Obfuscated Files or Information: Software Packing
Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)
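To make the mechanism concrete, here is a toy packer in Python. It is an added example, not code from this page or from any packer named on it: the payload, the byte signature a scanner keys on, and the "TPK1" container format (magic, original length, CRC32, zlib stream) are all constructed for the illustration. The point it shows is the one in the paragraph above: the bytes a signature matches are no longer present in the file on disk, and only reappear once the stub rebuilds the code in memory.

```python
"""Toy packer: why a byte signature that matches the original stops matching on disk.

Constructed example. PAYLOAD stands in for machine code, SIGNATURE for the
byte pattern a signature-based scanner keys on, and TPK1 is a hypothetical
container: magic, original length, CRC32 of the original, zlib stream.
"""
import hashlib
import struct
import zlib

MAGIC = b"TPK1"  # hypothetical container magic

# Stand-in for compiled code carrying a string a scanner would key on (constructed).
PAYLOAD = b"\x55\x48\x89\xe5" + b"C2=https://example.invalid/beacon " * 16 + b"\xc3"
SIGNATURE = b"example.invalid/beacon"


def pack(payload: bytes) -> bytes:
    """Compress the payload and prepend the header the stub needs to restore it."""
    body = zlib.compress(payload, 9)
    return MAGIC + struct.pack("<II", len(payload), zlib.crc32(payload)) + body


def unpack(blob: bytes) -> bytes:
    """What the packer's stub does at run time: rebuild the code in memory,
    never writing it back to disk, and refuse anything that fails integrity."""
    if blob[:4] != MAGIC:
        raise ValueError("not a TPK1 container")
    orig_len, crc = struct.unpack("<II", blob[4:12])
    out = zlib.decompress(blob[12:])
    if len(out) != orig_len or zlib.crc32(out) != crc:
        raise ValueError("corrupt payload")
    return out


def scan(data: bytes, signatures=(SIGNATURE,)) -> list:
    """Signature-based scan: return the patterns found in the given bytes."""
    return [s for s in signatures if s in data]


def demo() -> dict:
    """Compare what a file scanner and a memory scanner see for the same payload."""
    packed = pack(PAYLOAD)
    return {
        "orig_sha256": hashlib.sha256(PAYLOAD).hexdigest(),
        "packed_sha256": hashlib.sha256(packed).hexdigest(),
        "hits_on_disk": scan(packed),            # []: the pattern is gone from the file
        "hits_in_memory": scan(unpack(packed)),  # [SIGNATURE]: back once the stub has run
        "ratio": round(len(packed) / len(PAYLOAD), 2),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two consequences follow for defenders: a file hash or byte signature written for the unpacked sample is useless against every repack, and anything that wants to see the original code has to either unpack the sample itself (statically, in an emulator or a sandbox) or scan process memory after the stub has run. The alternative is to detect the packing itself, which is what the Detection section below describes.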
Procedure Examples

Name | Description |
---|---|
Night Dragon | Night Dragon is known to use software packing in its tools.(Citation: McAfee Night Dragon) |
GoldMax | GoldMax has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021) |
Lokibot | Lokibot has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019) |
Cuba | Cuba has a packed payload when delivered.(Citation: McAfee Cuba April 2021) |
VERMIN | VERMIN is initially packed.(Citation: Unit 42 VERMIN Jan 2018) |
China Chopper | China Chopper's client component is packed with UPX.(Citation: Lee 2013) |
C0017 | During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.(Citation: Mandiant APT41) |
Raspberry Robin | Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked at runtime.(Citation: TrendMicro RaspberryRobin 2022) |
Lazarus Group | Lazarus Group has used Themida to pack malicious DLLs and other files.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Nov 2020) |
Raindrop | Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021) |
The White Company | The White Company has obfuscated their payloads through packing.(Citation: Cylance Shaheen Nov 2018) |
Uroburos | Uroburos uses a custom packer.(Citation: Symantec Waterbug)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
Spark | Spark has been packed with Enigma Protector to obfuscate its contents.(Citation: Unit42 Molerat Mar 2020) |
TA2541 | TA2541 has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021) |
NETWIRE | NETWIRE has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020) |
Machete | Machete has been packed with NSIS.(Citation: ESET Machete July 2019) |
AppleSeed | AppleSeed has used UPX packers for its payload DLL.(Citation: Malwarebytes Kimsuky June 2021) |
Daserf | A version of Daserf uses the MPRESS packer.(Citation: Trend Micro Daserf Nov 2017) |
APT41 | APT41 uses packers such as Themida to obfuscate malicious files.(Citation: Rostovcev APT41 2021) |
Dok | Dok is packed with the UPX executable packer.(Citation: hexed osx.dok analysis 2019) |
Dark Caracal | Dark Caracal has used UPX to pack Bandook.(Citation: Lookout Dark Caracal Jan 2018) |
KONNI | KONNI has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022) |
Night Dragon | During Night Dragon, threat actors used software packing in their tools.(Citation: McAfee Night Dragon) |
Operation Spalax | For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.(Citation: ESET Operation Spalax Jan 2021) |
Astaroth | Astaroth uses a software packer called Pe123\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019) |
Aoqin Dragon | Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.(Citation: SentinelOne Aoqin Dragon June 2022) |
Trojan.Karagany | Trojan.Karagany samples sometimes use common binary packers such as UPX and ASPack on top of a custom Delphi binary packer.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
MoustachedBouncer | MoustachedBouncer has used malware plugins packed with Themida.(Citation: MoustachedBouncer ESET August 2023) |
FinFisher | A FinFisher variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017) |
APT39 | APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020) |
Babuk | Versions of Babuk have been packed.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Medium Babuk February 2021) |
Hildegard | Hildegard has packed ELF files into other binaries.(Citation: Unit 42 Hildegard Malware) |
Egregor | Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020) |
TA505 | TA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020) |
Operation Dust Storm | For Operation Dust Storm, the threat actors used UPX to pack some payloads.(Citation: Cylance Dust Storm) |
Volt Typhoon | Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.exe and the port scanning utility ScanLine.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
TrickBot | TrickBot leverages a custom packer to obfuscate its functionality.(Citation: S2 Grupo TrickBot June 2017) |
Lucifer | Lucifer has used UPX-packed binaries.(Citation: Unit 42 Lucifer June 2020) |
GALLIUM | GALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019) |
Donut | Donut can generate packed code modules.(Citation: Donut Github) |
TeamTNT | TeamTNT has used UPX and the Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT) |
APT38 | APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium to pack their implants.(Citation: FireEye APT38 Oct 2018) |
SDBbot | SDBbot has used a packed installer file.(Citation: IBM TA505 April 2020) |
Tomiris | Tomiris has been packed with UPX.(Citation: Kaspersky Tomiris Sep 2021) |
CostaBricks | CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.(Citation: BlackBerry CostaRicto November 2020) |
Latrodectus | The Latrodectus payload has been packed for obfuscation.(Citation: Elastic Latrodectus May 2024) |
Clop | Clop has been packed to help avoid detection.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020) |
FatDuke | FatDuke has been regularly repacked by its operators to create large binaries and evade detection.(Citation: ESET Dukes October 2019) |
Saint Bot | Saint Bot has been packed using a dark market crypter.(Citation: Malwarebytes Saint Bot April 2021) |
Torisma | Torisma has been packed with lz4 compression.(Citation: McAfee Lazarus Nov 2020) |
HotCroissant | HotCroissant has used the open source UPX executable packer.(Citation: Carbon Black HotCroissant April 2020) |
BLINDINGCAN | BLINDINGCAN has been packed with the UPX packer.(Citation: US-CERT BLINDINGCAN Aug 2020) |
Rocke | Rocke's miner has created UPX-packed files in the Windows Start Menu folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019) |
OSX_OCEANLOTUS.D | OSX_OCEANLOTUS.D has a variant that is packed with UPX.(Citation: ESET OceanLotus macOS April 2019) |
Ember Bear | Ember Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Patchwork | A Patchwork payload was packed with UPX.(Citation: Securelist Dropping Elephant) |
jRAT | jRAT payloads have been packed.(Citation: Kaspersky Adwind Feb 2016) |
Zebrocy | Zebrocy's Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
SeaDuke | SeaDuke has been packed with the UPX packer.(Citation: Unit 42 SeaDuke 2015) |
Lazarus Group | Lazarus Group has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020) |
COATHANGER | The first stage of COATHANGER is delivered as a packed file.(Citation: NCSC-NL COATHANGER Feb 2024) |
HyperBro | HyperBro has the ability to pack its payload.(Citation: Trend Micro Iron Tiger April 2021) |
S-Type | Some S-Type samples have been packed with UPX.(Citation: Cylance Dust Storm) |
LiteDuke | LiteDuke has been packed with multiple layers of encryption.(Citation: ESET Dukes October 2019) |
H1N1 | H1N1 uses a custom packing algorithm.(Citation: Cisco H1N1 Part 1) |
2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018) |
Valak | Valak has used packed DLL payloads.(Citation: SentinelOne Valak June 2020) |
DRATzarus | DRATzarus's dropper can be packed with UPX.(Citation: ClearSky Lazarus Aug 2020) |
Kimsuky | Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021) |
ShimRat | ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.(Citation: FOX-IT May 2016 Mofang) |
ZIRCONIUM | ZIRCONIUM has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021) |
Bisonal | Bisonal has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020) |
Operation Dream Job | During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020) |
ZeroT | Some ZeroT DLL files have been packed with UPX.(Citation: Proofpoint ZeroT Feb 2017) |
Squirrelwaffle | Squirrelwaffle has been packed with a custom packer to hide payloads.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021) |
DarkComet | DarkComet has the option to compress its payload using UPX or MPRESS.(Citation: Malwarebytes DarkComet March 2018) |
GreyEnergy | GreyEnergy is packed for obfuscation.(Citation: ESET GreyEnergy Oct 2018) |
Dyre | Dyre has been delivered with encrypted resources and must be unpacked for execution.(Citation: Malwarebytes Dyreza November 2015) |
Melcoz | Melcoz has been packed with VMProtect and Themida.(Citation: Securelist Brazilian Banking Malware July 2020) |
Metamorfo | Metamorfo has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020) |
Threat Group-3390 | Threat Group-3390 has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021) |
yty | yty packs a plugin with UPX.(Citation: ASERT Donot March 2018) |
Emotet | Emotet has used custom packers to protect its payloads.(Citation: Trend Micro Emotet Jan 2019) |
OopsIE | OopsIE uses the SmartAssembly obfuscator to pack an embedded .NET Framework assembly used for C2.(Citation: Unit 42 OopsIE! Feb 2018) |
Saint Bear | Saint Bear clones .NET assemblies from other .NET binaries as well as cloning code signing certificates from other software to obfuscate the initial loader payload.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
CSPY Downloader | CSPY Downloader has been packed with UPX.(Citation: Cybereason Kimsuky November 2020) |
SysUpdate | SysUpdate has been packed with VMProtect.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux) |
Sandworm Team | Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018) |
Mongall | Mongall has been packed with Themida.(Citation: SentinelOne Aoqin Dragon June 2022) |
Misdat | Misdat was typically packed using UPX.(Citation: Cylance Dust Storm) |
FYAnti | FYAnti has used ConfuserEx to pack its .NET module.(Citation: Securelist APT10 March 2021) |
QakBot | QakBot can encrypt and pack malicious payloads.(Citation: Cyberint Qakbot May 2021) |
IcedID | IcedID has packed and encrypted its loader module.(Citation: Juniper IcedID June 2020) |
APT3 | APT3 has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)(Citation: FireEye Clandestine Wolf) |
Anchor | Anchor has come with a packed payload.(Citation: Cyberreason Anchor December 2019) |
Elderwood | Elderwood has packed malware payloads before delivery to victims.(Citation: Symantec Elderwood Sept 2012) |
Bazar | Bazar has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020) |
APT29 | APT29 used UPX to pack files.(Citation: Mandiant No Easy Breach) |
Mitigations

Mitigation | Description |
---|---|
Antivirus/Antimalware | Use signatures or heuristics to detect malicious software. |
Detection
Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.
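The file-scanning checks described above, as an added example that is not code from this page or from any vendor tool: a stdlib-only Python script that parses a PE section table and reports the artifacts analysts look at first (a section name left behind by a known packer, a section with no data on disk but a large virtual size, near-random section contents, a writable and executable section, and an entry point inside a packer section). Both PE images are constructed inside the script so it runs offline; the packer section-name list is a short illustrative sample, not a complete catalogue, and the 7.0 bits-per-byte entropy threshold is an assumed value that a real pipeline would tune.

```python
"""PE section-table triage for packer artifacts (added example, pure stdlib).

Walks DOS header -> PE signature -> COFF header -> section headers and runs
the checks analysts apply first to a suspected packed sample. Both images at
the bottom are constructed here; PACKER_SECTION_NAMES is a short illustrative
sample, not a complete catalogue, and HIGH_ENTROPY is an assumed threshold.
"""
import hashlib
import math
import struct

# Section names documented for UPX, MPRESS, Themida, VMProtect and Enigma (partial).
PACKER_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2", b".MPRESS1", b".MPRESS2",
                        b".themida", b".vmp0", b".vmp1", b".enigma1", b".enigma2"}
HIGH_ENTROPY = 7.0            # bits/byte; compressed or encrypted data sits near 8.0
SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000
SECTION_FMT = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts, n = [0] * 256, len(data)
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(image: bytes) -> tuple:
    """Return (AddressOfEntryPoint, sections); raise on anything that is not a PE."""
    if image[:2] != b"MZ":
        raise ValueError("no MZ header")
    pe = struct.unpack_from("<I", image, 0x3C)[0]            # e_lfanew
    if image[pe:pe + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    n_sections = struct.unpack_from("<H", image, pe + 6)[0]   # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", image, pe + 20)[0]    # COFF SizeOfOptionalHeader
    entry = struct.unpack_from("<I", image, pe + 24 + 16)[0]  # AddressOfEntryPoint
    table, sections = pe + 24 + opt_size, []
    for i in range(n_sections):
        f = struct.unpack_from(SECTION_FMT, image, table + 40 * i)
        raw = image[f[4]:f[4] + f[3]]                          # PointerToRawData, SizeOfRawData
        sections.append({"name": f[0].rstrip(b"\0"), "vsize": f[1], "rva": f[2],
                         "raw_size": f[3], "chars": f[9], "entropy": entropy(raw)})
    return entry, sections

def assess(image: bytes) -> dict:
    """Collect packing indicators. 'suspect' is a triage flag, not a malware verdict."""
    entry, sections = parse_pe(image)
    findings = []
    for s in sections:
        n = s["name"].decode("ascii", "replace")
        known = s["name"] in PACKER_SECTION_NAMES
        if known:
            findings.append(f"{n}: known packer section name")
        if s["raw_size"] == 0 and s["vsize"] >= 0x1000:
            findings.append(f"{n}: no data on disk but 0x{s['vsize']:x} bytes in memory (unpack target)")
        if s["raw_size"] and s["entropy"] >= HIGH_ENTROPY:
            findings.append(f"{n}: entropy {s['entropy']:.2f} (compressed or encrypted)")
        if s["chars"] & SCN_MEM_WRITE and s["chars"] & SCN_MEM_EXECUTE:
            findings.append(f"{n}: writable and executable")
        if known and s["rva"] <= entry < s["rva"] + max(s["vsize"], s["raw_size"]):
            findings.append(f"entry point 0x{entry:x} inside {n}")
    return {"findings": findings, "suspect": bool(findings)}

def build_pe(sections: list, entry_rva: int) -> bytes:
    """Assemble a minimal PE32+ image (headers plus section data, not runnable).
    sections: (name, virtual_size, raw_bytes, characteristics) tuples."""
    opt_size, align = 0xF0, 0x200
    raw_off = -(-(0x40 + 24 + opt_size + 40 * len(sections)) // align) * align
    rva, table, blobs = 0x1000, b"", b""
    for name, vsize, raw, chars in sections:
        ptr = raw_off + len(blobs) if raw else 0
        table += struct.pack(SECTION_FMT, name, vsize, rva, len(raw), ptr, 0, 0, 0, 0, chars)
        blobs += raw + b"\0" * (-len(raw) % align)
        rva += -(-max(vsize, len(raw)) // 0x1000) * 0x1000
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = struct.pack("<HBBIIII", 0x20B, 14, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    hdr = dos + b"PE\0\0" + coff + opt + table
    return hdr.ljust(raw_off, b"\0") + blobs

def _noise(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for a compressed payload (constructed)."""
    out, block = b"", b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]

# Constructed: an ordinary build whose .text holds repetitive "code" ...
CLEAN_PE = build_pe([(b".text", 0x1000, b"\x48\x89\xe5\x90\xc3" * 200, 0x60000020),
                     (b".data", 0x1000, b"config=1\0" * 50, 0xC0000040)], entry_rva=0x1010)
# ... and a UPX-style layout: empty UPX0 reserved for the unpacked code, UPX1
# holding the compressed blob and the stub, entry point inside UPX1.
PACKED_PE = build_pe([(b"UPX0", 0x20000, b"", 0xE0000080),
                      (b"UPX1", 0x2000, _noise(4096), 0xE0000040),
                      (b".rsrc", 0x1000, b"\0" * 200, 0xC0000040)], entry_rva=0x21100)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN_PE), ("packed", PACKED_PE)):
        print(label, assess(img))
```

Treat the output as a triage signal to route the sample to unpacking or sandboxing, not as a verdict: UPX in particular ships with plenty of legitimate software, custom packers avoid the well-known section names, and a packer that keeps low-entropy stub code in the first section will only trip the structural checks. The entropy threshold and name list are the parts to tune against your own corpus.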
References
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
- Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
- Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
- Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
- MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021.
- Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
- fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved October 4, 2021.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.
- M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
- Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
- FinFisher. (n.d.). Retrieved September 12, 2024.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
- Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
- Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
- NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
- Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Xingyu, J. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
- Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Dumont, R. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Reynolds, J. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
- Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
- Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Korban, C., et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Dunwoody, M. and Carr, N. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.