Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Упаковка ПО
Сертификаты СЗИ
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Упаковка ПО
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Obfuscated Files or Information:  Упаковка ПО

ID Название
.001 Добавление в бинарный файл незначащих данных
.002 Упаковка ПО
.003 Стеганография
.004 Компиляция после доставки
.005 Удаление индикаторов компрометации из вредоносных инструментов
.006 Скрытая передача через HTML
.007 Динамическое разрешение API
.008 Перевод полезных нагрузок в трудночитаемый формат
.009 Встроенные полезные нагрузки
.010 Command Obfuscation
.011 Fileless Storage
.012 LNK Icon Smuggling
.013 Encrypted/Encoded File
.014 Polymorphic Code
.015 Compression
.016 Junk Code Insertion
.017 SVG Smuggling

Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.(Citation: ESET FinFisher Jan 2018) Utilities used to perform software packing are called packers. Example packers are MPRESS and UPX. A more comprehensive list of known packers is available, but adversaries may create their own packing techniques that do not leave the same artifacts as well-known packers to evade defenses.(Citation: Awesome Executable Packing)

ID: T1027.002
Относится к технике:  T1027
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: File: File Metadata
Версия: 1.3
Дата создания: 05 Feb 2020
Последнее изменение: 16 Apr 2025

Примеры процедур
Название Описание
Night Dragon

Night Dragon is known to use software packing in its tools.(Citation: McAfee Night Dragon)
GoldMax

GoldMax has been packed for obfuscation.(Citation: FireEye SUNSHUTTLE Mar 2021)
Lokibot

Lokibot has used several packing methods for obfuscation.(Citation: Infoblox Lokibot January 2019)
Cuba

Cuba has a packed payload when delivered.(Citation: McAfee Cuba April 2021)

VERMIN

VERMIN is initially packed.(Citation: Unit 42 VERMIN Jan 2018)
China Chopper

China Chopper's client component is packed with UPX.(Citation: Lee 2013)

During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.(Citation: Mandiant APT41)
Raspberry Robin

Raspberry Robin contains multiple payloads that are packed for defense evasion purposes and unpacked on runtime.(Citation: TrendMicro RaspberryRobin 2022)
Lazarus Group

Lazarus Group has used Themida to pack malicious DLLs and other files.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Nov 2020)
Raindrop

Raindrop used a custom packer for its Cobalt Strike payload, which was compressed using the LZMA algorithm.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Troll Stealer

Troll Stealer has been delivered as a VMProtect-packed binary.(Citation: S2W Troll Stealer 2024)(Citation: ASEC Troll Stealer 2024)
The White Company

The White Company has obfuscated their payloads through packing.(Citation: Cylance Shaheen Nov 2018)
Uroburos

Uroburos uses a custom packer.(Citation: Symantec Waterbug)(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Spark

Spark has been packed with Enigma Protector to obfuscate its contents.(Citation: Unit42 Molerat Mar 2020)

TA2541

TA2541 has used a .NET packer to obfuscate malicious files.(Citation: Cisco Operation Layover September 2021)
NETWIRE

NETWIRE has used .NET packer tools to evade detection.(Citation: Red Canary NETWIRE January 2020)
Machete

Machete has been packed with NSIS.(Citation: ESET Machete July 2019)

AppleSeed

AppleSeed has used UPX packers for its payload DLL.(Citation: Malwarebytes Kimsuky June 2021)
Daserf

A version of Daserf uses the MPRESS packer.(Citation: Trend Micro Daserf Nov 2017)
APT41

APT41 uses packers such as Themida to obfuscate malicious files.(Citation: Rostovcev APT41 2021)
Dok

Dok is packed with an UPX executable packer.(Citation: hexed osx.dok analysis 2019)
Dark Caracal

Dark Caracal has used UPX to pack Bandook.(Citation: Lookout Dark Caracal Jan 2018)
KONNI

KONNI has been packed for obfuscation.(Citation: Malwarebytes KONNI Evolves Jan 2022)
LockBit 3.0

LockBit 3.0 can use code packing to hinder analysis.(Citation: Sentinel Labs LockBit 3.0 JUL 2022)(Citation: INCIBE-CERT LockBit MAR 2024)

During Night Dragon, threat actors used software packing in its tools.(Citation: McAfee Night Dragon)

For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables.(Citation: ESET Operation Spalax Jan 2021)
Astaroth

Astaroth uses a software packer called Pe123\RPolyCryptor.(Citation: Cybereason Astaroth Feb 2019)
Aoqin Dragon

Aoqin Dragon has used the Themida packer to obfuscate malicious payloads.(Citation: SentinelOne Aoqin Dragon June 2022)
Trojan.Karagany

Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)
MoustachedBouncer

MoustachedBouncer has used malware plugins packed with Themida.(Citation: MoustachedBouncer ESET August 2023)
FinFisher

A FinFisher variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)
APT39

APT39 has packed tools with UPX, and has repacked a modified version of Mimikatz to thwart anti-virus detection.(Citation: FireEye APT39 Jan 2019)(Citation: BitDefender Chafer May 2020)
Babuk

Versions of Babuk have been packed.(Citation: Sogeti CERT ESEC Babuk March 2021)(Citation: McAfee Babuk February 2021)(Citation: Medium Babuk February 2021)
StrelaStealer

StrelaStealer variants have used packers to obfuscate payloads and make analysis more difficult.(Citation: PaloAlto StrelaStealer 2024)
Hildegard

Hildegard has packed ELF files into other binaries.(Citation: Unit 42 Hildegard Malware)
Egregor

Egregor's payloads are custom-packed, archived and encrypted to prevent analysis.(Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)
TA505

TA505 has used UPX to obscure malicious code.(Citation: IBM TA505 April 2020)

For Operation Dust Storm, the threat actors used UPX to pack some payloads.(Citation: Cylance Dust Storm)
Volt Typhoon

Volt Typhoon has used the Ultimate Packer for Executables (UPX) to obfuscate the FRP client files BrightmetricAgent.exe and SMSvcService.ex) and the port scanning utility ScanLine.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024)
TrickBot

TrickBot leverages a custom packer to obfuscate its functionality.(Citation: S2 Grupo TrickBot June 2017)
Lucifer

Lucifer has used UPX packed binaries.(Citation: Unit 42 Lucifer June 2020)
GALLIUM

GALLIUM packed some payloads using different types of packers, both known and custom.(Citation: Cybereason Soft Cell June 2019)
Donut

Donut can generate packed code modules.(Citation: Donut Github)

TeamTNT

TeamTNT has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT)
APT38

APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium, to pack their implants.(Citation: FireEye APT38 Oct 2018)
SDBbot

SDBbot has used a packed installer file.(Citation: IBM TA505 April 2020)
Tomiris

Tomiris has been packed with UPX.(Citation: Kaspersky Tomiris Sep 2021)
Sagerunex

Sagerunex has used VMProtect to pack and obscure itself.(Citation: Cisco LotusBlossom 2025)
CostaBricks

CostaBricks can implement a custom-built virtual machine mechanism to obfuscate its code.(Citation: BlackBerry CostaRicto November 2020)
Latrodectus

The Latrodectus payload has been packed for obfuscation.(Citation: Elastic Latrodectus May 2024)
Clop

Clop has been packed to help avoid detection.(Citation: Mcafee Clop Aug 2019)(Citation: Cybereason Clop Dec 2020)
FatDuke

FatDuke has been regularly repacked by its operators to create large binaries and evade detection.(Citation: ESET Dukes October 2019)
Saint Bot

Saint Bot has been packed using a dark market crypter.(Citation: Malwarebytes Saint Bot April 2021)
Torisma

Torisma has been packed with Iz4 compression.(Citation: McAfee Lazarus Nov 2020)
HotCroissant

HotCroissant has used the open source UPX executable packer.(Citation: Carbon Black HotCroissant April 2020)
BLINDINGCAN

BLINDINGCAN has been packed with the UPX packer.(Citation: US-CERT BLINDINGCAN Aug 2020)
Rocke

Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018)(Citation: Unit 42 Rocke January 2019)(Citation: Anomali Rocke March 2019)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a variant that is packed with UPX.(Citation: ESET OceanLotus macOS April 2019)
Ember Bear

Ember Bear has packed malware to help avoid detection.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Patchwork

A Patchwork payload was packed with UPX.(Citation: Securelist Dropping Elephant)
jRAT

jRAT payloads have been packed.(Citation: Kaspersky Adwind Feb 2016)
Zebrocy

Zebrocy's Delphi variant was packed with UPX.(Citation: Unit42 Sofacy Dec 2018)(Citation: Accenture SNAKEMACKEREL Nov 2018)
SeaDuke

SeaDuke has been packed with the UPX packer.(Citation: Unit 42 SeaDuke 2015)
Lazarus Group

Lazarus Group has used Themida to pack at least two separate backdoor implants.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)
COATHANGER

The first stage of COATHANGER is delivered as a packed file.(Citation: NCSC-NL COATHANGER Feb 2024)
HyperBro

HyperBro has the ability to pack its payload.(Citation: Trend Micro Iron Tiger April 2021)
S-Type

Some S-Type samples have been packed with UPX.(Citation: Cylance Dust Storm)
LiteDuke

LiteDuke has been packed with multiple layers of encryption.(Citation: ESET Dukes October 2019)
H1N1

H1N1 uses a custom packing algorithm.(Citation: Cisco H1N1 Part 1)

During the 2016 Ukraine Electric Power Attack, Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018)
Valak

Valak has used packed DLL payloads.(Citation: SentinelOne Valak June 2020)
DRATzarus

DRATzarus's dropper can be packed with UPX.(Citation: ClearSky Lazarus Aug 2020)
Kimsuky

Kimsuky has packed malware with UPX.(Citation: Malwarebytes Kimsuky June 2021)
ShimRat

ShimRat's loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.(Citation: FOX-IT May 2016 Mofang)
ZIRCONIUM

ZIRCONIUM has used multi-stage packers for exploit code.(Citation: Check Point APT31 February 2021)
Bisonal

Bisonal has used the MPRESS packer and similar tools for obfuscation.(Citation: Talos Bisonal Mar 2020)

During Operation Dream Job, Lazarus Group packed malicious .db files with Themida to evade detection.(Citation: ClearSky Lazarus Aug 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)
ZeroT

Some ZeroT DLL files have been packed with UPX.(Citation: Proofpoint ZeroT Feb 2017)
Squirrelwaffle

Squirrelwaffle has been packed with a custom packer to hide payloads.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)
DarkComet

DarkComet has the option to compress its payload using UPX or MPRESS.(Citation: Malwarebytes DarkComet March 2018)
GreyEnergy

GreyEnergy is packed for obfuscation.(Citation: ESET GreyEnergy Oct 2018)
Dyre

Dyre has been delivered with encrypted resources and must be unpacked for execution.(Citation: Malwarebytes Dyreza November 2015)
Melcoz

Melcoz has been packed with VMProtect and Themida.(Citation: Securelist Brazilian Banking Malware July 2020)
Metamorfo

Metamorfo has used VMProtect to pack and protect files.(Citation: Fortinet Metamorfo Feb 2020)

Threat Group-3390

Threat Group-3390 has packed malware and tools, including using VMProtect.(Citation: Trend Micro DRBControl February 2020)(Citation: Trend Micro Iron Tiger April 2021)
yty

yty packs a plugin with UPX.(Citation: ASERT Donot March 2018)
Emotet

Emotet has used custom packers to protect its payloads.(Citation: Trend Micro Emotet Jan 2019)
OopsIE

OopsIE uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2.(Citation: Unit 42 OopsIE! Feb 2018)
Saint Bear

Saint Bear clones .NET assemblies from other .NET binaries as well as cloning code signing certificates from other software to obfuscate the initial loader payload.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
CSPY Downloader

CSPY Downloader has been packed with UPX.(Citation: Cybereason Kimsuky November 2020)
SysUpdate

SysUpdate has been packed with VMProtect.(Citation: Trend Micro Iron Tiger April 2021)(Citation: Lunghi Iron Tiger Linux)
Sandworm Team

Sandworm Team used UPX to pack a copy of Mimikatz.(Citation: Dragos Crashoverride 2018)

Mongall

Mongall has been packed with Themida.(Citation: SentinelOne Aoqin Dragon June 2022)
Misdat

Misdat was typically packed using UPX.(Citation: Cylance Dust Storm)
XLoader

XLoader uses various packers, including CyaX, to obfuscate malicious executables.(Citation: Netskope XLoader 2022)
FYAnti

FYAnti has used ConfuserEx to pack its .NET module.(Citation: Securelist APT10 March 2021)
QakBot

QakBot can encrypt and pack malicious payloads.(Citation: Cyberint Qakbot May 2021)
IcedID

IcedID has packed and encrypted its loader module.(Citation: Juniper IcedID June 2020)
APT3

APT3 has been known to pack their tools.(Citation: APT3 Adversary Emulation Plan)(Citation: FireEye Clandestine Wolf)

Anchor

Anchor has come with a packed payload.(Citation: Cyberreason Anchor December 2019)
Elderwood

Elderwood has packed malware payloads before delivery to victims.(Citation: Symantec Elderwood Sept 2012)
Bazar

Bazar has a variant with a packed payload.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)
APT29

APT29 used UPX to pack files.(Citation: Mandiant No Easy Breach)

Контрмеры
Контрмера Описание
Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures: Signature-Based Detection: - Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file. Heuristic-Based Detection: - Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available. Behavioral Detection (Behavior Prevention): - Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified. Real-Time Scanning: - Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened. Cloud-Assisted Threat Intelligence: - Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks. **Tools for Implementation**: - Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.

Обнаружение

Use file scanning to look for known software packers or artifacts of packing techniques. Packing is not a definitive indicator of malicious activity, because legitimate software may use packing techniques to reduce binary size or to protect proprietary code.

Ссылки

  1. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  2. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  3. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  4. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  5. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  6. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  7. Kafka, F. (2018, January). ESET's Guide to Deobfuscating and Devirtualizing FinFisher. Retrieved August 12, 2019.
  8. Alexandre D'Hondt. (n.d.). Awesome Executable Packing. Retrieved March 11, 2022.
  9. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  10. Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
  11. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  12. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  13. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  14. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  15. Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
  16. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  17. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  18. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  19. AhnLab ASEC. (2024, February 16). TrollAgent That Infects Systems Upon Security Program Installation Process (Kimsuky Group). Retrieved January 17, 2025.
  20. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  21. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
  22. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  23. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  24. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  25. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  26. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  27. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  28. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  29. Nikita Rostovcev. (2022, August 18). APT41 World Tour 2021 on a tight schedule. Retrieved February 22, 2024.
  30. fluffybunny. (2019, July 9). OSX.Dok Analysis. Retrieved November 17, 2024.
  31. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  32. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.
  33. Walter, J. (2022, July 21). LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques. Retrieved February 5, 2025.
  34. INCIBE-CERT. (2024, March 14). LockBit: response and recovery actions. Retrieved February 5, 2025.
  35. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  36. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  37. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  38. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  39. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  40. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  41. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  42. Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018.
  43. FinFisher. (n.d.). Retrieved September 12, 2024.
  44. Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
  45. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  46. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
  47. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  48. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  49. Benjamin Chang, Goutam Tripathy, Pranay Kumar Chhaparwal, Anmol Maurya & Vishwa Thothathri, Palo Alto Networks. (2024, March 22). Large-Scale StrelaStealer Campaign in Early 2024. Retrieved December 31, 2024.
  50. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  51. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
  52. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  53. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  54. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  55. CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
  56. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  57. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  58. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  59. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  60. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  61. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 17, 2024.
  62. Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
  63. Joey Chen, Cisco Talos. (2025, February 27). Lotus Blossom espionage group targets multiple industries with different versions of Sagerunex and hacking tools. Retrieved March 15, 2025.
  64. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  65. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  66. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  67. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  68. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  69. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  70. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  71. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  72. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  73. Xingyu, J.. (2019, January 17). Malware Used by Rocke Group Evolves to Evade Detection by Cloud Security Products. Retrieved May 26, 2020.
  74. Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  75. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  76. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  77. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  78. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  79. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  80. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  81. Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
  82. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  83. Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016.
  84. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  85. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  86. Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021.
  87. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  88. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  89. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  90. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  91. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  92. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  93. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  94. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  95. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  96. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  97. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  98. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  99. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  100. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  101. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  102. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  103. Gustavo Palazolo, Netskope. (2022, March 11). New Formbook Campaign Delivered Through Phishing Emails. Retrieved March 11, 2025.
  104. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  105. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  106. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  107. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
  108. Korban, C, et al. (2017, September). APT3 Adversary Emulation Plan. Retrieved January 16, 2018.
  109. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  110. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
  111. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
  112. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  113. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.