Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Промежуточное хранение данных (локально)
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Промежуточное хранение данных...
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Data Staged:  Промежуточное хранение данных (локально)

ID Название
.001 Промежуточное хранение данных (локально)
.002 Промежуточное хранение данных (удаленно)

Adversaries may stage collected data in a central location or directory on the local system prior to Exfiltration. Data may be kept in separate files or combined into one file through techniques such as Archive Collected Data. Interactive command shells may be used, and common functionality within cmd and bash may be used to copy data into a staging location. Adversaries may also stage collected data in various available formats/locations of a system, including local storage databases/repositories or the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

ID: T1074.001
Относится к технике:  T1074
Тактика(-и): Collection
Платформы: Linux, macOS, Windows
Источники данных: Command: Command Execution, File: File Access, File: File Creation, Windows Registry: Windows Registry Key Modification
Версия: 1.1
Дата создания: 13 Mar 2020
Последнее изменение: 21 Apr 2022

Примеры процедур
Название Описание
OopsIE

OopsIE stages the output from command execution and collected files in specific folders before exfiltration.(Citation: Unit 42 OopsIE! Feb 2018)
AuTo Stealer

AuTo Stealer can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration.(Citation: MalwareBytes SideCopy Dec 2021)
Dtrack

Dtrack can save collected data to disk, different file formats, and network shares.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)
Milan

Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021)
NavRAT

NavRAT writes multiple outputs to a TMP file using the >> method.(Citation: Talos NavRAT May 2018)
Threat Group-3390

Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.(Citation: SecureWorks BRONZE UNION June 2017)
Sidewinder

Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.(Citation: ATT Sidewinder January 2021)
Ursnif

Ursnif has used tmp files to stage gathered information.(Citation: TrendMicro Ursnif Mar 2015)
FunnyDream

FunnyDream can stage collected information including screen captures and logged keystrokes locally.(Citation: Bitdefender FunnyDream Campaign November 2020)
Operation Wocao

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

TEMP.Veles

TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.(Citation: FireEye TRITON 2019)
FIN5

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)
Dyre

Dyre has the ability to create files in a TEMP folder to act as a database to store information.(Citation: Malwarebytes Dyreza November 2015)
BadPatch

BadPatch stores collected data in log files before exfiltration.(Citation: Unit 42 BadPatch Oct 2017)
DarkWatchman

DarkWatchman can stage local data in the Windows Registry.(Citation: Prevailion DarkWatchman 2021)

During Operation Honeybee, stolen data was copied into a text file using the format `From (- --).txt` prior to compression, encoding, and exfiltration.(Citation: McAfee Honeybee)

During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Patchwork

Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.(Citation: TrendMicro Patchwork Dec 2017)
MacMa

MacMa has stored collected files locally before exfiltration.(Citation: Objective-See MacMa Nov 2021)
Carbon

Carbon creates a base directory that contains the files and folders that are collected.(Citation: ESET Carbon Mar 2017)
Ramsay

Ramsay can stage data prior to exfiltration in %APPDATA%\Microsoft\UserSetting and %APPDATA%\Microsoft\UserSetting\MediaCache.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

During C0015, PowerView's file share enumeration results were stored in the file `c:\ProgramData\found_shares.txt`.(Citation: DFIR Conti Bazar Nov 2021)
TeamTNT

TeamTNT has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)
InvisiMole

InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)
Indrik Spider

Indrik Spider has stored collected date in a .tmp file.(Citation: Symantec WastedLocker June 2020)
SUGARDUMP

SUGARDUMP has stored collected data under `%%\\CrashLog.txt`.(Citation: Mandiant UNC3890 Aug 2022)
ADVSTORESHELL

ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory.(Citation: ESET Sednit Part 2)
Lazarus Group

Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the %TEMP% directory, then compressed, encrypted, and uploaded to a C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Loaders)
Chrommme

Chrommme can store captured system information locally prior to exfiltration.(Citation: ESET Gelsemium June 2021)
Duqu

Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.(Citation: Symantec W32.Duqu)
Attor

Attor has staged collected data in a central upload directory prior to exfiltration.(Citation: ESET Attor Oct 2019)
Chimera

Chimera has staged stolen data locally on compromised hosts.(Citation: NCC Group Chimera January 2021)
Honeybee

Honeybee adds collected files to a temp.zip file saved in the %temp% folder, then base64 encodes it and uploads it to control server.(Citation: McAfee Honeybee)
RainyDay

RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration.(Citation: Bitdefender Naikon April 2021)
Dragonfly 2.0

Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)
MuddyWater

MuddyWater has stored a decoy PDF file within a victim's `%temp%` folder.(Citation: Talos MuddyWater Jan 2022)
Gold Dragon

Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.(Citation: McAfee Gold Dragon)
Machete

Machete stores files and logs in a folder on the local drive.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)
Trojan.Karagany

Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019)
PoisonIvy

PoisonIvy stages collected data in a text file.(Citation: Symantec Darkmoon Aug 2005)
DustySky

DustySky created folders in temp directories to host collected files before exfiltration.(Citation: Kaspersky MoleRATs April 2019)
LightNeuron

LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\.(Citation: ESET LightNeuron May 2019)
PowerLess

PowerLess can stage stolen browser data in `C:\\Windows\\Temp\\cup.tmp` and keylogger data in `C:\\Windows\\Temp\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`.(Citation: Cybereason PowerLess February 2022)
APT3

APT3 has been known to stage files for exfiltration in a single location.(Citation: aptsim)
QakBot

QakBot has stored stolen emails and other data into new folders prior to exfiltration.(Citation: Kroll Qakbot June 2020)
FrameworkPOS

FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows\.(Citation: FireEye FIN6 April 2016)
ccf32

ccf32 can temporarily store files in a hidden directory on the local host.(Citation: Bitdefender FunnyDream Campaign November 2020)
Octopus

Octopus has stored collected information in the Application Data directory on a compromised host.(Citation: Securelist Octopus Oct 2018)(Citation: ESET Nomadic Octopus 2018)
PUNCHBUGGY

PUNCHBUGGY has saved information to a random temp file before exfil.(Citation: Morphisec ShellTea June 2019)
MoonWind

MoonWind saves information from its keylogging routine as a .zip file in the present working directory.(Citation: Palo Alto MoonWind March 2017)
Helminth

Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.(Citation: Palo Alto OilRig May 2016)
Rover

Rover copies files from removable drives to C:\system.(Citation: Palo Alto Rover)
SPACESHIP

SPACESHIP identifies files with certain extensions and copies them to a directory in the user's profile.(Citation: FireEye APT30)
Elise

Elise creates a file in AppData\Local\Microsoft\Windows\Explorer and stores all harvested data in that file.(Citation: Accenture Dragonfish Jan 2018)
SombRAT

SombRAT can store harvested data in a custom database under the %TEMP% directory.(Citation: BlackBerry CostaRicto November 2020)
Machete

Machete created their own directories to drop files into.(Citation: Cylance Machete Mar 2017)
Kimsuky

Kimsuky has staged collected data files under C:\Program Files\Common Files\System\Ole DB\.(Citation: CISA AA20-301A Kimsuky)(Citation: Talos Kimsuky Nov 2021)
APT39

APT39 has utilized tools to aggregate data prior to exfiltration.(Citation: FBI FLASH APT39 September 2020)
GALLIUM

GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.(Citation: Cybereason Soft Cell June 2019)
MESSAGETAP

MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.(Citation: FireEye MESSAGETAP October 2019)
Catchamas

Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.(Citation: Symantec Catchamas April 2018)
RawPOS

Data captured by RawPOS is placed in a temporary file under a directory named "memdump".(Citation: Kroll RawPOS Jan 2017)
Turian

Turian can store copied files in a specific directory prior to exfiltration.(Citation: ESET BackdoorDiplomacy Jun 2021)
Leviathan

Leviathan has used C:\Windows\Debug and C:\Perflogs as staging directories.(Citation: FireEye Periscope March 2018)(Citation: CISA AA21-200A APT40 July 2021)
ObliqueRAT

ObliqueRAT can copy specific files, webcam captures, and screenshots to local directories.(Citation: Talos Oblique RAT March 2021)
menuPass

menuPass stages data prior to exfiltration in multi-part archives, often saved in the Recycle Bin.(Citation: PWC Cloud Hopper April 2017)
BackdoorDiplomacy

BackdoorDiplomacy has copied files of interest to the main drive's recycle bin.(Citation: ESET BackdoorDiplomacy Jun 2021)
Zebrocy

Zebrocy stores all collected information in a single file before exfiltration.(Citation: ESET Zebrocy Nov 2018)
NOKKI

NOKKI can collect data from the victim and stage it in LOCALAPPDATA%\MicroSoft Updatea\uplog.tmp.(Citation: Unit 42 NOKKI Sept 2018)
MarkiRAT

MarkiRAT can store collected data locally in a created .nfo file.(Citation: Kaspersky Ferocious Kitten Jun 2021)
Mustang Panda

Mustang Panda has stored collected credential files in c:\windows\temp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.(Citation: Secureworks BRONZE PRESIDENT December 2019)(Citation: Avira Mustang Panda January 2020)
Pteranodon

Pteranodon creates various subdirectories under %Temp%\reports\% and copies files to those subdirectories. It also creates a folder at C:\Users\\AppData\Roaming\Microsoft\store to store screenshot JPEG files.(Citation: Palo Alto Gamaredon Feb 2017)
Exaramel for Windows

Exaramel for Windows specifies a path to store files scheduled for exfiltration.(Citation: ESET TeleBots Oct 2018)

AppleSeed

AppleSeed can stage files in a central location prior to exfiltration.(Citation: Malwarebytes Kimsuky June 2021)
BADNEWS

BADNEWS copies documents under 15MB found on the victim system to is the user's %temp%\SMB\ folder. It also copies files from USB devices to a predefined directory.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
Calisto

Calisto uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration.(Citation: Securelist Calisto July 2018)(Citation: Symantec Calisto July 2018)
KGH_SPY

KGH_SPY can save collected system information to a file named "info" before exfiltration.(Citation: Cybereason Kimsuky November 2020)
Crutch

Crutch has staged stolen files in the C:\AMD\Temp directory.(Citation: ESET Crutch December 2020)
Prikormka

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.(Citation: ESET Operation Groundbait)
Kazuar

Kazuar stages command output and collected data in files before exfiltration.(Citation: Unit 42 Kazuar May 2017)
Mis-Type

Mis-Type has temporarily stored collected information to the files `“%AppData%\{Unique Identifier}\HOSTRURKLSR”` and `“%AppData%\{Unique Identifier}\NEWERSSEMP”`.(Citation: Cylance Dust Storm)
Dragonfly

Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)
BoxCaon

BoxCaon has created a working folder for collected files that it sends to the C2 server.(Citation: Checkpoint IndigoZebra July 2021)

NETWIRE

NETWIRE has the ability to write collected data to a file created in the ./LOGS directory.(Citation: FireEye NETWIRE March 2019)
FLASHFLOOD

FLASHFLOOD stages data it copies from the local system or removable drives in the "%WINDIR%\$NtUninstallKB885884$\" directory.(Citation: FireEye APT30)
APT28

APT28 has stored captured credential information in a file named pi.log.(Citation: Microsoft SIR Vol 19)
Astaroth

Astaroth collects data in a plaintext file named r1.log before exfiltration. (Citation: Cofense Astaroth Sept 2018)
STARWHALE

STARWHALE has stored collected data in a file called `stari.txt`.(Citation: Mandiant UNC3313 Feb 2022)
PUNCHTRACK

PUNCHTRACK aggregates collected data in a tmp file.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
ECCENTRICBANDWAGON

ECCENTRICBANDWAGON has stored keystrokes and screenshots within the %temp%\GoogleChrome, %temp%\Downloads, and %temp%\TrendMicroUpdate directories.(Citation: CISA EB Aug 2020)
USBStealer

USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)

Обнаружение

Processes that appear to be reading files from disparate locations and writing them to the same directory or file may be an indication of data being staged, especially if they are suspected of performing encryption or compression on the files, such as 7zip, RAR, ZIP, or zlib. Monitor publicly writeable directories, central locations, and commonly used staging directories (recycle bin, temp folders, etc.) to regularly check for compressed or encrypted data that may be indicative of staging. Monitor processes and command-line arguments for actions that could be taken to collect and combine files. Remote access tools with built-in features may interact directly with the Windows API to gather and copy to a location. Data may also be acquired and staged through Windows system management tools such as Windows Management Instrumentation and PowerShell. Consider monitoring accesses and modifications to local storage repositories (such as the Windows Registry), especially from suspicious processes that could be related to malicious data collection.

Ссылки

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  3. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  4. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  5. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  6. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  7. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  8. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  9. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  10. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  11. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  12. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  13. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  14. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  15. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  16. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  17. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  18. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  19. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  20. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  21. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  22. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  23. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  24. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  25. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  26. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  27. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  28. valsmith. (2012, September 21). More on APTSim. Retrieved September 28, 2017.
  29. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  30. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  31. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  32. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  33. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  34. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  35. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  36. Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
  37. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  38. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  39. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  40. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  41. Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019.
  42. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  43. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  44. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  45. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  46. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  47. Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
  48. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  49. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  50. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  51. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  52. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  53. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  54. ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
  55. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  56. Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
  57. Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021.
  58. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  59. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  60. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  61. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  62. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  63. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  64. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  65. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  66. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  67. Kuzin, M., Zelensky S. (2018, July 20). Calisto Trojan for macOS. Retrieved September 7, 2018.
  68. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
  69. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  70. Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
  71. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  72. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  73. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  74. Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
  75. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  76. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  77. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  78. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  79. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  80. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  81. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  82. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  83. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  84. Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017.
  85. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  86. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  87. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  88. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  89. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  90. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  91. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  92. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  93. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  94. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  95. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  96. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  97. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.