Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Encrypted/Encoded File
CVE уязвимости
БДУ ФСТЭК уязвимости
НКЦКИ уязвимости
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Encrypted/Encoded File
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Obfuscated Files or Information:  Encrypted/Encoded File

ID Название
.001 Добавление в бинарный файл незначащих данных
.002 Упаковка ПО
.003 Стеганография
.004 Компиляция после доставки
.005 Удаление индикаторов компрометации из вредоносных инструментов
.006 Скрытая передача через HTML
.007 Динамическое разрешение API
.008 Перевод полезных нагрузок в трудночитаемый формат
.009 Встроенные полезные нагрузки
.010 Command Obfuscation
.011 Fileless Storage
.012 LNK Icon Smuggling
.013 Encrypted/Encoded File
.014 Polymorphic Code

Adversaries may encrypt or encode files to obfuscate strings, bytes, and other specific patterns to impede detection. Encrypting and/or encoding file content aims to conceal malicious artifacts within a file used in an intrusion. Many other techniques, such as Software Packing, Steganography, and Embedded Payloads, share this same broad objective. Encrypting and/or encoding files could lead to a lapse in detection of static signatures, only for this malicious content to be revealed (i.e., Deobfuscate/Decode Files or Information) at the time of execution/use. This type of file obfuscation can be applied to many file artifacts present on victim hosts, such as malware log/configuration and payload files.(Citation: File obfuscation) Files can be encrypted with a hardcoded or user-supplied key, as well as otherwise obfuscated using standard encoding/compression schemes such as Base64. The entire content of a file may be obfuscated, or just specific functions or values (such as C2 addresses). Encryption and encoding may also be applied in redundant layers for additional protection. For example, adversaries may abuse password-protected Word documents or self-extracting (SFX) archives as a method of encrypting/encoding a file such as a Phishing payload. These files typically function by attaching the intended archived content to a decompressor stub that is executed when the file is invoked (e.g., User Execution).(Citation: SFX - Encrypted/Encoded File) Adversaries may also abuse file-specific as well as custom encoding schemes. For example, Byte Order Mark (BOM) headers in text files may be abused to manipulate and obfuscate file content until Command and Scripting Interpreter execution.

ID: T1027.013
Относится к технике:  T1027
Тактика(-и): Defense Evasion
Платформы: Linux, macOS, Windows
Источники данных: File: File Creation, File: File Metadata
Дата создания: 29 Mar 2024
Последнее изменение: 15 Oct 2024

Примеры процедур
Название Описание
DEADEYE

DEADEYE has encrypted its payload.(Citation: Mandiant APT41)
Torisma

Torisma has been Base64 encoded and AES encrypted.(Citation: McAfee Lazarus Nov 2020)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.(Citation: TrendMicro MacOS April 2018)
Inception

Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.(Citation: Kaspersky Cloud Atlas December 2014)
USBStealer

Most strings in USBStealer are encrypted using 3DES and XOR and reversed.(Citation: ESET Sednit USBStealer 2014)
Emissary

Variants of Emissary encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.(Citation: Lotus Blossom Dec 2015)(Citation: Emissary Trojan Feb 2016)
Cuckoo Stealer

Cuckoo Stealer strings are XOR-encrypted.(Citation: Kandji Cuckoo April 2024)(Citation: SentinelOne Cuckoo Stealer May 2024)
Kessel

Kessel's configuration is hardcoded and RC4 encrypted within the binary.(Citation: ESET ForSSHe December 2018)
Raindrop

Raindrop encrypted its payload using a simple XOR algorithm with a single-byte key.(Citation: Symantec RAINDROP January 2021)(Citation: Microsoft Deep Dive Solorigate January 2021)
Rifdoor

Rifdoor has encrypted strings with a single byte XOR algorithm.(Citation: Carbon Black HotCroissant April 2020)
Dark Caracal

Dark Caracal has obfuscated strings in Bandook by base64 encoding, and then encrypting them.(Citation: Lookout Dark Caracal Jan 2018)
Elderwood

Elderwood has encrypted documents and malicious executables.(Citation: Symantec Elderwood Sept 2012)
Shark

Shark can use encrypted and encoded files for C2 configuration.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)
Ursnif

Ursnif has used an XOR-based algorithm to encrypt Tor clients dropped to disk.(Citation: ProofPoint Ursnif Aug 2016) Ursnif droppers have also been delivered as password-protected zip files that execute base64 encoded PowerShell commands.(Citation: Bromium Ursnif Mar 2017)
ROADSWEEP

The ROADSWEEP binary contains RC4 encrypted embedded scripts.(Citation: Mandiant ROADSWEEP August 2022)(Citation: CISA Iran Albanian Attacks September 2022)(Citation: Microsoft Albanian Government Attacks September 2022)
Darkhotel

Darkhotel has obfuscated code using RC4, XOR, and RSA.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)
Transparent Tribe

Transparent Tribe has dropped encoded executables on compromised hosts.(Citation: Proofpoint Operation Transparent Tribe March 2016)
Ninja

The Ninja payload is XOR encrypted and compressed.(Citation: Kaspersky ToddyCat Check Logs October 2023) Ninja has also XORed its configuration data with a constant value of `0xAA` and compressed it with the LZSS algorithm.(Citation: Kaspersky ToddyCat June 2022)(Citation: Kaspersky ToddyCat Check Logs October 2023)
APT28

APT28 encrypted a .dll payload using RTL and a custom encryption algorithm. APT28 has also obfuscated payloads with base64, XOR, and RC4.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Palo Alto Sofacy 06-2018)(Citation: Talos Seduploader Oct 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)
HAWKBALL

HAWKBALL has encrypted the payload with an XOR-based algorithm.(Citation: FireEye HAWKBALL Jun 2019)
Skidmap

Skidmap has encrypted it's main payload using 3DES.(Citation: Trend Micro Skidmap)

Astaroth

Astaroth has used an XOR-based algorithm to encrypt payloads twice with different keys.(Citation: Securelist Brazilian Banking Malware July 2020)
APT18

APT18 obfuscates strings in the payload.(Citation: PaloAlto DNS Requests May 2016)
KEYPLUG

KEYPLUG can use a hardcoded one-byte XOR encoded configuration file.(Citation: Mandiant APT41)
Sakula

Sakula uses single-byte XOR obfuscation to obfuscate many of its files.(Citation: Dell Sakula)
Zox

Zox has been encoded with Base64.(Citation: Novetta-Axiom)
Helminth

The Helminth config file is encrypted with RC4.(Citation: Palo Alto OilRig May 2016)
SamSam

SamSam has been seen using AES or DES to encrypt payloads and payload components.(Citation: Sophos SamSam Apr 2018)(Citation: Talos SamSam Jan 2018)
Prikormka

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.(Citation: ESET Operation Groundbait)
NanHaiShu

NanHaiShu encodes files in Base64.(Citation: fsecure NanHaiShu July 2016)
DarkWatchman

DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims.(Citation: Prevailion DarkWatchman 2021)
metaMain

metaMain's module file has been encrypted via XOR.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
Leviathan

Leviathan has obfuscated code using base64 and gzip compression.(Citation: Proofpoint Leviathan Oct 2017)
Bazar

Bazar has used XOR, RSA2, and RC4 encrypted files.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020)
LoudMiner

LoudMiner has encrypted DMG files.(Citation: ESET LoudMiner June 2019)

Sidewinder

Sidewinder has used base64 encoding and ECDH-P256 encryption for payloads.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Cyble Sidewinder September 2020)
BLUELIGHT

BLUELIGHT has a XOR-encoded payload.(Citation: Volexity InkySquid BLUELIGHT August 2021)
PipeMon

PipeMon modules are stored encrypted on disk.(Citation: ESET PipeMon May 2020)
Woody RAT

Woody RAT has used Base64 encoded strings and scripts.(Citation: MalwareBytes WoodyRAT Aug 2022)
Molerats

Molerats has delivered compressed executables within ZIP files to victims.(Citation: Kaspersky MoleRATs April 2019)
DCSrv

DCSrv's configuration is encrypted.(Citation: Checkpoint MosesStaff Nov 2021)
APT39

APT39 has used malware to drop encrypted CAB files.(Citation: FBI FLASH APT39 September 2020)
GravityRAT

GravityRAT supports file encryption (AES with the key "lolomycin2017").(Citation: Talos GravityRAT)
Metamorfo

Metamorfo has encrypted payloads and strings.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019)
Lazarus Group

Lazarus Group has used multiple types of encryption and encoding for their payloads, including AES, Caracachs, RC4, XOR, Base64, and other tricks such as creating aliases in code for Native API function names.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Saint Bear

Saint Bear initial payloads included encoded follow-on payloads located in the resources file of the first-stage loader.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
APT33

APT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail)

During Night Dragon, threat actors used a DLL that included an XOR-encoded section.(Citation: McAfee Night Dragon)
LightNeuron

LightNeuron encrypts its configuration files with AES-256.(Citation: ESET LightNeuron May 2019)
DanBot

DanBot can Base64 encode its payload.(Citation: SecureWorks August 2019)
FELIXROOT

FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)
Remsec

Some data in Remsec is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis)
SocGholish

The SocGholish JavaScript payload has been delivered within a compressed ZIP archive.(Citation: Red Canary SocGholish March 2024)(Citation: Secureworks Gold Prelude Profile) SocGholish has also single or double Base-64 encoded references to its second-stage server URLs.(Citation: SentinelOne SocGholish Infrastructure November 2022)
DUSTTRAP

DUSTTRAP begins with an initial launcher that decrypts an AES-128-CFB encrypted file on disk and executes it in memory.(Citation: Google Cloud APT41 2024)

During Operation Honeybee, the threat actors used Base64 to encode files with a custom key.(Citation: McAfee Honeybee)
WindTail

WindTail can be delivered as a compressed, encrypted, and encoded payload.(Citation: objective-see windtail2 jan 2019)
Grandoreiro

The Grandoreiro payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020)
Milan

Milan can encode files containing information about the targeted system.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)
BLINDINGCAN

BLINDINGCAN has obfuscated code using Base64 encoding.(Citation: US-CERT BLINDINGCAN Aug 2020)
KONNI

KONNI is heavily obfuscated and includes encrypted configuration files.(Citation: Malwarebytes Konni Aug 2021)
TINYTYPHON

TINYTYPHON has used XOR with 0x90 to obfuscate its configuration file.(Citation: Forcepoint Monsoon)
BITTER

BITTER has used a RAR SFX dropper to deliver malware.(Citation: Forcepoint BITTER Pakistan Oct 2016)
WhisperGate

WhisperGate can Base64 encode strings, store downloaded files in reverse byte order, and use the Eazfuscator tool to obfuscate its third stage.(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)(Citation: RecordedFuture WhisperGate Jan 2022)
ZxxZ

ZxxZ has been encoded to avoid detection from static analysis tools.(Citation: Cisco Talos Bitter Bangladesh May 2022)
PcShare

PcShare has been encrypted with XOR using different 32-long Base16 strings and compressed with LZW algorithm.(Citation: Bitdefender FunnyDream Campaign November 2020)
DarkGate

DarkGate drops an encrypted PE file, pe.bin, and decrypts it during installation.(Citation: Ensilo Darkgate 2018) DarkGate also uses custom base64 encoding schemas in later variations to obfuscate payloads.(Citation: Trellix Darkgate 2023)
Reaver

Reaver encrypts some of its files with XOR.(Citation: Palo Alto Reaver Nov 2017)
BOOSTWRITE

BOOSTWRITE has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.(Citation: FireEye FIN7 Oct 2019)
Fysbis

Fysbis has been encrypted using XOR and RC4.(Citation: Fysbis Dr Web Analysis)

TA505

TA505 has password-protected malicious Word documents.(Citation: Proofpoint TA505 Sep 2017)
Stuxnet

Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Higaisa

Higaisa used Base64 encoded compressed payloads.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)
BitPaymer

BitPaymer has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.(Citation: Crowdstrike Indrik November 2018)
Kwampirs

Kwampirs downloads additional files that are base64-encoded and encrypted with another cipher.(Citation: Symantec Security Center Trojan.Kwampirs)
Remexi

Remexi obfuscates its configuration data with XOR.(Citation: Securelist Remexi Jan 2019)
TYPEFRAME

APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR.(Citation: US-CERT TYPEFRAME June 2018)
FoggyWeb

FoggyWeb has been XOR-encoded.(Citation: MSTIC FoggyWeb September 2021)
APT19

APT19 used Base64 to obfuscate payloads.(Citation: FireEye APT19)
StrongPity

StrongPity has used encrypted strings in its dropper component.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)
Fox Kitten

Fox Kitten has base64 encoded payloads to avoid detection.(Citation: CISA AA20-259A Iran-Based Actor September 2020)
VersaMem

VersaMem encrypted captured credentials with AES then Base64 encoded them before writing to local storage.(Citation: Lumen Versa 2024)
Bisonal

Bisonal's DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)
Raccoon Stealer

Raccoon Stealer uses RC4 encryption for strings and command and control addresses to evade static detection.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022)
Threat Group-3390

A Threat Group-3390 tool can encrypt payloads using XOR. Threat Group-3390 malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Securelist LuckyMouse June 2018)(Citation: Unit42 Emissary Panda May 2019)
RedLeaves

A RedLeaves configuration file is encrypted with a simple XOR key, 0x53.(Citation: PWC Cloud Hopper Technical Annex April 2017)
FlawedGrace

FlawedGrace encrypts its C2 configuration files with AES in CBC mode.(Citation: Proofpoint TA505 Jan 2019)
More_eggs

More_eggs's payload has been encrypted with a key that has the hostname and processor family information appended to the end.(Citation: ESET EvilNum July 2020)
Elise

Elise encrypts several of its files, including configuration files.(Citation: Lotus Blossom Jun 2015)
Avenger

Avenger has the ability to XOR encrypt files to be sent to C2.(Citation: Trend Micro Tick November 2019)
EnvyScout

EnvyScout can Base64 encode payloads.(Citation: MSTIC Nobelium Toolset May 2021)
Rising Sun

Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.(Citation: McAfee Sharpshooter December 2018)

LunarMail

LunarMail has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.(Citation: ESET Turla Lunar toolset May 2024)
Mispadu

Mispadu uses a custom algorithm to obfuscate its internal strings and uses hardcoded keys.(Citation: ESET Security Mispadu Facebook Ads 2019) Mispadu also uses encoded configuration files and has encoded payloads using Base64.(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021)(Citation: SCILabs Malteiro Threat Overlap 2023)
Dacls

Dacls can encrypt its configuration file with AES CBC.(Citation: TrendMicro macOS Dacls May 2020)
njRAT

njRAT has included a base64 encoded executable.(Citation: Trend Micro njRAT 2018)
TA2541

TA2541 has used compressed and char-encoded scripts in operations.(Citation: Cisco Operation Layover September 2021)

IPsec Helper

IPsec Helper contains an embedded XML configuration file with an encrypted list of command and control servers. These are written to an external configuration file during execution.(Citation: SentinelOne Agrius 2021)
DUSTPAN

DUSTPAN decrypts an embedded payload.(Citation: Google Cloud APT41 2024)(Citation: Google Cloud APT41 2022)
PS1

PS1 is distributed as a set of encrypted files and scripts.(Citation: BlackBerry CostaRicto November 2020)
KeyBoy

In one version of KeyBoy, string obfuscation routines were used to hide many of the critical values referenced in the malware.(Citation: CitizenLab KeyBoy Nov 2016)
RainyDay

RainyDay has downloaded as a XOR-encrypted payload.(Citation: Bitdefender Naikon April 2021)
Sliver

Sliver can encrypt strings at compile time.(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2)
Waterbear

Waterbear has used RC4 encrypted shellcode and encrypted functions.(Citation: Trend Micro Waterbear December 2019)
Malteiro

Malteiro has used scripts encoded in Base64 certificates to distribute malware to victims.(Citation: SCILabs Malteiro Threat Overlap 2023)
Winnti for Linux

Winnti for Linux can encode its configuration file with single-byte XOR encoding.(Citation: Chronicle Winnti for Linux May 2019)
Magic Hound

Magic Hound malware has used base64-encoded files and has also encrypted embedded strings with AES.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: Microsoft Iranian Threat Actor Trends November 2021)
Seasalt

Seasalt obfuscates configuration data.(Citation: Mandiant APT1 Appendix)
StoneDrill

StoneDrill has obfuscated its module with an alphabet-based table or XOR encryption.(Citation: Kaspersky StoneDrill 2017)
IcedID

IcedID has utilzed encrypted binaries and base64 encoded strings.(Citation: Juniper IcedID June 2020)
Blue Mockingbird

Blue Mockingbird has obfuscated the wallet address in the payload binary.(Citation: RedCanary Mockingbird May 2020)
DEADWOOD

DEADWOOD contains an embedded, AES-encrypted resource named METADATA that contains configuration information for follow-on execution.(Citation: SentinelOne Agrius 2021)
Tropic Trooper

Tropic Trooper has encrypted configuration files.(Citation: TrendMicro Tropic Trooper Mar 2018)(Citation: TrendMicro Tropic Trooper May 2020)
SysUpdate

SysUpdate can encrypt and encode its configuration file.(Citation: Trend Micro Iron Tiger April 2021)
Chrommme

Chrommme can encrypt sections of its code to evade detection.(Citation: ESET Gelsemium June 2021)
LunarWeb

The LunarWeb install files have been encrypted with AES-256.(Citation: ESET Turla Lunar toolset May 2024)
Attor

Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.(Citation: ESET Attor Oct 2019)
REvil

REvil has used encrypted strings and configuration files.(Citation: G Data Sodinokibi June 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Picus Sodinokibi January 2020)(Citation: Secureworks REvil September 2019)
Mofang

Mofang has compressed the ShimRat executable within malicious email attachments. Mofang has also encrypted payloads before they are downloaded to victims.(Citation: FOX-IT May 2016 Mofang)
HOMEFRY

Some strings in HOMEFRY are obfuscated with XOR x56.(Citation: FireEye Periscope March 2018)
Smoke Loader

Smoke Loader uses a simple one-byte XOR method to obfuscate values in the malware.(Citation: Malwarebytes SmokeLoader 2016)(Citation: Talos Smoke Loader July 2018)
Aria-body

Aria-body has used an encrypted configuration file for its loader.(Citation: CheckPoint Naikon May 2020)
Mosquito

Mosquito’s installer is obfuscated with a custom crypter to obfuscate the installer.(Citation: ESET Turla Mosquito Jan 2018)
CozyCar

The payload of CozyCar is encrypted with simple XOR with a rotating key. The CozyCar configuration file has been encrypted with RC4 keys.(Citation: F-Secure CozyDuke)
YAHOYAH

YAHOYAH encrypts its configuration file using a simple algorithm.(Citation: TrendMicro TropicTrooper 2015)
ThreatNeedle

ThreatNeedle has been compressed and obfuscated using RC4, AES, or XOR.(Citation: Kaspersky ThreatNeedle Feb 2021)
BADHATCH

BADHATCH can be compressed with the ApLib algorithm.(Citation: BitDefender BADHATCH Mar 2021)

APT41 DUST used encrypted payloads decrypted and executed in memory.(Citation: Google Cloud APT41 2024)
Whitefly

Whitefly has encrypted the payload used for C2.(Citation: Symantec Whitefly March 2019)

menuPass

menuPass has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.(Citation: Accenture Hogfish April 2018)(Citation: FireEye APT10 Sept 2018)(Citation: Symantec Cicada November 2020)
BendyBear

BendyBear has encrypted payloads using RC4 and XOR.(Citation: Unit42 BendyBear Feb 2021)
PyDCrypt

PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase.(Citation: Checkpoint MosesStaff Nov 2021)
VERMIN

VERMIN is obfuscated using the obfuscation tool called ConfuserEx.(Citation: Unit 42 VERMIN Jan 2018)
HermeticWiper

HermeticWiper can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm.(Citation: Symantec Ukraine Wipers February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: Qualys Hermetic Wiper March 2022)
Micropsia

Micropsia obfuscates the configuration with a custom Base64 and XOR.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

During Operation Dust Storm, the threat actors encoded some payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key; other payloads were Base64-encoded.(Citation: Cylance Dust Storm)
Kevin

Kevin has Base64-encoded its configuration file.(Citation: Kaspersky Lyceum October 2021)
Moses Staff

Moses Staff has used obfuscated web shells in their operations.(Citation: Checkpoint MosesStaff Nov 2021)
TeamTNT

TeamTNT has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020)
JHUHUGIT

Many strings in JHUHUGIT are obfuscated with a XOR algorithm.(Citation: F-Secure Sofacy 2015)(Citation: ESET Sednit Part 1)(Citation: Talos Seduploader Oct 2017)
GoldMax

GoldMax has written AES-encrypted and Base64-encoded configuration files to disk.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021)
Chinoxy

Chinoxy has encrypted its configuration file.(Citation: Bitdefender FunnyDream Campaign November 2020)
DOGCALL

DOGCALL is encrypted using single-byte XOR.(Citation: Unit 42 Nokki Oct 2018)
RCSession

RCSession can compress and obfuscate its strings to evade detection on a compromised host.(Citation: Trend Micro DRBControl February 2020)
Heyoka Backdoor

Heyoka Backdoor can encrypt its payload.(Citation: SentinelOne Aoqin Dragon June 2022)
Metador

Metador has encrypted their payloads.(Citation: SentinelLabs Metador Sept 2022)
FIVEHANDS

The FIVEHANDS payload is encrypted with AES-128.(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)
Zeus Panda

Zeus Panda encrypts strings with XOR. Zeus Panda also encrypts all configuration and settings in AES and RC4.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)
Squirrelwaffle

Squirrelwaffle has been obfuscated with a XOR-based algorithm.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)
HyperBro

HyperBro can be delivered encrypted to a compromised host.(Citation: Trend Micro DRBControl February 2020)
STARWHALE

STARWHALE has been obfuscated with hex-encoded strings.(Citation: DHS CISA AA22-055A MuddyWater February 2022)
HotCroissant

HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.(Citation: Carbon Black HotCroissant April 2020)
Group5

Group5 disguised its malicious binaries with several layers of obfuscation, including encrypting the files.(Citation: Citizen Lab Group5)

During Operation Dream Job, Lazarus Group encrypted malware such as DRATzarus with XOR and DLL files with base64.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020)(Citation: McAfee Lazarus Jul 2020)(Citation: McAfee Lazarus Nov 2020)
KGH_SPY

KGH_SPY has used encrypted strings in its installer.(Citation: Cybereason Kimsuky November 2020)
SUPERNOVA

SUPERNOVA contained Base64-encoded strings.(Citation: CISA Supernova Jan 2021)
Carberp

Carberp has used XOR-based encryption to mask C2 server locations within the trojan.(Citation: Prevx Carberp March 2011)
Putter Panda

Droppers used by Putter Panda use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.(Citation: CrowdStrike Putter Panda)
Emotet

Emotet uses obfuscated URLs to download a ZIP file.(Citation: emotet_trendmicro_mar2023)
SpeakUp

SpeakUp encodes its second-stage payload with Base64. (Citation: CheckPoint SpeakUp Feb 2019)
OilRig

OilRig has encrypted and encoded data in its malware, including by using base64.(Citation: FireEye APT34 Dec 2017)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Unit42 OilRig Playbook 2023)(Citation: Crowdstrike Helix Kitten Nov 2018)(Citation: Unit42 OilRig Nov 2018)
Mafalda

Mafalda has been obfuscated and contains encrypted functions.(Citation: SentinelLabs Metador Sept 2022)
Hi-Zor

Hi-Zor uses various XOR techniques to obfuscate its components.(Citation: Fidelis INOCNATION)
HiddenWasp

HiddenWasp encrypts its configuration and payload.(Citation: Intezer HiddenWasp Map 2019)
Latrodectus

Latrodectus has used a pseudo random number generator (PRNG) algorithm and a rolling XOR key to obfuscate strings.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
GoldenSpy

GoldenSpy's uninstaller has base64-encoded its variables. (Citation: Trustwave GoldenSpy2 June 2020)
Taidoor

Taidoor can use encrypted string blocks for obfuscation.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
WastedLocker

The WastedLocker payload includes encrypted strings stored within the .bss section of the binary file.(Citation: NCC Group WastedLocker June 2020)

For Operation Spalax, the threat actors used XOR-encrypted payloads.(Citation: ESET Operation Spalax Jan 2021)
Winnti for Windows

Winnti for Windows has the ability to encrypt and compress its payload.(Citation: Novetta Winnti April 2015)
Exaramel for Linux

Exaramel for Linux uses RC4 for encrypting the configuration.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021)
APT32

APT32 has performed code obfuscation, including encoding payloads using Base64 and using a framework called "Dont-Kill-My-Cat (DKMC). APT32 also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.(Citation: FireEye APT32 May 2017)(Citation: GitHub Invoke-Obfuscation)(Citation: ESET OceanLotus)(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)
HermeticWizard

HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.(Citation: ESET Hermetic Wizard March 2022)
Gazer

Gazer logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.(Citation: Securelist WhiteBear Aug 2017)

During Cutting Edge, threat actors used a Base64-encoded Python script to write a patched version of the Ivanti Connect Secure `dsls` binary.(Citation: Mandiant Cutting Edge Part 2 January 2024)
Hildegard

Hildegard has encrypted an ELF file.(Citation: Unit 42 Hildegard Malware)
Gelsemium

Gelsemium has the ability to compress its components.(Citation: ESET Gelsemium June 2021)
Volgmer

A Volgmer variant is encoded using a simple XOR cipher.(Citation: US-CERT Volgmer 2 Nov 2017)
IronNetInjector

IronNetInjector can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.(Citation: Unit 42 IronNetInjector February 2021 )
TrickBot

TrickBot uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.(Citation: S2 Grupo TrickBot June 2017)
RAPIDPULSE

RAPIDPULSE has the ability to RC4 encrypt and base64 encode decrypted files on compromised servers prior to writing them to stdout.(Citation: Mandiant Pulse Secure Update May 2021)
Uroburos

Uroburos can use AES and CAST-128 encryption to obfuscate resources.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
FunnyDream

FunnyDream can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets.(Citation: Bitdefender FunnyDream Campaign November 2020)
AuditCred

AuditCred encrypts the configuration.(Citation: TrendMicro Lazarus Nov 2018)
Penquin

Penquin has encrypted strings in the binary for obfuscation.(Citation: Leonardo Turla Penquin May 2020)
Moonstone Sleet

Moonstone Sleet has used encrypted payloads within files for follow-on execution and defense evasion.(Citation: Microsoft Moonstone Sleet 2024)
GreyEnergy

GreyEnergy encrypts its configuration files with AES-256 and also encrypts its strings.(Citation: ESET GreyEnergy Oct 2018)
CARROTBAT

CARROTBAT has the ability to download a base64 encoded payload.(Citation: Unit 42 CARROTBAT November 2018)
ZeroT

ZeroT has encrypted its payload with RC4.(Citation: Proofpoint ZeroT Feb 2017)
Cardinal RAT

Cardinal RAT encodes many of its artifacts and is encrypted (AES-128) when downloaded.(Citation: PaloAlto CardinalRat Apr 2017)

Контрмеры
Контрмера Описание
Antivirus/Antimalware

Use signatures or heuristics to detect malicious software.
Behavior Prevention on Endpoint

Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior.

Ссылки

  1. Jai Minton. (2023, March 31). How Falcon OverWatch Investigates Malicious Self-Extracting Archives, Decoy Files and Their Hidden Payloads. Retrieved March 29, 2024.
  2. Aspen Lindblom, Joseph Goodwin, and Chris Sheldon. (2021, July 19). Shlayer Malvertising Campaigns Still Using Flash Update Disguise. Retrieved March 29, 2024.
  3. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  4. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  5. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  6. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  7. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  8. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  9. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  10. Stokes, P. (2024, May 9). macOS Cuckoo Stealer | Ensuring Detection and Defense as New Samples Rapidly Emerge. Retrieved August 20, 2024.
  11. Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
  12. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  13. Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021.
  14. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  15. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  16. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  17. O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
  18. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  19. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  20. Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
  21. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  22. MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
  23. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  24. CISA. (2022, September 23). AA22-264A Iranian State Actors Conduct Cyber Operations Against the Government of Albania. Retrieved August 6, 2024.
  25. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  26. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  27. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  28. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  29. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  30. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  31. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  32. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  33. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  34. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  35. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  36. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  37. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  38. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  39. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  40. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  41. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  42. Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019.
  43. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  44. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  45. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  46. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  47. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  48. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  49. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
  50. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  51. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  52. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  53. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
  54. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  55. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
  56. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  57. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  58. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  59. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  60. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  61. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  62. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  63. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  64. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  65. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  66. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  67. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  68. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  69. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
  70. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  71. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  72. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  73. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  74. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  75. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  76. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  77. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  78. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  79. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  80. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  81. Secureworks. (n.d.). GOLD PRELUDE . Retrieved March 22, 2024.
  82. Red Canary. (2024, March). Red Canary 2024 Threat Detection Report: SocGholish. Retrieved March 22, 2024.
  83. Milenkoski, A. (2022, November 7). SocGholish Diversifies and Expands Its Malware Staging Infrastructure to Counter Defenders. Retrieved March 22, 2024.
  84. Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
  85. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  86. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  87. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  88. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  89. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  90. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  91. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  92. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  93. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  94. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.
  95. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  96. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  97. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  98. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  99. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  100. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  101. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  102. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  103. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  104. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  105. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  106. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  107. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  108. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  109. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  110. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  111. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  112. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  113. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  114. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  115. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  116. Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitaiton. Retrieved August 27, 2024.
  117. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  118. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  119. S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
  120. Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
  121. Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
  122. Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
  123. Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
  124. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  125. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  126. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  127. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
  128. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  129. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  130. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  131. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  132. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  133. SCILabs. (2023, October 8). URSA/Mispadu: Overlap analysis with other threats. Retrieved March 13, 2024.
  134. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  135. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  136. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  137. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  138. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  139. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman & John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved September 16, 2024.
  140. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  141. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  142. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  143. Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
  144. BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
  145. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  146. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  147. MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
  148. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  149. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  150. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  151. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  152. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  153. Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018.
  154. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  155. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  156. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  157. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  158. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  159. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  160. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  161. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  162. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  163. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  164. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  165. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  166. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  167. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  168. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  169. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  170. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  171. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  172. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  173. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  174. Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
  175. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  176. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  177. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  178. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  179. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  180. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  181. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  182. Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022.
  183. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  184. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  185. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  186. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  187. Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021.
  188. Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
  189. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  190. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  191. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  192. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  193. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  194. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  195. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  196. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  197. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  198. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  199. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  200. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  201. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  202. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  203. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  204. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  205. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  206. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  207. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  208. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  209. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  210. CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021.
  211. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
  212. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  213. Kenefick, I. (2023, March 13). Emotet Returns, Now Adopts Binary Padding for Evasion. Retrieved June 19, 2024.
  214. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  215. Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
  216. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  217. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
  218. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  219. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  220. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  221. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  222. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  223. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  224. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  225. Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020.
  226. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  227. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  228. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  229. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  230. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  231. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  232. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  233. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  234. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  235. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  236. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  237. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  238. Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017.
  239. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  240. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  241. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  242. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  243. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  244. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  245. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  246. Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024.
  247. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  248. Microsoft. (2024, March 4). Attack surface reduction rules reference. Retrieved March 29, 2024.
  249. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  250. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  251. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  252. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  253. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  254. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.