such as prepending key names with a null character, which will cause an error and/or be ignored when read via Reg or other utilities using the Win32 API. (Citation: Microsoft Reghide NOV 2006) Adversaries may abuse these pseudo-hidden keys to conceal payloads/commands used to maintain persistence. (Citation: TrendMicro POWELIKS AUG 2014) (Citation: SpectorOps Hiding Reg Jul 2017) The Registry of a remote system may be modified to aid in execution of files as part of lateral movement. It requires the remote Registry service to be running on the target system. (Citation: Microsoft Remote) Often Valid Accounts are required, along with access to the remote system's SMB/Windows Admin Shares for RPC communication.

ID: T1112
Tactic(s): Defense Evasion
Platforms: Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Version: 1.2
Created: 31 May 2017
Last Modified: 13 Aug 2020

Procedure Examples

Name Description
CharmPower

CharmPower can remove persistence-related artifacts from the Registry.(Citation: Check Point APT35 CharmPower January 2022)

PlugX

PlugX has a module to create, delete, or modify Registry keys.(Citation: CIRCL PlugX March 2013)

ShadowPad

ShadowPad maintains a configuration block and virtual file system in the Registry.(Citation: Kaspersky ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022)

Netwalker

Netwalker can add the following registry entry: HKEY_CURRENT_USER\SOFTWARE\{8 random characters}.(Citation: TrendMicro Netwalker May 2020)

Valak

Valak has the ability to modify the Registry key HKCU\Software\ApplicationContainer\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)

ROKRAT

ROKRAT can modify the `HKEY_CURRENT_USER\Software\Microsoft\Office\` registry key so it can bypass the VB object model (VBOM) on a compromised host.(Citation: Malwarebytes RokRAT VBA January 2021)

APT38

APT38 uses a tool called CLEANTOAD that has the capability to modify Registry keys.(Citation: FireEye APT38 Oct 2018)

HOPLIGHT

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.(Citation: US-CERT HOPLIGHT Apr 2019)

Catchamas

Catchamas creates three Registry keys to establish persistence by adding a Windows Service.(Citation: Symantec Catchamas April 2018)

gh0st RAT

gh0st RAT has altered the InstallTime subkey.(Citation: Gh0stRAT ATT March 2019)

SynAck

SynAck can manipulate Registry keys.(Citation: SecureList SynAck Doppelgänging May 2018)

SLOTHFULMEDIA

SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

Conficker

Conficker adds keys to the Registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and various other Registry locations.(Citation: SANS Conficker)(Citation: Trend Micro Conficker)

DCSrv

DCSrv has created Registry keys for persistence.(Citation: Checkpoint MosesStaff Nov 2021)

SUNBURST

SUNBURST had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\SYSTEM\CurrentControlSet\services\[service_name]\Start registry entries to value 4.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020) It also deleted previously-created Image File Execution Options (IFEO) Debugger registry values and registry keys related to HTTP proxy to clean up traces of its activity.(Citation: Microsoft Deep Dive Solorigate January 2021)

Patchwork

A Patchwork payload deletes Resiliency Registry keys created by Microsoft Office applications in an apparent effort to trick users into thinking there were no issues during application runs.(Citation: TrendMicro Patchwork Dec 2017)

Explosive

Explosive has a function to write itself to Registry values.(Citation: CheckPoint Volatile Cedar March 2015)

PolyglotDuke

PolyglotDuke can write encrypted JSON configuration files to the Registry.(Citation: ESET Dukes October 2019)

DarkWatchman

DarkWatchman can store configuration strings, keylogger, and output of components in the Registry.(Citation: Prevailion DarkWatchman 2021)

PoisonIvy

PoisonIvy creates a Registry subkey that registers a new system device.(Citation: Symantec Darkmoon Aug 2005)

KOCTOPUS

KOCTOPUS has added and deleted keys from the Registry.(Citation: MalwareBytes LazyScripter Feb 2021)

Honeybee

Honeybee uses a batch file that modifies Registry keys to launch a DLL into the svchost.exe process.(Citation: McAfee Honeybee)

LoJax

LoJax has modified the Registry key 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute' from 'autocheck autochk *' to 'autocheck autoche *'.(Citation: ESET LoJax Sept 2018)

PHOREAL

PHOREAL is capable of manipulating the Registry.(Citation: FireEye APT32 May 2017)

PoetRAT

PoetRAT has made registry modifications to alter its behavior upon execution.(Citation: Talos PoetRAT April 2020)

REvil

REvil can save encryption parameters and system information to the Registry.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

BACKSPACE

BACKSPACE is capable of deleting Registry keys, sub-keys, and values on a victim system.(Citation: FireEye APT30)

Grandoreiro

Grandoreiro can store its configuration in the Registry at HKCU\Software\ under frequently changing names including %USERNAME% and ToolTech-RM.(Citation: ESET Grandoreiro April 2020)

Taidoor

Taidoor has the ability to modify the Registry on compromised hosts using RegDeleteValueA and RegCreateKeyExA.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

Stuxnet

Stuxnet can create registry keys to load driver files.(Citation: Symantec W.32 Stuxnet Dossier)

TinyTurla

TinyTurla can set its configuration parameters in the Registry.(Citation: Talos TinyTurla September 2021)

FELIXROOT

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.(Citation: FireEye FELIXROOT July 2018)

SMOKEDHAM

SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.(Citation: FireEye SMOKEDHAM June 2021)

Pillowmint

Pillowmint has stored its malicious payload in the registry key HKLM\SOFTWARE\Microsoft\DRM.(Citation: Trustwave Pillowmint June 2020)

PipeMon

PipeMon has stored its encrypted payload in the Registry.(Citation: ESET PipeMon May 2020)

Ember Bear

Ember Bear has used an open source batch script to modify Windows Defender registry keys.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Silence

Silence can create, delete, or modify a specified Registry key or value.(Citation: Group IB Silence Sept 2018)

TA505

TA505 has used malware to disable Windows Defender through modification of the Registry.(Citation: Korean FSI TA505 2020)

CHOPSTICK

CHOPSTICK may store RC4 encrypted configuration information in the Windows Registry.(Citation: FireEye APT28)

HermeticWiper

HermeticWiper has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)

WarzoneRAT

WarzoneRAT can create `HKCU\Software\Classes\Folder\shell\open\command` as a new registry key during privilege escalation.(Citation: Uptycs Warzone UAC Bypass November 2020)(Citation: Check Point Warzone Feb 2020)

Cobalt Strike

Cobalt Strike can modify Registry values within HKEY_CURRENT_USER\Software\Microsoft\Office\Excel\Security\AccessVBOM\ to enable the execution of additional code.(Citation: Talos Cobalt Strike September 2020)

APT19

APT19 uses a Port 22 malware variant to modify several Registry keys.(Citation: Unit 42 C0d0so0 Jan 2016)

Dragonfly 2.0

Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A)

CSPY Downloader

CSPY Downloader can write to the Registry under the %windir% variable to execute tasks.(Citation: Cybereason Kimsuky November 2020)

Gelsemium

Gelsemium has the ability to store its components in the Registry.(Citation: ESET Gelsemium June 2021)

WastedLocker

WastedLocker can modify registry values within the Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap registry key.(Citation: NCC Group WastedLocker June 2020)

QuasarRAT

QuasarRAT has a command to edit the Registry on the victim’s machine.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018)

Hydraq

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

PLAINTEE

PLAINTEE uses reg add to add a Registry Run key for persistence.(Citation: Rancor Unit42 June 2018)

Gamaredon Group

Gamaredon Group has removed security settings for VBA macro execution by changing registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)

SILENTTRINITY

SILENTTRINITY can modify registry keys, including to enable or disable Remote Desktop Protocol (RDP).(Citation: GitHub SILENTTRINITY Modules July 2019)

Waterbear

Waterbear has deleted certain values from the Registry to load a malicious DLL.(Citation: Trend Micro Waterbear December 2019)

SOUNDBITE

SOUNDBITE is capable of modifying the Registry.(Citation: FireEye APT32 May 2017)

Night Dragon

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and manipulate the Registry.(Citation: McAfee Night Dragon)

Remcos

Remcos has full control of the Registry, including the ability to modify it.(Citation: Riskiq Remcos Jan 2018)

InvisiMole

InvisiMole has a command to create, set, copy, or delete a specified Registry key or value.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Metamorfo

Metamorfo has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: ESET Casbaneiro Oct 2019)

Mosquito

Mosquito stores configuration values under the Registry key HKCU\Software\Microsoft\[dllname] and modifies Registry keys under HKCR\CLSID\...\InprocServer32 with a path to the launcher.(Citation: ESET Turla Mosquito Jan 2018)

TEARDROP

TEARDROP modified the Registry to create a Windows service for itself on a compromised host.(Citation: Check Point Sunburst Teardrop December 2020)

StreamEx

StreamEx has the ability to modify the Registry.(Citation: Cylance Shell Crew Feb 2017)

Attor

Attor's dispatcher can modify the Run registry key.(Citation: ESET Attor Oct 2019)

Lokibot

Lokibot has modified the Registry as part of its UAC bypass process.(Citation: Talos Lokibot Jan 2021)

ZxShell

ZxShell can create Registry entries to enable services to run.(Citation: Talos ZxShell Oct 2014)

KONNI

KONNI has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

Wizard Spider

Wizard Spider has modified the Registry key HKLM\System\CurrentControlSet\Control\SecurityProviders\WDigest by setting the UseLogonCredential registry value to 1 in order to force credentials to be stored in clear text in memory.(Citation: CrowdStrike Grim Spider May 2019)

APT32

APT32's backdoor has modified the Windows Registry to store the backdoor's configuration. (Citation: ESET OceanLotus Mar 2019)

Pysa

Pysa has modified the registry key "SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" and added the ransom note.(Citation: CERT-FR PYSA April 2020)

Operation Honeybee

During Operation Honeybee, the threat actors used batch files that modified registry keys.(Citation: McAfee Honeybee)

BADCALL

BADCALL modifies the firewall Registry key SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List.(Citation: US-CERT BADCALL)

Operation Wocao

Operation Wocao has enabled Wdigest by changing the registry value from 0 to 1.(Citation: FoxIT Wocao December 2019)

Earth Lusca

Earth Lusca modified the registry using the command reg add "HKEY_CURRENT_USER\Environment" /v UserInitMprLogonScript /t REG_SZ /d "[file path]" for persistence.(Citation: TrendMicro EarthLusca 2022)

MegaCortex

MegaCortex has added entries to the Registry for ransom contact information.(Citation: IBM MegaCortex)

Blue Mockingbird

Blue Mockingbird has used Windows Registry modifications to specify a DLL payload.(Citation: RedCanary Mockingbird May 2020)

Neoichor

Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`.(Citation: Microsoft NICKEL December 2021)

Tarrask

Tarrask is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks.(Citation: Tarrask scheduled task)

Caterpillar WebShell

Caterpillar WebShell has a command to modify a Registry key.(Citation: ClearSky Lebanese Cedar Jan 2021)

Bisonal

Bisonal has deleted Registry keys to clean up its prior activity.(Citation: Talos Bisonal Mar 2020)

TajMahal

TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers to enable document stealing.(Citation: Kaspersky TajMahal April 2019)

HyperStack

HyperStack can add the name of its communication pipe to HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes.(Citation: Accenture HyperStack October 2020)

Crimson

Crimson can set a Registry key to determine how long it has been installed and possibly to indicate the version number.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Orz

Orz can perform Registry operations.(Citation: Proofpoint Leviathan Oct 2017)

RTM

RTM can delete all Registry entries created during its execution.(Citation: ESET RTM Feb 2017)

Operation Wocao

During Operation Wocao, the threat actors enabled Wdigest by changing the `HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest` registry value from 0 (disabled) to 1 (enabled).(Citation: FoxIT Wocao December 2019)

Dragonfly

Dragonfly has modified the Registry to perform multiple techniques through the use of Reg.(Citation: US-CERT TA18-074A)

CrackMapExec

CrackMapExec can create a registry key using wdigest.(Citation: CME Github September 2018)

RegDuke

RegDuke can store its encryption key in the Registry.(Citation: ESET Dukes October 2019)

Gorgon Group

Gorgon Group malware can deactivate security mechanisms in Microsoft Office by editing several keys and values under HKCU\Software\Microsoft\Office\.(Citation: Unit 42 Gorgon Group Aug 2018)

zwShell

zwShell can modify the Registry.(Citation: McAfee Night Dragon)

NanoCore

NanoCore has the capability to edit the Registry.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)

Clop

Clop can make modifications to Registry keys.(Citation: Cybereason Clop Dec 2020)

ThreatNeedle

ThreatNeedle can save its configuration data as the following RC4-encrypted Registry key: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\GameCon`.(Citation: Kaspersky ThreatNeedle Feb 2021)

Ursnif

Ursnif has used Registry modifications as part of its installation routine.(Citation: TrendMicro BKDR_URSNIF.SM)(Citation: ProofPoint Ursnif Aug 2016)

PowerShower

PowerShower has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process.(Citation: Unit 42 Inception November 2018)

ADVSTORESHELL

ADVSTORESHELL is capable of setting and deleting Registry values.(Citation: Bitdefender APT28 Dec 2015)

EVILNUM

EVILNUM can make modifications to the Registry for persistence.(Citation: Prevailion EvilNum May 2020)

Zeus Panda

Zeus Panda modifies several Registry keys under HKCU\Software\Microsoft\Internet Explorer\ PhishingFilter\ to disable phishing filters.(Citation: GDATA Zeus Panda June 2017)

Exaramel for Windows

Exaramel for Windows adds the configuration to the Registry in XML format.(Citation: ESET TeleBots Oct 2018)

Naid

Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk.(Citation: Symantec Naid June 2012)

Shamoon

Once Shamoon has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\LocalAccountTokenFilterPolicy to 1.(Citation: FireEye Shamoon Nov 2016)(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)

SysUpdate

SysUpdate can write its configuration file to Software\Classes\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER.(Citation: Trend Micro Iron Tiger April 2021)

njRAT

njRAT can create, delete, or modify a specified Registry key or value.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018)

Mori

Mori can write data to `HKLM\Software\NFC\IPA` and `HKLM\Software\NFC\` and delete Registry values.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: CYBERCOM Iranian Intel Cyber January 2022)

Chaes

Chaes stored its instructions in a config file in the Registry.(Citation: Cybereason Chaes Nov 2020)

GreyEnergy

GreyEnergy modifies conditions in the Registry and adds keys.(Citation: ESET GreyEnergy Oct 2018)

Reg

Reg may be used to interact with and modify the Windows Registry of a local or remote system at the command-line interface.(Citation: Microsoft Reg)

Rover

Rover has functionality to remove Registry Run key persistence as a cleanup procedure.(Citation: Palo Alto Rover)

Turla

Turla has used the Registry to store encrypted payloads.(Citation: ESET Turla PowerShell May 2019)(Citation: Symantec Waterbug Jun 2019)

Volgmer

Volgmer stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Security.(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)

Clambling

Clambling can set and delete Registry keys.(Citation: Trend Micro DRBControl February 2020)

QakBot

QakBot can store its configuration information in a randomly named subkey under HKCU\Software\Microsoft.(Citation: Red Canary Qbot)(Citation: Group IB Ransomware September 2020)

Bankshot

Bankshot writes data into the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Pniumj.(Citation: US-CERT Bankshot Dec 2017)

Kimsuky

Kimsuky has modified Registry settings for default file associations to enable all macros and for persistence.(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

ComRAT

ComRAT has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020)

Avaddon

Avaddon modifies several registry keys for persistence and UAC bypass.(Citation: Arxiv Avaddon Feb 2021)

Amadey

Amadey has overwritten registry keys for persistence.(Citation: BlackBerry Amadey 2020)

TrickBot

TrickBot can modify registry entries.(Citation: Trend Micro Trickbot Nov 2018)

APT41

APT41 used a malware variant called GOODLUCK to modify the registry in order to steal credentials.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021)

DarkComet

DarkComet adds a Registry value for its installation routine to the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA="0" and HKEY_CURRENT_USER\Software\DC3_FEXEC.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

Magic Hound

Magic Hound has modified Registry settings for security tools.(Citation: DFIR Report APT35 ProxyShell March 2022)

TYPEFRAME

TYPEFRAME can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Applications\laxhost.dll and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\PrintConfigs.(Citation: US-CERT TYPEFRAME June 2018)

PcShare

PcShare can delete its persistence mechanisms from the registry.(Citation: Bitdefender FunnyDream Campaign November 2020)

KEYMARBLE

KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath.(Citation: US-CERT KEYMARBLE Aug 2018)

Ferocious

Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.(Citation: Kaspersky WIRTE November 2021)

Cardinal RAT

Cardinal RAT sets HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load to point to its executable.(Citation: PaloAlto CardinalRat Apr 2017)

Agent Tesla

Agent Tesla can achieve persistence by modifying Registry key entries.(Citation: SentinelLabs Agent Tesla Aug 2020)

QUADAGENT

QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.(Citation: Unit 42 QUADAGENT July 2018)

NETWIRE

NETWIRE stores its configuration file within the Registry.(Citation: Red Canary NETWIRE January 2020)

Sibot

Sibot has installed a second-stage script in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\sibot registry key.(Citation: MSTIC NOBELIUM Mar 2021)

BitPaymer

BitPaymer can set values in the Registry to help in execution.(Citation: Crowdstrike Indrik November 2018)

RCSession

RCSession can write its configuration file to the Registry.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020)

Lazarus Group

Lazarus Group has modified registry keys using the reg windows utility for its custom backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Nerex

Nerex creates a Registry subkey that registers a new service.(Citation: Symantec Nerex May 2012)

ShimRat

ShimRat has registered two registry keys for shim databases.(Citation: FOX-IT May 2016 Mofang)

Threat Group-3390

A Threat Group-3390 tool has created new Registry keys under `HKEY_CURRENT_USER\Software\Classes\` and `HKLM\SYSTEM\CurrentControlSet\services`.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Trend Micro Iron Tiger April 2021)

FIN8

FIN8 has deleted Registry keys during post compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

AADInternals

AADInternals can modify registry keys as part of setting a new pass-through authentication agent.(Citation: AADInternals Documentation)

Regin

Regin appears to have functionality to modify remote Registry information.(Citation: Kaspersky Regin)

Pandora

Pandora can write an encrypted token to the Registry to enable processing of remote commands.(Citation: Trend Micro Iron Tiger April 2021)

Mitigations

Mitigation Description
Restrict Registry Permissions

Restrict the ability to modify certain hives or keys in the Windows Registry.

Modify Registry Mitigation

Misconfiguration of permissions in the Registry may lead to opportunities for an adversary to execute code, like through Service Registry Permissions Weakness. Ensure proper permissions are set for Registry hives to prevent users from modifying keys for system components that may lead to privilege escalation. Identify and block unnecessary system utilities or potentially malicious software that may be used to modify the Registry by using whitelisting (Citation: Beechey 2010) tools like AppLocker (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Detection

Modifications to the Registry are normal and occur throughout typical use of the Windows operating system. Consider enabling Registry Auditing on specific keys to produce an alertable event (Event ID 4657) whenever a value is changed (though this may not trigger when values are created with Reghide or other evasive methods). (Citation: Microsoft 4657 APR 2017) Changes to Registry entries that load software on Windows startup that do not correlate with known software, patch cycles, etc., are suspicious, as are additions or changes to files within the startup folder. Changes could also include new services and modification of existing binary paths to point to malicious files. If a change to a service-related entry occurs, then it will likely be followed by a local or remote service start or restart to execute the file. Monitor processes and command-line arguments for actions that could be taken to change or delete information in the Registry. Remote access tools with built-in features may interact directly with the Windows API to gather information. The Registry may also be modified through Windows system management tools such as Windows Management Instrumentation and PowerShell, which may require additional logging features to be configured in the operating system to collect the necessary information for analysis. Monitor for processes, command-line arguments, and API calls associated with concealing Registry keys, such as Reghide. (Citation: Microsoft Reghide NOV 2006) Inspect and clean up malicious hidden Registry entries using native Windows API calls and/or tools such as Autoruns (Citation: SpectorOps Hiding Reg Jul 2017) and RegDelNull (Citation: Microsoft RegDelNull July 2016).
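As an added illustration of the detection guidance above (example code written for this page, not part of ATT&CK or SECURITM), the following Python triages constructed 4657-style Registry audit records and process command lines against the keys named in this technique's description and procedure examples (WDigest, LocalAccountTokenFilterPolicy, Run keys, IFEO, service Start values, null-prefixed names). The record layout, hostname, SID and service name are assumptions.

```python
"""Triage of Registry-modification telemetry for ATT&CK T1112 (Modify Registry).

Input shapes are assumptions made for this example, not a real log format:
  * a dict resembling a parsed Security Event ID 4657 record with the fields
    ObjectName (key path), ObjectValueName and NewValue
  * a raw process command line (Event ID 4688 or Sysmon Event ID 1 style)
"""
import re

# value-path suffixes (lowercase, hive-normalised) -> why a write there matters
SENSITIVE_VALUES = {
    r"control\securityproviders\wdigest\uselogoncredential":
        "WDigest UseLogonCredential set (cleartext credentials in memory)",
    r"policies\system\localaccounttokenfilterpolicy":
        "UAC remote restrictions disabled (LocalAccountTokenFilterPolicy)",
    r"policies\system\enablelua": "UAC disabled (EnableLUA)",
    r"security\accessvbom": "Office VBA object model trust changed (AccessVBOM)",
    r"security\vbawarnings": "Office macro warnings changed (VBAWarnings)",
    r"control\session manager\bootexecute": "BootExecute tampering",
    r"environment\userinitmprlogonscript": "logon script persistence",
}
# key patterns searched anywhere in the normalised path
SENSITIVE_KEY_PATTERNS = [
    (re.compile(r"\\currentversion\\run(once)?(\\|$)"), "Run key persistence"),
    (re.compile(r"\\image file execution options\\"), "IFEO debugger entry"),
    (re.compile(r"\\services\\[^\\]+\\start$"), "service start type changed"),
    (re.compile(r"\\services\\[^\\]+\\imagepath$"), "service binary path changed"),
]


def _norm(path: str) -> str:
    """Lowercase, collapse doubled backslashes, unify hive and ControlSet spellings."""
    p = path.replace("\\\\", "\\").strip().lower()
    for hive, short in (("\\registry\\machine", "hklm"), ("\\registry\\user", "hku"),
                        ("hkey_local_machine", "hklm"), ("hkey_current_user", "hkcu"),
                        ("hklm:", "hklm"), ("hkcu:", "hkcu")):
        if p.startswith(hive):
            p = short + p[len(hive):]
            break
    return re.sub(r"\\controlset\d+\\", r"\\currentcontrolset\\", p)  # ControlSet001 == CurrentControlSet


def check_path(key: str, value_name: str = "", new_data=None) -> list:
    """Findings for one key/value touch; new_data is the written data when known."""
    findings = []
    if "\x00" in key or "\x00" in value_name:  # Reghide / POWELIKS style hidden names
        findings.append("null character in key/value name (Reghide-style hidden entry)")
    full = _norm(key) + ("\\" + value_name.lower() if value_name else "")
    findings += [why for suffix, why in SENSITIVE_VALUES.items() if full.endswith(suffix)]
    findings += [why for pat, why in SENSITIVE_KEY_PATTERNS if pat.search(full)]
    if str(new_data) == "4" and re.search(r"\\services\\[^\\]+\\start$", full):
        findings.append("service disabled (Start=4)")  # the SUNBURST procedure example
    return findings


def triage_4657(event: dict) -> list:
    """Findings for a parsed 4657 (registry value modified) record."""
    return check_path(event.get("ObjectName", ""), event.get("ObjectValueName", ""),
                      event.get("NewValue"))


def _tokens(cmd: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


PS_REG = re.compile(r"(Set|New)-ItemProperty\b.*?-Path\s+['\"]?(HK[A-Z]+:?\\[^'\"\s]+)"
                    r".*?-Name\s+['\"]?([^'\"\s]+)", re.I | re.S)
PS_VALUE = re.compile(r"-Value\s+['\"]?([^'\"\s]+)", re.I)
REG_VERBS = {"add", "delete", "import", "load", "restore", "copy"}


def triage_command_line(cmd: str) -> list:
    """Findings for reg.exe writes and PowerShell *-ItemProperty Registry writes."""
    toks = _tokens(cmd)
    low = [t.lower() for t in toks]
    for i, t in enumerate(low[:-2]):
        if t.rsplit("\\", 1)[-1] not in ("reg", "reg.exe") or low[i + 1] not in REG_VERBS:
            continue
        key, findings = toks[i + 2], ["reg.exe " + low[i + 1]]
        if key.startswith("\\\\") and key.count("\\") >= 3:  # \\HOST\HKLM\... is a remote Registry
            parts = key.split("\\", 3)
            findings.append("remote Registry target " + parts[2])
            key = parts[3]
        value = toks[low.index("/v") + 1] if "/v" in low[:-1] else ""
        data = toks[low.index("/d") + 1] if "/d" in low[:-1] else None
        return findings + check_path(key, value, data)
    m = PS_REG.search(cmd)
    if m:
        data = PS_VALUE.search(cmd)
        return [f"PowerShell {m.group(1)}-ItemProperty"] + check_path(
            m.group(2), m.group(3), data.group(1) if data else None)
    return []


# Constructed sample telemetry (hostname, SID, service name and paths are made up).
SAMPLE_4657 = [
    {"ObjectName": r"\REGISTRY\MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest",
     "ObjectValueName": "UseLogonCredential", "NewValue": "1"},
    {"ObjectName": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "ObjectValueName": "\x00svchost", "NewValue": r"C:\Users\Public\svc.exe"},
    {"ObjectName": r"\REGISTRY\USER\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Explorer",
     "ObjectValueName": "ShellState", "NewValue": "..."},
]
SAMPLE_CMDLINES = [
    r'reg add "HKLM\SYSTEM\CurrentControlSet\services\SensorSvc" /v Start /t REG_DWORD /d 4 /f',
    r'C:\Windows\System32\reg.exe add "\\FILESRV01\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f',
    r'powershell.exe -nop -c "Set-ItemProperty -Path HKLM:\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest -Name UseLogonCredential -Value 1"',
    r'reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion /v ProgramFilesDir',
]


def run_samples() -> dict:
    """Triage every constructed sample; returns {sample_label: findings}."""
    out = {f"4657-{n}": triage_4657(ev) for n, ev in enumerate(SAMPLE_4657, 1)}
    out.update({f"cmd-{n}": triage_command_line(c) for n, c in enumerate(SAMPLE_CMDLINES, 1)})
    return out


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(f"{label}: {findings or 'no finding'}")
```

The benign samples (an Explorer ShellState write and a `reg query`) produce no finding, which is the baseline the detection text warns about: Registry writes are constant, so the value of the alert comes from the key list, not from the event itself.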

References

  1. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  2. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  3. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  4. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  5. Russinovich, M. & Sharkey, K. (2016, July 4). RegDelNull v1.11. Retrieved August 10, 2018.
  6. Miroshnikov, A. & Hall, J. (2017, April 18). 4657(S): A registry value was modified. Retrieved August 9, 2018.
  7. Microsoft. (n.d.). Enable the Remote Registry Service. Retrieved May 1, 2015.
  8. Reitz, B. (2017, July 14). Hiding Registry keys with PSReflect. Retrieved August 9, 2018.
  9. Santos, R. (2014, August 1). POWELIKS: Malware Hides In Windows Registry. Retrieved August 9, 2018.
  10. Russinovich, M. & Sharkey, K. (2006, January 10). Reghide. Retrieved August 9, 2018.
  11. Microsoft. (2012, April 17). Reg. Retrieved May 1, 2015.
  12. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  13. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  14. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  15. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  16. Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  17. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  18. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  19. CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021.
  20. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  21. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  22. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  23. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  24. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  25. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  26. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  27. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  28. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  29. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  30. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  31. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  32. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  33. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  34. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  35. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  36. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  37. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  38. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  39. Syynimaa, N. (2018, October 25). AADInternals. Retrieved February 18, 2022.
  40. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  41. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
  42. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  43. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  44. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  45. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  46. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  47. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  48. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  49. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief. Retrieved July 27, 2020.
  50. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  51. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  52. Klijnsma, Y. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  53. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  54. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  55. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  56. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  57. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  58. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  59. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  60. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  61. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  62. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  63. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  64. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  65. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  66. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  67. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  68. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  69. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  70. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  71. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  72. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  73. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  74. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  75. Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
  76. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  77. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  78. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  79. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  80. Del Fierro, C., Kessem, L. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  81. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  82. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  83. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  84. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  85. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  86. Jazi, H. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  87. Falliere, N., Murchu, L. O., Chien, E. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  88. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  89. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  90. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  91. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  92. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  93. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  94. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  95. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  96. Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
  97. Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  98. Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
  99. Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
  100. Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
  101. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  102. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  103. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  104. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  105. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  106. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  107. Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
  108. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  109. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  110. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  111. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  112. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  113. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  114. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  115. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  116. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  117. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  118. Kopeytsev, V. and Park, S. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  119. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  120. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  121. CISA, FBI, CNMF. (2020, October 27). North Korean Advanced Persistent Threat Focus: Kimsuky (AA20-301A). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  122. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  123. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  124. Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
  125. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  126. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  127. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  128. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  129. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  130. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  131. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  132. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  133. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  134. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  135. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  136. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  137. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  138. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  139. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  140. FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017.
  141. Cherepanov, A. (2018, October). GREYENERGY: A successor to BlackEnergy. Retrieved November 15, 2018.
  142. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  143. CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
  144. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  145. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  146. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  147. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  148. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  149. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  150. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  151. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  152. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  153. Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  154. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  155. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  156. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  157. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  158. Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
  159. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  160. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
  161. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
  162. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  163. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  164. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  165. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  166. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  167. ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
  168. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  169. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  170. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  171. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  172. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  173. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  174. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
