Обфусцированные файлы или данные
Sub-techniques (9)
Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and Deobfuscate/Decode Files or Information for User Execution. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. (Citation: Volexity PowerDuke November 2016) Adversaries may also use compressed or archived scripts, such as JavaScript. Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. (Citation: Linux/Cdorked.A We Live Security Analysis) Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. (Citation: Carbon Black Obfuscation Sept 2016) Adversaries may also obfuscate commands executed from payloads or directly via a Command and Scripting Interpreter. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. (Citation: FireEye Obfuscation June 2017) (Citation: FireEye Revoke-Obfuscation July 2017)(Citation: PaloAlto EncodedCommand March 2017)
Примеры процедур |
|
Название | Описание |
---|---|
Torisma |
Torisma has been Base64 encoded and AES encrypted.(Citation: McAfee Lazarus Nov 2020) |
Aquatic Panda |
Aquatic Panda has encoded commands in Base64.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.(Citation: TrendMicro MacOS April 2018) |
Inception |
Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014) |
USBStealer |
Most strings in USBStealer are encrypted using 3DES and XOR and reversed.(Citation: ESET Sednit USBStealer 2014) |
Emissary |
Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.(Citation: Lotus Blossom Dec 2015)(Citation: Emissary Trojan Feb 2016) |
Kessel |
Kessel's configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018) |
BackdoorDiplomacy |
BackdoorDiplomacy has obfuscated tools and malware it uses with VMProtect.(Citation: ESET BackdoorDiplomacy Jun 2021) |
Raindrop |
Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) |
HEXANE |
HEXANE has used Base64-encoded scripts.(Citation: Kaspersky Lyceum October 2021) |
Ryuk |
Ryuk can use anti-disassembly and code transformation obfuscation techniques.(Citation: CrowdStrike Wizard Spider October 2020) |
Rifdoor |
Rifdoor has encrypted strings with a single byte XOR algorithm.(Citation: Carbon Black HotCroissant April 2020) |
Dark Caracal |
Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018) |
Elderwood |
Elderwood has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012) |
Machete |
Machete employed some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017) |
Operation Wocao |
Operation Wocao has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.(Citation: FoxIT Wocao December 2019) |
Lokibot |
Lokibot has obfuscated strings with base64 encoding.(Citation: Infoblox Lokibot January 2019) |
Leafminer |
Leafminer obfuscated scripts that were used on victim machines.(Citation: Symantec Leafminer July 2018) |
Cobalt Group |
Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.(Citation: Talos Cobalt Group July 2018)(Citation: Morphisec Cobalt Gang Oct 2018) |
Shark |
Shark can use encrypted and encoded files for C2 configuration.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
Ursnif |
Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017) |
PowerStallion |
PowerStallion uses a XOR cipher to encrypt command output written to its OneDrive C2 server.(Citation: ESET Turla PowerShell May 2019) |
Darkhotel |
Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016) |
SynAck |
SynAck payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018) |
Empire |
Empire has the ability to obfuscate commands using |
Transparent Tribe |
Transparent Tribe has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Amadey |
Amadey has obfuscated strings such as antivirus vendor names, domains, files, and others.(Citation: BlackBerry Amadey 2020) |
IceApple |
IceApple can use Base64 and "junk" JavaScript code to obfuscate information.(Citation: CrowdStrike IceApple May 2022) |
PolyglotDuke |
PolyglotDuke can custom encrypt strings.(Citation: ESET Dukes October 2019) |
PowerPunch |
PowerPunch can use Base64-encoded scripts.(Citation: Microsoft Actinium February 2022) |
APT28 |
APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
PUNCHTRACK |
PUNCHTRACK is loaded and executed by a highly obfuscated launcher.(Citation: FireEye Fin8 May 2016) |
ECCENTRICBANDWAGON |
ECCENTRICBANDWAGON has encrypted strings with RC4.(Citation: CISA EB Aug 2020) |
Drovorub |
Drovorub has used XOR encrypted payloads in WebSocket client to server messages.(Citation: NSA/FBI Drovorub August 2020) |
HAWKBALL |
HAWKBALL has encrypted the payload with an XOR-based algorithm.(Citation: FireEye HAWKBALL Jun 2019) |
Skidmap |
Skidmap has encrypted it's main payload using 3DES.(Citation: Trend Micro Skidmap) |
Astaroth |
Astaroth obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020) |
APT18 |
APT18 obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016) |
Valak |
Valak has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020) |
Sakula |
Sakula uses single-byte XOR obfuscation to obfuscate many of its files.(Citation: Dell Sakula) |
Zox |
Zox has been encoded with Base64.(Citation: Novetta-Axiom) |
Rocke |
Rocke has modified UPX headers after packing files to break unpackers.(Citation: Anomali Rocke March 2019) |
PoisonIvy |
PoisonIvy hides any strings related to its own indicators of compromise.(Citation: Symantec Darkmoon Aug 2005) |
Helminth |
The Helminth config file is encrypted with RC4.(Citation: Palo Alto OilRig May 2016) |
Out1 |
Out1 has the ability to encode data.(Citation: Trend Micro Muddy Water March 2021) |
SamSam |
SamSam has been seen using AES or DES to encrypt payloads and payload components.(Citation: Sophos SamSam Apr 2018)(Citation: Talos SamSam Jan 2018) |
Prikormka |
Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.(Citation: ESET Operation Groundbait) |
HTTPBrowser |
HTTPBrowser's code may be obfuscated through structured exception handling and return-oriented programming.(Citation: Dell TG-3390) |
NanHaiShu |
NanHaiShu encodes files in Base64.(Citation: fsecure NanHaiShu July 2016) |
During Frankenstein, the threat actors ran encoded commands from the command line.(Citation: Talos Frankenstein June 2019) |
|
DarkWatchman |
DarkWatchman has used Base64 to encode PowerShell commands. DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.(Citation: Prevailion DarkWatchman 2021) |
Trojan.Karagany |
Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission.(Citation: Secureworks Karagany July 2019) |
APT29 |
APT29 has used encoded PowerShell commands.(Citation: FireEye APT29 Nov 2018) |
GALLIUM |
GALLIUM used a modified version of HTRAN in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.(Citation: Cybereason Soft Cell June 2019) |
Leviathan |
Leviathan has obfuscated code using base64 and gzip compression.(Citation: Proofpoint Leviathan Oct 2017) |
FIN6 |
FIN6 has used encoded PowerShell commands.(Citation: Visa FIN6 Feb 2019) |
Bazar |
Bazar has used XOR, RSA2, and RC4 encrypted files.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
Gallmaker |
Gallmaker obfuscated shellcode used during execution.(Citation: Symantec Gallmaker Oct 2018) |
Saint Bot |
Saint Bot has been obfuscated to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
NanoCore |
NanoCore’s plugins were obfuscated with Eazfuscater.NET 3.3.(Citation: PaloAlto NanoCore Feb 2016) |
LoudMiner |
LoudMiner has obfuscated various scripts and encrypted DMG files.(Citation: ESET LoudMiner June 2019) |
SHOTPUT |
SHOTPUT is obscured using XOR encoding and appended to a valid GIF file.(Citation: FireEye Clandestine Wolf)(Citation: Palo Alto CVE-2015-3113 July 2015) |
SodaMaster |
SodaMaster can use "stackstrings" for obfuscation.(Citation: Securelist APT10 March 2021) |
Sidewinder |
Sidewinder has used base64 encoding and ECDH-P256 encryption for scripts and files.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020) |
CoinTicker |
CoinTicker initially downloads a hidden encoded file.(Citation: CoinTicker 2019) |
BLUELIGHT |
BLUELIGHT has a XOR-encoded payload.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
PipeMon |
PipeMon modules are stored encrypted on disk.(Citation: ESET PipeMon May 2020) |
Molerats |
Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019) |
DCSrv |
DCSrv's configuration is encrypted.(Citation: Checkpoint MosesStaff Nov 2021) |
Turian |
Turian can use VMProtect for obfuscation.(Citation: ESET BackdoorDiplomacy Jun 2021) |
APT39 |
APT39 has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020) |
GravityRAT |
GravityRAT supports file encryption (AES with the key "lolomycin2017").(Citation: Talos GravityRAT) |
Metamorfo |
Metamorfo has encrypted payloads and strings.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) |
ComRAT |
ComRAT has used encryption and base64 to obfuscate its orchestrator code in the Registry. ComRAT has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) |
Lazarus Group |
Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus) |
Final1stspy |
Final1stspy obfuscates strings with base64 encoding.(Citation: Unit 42 Nokki Oct 2018) |
APT33 |
APT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail) |
DustySky |
The DustySky dropper uses a function to obfuscate the name of functions and other parts of the malware.(Citation: DustySky) |
SUNSPOT |
SUNSPOT encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for SUNBURST source code and data extracted from the SolarWinds Orion |
During Night Dragon, threat actors used a DLL that included an XOR-encoded section.(Citation: McAfee Night Dragon) |
|
LightNeuron |
LightNeuron encrypts its configuration files with AES-256.(Citation: ESET LightNeuron May 2019) |
Pillowmint |
Pillowmint has been compressed and stored within a registry key. Pillowmint has also obfuscated the AES key used for encryption.(Citation: Trustwave Pillowmint June 2020) |
DanBot |
DanBot can Base64 encode its payload.(Citation: SecureWorks August 2019) |
FELIXROOT |
FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018) |
Remsec |
Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis) |
Donut |
Donut can generate encrypted, compressed/encoded, or otherwise obfuscated code modules.(Citation: Donut Github) |
H1N1 |
H1N1 uses multiple techniques to obfuscate strings, including XOR.(Citation: Cisco H1N1 Part 1) |
During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.(Citation: McAfee Honeybee) |
|
Sibot |
Sibot has obfuscated scripts used in execution.(Citation: MSTIC NOBELIUM Mar 2021) |
WindTail |
WindTail can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019) |
Kazuar |
Kazuar is obfuscated using the open source ConfuserEx protector. Kazuar also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.(Citation: Unit 42 Kazuar May 2017) |
Grandoreiro |
The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
Milan |
Milan can encode files containing information about the targeted system.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021) |
BLINDINGCAN |
BLINDINGCAN has obfuscated code using Base64 encoding.(Citation: US-CERT BLINDINGCAN Aug 2020) |
KONNI |
KONNI is heavily obfuscated and includes encrypted configuration files.(Citation: Malwarebytes Konni Aug 2021) |
NETWIRE |
NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.(Citation: FireEye NETWIRE March 2019) |
SombRAT |
SombRAT can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
BlackOasis |
BlackOasis's first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.(Citation: Securelist BlackOasis Oct 2017) |
TINYTYPHON |
TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.(Citation: Forcepoint Monsoon) |
Pony |
Pony attachments have been delivered via compressed archive files. Pony also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.(Citation: Malwarebytes Pony April 2016) |
BITTER |
BITTER has used a RAR SFX dropper to deliver malware.(Citation: Forcepoint BITTER Pakistan Oct 2016) |
WhisperGate |
WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
Agent Tesla |
Agent Tesla has had its code obfuscated in an apparent attempt to make analysis difficult.(Citation: Fortinet Agent Tesla April 2018) Agent Tesla has used the Rijndael symmetric encryption algorithm to encrypt strings.(Citation: Malwarebytes Agent Tesla April 2020) |
PowerSploit |
PowerSploit contains a collection of ScriptModification modules that compress and encode scripts and payloads.(Citation: GitHub PowerSploit May 2012)(Citation: PowerSploit Documentation) |
ZxxZ |
ZxxZ has been encoded to avoid detection from static analysis tools.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
PcShare |
PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020) |
TrickBot |
TrickBot uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.(Citation: S2 Grupo TrickBot June 2017) |
Reaver |
Reaver encrypts some of its files with XOR.(Citation: Palo Alto Reaver Nov 2017) |
BOOSTWRITE |
BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.(Citation: FireEye FIN7 Oct 2019) |
Fysbis |
Fysbis has been encrypted using XOR and RC4.(Citation: Fysbis Dr Web Analysis) |
TA505 |
TA505 has password-protected malicious Word documents and used base64 encoded PowerShell commands.(Citation: Proofpoint TA505 Sep 2017)(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019) |
Stuxnet |
Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.(Citation: Symantec W.32 Stuxnet Dossier) |
Higaisa |
Higaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) |
InnaputRAT |
InnaputRAT uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.(Citation: ASERT InnaputRAT April 2018) |
BitPaymer |
BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.(Citation: Crowdstrike Indrik November 2018) |
Kwampirs |
Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.(Citation: Symantec Security Center Trojan.Kwampirs) |
Remexi |
Remexi obfuscates its configuration data with XOR.(Citation: Securelist Remexi Jan 2019) |
MiniDuke |
MiniDuke can use control flow flattening to obscure code.(Citation: ESET Dukes October 2019) |
APT3 |
APT3 obfuscates files or information to help evade defensive measures.(Citation: Symantec Buckeye) |
TEARDROP |
TEARDROP created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Check Point Sunburst Teardrop December 2020)(Citation: Microsoft Deep Dive Solorigate January 2021) |
Matryoshka |
Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding.(Citation: CopyKittens Nov 2015) |
TYPEFRAME |
APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.(Citation: US-CERT TYPEFRAME June 2018) |
Clambling |
The Clambling executable has been obfuscated when dropped on a compromised host.(Citation: Trend Micro DRBControl February 2020) |
FoggyWeb |
FoggyWeb has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021) |
APT19 |
APT19 used Base64 to obfuscate commands and the payload.(Citation: FireEye APT19) |
Shamoon |
Shamoon contains base64-encoded strings.(Citation: Palo Alto Shamoon Nov 2016) |
Wizard Spider |
Wizard Spider used Base64 encoding to obfuscate an Empire service and PowerShell commands.(Citation: FireEye Ryuk and Trickbot January 2019)(Citation: DFIR Ryuk's Return October 2020) |
StrongPity |
StrongPity has used encrypted strings in its dropper component.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020) |
MuddyWater |
MuddyWater has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: GitHub Invoke-Obfuscation) The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: FireEye MuddyWater Mar 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022) |
Patchwork |
Patchwork has obfuscated a script with Crypto Obfuscator.(Citation: TrendMicro Patchwork Dec 2017) |
Hydraq |
Hydraq uses basic obfuscation in the form of spaghetti code.(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Trojan.Hydraq Jan 2010) |
Fox Kitten |
Fox Kitten has base64 encoded scripts and payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
QakBot |
QakBot can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells.(Citation: Cyberint Qakbot May 2021) |
Ember Bear |
Ember Bear has obfuscated malware and malicious scripts to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Bisonal |
Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020) |
Threat Group-3390 |
A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019) |
RedLeaves |
A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
Flagpro |
Flagpro has been delivered within ZIP or RAR password-protected archived files.(Citation: NTT Security Flagpro new December 2021) |
Cuba |
Cuba has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload.(Citation: McAfee Cuba April 2021) |
FlawedGrace |
FlawedGrace encrypts its C2 configuration files with AES in CBC mode.(Citation: Proofpoint TA505 Jan 2019) |
More_eggs |
More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.(Citation: ESET EvilNum July 2020) |
Elise |
Elise encrypts several of its files, including configuration files.(Citation: Lotus Blossom Jun 2015) |
Avenger |
Avenger has the ability to XOR encrypt files to be sent to C2.(Citation: Trend Micro Tick November 2019) |
EnvyScout |
EnvyScout can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021) |
Dridex |
Dridex's strings are obfuscated using RC4.(Citation: Checkpoint Dridex Jan 2021) |
Rising Sun |
Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.(Citation: McAfee Sharpshooter December 2018) |
Goopy |
Goopy's decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.(Citation: Cybereason Cobalt Kitty 2017) |
Ecipekac |
Ecipekac can use XOR, AES, and DES to encrypt loader shellcode.(Citation: Securelist APT10 March 2021) |
NOKKI |
NOKKI uses Base64 encoding for strings.(Citation: Unit 42 NOKKI Sept 2018) |
POSHSPY |
POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.(Citation: FireEye POSHSPY April 2017) |
Dacls |
Dacls can encrypt its configuration file with AES CBC.(Citation: TrendMicro macOS Dacls May 2020) |
SUNBURST |
SUNBURST strings were compressed and encoded in Base64.(Citation: Microsoft Analyzing Solorigate Dec 2020) SUNBURST also obfuscated collected system information using a FNV-1a + XOR algorithm.(Citation: FireEye SUNBURST Backdoor December 2020) |
Remcos |
Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.(Citation: Talos Remcos Aug 2018) |
njRAT |
njRAT has included a base64 encoded executable.(Citation: Trend Micro njRAT 2018) |
Kerrdown |
Kerrdown can encrypt, encode, and compress multiple layers of shellcode.(Citation: Unit 42 KerrDown February 2019) |
UNC2452 |
UNC2452 used encoded PowerShell commands.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks) |
During Operation CuckooBees, the threat actors executed an encoded VBScript file.(Citation: Cybereason OperationCuckooBees May 2022) |
|
Frankenstein |
Frankenstein has run encoded commands from the command line.(Citation: Talos Frankenstein June 2019) |
Chimera |
Chimera has encoded PowerShell commands.(Citation: Cycraft Chimera April 2020) |
PS1 |
PS1 is distributed as a set of encrypted files and scripts.(Citation: BlackBerry CostaRicto November 2020) |
KeyBoy |
In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.(Citation: CitizenLab KeyBoy Nov 2016) |
RainyDay |
RainyDay has downloaded as a XOR-encrypted payload.(Citation: Bitdefender Naikon April 2021) |
Sliver |
Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2) |
FatDuke |
FatDuke can use base64 encoding, string stacking, and opaque predicates for obfuscation.(Citation: ESET Dukes October 2019) |
Silence |
Silence has used environment variable string substitution for obfuscation.(Citation: Cyber Forensicator Silence Jan 2019) |
APT-C-36 |
APT-C-36 has used ConfuserEx to obfuscate its variant of Imminent Monitor, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.(Citation: QiAnXin APT-C-36 Feb2019) |
QUADAGENT |
QUADAGENT was likely obfuscated using Invoke-Obfuscation.(Citation: Unit 42 QUADAGENT July 2018)(Citation: GitHub Invoke-Obfuscation) |
Waterbear |
Waterbear has used RC4 encrypted shellcode and encrypted functions.(Citation: Trend Micro Waterbear December 2019) |
Carbanak |
Carbanak encrypts strings to make analysis more difficult.(Citation: FireEye CARBANAK June 2017) |
Action RAT |
Action RAT's commands, strings, and domains can be Base64 encoded within the payload.(Citation: MalwareBytes SideCopy Dec 2021) |
Winnti for Linux |
Winnti for Linux can encode its configuration file with single-byte XOR encoding.(Citation: Chronicle Winnti for Linux May 2019) |
Small Sieve |
Small Sieve has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials.(Citation: NCSC GCHQ Small Sieve Jan 2022) |
Night Dragon |
A Night Dragon DLL included an XOR-encoded section.(Citation: McAfee Night Dragon) |
Magic Hound |
Magic Hound malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017) |
RogueRobin |
The PowerShell script with the RogueRobin payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.(Citation: Unit 42 DarkHydrus July 2018)(Citation: GitHub Invoke-Obfuscation) |
Seasalt |
Seasalt obfuscates configuration data.(Citation: Mandiant APT1 Appendix) |
FIN8 |
FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021) |
StoneDrill |
StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.(Citation: Kaspersky StoneDrill 2017) |
IcedID |
IcedID has utilzed encrypted binaries and base64 encoded strings.(Citation: Juniper IcedID June 2020) |
Blue Mockingbird |
Blue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020) |
Tropic Trooper |
Tropic Trooper has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020) |
Dust Storm |
Dust Storm has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.(Citation: Cylance Dust Storm) |
SysUpdate |
SysUpdate can encrypt and encode its configuration file.(Citation: Trend Micro Iron Tiger April 2021) |
Chrommme |
Chrommme can encrypt sections of its code to evade detection.(Citation: ESET Gelsemium June 2021) |
Netwalker |
Netwalker's PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. Netwalker's DLL has also been embedded within the PowerShell script in hex format.(Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
Bundlore |
Bundlore has obfuscated data with base64, AES, RC4, and bz2.(Citation: MacKeeper Bundlore Apr 2019) |
KillDisk |
KillDisk uses VMProtect to make reverse engineering the malware more difficult.(Citation: Trend Micro KillDisk 1) |
Attor |
Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.(Citation: ESET Attor Oct 2019) |
ROKRAT |
ROKRAT can encrypt data prior to exfiltration by using an RSA public key.(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021) |
REvil |
REvil has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019) |
Mofang |
Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang) |
P.A.S. Webshell |
P.A.S. Webshell can use encryption and base64 encoding to hide strings and to enforce access control once deployed.(Citation: ANSSI Sandworm January 2021) |
HOMEFRY |
Some strings in HOMEFRY are obfuscated with XOR x56.(Citation: FireEye Periscope March 2018) |
Smoke Loader |
Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018) |
OLDBAIT |
OLDBAIT obfuscates internal strings and unpacks them at startup.(Citation: FireEye APT28) |
Aria-body |
Aria-body has used an encrypted configuration file for its loader.(Citation: CheckPoint Naikon May 2020) |
Mosquito |
Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.(Citation: ESET Turla Mosquito Jan 2018) |
CozyCar |
The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.(Citation: F-Secure CozyDuke) |
Anchor |
Anchor has obfuscated code with stack strings and string encryption.(Citation: Cyberreason Anchor December 2019) |
Daserf |
Daserf uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.(Citation: Trend Micro Daserf Nov 2017) |
YAHOYAH |
YAHOYAH encrypts its configuration file using a simple algorithm.(Citation: TrendMicro TropicTrooper 2015) |
ThreatNeedle |
ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.(Citation: Kaspersky ThreatNeedle Feb 2021) |
Pandora |
Pandora has the ability to compress stings with QuickLZ.(Citation: Trend Micro Iron Tiger April 2021) |
Whitefly |
Whitefly has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019) |
FIN7 |
FIN7 has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye FIN7 Aug 2018)(Citation: CrowdStrike Carbon Spider August 2021) |
Windshift |
Windshift has used string encoding with floating point calculations.(Citation: BlackBerry Bahamut) |
menuPass |
menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020) |
Ke3chang |
Ke3chang has used Base64-encoded shellcode strings.(Citation: Microsoft NICKEL December 2021) |
Ebury |
Ebury has obfuscated its strings with a simple XOR encryption with a static key.(Citation: ESET Ebury Feb 2014) |
TA551 |
TA551 has used obfuscated variable names in a JavaScript configuration file.(Citation: Unit 42 Valak July 2020) |
Conti |
Conti can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls.(Citation: CarbonBlack Conti July 2020)(Citation: Cybereason Conti Jan 2021)(Citation: CrowdStrike Wizard Spider October 2020) |
BendyBear |
BendyBear has encrypted payloads using RC4 and XOR.(Citation: Unit42 BendyBear Feb 2021) |
Kobalos |
Kobalos encrypts all strings using RC4 and bundles all functionality into a single function call.(Citation: ESET Kobalos Feb 2021) |
APT37 |
APT37 obfuscates strings and payloads.(Citation: Talos Group123)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid RokRAT August 2021) |
InvisiMole |
InvisiMole avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
Emotet |
Emotet has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. (Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: ESET Emotet Dec 2018) |
PyDCrypt |
PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.(Citation: Checkpoint MosesStaff Nov 2021) |
Bumblebee |
Bumblebee has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022)(Citation: Medium Ali Salem Bumblebee April 2022) |
ISMInjector |
ISMInjector is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.(Citation: OilRig New Delivery Oct 2017) |
VERMIN |
VERMIN is obfuscated using the obfuscation tool called ConfuserEx.(Citation: Unit 42 VERMIN Jan 2018) |
Kimsuky |
Kimsuky has obfuscated binary strings including the use of XOR encryption and Base64 encoding.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019) Kimsuky has also modified the first byte of DLL implants targeting victims to prevent recognition of the executable file format.(Citation: Talos Kimsuky Nov 2021) |
HermeticWiper |
HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022) |
Micropsia |
Micropsia obfuscates the configuration with a custom Base64 and XOR.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018) |
During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.(Citation: Cylance Dust Storm) |
|
Dtrack |
Dtrack has used a dropper that embeds an encrypted payload as extra data.(Citation: Securelist Dtrack) |
Kevin |
Kevin has Base64-encoded its configuration file.(Citation: Kaspersky Lyceum October 2021) |
Moses Staff |
Moses Staff has used obfuscated web shells in their operations.(Citation: Checkpoint MosesStaff Nov 2021) |
TeamTNT |
TeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020) |
Green Lambert |
Green Lambert has encrypted strings.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
FruitFly |
FruitFly executes and stores obfuscated Perl scripts.(Citation: objsee mac malware 2017) |
During C0015, the threat actors used Base64-encoded strings.(Citation: DFIR Conti Bazar Nov 2021) |
|
Carbon |
Carbon encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.(Citation: ESET Carbon Mar 2017)(Citation: Accenture HyperStack October 2020) |
Diavol |
Diavol has Base64 encoded the RSA public key used for encrypting files.(Citation: Fortinet Diavol July 2021) |
JHUHUGIT |
Many strings in JHUHUGIT are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017) |
Turla |
Turla has used encryption (including salted 3DES via PowerSploit's |
GoldMax |
GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
MCMD |
MCMD can Base64 encode output strings prior to sending to C2.(Citation: Secureworks MCMD July 2019) |
Chinoxy |
Chinoxy has encrypted its configuration file.(Citation: Bitdefender FunnyDream Campaign November 2020) |
ShimRat |
ShimRat has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.(Citation: FOX-IT May 2016 Mofang) |
DOGCALL |
DOGCALL is encrypted using single-byte XOR.(Citation: Unit 42 Nokki Oct 2018) |
SQLRat |
SQLRat has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.(Citation: Flashpoint FIN 7 March 2019) |
Honeybee |
Honeybee drops files with base64-encoded data.(Citation: McAfee Honeybee) |
RCSession |
RCSession can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend Micro DRBControl February 2020) |
AppleSeed |
AppleSeed has the ability to Base64 encode its payload and custom encrypt API calls.(Citation: Malwarebytes Kimsuky June 2021) |
Heyoka Backdoor |
Heyoka Backdoor can encrypt its payload.(Citation: SentinelOne Aoqin Dragon June 2022) |
SHARPSTATS |
SHARPSTATS has used base64 encoding and XOR to obfuscate PowerShell scripts.(Citation: TrendMicro POWERSTATS V3 June 2019) |
BoxCaon |
BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities.(Citation: Checkpoint IndigoZebra July 2021) |
ADVSTORESHELL |
Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.(Citation: Kaspersky Sofacy)(Citation: Bitdefender APT28 Dec 2015) |
BackConfig |
BackConfig has used compressed and decimal encoded VBS scripts.(Citation: Unit 42 BackConfig May 2020) |
Conficker |
Conficker has obfuscated its code to prevent its removal from host machines.(Citation: Trend Micro Conficker) |
GOLD SOUTHFIELD |
GOLD SOUTHFIELD has executed base64 encoded PowerShell scripts on compromised hosts.(Citation: Tetra Defense Sodinokibi March 2020) |
FIVEHANDS |
The FIVEHANDS payload is encrypted with AES-128.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021) |
POWERSTATS |
POWERSTATS uses character replacement, PowerShell environment variables, and XOR encoding to obfuscate code. POWERSTATS's backdoor code is a multi-layer obfuscated, encoded, and compressed blob. (Citation: FireEye MuddyWater Mar 2018)(Citation: ClearSky MuddyWater Nov 2018) POWERSTATS has used PowerShell code with custom string obfuscation (Citation: TrendMicro POWERSTATS V3 June 2019) |
Siloscape |
Siloscape itself is obfuscated and uses obfuscated API calls.(Citation: Unit 42 Siloscape Jun 2021) |
Zeus Panda |
Zeus Panda encrypts strings with XOR and obfuscates the macro code from the initial payload. Zeus Panda also encrypts all configuration and settings in AES and RC4.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017) |
Squirrelwaffle |
Squirrelwaffle has been obfuscated with a XOR-based algorithm.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021) |
HyperBro |
HyperBro can be delivered encrypted to a compromised host.(Citation: Trend Micro DRBControl February 2020) |
STARWHALE |
STARWHALE has been obfuscated with hex-encoded strings.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
Mustang Panda |
Mustang Panda has delivered initial payloads hidden using archives and encoding measures.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: Proofpoint TA416 November 2020)(Citation: Proofpoint TA416 Europe March 2022) |
ShadowPad |
ShadowPad has encrypted its payload, a virtual file system, and various files.(Citation: Securelist ShadowPad Aug 2017)(Citation: TrendMicro EarthLusca 2022) |
During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.(Citation: FoxIT Wocao December 2019) |
|
HotCroissant |
HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.(Citation: Carbon Black HotCroissant April 2020) |
EKANS |
EKANS uses encoded strings in its process kill list.(Citation: FireEye Ransomware Feb 2020) |
LazyScripter |
LazyScripter has leveraged the BatchEncryption tool to perform advanced batch obfuscation and encoding techniques.(Citation: MalwareBytes LazyScripter Feb 2021) |
RegDuke |
RegDuke can use control-flow flattening or the commercially available .NET Reactor for obfuscation.(Citation: ESET Dukes October 2019) |
Sandworm Team |
Sandworm Team has used Base64 encoding within malware variants. Sandworm Team has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.(Citation: iSight Sandworm Oct 2014)(Citation: ESET Telebots Dec 2016) |
Group5 |
Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5) |
Imminent Monitor |
Imminent Monitor has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.(Citation: QiAnXin APT-C-36 Feb2019) |
KGH_SPY |
KGH_SPY has used encrypted strings in its installer.(Citation: Cybereason Kimsuky November 2020) |
SUPERNOVA |
SUPERNOVA contained Base64-encoded strings.(Citation: CISA Supernova Jan 2021) |
Earth Lusca |
Earth Lusca used Base64 to encode strings.(Citation: TrendMicro EarthLusca 2022) |
SoreFang |
SoreFang has the ability to encode and RC6 encrypt data sent to C2.(Citation: CISA SoreFang July 2016) |
Carberp |
Carberp has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011) |
Hancitor |
Hancitor has used Base64 to encode malicious links. Hancitor has also delivered compressed payloads in ZIP files to victims.(Citation: Threatpost Hancitor)(Citation: FireEye Hancitor) |
Putter Panda |
Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.(Citation: CrowdStrike Putter Panda) |
SpeakUp |
SpeakUp encodes its second-stage payload with Base64. (Citation: CheckPoint SpeakUp Feb 2019) |
Pisloader |
Pisloader obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.(Citation: Palo Alto DNS Requests) |
Avaddon |
Avaddon has used encrypted strings.(Citation: Arxiv Avaddon Feb 2021) |
OilRig |
OilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018) |
Hi-Zor |
Hi-Zor uses various XOR techniques to obfuscate its components.(Citation: Fidelis INOCNATION) |
HiddenWasp |
HiddenWasp encrypts its configuration and payload.(Citation: Intezer HiddenWasp Map 2019) |
JPIN |
A JPIN uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.(Citation: Microsoft PLATINUM April 2016) |
CookieMiner |
CookieMiner has used base64 encoding to obfuscate scripts on the system.(Citation: Unit42 CookieMiner Jan 2019) |
GoldenSpy |
GoldenSpy's uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020) |
KOCTOPUS |
KOCTOPUS has obfuscated scripts with the BatchEncryption tool.(Citation: MalwareBytes LazyScripter Feb 2021) |
Taidoor |
Taidoor can use encrypted string blocks for obfuscation.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021) |
RTM |
RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. RTM has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
WastedLocker |
The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.(Citation: NCC Group WastedLocker June 2020) |
For Operation Spalax, the threat actors used XOR-encrypted payloads.(Citation: ESET Operation Spalax Jan 2021) |
|
Winnti for Windows |
Winnti for Windows has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015) |
CARROTBALL |
CARROTBALL has used a custom base64 alphabet to decode files.(Citation: Unit 42 CARROTBAT January 2020) |
Exaramel for Linux |
Exaramel for Linux uses RC4 for encrypting the configuration.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021) |
APT32 |
APT32 uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. APT32 has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019) |
HermeticWizard |
HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.(Citation: ESET Hermetic Wizard March 2022) |
Gamaredon Group |
Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022) |
AppleJeus |
AppleJeus has XOR-encrypted collected system information prior to sending to a C2. AppleJeus has also used the open source ADVObfuscation library for its components.(Citation: CISA AppleJeus Feb 2021) |
Gazer |
Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.(Citation: Securelist WhiteBear Aug 2017) |
DRATzarus |
DRATzarus can be partly encrypted with XOR.(Citation: ClearSky Lazarus Aug 2020) |
Hildegard |
Hildegard has encrypted an ELF file.(Citation: Unit 42 Hildegard Malware) |
PoetRAT |
PoetRAT has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020) |
Ramsay |
Ramsay has base64-encoded its portable executable and hidden itself under a JPG header. Ramsay can also embed information within document footers.(Citation: Eset Ramsay May 2020) |
PUNCHBUGGY |
PUNCHBUGGY has hashed most its code's functions and encrypted payloads with base64 and XOR.(Citation: Morphisec ShellTea June 2019) |
Maze |
Maze has decrypted strings and other important information during the encryption process. Maze also calls certain functions dynamically to hinder analysis.(Citation: McAfee Maze March 2020) |
Gelsemium |
Gelsemium has the ability to compress its components.(Citation: ESET Gelsemium June 2021) |
Volgmer |
A Volgmer variant is encoded using a simple XOR cipher.(Citation: US-CERT Volgmer 2 Nov 2017) |
Epic |
Epic heavily obfuscates its code to make analysis more difficult.(Citation: Kaspersky Turla) |
CORESHELL |
CORESHELL obfuscates strings using a custom stream cipher.(Citation: FireEye APT28) |
PlugX |
PlugX can use API hashing and modify the names of strings to evade detection.(Citation: Trend Micro DRBControl February 2020)(Citation: Proofpoint TA416 Europe March 2022) |
IronNetInjector |
IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.(Citation: Unit 42 IronNetInjector February 2021 ) |
XTunnel |
A version of XTunnel introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.(Citation: ESET Sednit Part 2) |
UBoatRAT |
UBoatRAT encrypts instructions in the payload using a simple XOR cipher.(Citation: PaloAlto UBoatRAT Nov 2017) |
jRAT |
jRAT’s Java payload is encrypted with AES.(Citation: jRAT Symantec Aug 2018) Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of jRAT also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.(Citation: Symantec Frutas Feb 2013) |
OopsIE |
OopsIE uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. OopsIE also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018) |
GrimAgent |
GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.(Citation: Group IB GrimAgent July 2021) |
ShimRatReporter |
ShimRatReporter encrypted gathered information with a combination of shifting and XOR using a static key.(Citation: FOX-IT May 2016 Mofang) |
StreamEx |
StreamEx obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.(Citation: Cylance Shell Crew Feb 2017) |
FunnyDream |
FunnyDream can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets.(Citation: Bitdefender FunnyDream Campaign November 2020) |
APT41 |
APT41 used VMProtected binaries in multiple intrusions.(Citation: FireEye APT41 March 2020) |
SDBbot |
SDBbot has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.(Citation: Proofpoint TA505 October 2019) |
TajMahal |
TajMahal has used an encrypted Virtual File System to store plugins.(Citation: Kaspersky TajMahal April 2019) |
Denis |
Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017) |
FinFisher |
FinFisher is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) |
AuditCred |
AuditCred encrypts the configuration.(Citation: TrendMicro Lazarus Nov 2018) |
Penquin |
Penquin has encrypted strings in the binary for obfuscation.(Citation: Leonardo Turla Penquin May 2020) |
Orz |
Some Orz strings are base64 encoded, such as the embedded DLL known as MockDll.(Citation: Proofpoint Leviathan Oct 2017) |
GreyEnergy |
GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.(Citation: ESET GreyEnergy Oct 2018) |
CARROTBAT |
CARROTBAT has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.(Citation: Unit 42 CARROTBAT November 2018) |
BoomBox |
BoomBox can encrypt data using AES prior to exfiltration.(Citation: MSTIC Nobelium Toolset May 2021) |
Machete |
Machete has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. Machete has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.(Citation: Cylance Machete Mar 2017)(Citation: ESET Machete July 2019) |
Cobalt Strike |
Cobalt Strike can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020) |
Industroyer |
Industroyer uses heavily obfuscated code in its Windows Notepad backdoor.(Citation: ESET Industroyer) |
ZeroT |
ZeroT has encrypted its payload with RC4.(Citation: Proofpoint ZeroT Feb 2017) |
Comnie |
Comnie uses RC4 and Base64 to obfuscate strings.(Citation: Palo Alto Comnie) |
Cardinal RAT |
Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.(Citation: PaloAlto CardinalRat Apr 2017) |
TRITON |
TRITON encoded the two inject.bin and imain.bin payloads.(Citation: FireEye TRITON 2017) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Behavior Prevention on Endpoint |
Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. |
Antivirus/Antimalware |
Use signatures or heuristics to detect malicious software. |
Обнаружение
Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. (Citation: GitHub Revoke-Obfuscation) (Citation: FireEye Revoke-Obfuscation July 2017) (Citation: GitHub Office-Crackros Aug 2016) Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network.
Ссылки
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018.
- Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018.
- Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017.
- Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018.
- Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018.
- Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
- Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
- Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
- Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Brennan, M. (2022, February 16). Hackers No Hashing: Randomizing API Hashes to Evade Cobalt Strike Shellcode Detection. Retrieved August 22, 2022.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
- Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
- Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
- Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
- Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
- Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
- Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
- Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- FinFisher. (n.d.). Retrieved December 20, 2017.
- Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Perez, D.. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019.
- Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
- Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
- Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Choi, S. (2015, August 6). Obfuscated API Functions in Modern Packers. Retrieved August 22, 2022.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
- Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
- Zafra, D., et al. (2020, February 24). Ransomware Against the Machine: How Adversaries are Learning to Disrupt Industrial Production by Targeting IT and OT. Retrieved March 2, 2021.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
- Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
- ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
- Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
- CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
- Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
- Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
- Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
- Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
- Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
- Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
- Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
- Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
- Johnson, B, et. al. (2017, December 14). Attackers Deploy New ICS Attack Framework "TRITON" and Cause Operational Disruption to Critical Infrastructure. Retrieved January 6, 2021.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
- CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
- Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
- Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
- GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
- ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
- BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
- Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.
- Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
- Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
- Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Jason (jxb5151). (2021, January 28). findapihash.py. Retrieved August 22, 2022.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
- M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.