Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Visual Basic
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Visual Basic
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Command and Scripting Interpreter:  Visual Basic

ID Название
.001 PowerShell
.002 AppleScript
.003 Командная оболочка Windows
.004 Командная оболочка Unix
.005 Visual Basic
.006 Python
.007 JavaScript/JScript
.008 Интерпретаторы командной строки сетевых устройств
.009 Cloud API
.010 AutoHotKey & AutoIT
.011 Lua
.012 Hypervisor CLI

Adversaries may abuse Visual Basic (VB) for execution. VB is a programming language created by Microsoft with interoperability with many Windows technologies such as Component Object Model and the Native API through the Windows API. Although tagged as legacy with no planned future evolutions, VB is integrated and supported in the .NET Framework and cross-platform .NET Core.(Citation: VB .NET Mar 2020)(Citation: VB Microsoft) Derivative languages based on VB have also been created, such as Visual Basic for Applications (VBA) and VBScript. VBA is an event-driven programming language built into Microsoft Office, as well as several third-party applications.(Citation: Microsoft VBA)(Citation: Wikipedia VBA) VBA enables documents to contain macros used to automate the execution of tasks and other functionality on the host. VBScript is a default scripting language on Windows hosts and can also be used in place of JavaScript on HTML Application (HTA) webpages served to Internet Explorer (though most modern browsers do not come with VBScript support).(Citation: Microsoft VBScript) Adversaries may use VB payloads to execute malicious commands. Common malicious usage includes automating execution of behaviors with VBScript or embedding VBA content into Spearphishing Attachment payloads (which may also involve Mark-of-the-Web Bypass to enable execution).(Citation: Default VBS macros Blocking )

ID: T1059.005
Относится к технике:  T1059
Тактика(-и): Execution
Платформы: Linux, Windows, macOS
Источники данных: Command: Command Execution, Module: Module Load, Process: Process Creation, Script: Script Execution
Версия: 1.5
Дата создания: 09 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
Bumblebee

Bumblebee can create a Visual Basic script to enable persistence.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Exaramel for Windows

Exaramel for Windows has a command to execute VBS scripts on the victim’s machine.(Citation: ESET TeleBots Oct 2018)
Smoke Loader

Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016)
TAMECAT

TAMECAT has used VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling)

Ursnif

Ursnif droppers have used VBA macros to download and execute the malware's full executable payload.(Citation: Bromium Ursnif Mar 2017)
NETWIRE

NETWIRE has been executed through use of VBScripts.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020)
Emotet

Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. (Citation: Symantec Emotet Jul 2018)(Citation: Talos Emotet Jan 2019)(Citation: Trend Micro Emotet Jan 2019)(Citation: Picus Emotet Dec 2018)(Citation: Carbon Black Emotet Apr 2019)
Squirrelwaffle

Squirrelwaffle has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an `AutoOpen` subroutine.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)

ShrinkLocker

ShrinkLocker is a VisualBasic script (VBS) object that calls multiple other operating system functions during execution.(Citation: Kaspersky ShrinkLocker 2024)(Citation: Splunk ShrinkLocker 2024)
Snip3

Snip3 can use visual basic scripts for first-stage execution.(Citation: Morphisec Snip3 May 2021)(Citation: Telefonica Snip3 December 2021)
WhisperGate

WhisperGate can use a Visual Basic script to exclude the `C:\` drive from Windows Defender.(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)
Mispadu

Mispadu’s dropper uses VBS files to install payloads and perform execution.(Citation: SCILabs Malteiro 2021)(Citation: ESET Security Mispadu Facebook Ads 2019)
IcedID

IcedID has used obfuscated VBA string expressions.(Citation: Juniper IcedID June 2020)
PowerShower

PowerShower has the ability to save and execute VBScript.(Citation: Unit 42 Inception November 2018)
CHIMNEYSWEEP

CHIMNEYSWEEP has executed a script named cln.vbs on compromised hosts.(Citation: Mandiant ROADSWEEP August 2022)
Flagpro

Flagpro can execute malicious VBA macros embedded in .xlsm files.(Citation: NTT Security Flagpro new December 2021)
KeyBoy

KeyBoy uses VBS scripts for installing files and performing execution.(Citation: CitizenLab KeyBoy Nov 2016)
Pteranodon

Pteranodon can use a malicious VBS file for execution.(Citation: Symantec Shuckworm January 2022)
ROKRAT

ROKRAT has used Visual Basic for execution.(Citation: Malwarebytes RokRAT VBA January 2021)
Javali

Javali has used embedded VBScript to download malicious payloads from C2.(Citation: Securelist Brazilian Banking Malware July 2020)
Bisonal

Bisonal's dropper creates VBS scripts on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Talos Bisonal Mar 2020)

Xbash

Xbash can execute malicious VBScript payloads on the victim’s machine.(Citation: Unit42 Xbash Sept 2018)
DarkGate

DarkGate initial infection mechanisms include masquerading as pirated media that launches malicious VBScript on the victim.(Citation: Ensilo Darkgate 2018)
NanHaiShu

NanHaiShu executes additional VBScript code on the victim's machine.(Citation: fsecure NanHaiShu July 2016)
SVCReady

SVCReady has used VBA macros to execute shellcode.(Citation: HP SVCReady Jun 2022)
Ferocious

Ferocious has the ability to use Visual Basic scripts for execution.(Citation: Kaspersky WIRTE November 2021)
Saint Bot

Saint Bot has used `.vbs` scripts for execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )
Chaes

Chaes has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020)

TYPEFRAME

TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.(Citation: US-CERT TYPEFRAME June 2018)
QUADAGENT

QUADAGENT uses VBScripts.(Citation: Unit 42 QUADAGENT July 2018)
Metamorfo

Metamorfo has used VBS code on victims’ systems.(Citation: FireEye Metamorfo Apr 2018)
Bandook

Bandook has used malicious VBA code against the target system.(Citation: CheckPoint Bandook Nov 2020)
Kerrdown

Kerrdown can use a VBS base64 decoder function published by Motobit.(Citation: Unit 42 KerrDown February 2019)
VBShower

VBShower has the ability to execute VBScript files.(Citation: Kaspersky Cloud Atlas August 2019)
StoneDrill

StoneDrill has several VBS scripts used throughout the malware's lifecycle.(Citation: Kaspersky StoneDrill 2017)

OopsIE

OopsIE creates and uses a VBScript as part of its persistent execution.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018)
Grandoreiro

Grandoreiro can use VBScript to execute malicious code.(Citation: Securelist Brazilian Banking Malware July 2020)(Citation: ESET Grandoreiro April 2020)
Sibot

Sibot executes commands using VBScript.(Citation: MSTIC NOBELIUM Mar 2021)

LunarMail

LunarMail has been installed using a VBA macro.(Citation: ESET Turla Lunar toolset May 2024)
Cobalt Strike

Cobalt Strike can use VBA to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)
Cobalt Strike

Cobalt Strike can use VBA to perform execution.(Citation: Cobalt Strike TTPs Dec 2017)(Citation: CobaltStrike Daddy May 2017)(Citation: Talos Cobalt Strike September 2020)
Donut

Donut can generate shellcode outputs that execute via VBScript.(Citation: Donut Github)

SUNBURST

SUNBURST used VBScripts to initiate the execution of payloads.(Citation: Microsoft Deep Dive Solorigate January 2021)
JCry

JCry has used VBS scripts. (Citation: Carbon Black JCry May 2019)
REvil

REvil has used obfuscated VBA macros for execution.(Citation: G Data Sodinokibi June 2019)(Citation: Picus Sodinokibi January 2020)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D uses Word macros for execution.(Citation: TrendMicro MacOS April 2018)
NanoCore

NanoCore uses VBS files.(Citation: Cofense NanoCore Mar 2018)
IPsec Helper

IPsec Helper can run arbitrary Visual Basic scripts and commands passed to it.(Citation: SentinelOne Agrius 2021)
DanBot

DanBot can use a VBA macro embedded in an Excel file to drop the payload.(Citation: SecureWorks August 2019)
Ramsay

Ramsay has included embedded Visual Basic scripts in malicious documents.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

BackConfig

BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.(Citation: Unit 42 BackConfig May 2020)
Koadic

Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .(Citation: Github Koadic)
LookBack

LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.(Citation: Proofpoint LookBack Malware Aug 2019)
Lokibot

Lokibot has used VBS scripts and XLS macros for execution.(Citation: Talos Lokibot Jan 2021)

PoetRAT

PoetRAT has used Word documents with VBScripts to execute malicious activities.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020)
BabyShark

BabyShark can execute additional VisualBasic content.(Citation: Mandiant APT43 Full PDF Report)

Melcoz

Melcoz can use VBS scripts to execute malicious DLLs.(Citation: Securelist Brazilian Banking Malware July 2020)
POWERSTATS

POWERSTATS can use VBScript (VBE) code for execution.(Citation: ClearSky MuddyWater Nov 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)
KOCTOPUS

KOCTOPUS has used VBScript to call wscript to execute a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021)
STARWHALE

STARWHALE can use the VBScript function `GetRef` as part of its persistence mechanism.(Citation: Mandiant UNC3313 Feb 2022)
Goopy

Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.(Citation: Cybereason Cobalt Kitty 2017)

Remexi

Remexi uses AutoIt and VBS scripts throughout its execution process.(Citation: Securelist Remexi Jan 2019)
Astaroth

Astaroth has used malicious VBS e-mail attachments for execution.(Citation: Securelist Brazilian Banking Malware July 2020)
QakBot

QakBot can use VBS to download and execute malicious files.(Citation: Trend Micro Qakbot May 2020) (Citation: Kroll Qakbot June 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022)
jRAT

jRAT has been distributed as HTA files with VBScript.(Citation: Kaspersky Adwind Feb 2016)

Helminth

One version of Helminth consists of VBScript scripts.(Citation: Palo Alto OilRig May 2016)
Comnie

Comnie executes VBS scripts.(Citation: Palo Alto Comnie)
JSS Loader

JSS Loader can download and execute VBScript files.(Citation: CrowdStrike Carbon Spider August 2021)
Frankenstein

Frankenstein has used Word documents that prompts the victim to enable macros and run a Visual Basic script.(Citation: Talos Frankenstein June 2019)
Turla

Turla has used VBS scripts throughout its operations.(Citation: Symantec Waterbug Jun 2019)

APT33

APT33 has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020)
Operation Wocao

Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.(Citation: FoxIT Wocao December 2019)
Lazarus Group

Lazarus Group has used VBA and embedded macros in Word documents to execute malicious code.(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)
Lazarus Group

Lazarus Group has used VBScript to gather information about a victim machine. (Citation: F-Secure Lazarus Cryptocurrency Aug 2020)
Gamaredon Group

Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Secureworks IRON TILDEN Profile)
APT29

APT29 has written malware variants in Visual Basic.(Citation: Cybersecurity Advisory SVR TTP May 2021)
TA2541

TA2541 has used VBS files to execute or establish persistence for additional payloads, often using file names consistent with email themes or mimicking system functionality.(Citation: Proofpoint TA2541 February 2022)(Citation: Cisco Operation Layover September 2021)
WIRTE

WIRTE has used VBScript in its operations.(Citation: Lab52 WIRTE Apr 2019)

APT39

APT39 has utilized malicious VBS scripts in malware.(Citation: FBI FLASH APT39 September 2020)
APT38

APT38 has used VBScript to execute commands and other operational tasks.(Citation: CISA AA20-239A BeagleBoyz August 2020)(Citation: 1 - appv)
Transparent Tribe

Transparent Tribe has crafted VBS-based malicious documents.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

MuddyWater

MuddyWater has used VBScript files to execute its POWERSTATS payload, as well as macros.(Citation: FireEye MuddyWater Mar 2018)(Citation: MuddyWater TrendMicro June 2018)(Citation: Securelist MuddyWater Oct 2018)(Citation: Symantec MuddyWater Dec 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: ClearSky MuddyWater June 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)
Leviathan

Leviathan has used VBScript.(Citation: Proofpoint Leviathan Oct 2017)
BRONZE BUTLER

BRONZE BUTLER has used VBS and VBE scripts for execution.(Citation: Secureworks BRONZE BUTLER Oct 2017)(Citation: Trend Micro Tick November 2019)
Machete

Machete has embedded malicious macros within spearphishing attachments to download additional files.(Citation: 360 Machete Sep 2020)
Honeybee

Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.(Citation: McAfee Honeybee)
FIN4

FIN4 has used VBA macros to display a dialog box and collect victim credentials.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014)
Molerats

Molerats used various implants, including those built with VBScript, on target machines.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020)
SideCopy

SideCopy has sent Microsoft Office Publisher documents to victims that have embedded malicious macros that execute an hta file via calling `mshta.exe`.(Citation: MalwareBytes SideCopy Dec 2021)
Silence

Silence has used VBS scripts.(Citation: Cyber Forensicator Silence Jan 2019)
Confucius

Confucius has used VBScript to execute malicious code.(Citation: TrendMicro Confucius APT Feb 2018)
APT32

APT32 has used macros, COM scriptlets, and VBS scripts.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

Higaisa

Higaisa has used VBScript code on the victim's machine.(Citation: PTSecurity Higaisa 2020)
Sidewinder

Sidewinder has used VBScript to drop and execute malware loaders.(Citation: ATT Sidewinder January 2021)
OilRig

OilRig has used VBScript macros for execution on compromised hosts.(Citation: Check Point APT34 April 2021)
APT37

APT37 executes shellcode and a VBA script to decode Base64 strings.(Citation: Talos Group123)
Inception

Inception has used VBScript to execute malicious commands and payloads.(Citation: Unit 42 Inception November 2018)(Citation: Kaspersky Cloud Atlas December 2014)
HEXANE

HEXANE has used a VisualBasic script named `MicrosoftUpdator.vbs` for execution of a PowerShell keylogger.(Citation: Kaspersky Lyceum October 2021)
FIN7

FIN7 used VBS scripts to help perform tasks on the victim's machine.(Citation: FireEye FIN7 Aug 2018)(Citation: Flashpoint FIN 7 March 2019)(Citation: CrowdStrike Carbon Spider August 2021)
APT-C-36

APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.(Citation: QiAnXin APT-C-36 Feb2019)
FIN13

FIN13 has used VBS scripts for code execution on comrpomised machines.(Citation: Sygnia Elephant Beetle Jan 2022)
Kimsuky

Kimsuky has used Visual Basic to download malicious payloads.(Citation: ThreatConnect Kimsuky September 2020)(Citation: VirusBulletin Kimsuky October 2019)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) Kimsuky has also used malicious VBA macros within maldocs disguised as forms that trigger when a victim types any content into the lure.(Citation: Talos Kimsuky Nov 2021)
Sandworm Team

Sandworm Team has created VBScripts to run an SSH server.(Citation: ESET BlackEnergy Jan 2016)(Citation: ESET Telebots Dec 2016)(Citation: ESET Telebots June 2017)(Citation: Dragos Crashoverride 2018)

Sharpshooter

Sharpshooter's first-stage downloader was a VBA macro.(Citation: McAfee Sharpshooter December 2018)
Magic Hound

Magic Hound malware has used VBS scripts for execution.(Citation: Unit 42 Magic Hound Feb 2017)
Windshift

Windshift has used Visual Basic 6 (VB6) payloads.(Citation: BlackBerry Bahamut)
Patchwork

Patchwork used Visual Basic Scripts (VBS) on victim machines.(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)
Mustang Panda

Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)
RedCurl

RedCurl has used VBScript to run malicious files.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2)
TA459

TA459 has a VBScript for execution.(Citation: Proofpoint TA459 April 2017)
APT42

APT42 has used a VBScript to query anti-virus products.(Citation: Mandiant APT42-untangling)

Gorgon Group

Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.(Citation: Unit 42 Gorgon Group Aug 2018)
Earth Lusca

Earth Lusca used VBA scripts.(Citation: TrendMicro EarthLusca 2022)
Cobalt Group

Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: Group IB Cobalt Aug 2017)(Citation: Morphisec Cobalt Gang Oct 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: TrendMicro Cobalt Group Nov 2017)
Malteiro

Malteiro has utilized a dropper containing malicious VBS scripts.(Citation: SCILabs Malteiro 2021)
TA505

TA505 has used VBS for code execution.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Trend Micro TA505 June 2019)(Citation: IBM TA505 April 2020)
LazyScripter

LazyScripter has used VBScript to execute malicious code.(Citation: MalwareBytes LazyScripter Feb 2021)
Rancor

Rancor has used VBS scripts as well as embedded macros for execution.(Citation: Rancor Unit42 June 2018)

Контрмеры
Контрмера Описание
Disable or Remove Feature or Program

Disable or remove unnecessary and potentially vulnerable software, features, or services to reduce the attack surface and prevent abuse by adversaries. This involves identifying software or features that are no longer needed or that could be exploited and ensuring they are either removed or properly disabled. This mitigation can be implemented through the following measures: Remove Legacy Software: - Use Case: Disable or remove older versions of software that no longer receive updates or security patches (e.g., legacy Java, Adobe Flash). - Implementation: A company removes Flash Player from all employee systems after it has reached its end-of-life date. Disable Unused Features: - Use Case: Turn off unnecessary operating system features like SMBv1, Telnet, or RDP if they are not required. - Implementation: Disable SMBv1 in a Windows environment to mitigate vulnerabilities like EternalBlue. Control Applications Installed by Users: - Use Case: Prevent users from installing unauthorized software via group policies or other management tools. - Implementation: Block user installations of unauthorized file-sharing applications (e.g., BitTorrent clients) in an enterprise environment. Remove Unnecessary Services: - Use Case: Identify and disable unnecessary default services running on endpoints, servers, or network devices. - Implementation: Disable unused administrative shares (e.g., C$, ADMIN$) on workstations. Restrict Add-ons and Plugins: - Use Case: Remove or disable browser plugins and add-ons that are not needed for business purposes. - Implementation: Disable Java and ActiveX plugins in web browsers to prevent drive-by attacks.

Antivirus/Antimalware

Antivirus/Antimalware solutions utilize signatures, heuristics, and behavioral analysis to detect, block, and remediate malicious software, including viruses, trojans, ransomware, and spyware. These solutions continuously monitor endpoints and systems for known malicious patterns and suspicious behaviors that indicate compromise. Antivirus/Antimalware software should be deployed across all devices, with automated updates to ensure protection against the latest threats. This mitigation can be implemented through the following measures: Signature-Based Detection: - Implementation: Use predefined signatures to identify known malware based on unique patterns such as file hashes, byte sequences, or command-line arguments. This method is effective against known threats. - Use Case: When malware like "Emotet" is detected, its signature (such as a specific file hash) matches a known database of malicious software, triggering an alert and allowing immediate quarantine of the infected file. Heuristic-Based Detection: - Implementation: Deploy heuristic algorithms that analyze behavior and characteristics of files and processes to identify potential malware, even if it doesn’t match a known signature. - Use Case: If a program attempts to modify multiple critical system files or initiate suspicious network communications, heuristic analysis may flag it as potentially malicious, even if no specific malware signature is available. Behavioral Detection (Behavior Prevention): - Implementation: Use behavioral analysis to detect patterns of abnormal activities, such as unusual system calls, unauthorized file encryption, or attempts to escalate privileges. - Use Case: Behavioral analysis can detect ransomware attacks early by identifying behavior like mass file encryption, even before a specific ransomware signature has been identified. Real-Time Scanning: - Implementation: Enable real-time scanning to automatically inspect files and network traffic for signs of malware as they are accessed, downloaded, or executed. - Use Case: When a user downloads an email attachment, the antivirus solution scans the file in real-time, checking it against both signatures and heuristics to detect any malicious content before it can be opened. Cloud-Assisted Threat Intelligence: - Implementation: Use cloud-based threat intelligence to ensure the antivirus solution can access the latest malware definitions and real-time threat feeds from a global database of emerging threats. - Use Case: Cloud-assisted antivirus solutions quickly identify newly discovered malware by cross-referencing against global threat databases, providing real-time protection against zero-day attacks. **Tools for Implementation**: - Endpoint Security Platforms: Use solutions such as EDR for comprehensive antivirus/antimalware protection across all systems. - Centralized Management: Implement centralized antivirus management consoles that provide visibility into threat activity, enable policy enforcement, and automate updates. - Behavioral Analysis Tools: Leverage solutions with advanced behavioral analysis capabilities to detect malicious activity patterns that don’t rely on known signatures.
Execution Prevention

Prevent the execution of unauthorized or malicious code on systems by implementing application control, script blocking, and other execution prevention mechanisms. This ensures that only trusted and authorized code is executed, reducing the risk of malware and unauthorized actions. This mitigation can be implemented through the following measures: Application Control: - Use Case: Use tools like AppLocker or Windows Defender Application Control (WDAC) to create whitelists of authorized applications and block unauthorized ones. On Linux, use tools like SELinux or AppArmor to define mandatory access control policies for application execution. - Implementation: Allow only digitally signed or pre-approved applications to execute on servers and endpoints. (e.g., `New-AppLockerPolicy -PolicyType Enforced -FilePath "C:\Policies\AppLocker.xml"`) Script Blocking: - Use Case: Use script control mechanisms to block unauthorized execution of scripts, such as PowerShell or JavaScript. Web Browsers: Use browser extensions or settings to block JavaScript execution from untrusted sources. - Implementation: Configure PowerShell to enforce Constrained Language Mode for non-administrator users. (e.g., `Set-ExecutionPolicy AllSigned`) Executable Blocking: - Use Case: Prevent execution of binaries from suspicious locations, such as `%TEMP%` or `%APPDATA%` directories. - Implementation: Block execution of `.exe`, `.bat`, or `.ps1` files from user-writable directories. Dynamic Analysis Prevention: - Use Case: Use behavior-based execution prevention tools to identify and block malicious activity in real time. - Implemenation: Employ EDR solutions that analyze runtime behavior and block suspicious code execution.
Behavior Prevention on Endpoint

Behavior Prevention on Endpoint refers to the use of technologies and strategies to detect and block potentially malicious activities by analyzing the behavior of processes, files, API calls, and other endpoint events. Rather than relying solely on known signatures, this approach leverages heuristics, machine learning, and real-time monitoring to identify anomalous patterns indicative of an attack. This mitigation can be implemented through the following measures: Suspicious Process Behavior: - Implementation: Use Endpoint Detection and Response (EDR) tools to monitor and block processes exhibiting unusual behavior, such as privilege escalation attempts. - Use Case: An attacker uses a known vulnerability to spawn a privileged process from a user-level application. The endpoint tool detects the abnormal parent-child process relationship and blocks the action. Unauthorized File Access: - Implementation: Leverage Data Loss Prevention (DLP) or endpoint tools to block processes attempting to access sensitive files without proper authorization. - Use Case: A process tries to read or modify a sensitive file located in a restricted directory, such as /etc/shadow on Linux or the SAM registry hive on Windows. The endpoint tool identifies this anomalous behavior and prevents it. Abnormal API Calls: - Implementation: Implement runtime analysis tools to monitor API calls and block those associated with malicious activities. - Use Case: A process dynamically injects itself into another process to hijack its execution. The endpoint detects the abnormal use of APIs like `OpenProcess` and `WriteProcessMemory` and terminates the offending process. Exploit Prevention: - Implementation: Use behavioral exploit prevention tools to detect and block exploits attempting to gain unauthorized access. - Use Case: A buffer overflow exploit is launched against a vulnerable application. The endpoint detects the anomalous memory write operation and halts the process.
Restrict Web-Based Content

Restricting web-based content involves enforcing policies and technologies that limit access to potentially malicious websites, unsafe downloads, and unauthorized browser behaviors. This can include URL filtering, download restrictions, script blocking, and extension control to protect against exploitation, phishing, and malware delivery. This mitigation can be implemented through the following measures: Deploy Web Proxy Filtering: - Use solutions to filter web traffic based on categories, reputation, and content types. - Enforce policies that block unsafe websites or file types at the gateway level. Enable DNS-Based Filtering: - Implement tools to restrict access to domains associated with malware or phishing campaigns. - Use public DNS filtering services to enhance protection. Enforce Content Security Policies (CSP): - Configure CSP headers on internal and external web applications to restrict script execution, iframe embedding, and cross-origin requests. Control Browser Features: - Disable unapproved browser features like automatic downloads, developer tools, or unsafe scripting. - Enforce policies through tools like Group Policy Management to control browser settings. Monitor and Alert on Web-Based Threats: - Use SIEM tools to collect and analyze web proxy logs for signs of anomalous or malicious activity. - Configure alerts for access attempts to blocked domains or repeated file download failures.

Обнаружение

Monitor for events associated with VB execution, such as Office applications spawning processes, usage of the Windows Script Host (typically cscript.exe or wscript.exe), file activity involving VB payloads or scripts, or loading of modules associated with VB languages (ex: vbscript.dll). VB execution is likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other programable post-compromise behaviors and could be used as indicators of detection leading back to the source. Understanding standard usage patterns is important to avoid a high number of false positives. If VB execution is restricted for normal users, then any attempts to enable related components running on a system would be considered suspicious. If VB execution is not commonly used on a system, but enabled, execution running out of cycle from patching or other administrator functions is suspicious. Payloads and scripts should be captured from the file system when possible to determine their actions and intent.

Ссылки

  1. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  2. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  3. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  4. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  5. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  6. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  7. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  8. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  9. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
  10. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  11. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  12. ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
  13. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  14. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  15. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
  16. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  17. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  18. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  19. F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020.
  20. Microsoft. (2019, June 11). Office VBA Reference. Retrieved June 23, 2020.
  21. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  22. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  23. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  24. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  25. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved November 17, 2024.
  26. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  27. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  28. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  29. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  30. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  31. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  32. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  33. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  34. Mandiant. (n.d.). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved October 14, 2024.
  35. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  36. Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024.
  37. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  38. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  39. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  40. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  41. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  42. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  43. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  44. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  45. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  46. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  47. NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
  48. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  49. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  50. Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  51. Splunk Threat Research Team , Teoderick Contreras. (2024, September 5). ShrinkLocker Malware: Abusing BitLocker to Lock Your Data. Retrieved December 7, 2024.
  52. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  53. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  54. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
  55. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  56. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  57. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  58. ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
  59. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  60. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved November 17, 2024.
  61. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  62. Microsoft. (2011, April 19). What Is VBScript?. Retrieved March 28, 2020.
  63. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  64. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  65. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  66. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved November 17, 2024.
  67. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  68. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  69. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  70. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  71. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  72. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  73. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
  74. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  75. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  76. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  77. Booz Allen Hamilton. (2016). When The Lights Went Out. Retrieved December 18, 2024.
  78. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  79. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  80. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  81. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  82. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  83. Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
  84. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  85. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  86. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  87. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  88. Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
  89. .NET Team. (2020, March 11). Visual Basic support planned for .NET 5.0. Retrieved June 23, 2020.
  90. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  91. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  92. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
  93. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  94. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  95. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  96. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  97. Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
  98. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  99. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  100. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  101. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  102. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  103. Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020.
  104. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  105. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  106. Microsoft. (n.d.). Visual Basic documentation. Retrieved June 23, 2020.
  107. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  108. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  109. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  110. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  111. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  112. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  113. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
  114. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  115. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  116. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  117. Lunghi, D and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
  118. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  119. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  120. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  121. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  122. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  123. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  124. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  125. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  126. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  127. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  128. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  129. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
  130. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  131. Cristian Souza, Eduardo Ovalle, Ashley Muñoz, & Christopher Zachor. (2024, May 23). ShrinkLocker: Turning BitLocker into ransomware. Retrieved December 7, 2024.
  132. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  133. Kellie Eickmeyer. (2022, February 7). Helping users stay safe: Blocking internet macros by default in Office. Retrieved February 7, 2022.
  134. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  135. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  136. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  137. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  138. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  139. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  140. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  141. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  142. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  143. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  144. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  145. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  146. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  147. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  148. Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
  149. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  150. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  151. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  152. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  153. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  154. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
  155. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  156. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  157. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  158. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  159. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  160. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
  161. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  162. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  163. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  164. Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
  165. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  166. Cherepanov, A.. (2016, January 3). BlackEnergy by the SSHBearDoor: attacks against Ukrainian news media and electric industry . Retrieved June 10, 2020.
  167. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  168. Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020.
  169. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  170. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  171. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  172. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
  173. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  174. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  175. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  176. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  177. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  178. Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
  179. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  180. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  181. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  182. SEONGSU PARK. (2022, December 27). BlueNoroff introduces new methods bypassing MoTW. Retrieved February 6, 2024.
  183. Cherepanov, A.. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
  184. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  185. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  186. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  187. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  188. Wikipedia. (n.d.). Visual Basic for Applications. Retrieved August 13, 2020.
  189. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  190. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  191. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved November 17, 2024.
  192. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.