
Masquerading: Masquerade Task or Service

Adversaries may attempt to manipulate the name of a task or service to make it appear legitimate or benign. Tasks/services executed by the Task Scheduler or systemd will typically be given a name and/or description.(Citation: TechNet Schtasks)(Citation: Systemd Service Units) Windows services will have a service name as well as a display name. Many benign tasks and services exist that have commonly associated names. Adversaries may give tasks or services names that are similar or identical to those of legitimate ones. Tasks or services contain other fields, such as a description, that adversaries may attempt to make appear legitimate.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Fysbis Dr Web Analysis)

ID: T1036.004
Sub-technique of: T1036
Tactic(s): Defense Evasion
Platforms: Linux, macOS, Windows
Permissions Required: Administrator, SYSTEM, User
Data Sources: Command: Command Execution, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Version: 1.1
Created: 10 Feb 2020
Last Modified: 18 Oct 2021

Procedure Examples

Name Description
DCSrv

DCSrv has masqueraded its service as a legitimate svchost.exe process.(Citation: Checkpoint MosesStaff Nov 2021)

APT29

APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.(Citation: Volexity SolarWinds)

PlugX

In one instance, menuPass added PlugX as a service with a display name of "Corel Writing Tools Utility."(Citation: FireEye APT10 April 2017)

Attor

Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).(Citation: ESET Attor Oct 2019)

Maze

Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" designed to launch the ransomware.(Citation: Sophos Maze VM September 2020)

RDAT

RDAT has used Windows Video Service as a name for malicious services.(Citation: Unit42 RDAT July 2020)

Kimsuky

Kimsuky has disguised services to appear as benign software or related to operating system functions.(Citation: CISA AA20-301A Kimsuky)

Carbanak

Carbanak has copied legitimate service names to use for malicious services.(Citation: Kaspersky Carbanak)

SUGARDUMP

SUGARDUMP's scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version.(Citation: Mandiant UNC3890 Aug 2022)

POWERSTATS

POWERSTATS has created a scheduled task named "MicrosoftEdge" to establish persistence.(Citation: ClearSky MuddyWater Nov 2018)

Fysbis

Fysbis has masqueraded as the rsyncd and dbus-inotifier services.(Citation: Fysbis Dr Web Analysis)

Meteor

Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.(Citation: Check Point Meteor Aug 2021)

RawPOS

New services created by RawPOS are made to appear like legitimate Windows services, with names such as "Windows Management Help Service", "Microsoft Support", and "Windows Advanced Task Manager".(Citation: Kroll RawPOS Jan 2017)(Citation: TrendMicro RawPOS April 2015)(Citation: Mandiant FIN5 GrrCON Oct 2016)

FIN7

FIN7 has created a scheduled task named “AdobeFlashSync” to establish persistence.(Citation: Morphisec FIN7 June 2017)

RainyDay

RainyDay has named services and scheduled tasks to appear benign including "ChromeCheck" and "googleupdate."(Citation: Bitdefender Naikon April 2021)

Shamoon

Shamoon creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the "MaintenaceSrv" service, which misspells the word "maintenance."(Citation: Palo Alto Shamoon Nov 2016)(Citation: McAfee Shamoon December 2018)

ZxxZ

ZxxZ has been disguised as a Windows security update service.(Citation: Cisco Talos Bitter Bangladesh May 2022)

build_downer

build_downer has added itself to the Registry Run key as "NVIDIA" to appear legitimate.(Citation: Trend Micro Tick November 2019)

PingPull

PingPull can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`, and `Onedrive` to evade detection.(Citation: Unit 42 PingPull Jun 2022)

StrongPity

StrongPity has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

Seasalt

Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service.(Citation: Mandiant APT1 Appendix)

KONNI

KONNI has pretended to be the xmlProv Network Provisioning service.(Citation: Malwarebytes Konni Aug 2021)

SLOTHFULMEDIA

SLOTHFULMEDIA has named a service it establishes on victim machines as "TaskFrame" to hide its malicious purpose.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

APT-C-36

APT-C-36 has disguised its scheduled tasks as those used by Google.(Citation: QiAnXin APT-C-36 Feb2019)

FunnyDream

FunnyDream has used a service named `WSearch` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)

CSPY Downloader

CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.(Citation: Cybereason Kimsuky November 2020)

Okrum

Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.(Citation: ESET Okrum July 2019)

ShimRat

ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.(Citation: FOX-IT May 2016 Mofang)

Egregor

Egregor has masqueraded the svchost.exe process to exfiltrate data.(Citation: Intrinsec Egregor Nov 2020)

Machete

Machete renamed task names to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader and Python tasks.(Citation: ESET Machete July 2019)

APT32

APT32 has used hidden or non-printing characters to help masquerade service names, such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name "install_flashplayer.exe".(Citation: FireEye APT32 May 2017)

Tarrask

Tarrask creates a scheduled task called “WinUpdate” to re-establish any dropped C2 connections.(Citation: Tarrask scheduled task)

Hildegard

Hildegard has disguised itself as a known Linux process.(Citation: Unit 42 Hildegard Malware)

Wizard Spider

Wizard Spider has used scheduled tasks to install TrickBot, using task names to appear legitimate such as WinDotNet, GoogleTask, or Sysnetsf.(Citation: CrowdStrike Grim Spider May 2019) It has also used common document file names for other malware binaries.(Citation: FireEye KEGTAP SINGLEMALT October 2020)

TinyTurla

TinyTurla has mimicked an existing Windows service by being installed as Windows Time Service.(Citation: Talos TinyTurla September 2021)

BITTER

BITTER has disguised malware as a Windows Security update service.(Citation: Cisco Talos Bitter Bangladesh May 2022)

Truvasys

To establish persistence, Truvasys adds a Registry Run key with a value "TaskMgr" in an attempt to masquerade as the legitimate Windows Task Manager.(Citation: Microsoft Win Defender Truvasys Sep 2017)

RTM

RTM has named the scheduled task it creates "Windows Update".(Citation: Unit42 Redaman January 2019)

FIN6

FIN6 has renamed the "psexec" service name to "mstdc" to masquerade as a legitimate Windows service.(Citation: FireEye FIN6 Apr 2019)

Nebulae

Nebulae has created a service named "Windows Update Agent1" to appear legitimate.(Citation: Bitdefender Naikon April 2021)

Naikon

Naikon renamed a malicious service taskmgr to appear to be a legitimate version of Task Manager.(Citation: Bitdefender Naikon April 2021)

IronNetInjector

IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.(Citation: Unit 42 IronNetInjector February 2021)

Nidiran

Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name.(Citation: Symantec Backdoor.Nidiran)(Citation: Microsoft SAM)

Bazar

Bazar can create a task named to appear benign.(Citation: Cybereason Bazar July 2020)

Crutch

Crutch has established persistence with a scheduled task impersonating the Outlook item finder.(Citation: ESET Crutch December 2020)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has disguised its app bundle by adding special characters to the filename and using the icon for legitimate Word documents.(Citation: Trend Micro MacOS Backdoor November 2020)

Fox Kitten

Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

PROMETHIUM

PROMETHIUM has named services to appear legitimate.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020)

InnaputRAT

InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.(Citation: ASERT InnaputRAT April 2018)

Kwampirs

Kwampirs establishes persistence by adding a new service with the display name "WMI Performance Adapter Extension" in an attempt to masquerade as a legitimate WMI service.(Citation: Symantec Orangeworm April 2018)

Lazarus Group

A Lazarus Group custom backdoor implant included a custom PE loader named "Security Package" that was added into the lsass.exe process via registry key.(Citation: F-Secure Lazarus Cryptocurrency Aug 2020)

Catchamas

Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.(Citation: Symantec Catchamas April 2018)

Frankenstein

During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.(Citation: Talos Frankenstein June 2019)

ZIRCONIUM

ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.(Citation: Zscaler APT31 Covid-19 October 2020)

Green Lambert

Green Lambert has created a new executable named `Software Update Check` to appear legitimate.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

KillDisk

KillDisk registers as a service under the Plug-And-Play Support name.(Citation: ESET Telebots Dec 2016)

Exaramel for Windows

The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service.(Citation: ESET TeleBots Oct 2018)

Higaisa

Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020)

Lazarus Group

Lazarus Group has used a scheduled task named `SRCheck` to mask the execution of a malicious .dll.(Citation: ESET Twitter Ida Pro Nov 2021)

UNC2452

UNC2452 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.(Citation: Volexity SolarWinds)

Volgmer

Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service.(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)

Turian

Turian can disguise as a legitimate service to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

InvisiMole

InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.(Citation: ESET InvisiMole June 2020)

GoldMax

GoldMax has impersonated systems management software to avoid detection.(Citation: MSTIC NOBELIUM Mar 2021)

ComRAT

ComRAT has used a task name associated with Windows SQM Consolidator.(Citation: ESET ComRAT May 2020)

Heyoka Backdoor

Heyoka Backdoor has been named `srvdll.dll` to appear as a legitimate service.(Citation: SentinelOne Aoqin Dragon June 2022)

BackdoorDiplomacy

BackdoorDiplomacy has disguised their backdoor droppers with naming conventions designed to blend into normal operations.(Citation: ESET BackdoorDiplomacy Jun 2021)

APT41

APT41 has created services to appear as benign system tools.(Citation: Group IB APT 41 June 2021)

Detection

Look for changes to tasks and services that do not correlate with known software, patch cycles, etc. Suspicious program execution through scheduled tasks or services may show up as outlier processes that have not been seen before when compared against historical data. Monitor processes and command-line arguments for actions that could be taken to create tasks or services. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
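
An added example (not part of the original page) of comparing a service inventory against a known-good baseline, covering three patterns from the procedure examples above: hidden or non-printing characters in a name, a legitimate name reused with a different binary, and a near-miss spelling. The baseline, the sample inventory, the paths and the 0.8 similarity threshold are constructed assumptions; real image paths also carry arguments that would need stripping first.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed baseline (assumption): normalized service name -> expected binary path.
BASELINE = {
    "iphlpsvc": r"c:\windows\system32\svchost.exe",
    "wsearch": r"c:\windows\system32\searchindexer.exe",
    "w32time": r"c:\windows\system32\svchost.exe",
}

# Unicode categories that render as blank or not at all:
# Zs = space separators (includes NBSP), Cf = format (zero-width), Cc = controls.
INVISIBLE = ("Zs", "Cf", "Cc")


def hidden_chars(name):
    """Return code points in the name that are invisible, ignoring the ASCII space."""
    return [f"U+{ord(c):04X}" for c in name
            if c != " " and unicodedata.category(c) in INVISIBLE]


def normalize(name):
    """Drop invisible characters (and spaces), fold compatibility forms and case."""
    kept = "".join(c for c in name if unicodedata.category(c) not in INVISIBLE)
    return unicodedata.normalize("NFKC", kept).casefold()


def audit(services, similarity=0.8):
    """services: iterable of (service_name, image_path). Returns a list of findings."""
    findings = []
    for name, path in services:
        hidden = hidden_chars(name)
        if hidden:
            findings.append((name, "hidden-char", ",".join(hidden)))
        key = normalize(name)
        if key in BASELINE:
            # Known name: the binary behind it must be the expected one.
            if path.casefold() != BASELINE[key]:
                findings.append((name, "name-reuse-path-mismatch", path))
            continue
        # Unknown name: flag it if it is nearly identical to a known one.
        for known in BASELINE:
            if SequenceMatcher(None, key, known).ratio() >= similarity:
                findings.append((name, "lookalike", known))
    return findings


# Constructed sample inventory (not taken from any real host or report).
SAMPLE = [
    ("iphlpsvc", r"C:\Windows\System32\svchost.exe"),   # matches baseline
    ("iphlpsvc\u00a0", r"C:\ProgramData\helper.exe"),   # trailing no-break space
    ("WSearch", r"C:\Users\Public\ws.exe"),             # known name, wrong binary
    ("W32Tlme", r"C:\Windows\System32\svchost.exe"),    # 'l' in place of 'i'
    ("AcmeBackupAgent", r"C:\Program Files\Acme\agent.exe"),  # unrelated software
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Services that are simply absent from the baseline, such as the last sample entry, produce no finding here; they belong to the "does not correlate with known software" review the paragraph describes.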

References

  1. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  2. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  3. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  4. Freedesktop.org. (n.d.). systemd.service — Service unit configuration. Retrieved March 16, 2020.
  5. Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016.
  6. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  7. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  8. Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
  9. Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  10. Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
  11. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  12. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  13. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
  14. Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
  15. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  16. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  17. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  18. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  19. Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021.
  20. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  21. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  22. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  23. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  24. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  25. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  26. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  27. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  28. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  29. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  30. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  31. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  32. Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  33. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  34. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  35. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  36. Microsoft Threat Intelligence Team & Detection and Response Team. (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022.
  37. Gorelik, M. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017.
  38. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  39. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  40. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  41. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  42. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  43. TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
  44. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  45. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  46. Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
  47. John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
  48. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  49. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  50. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  51. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  52. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  53. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  54. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  55. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  56. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  57. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  58. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  59. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  60. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  61. Microsoft. (2006, October 30). How to use the SysKey utility to secure the Windows Security Accounts Manager database. Retrieved August 3, 2016.
  62. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  63. Mundo, A., Roccia, T., Saavedra-Morales, J., Beek, C. (2018, December 14). Shamoon Returns to Wipe Systems in Middle East, Europe. Retrieved May 29, 2020.
  64. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  65. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  66. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  67. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  68. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
  69. Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
  70. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  71. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  72. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  73. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
