Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Исследование системы

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Tools such as Systeminfo can be used to gather detailed system information. If running with privileged access, a breakdown of system data can be gathered through the systemsetup configuration tool on macOS. As an example, adversaries with user-level access can execute the df -aH command to obtain currently mounted disks and associated freely available space. Adversaries may also leverage a Network Device CLI on network devices to gather detailed system information (e.g. show version).(Citation: US-CERT-TA18-106A) System Information Discovery combined with information gathered from other forms of discovery and reconnaissance can drive payload development and concealment.(Citation: OSX.FairyTale)(Citation: 20 macOS Common Tools and Techniques) Infrastructure as a Service (IaaS) cloud providers such as AWS, GCP, and Azure allow access to instance and virtual machine information via APIs. Successful authenticated API calls can return data such as the operating system platform and status of a particular instance or the model view of a virtual machine.(Citation: Amazon Describe Instance)(Citation: Google Instances Resource)(Citation: Microsoft Virutal Machine API)

ID: T1082
Тактика(-и): Discovery
Платформы: IaaS, Linux, macOS, Network, Windows
Источники данных: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Версия: 2.5
Дата создания: 31 May 2017
Последнее изменение: 06 Sep 2022

Примеры процедур

Название Описание
Micropsia

Micropsia gathers the hostname and OS version from the victim’s machine.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)

njRAT

njRAT enumerates the victim operating system and computer name during the initial infection.(Citation: Fidelis njRAT June 2013)

TrickBot

TrickBot gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine.(Citation: S2 Grupo TrickBot June 2017)(Citation: Fidelis TrickBot Oct 2016)(Citation: Cyberreason Anchor December 2019)(Citation: Eclypsium Trickboot December 2020)

MoleNet

MoleNet can collect information about the about the system.(Citation: Cybereason Molerats Dec 2020)

YAHOYAH

YAHOYAH checks for the system’s Windows OS version and hostname.(Citation: TrendMicro TropicTrooper 2015)

SYSCON

SYSCON has the ability to use Systeminfo to identify system information.(Citation: Unit 42 CARROTBAT January 2020)

Unknown Logger

Unknown Logger can obtain information about the victim computer name, physical memory, country, and date.(Citation: Forcepoint Monsoon)

Bumblebee

Bumblebee can enumerate the OS version and domain on a targeted system.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)

GravityRAT

GravityRAT collects the MAC address, computer name, and CPU information.(Citation: Talos GravityRAT)

Linfo

Linfo creates a backdoor through which remote attackers can retrieve system information.(Citation: Symantec Linfo May 2012)

Koadic

Koadic can obtain the OS version and build, computer name, and processor architecture from a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021)

EnvyScout

EnvyScout can determine whether the ISO payload was received by a Windows or iOS device.(Citation: MSTIC Nobelium Toolset May 2021)

CharmPower

CharmPower can enumerate the OS version and computer name on a targeted system.(Citation: Check Point APT35 CharmPower January 2022)

Cuba

Cuba can enumerate local drives, disk type, and disk free space.(Citation: McAfee Cuba April 2021)

Stuxnet

Stuxnet collects system information including computer and domain names, OS version, and S7P paths.(Citation: Symantec W.32 Stuxnet Dossier)

Windigo

Windigo has used a script to detect which Linux distribution and version is currently installed on the system.(Citation: ESET ForSSHe December 2018)

PLAINTEE

PLAINTEE collects general system enumeration data about the infected machine and checks the OS version.(Citation: Rancor Unit42 June 2018)

ADVSTORESHELL

ADVSTORESHELL can run Systeminfo to gather information about the victim.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)

SpeakUp

SpeakUp uses the cat /proc/cpuinfo | grep -c “cpu family” 2>&1 command to gather system information. (Citation: CheckPoint SpeakUp Feb 2019)

CARROTBAT

CARROTBAT has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture.(Citation: Unit 42 CARROTBAT November 2018)(Citation: Unit 42 CARROTBAT January 2020)

Torisma

Torisma can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive.(Citation: McAfee Lazarus Nov 2020)

KeyBoy

KeyBoy can gather extended system information, such as information about the operating system, disks, and memory.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013)

OilRig

OilRig has run hostname and systeminfo on a victim.(Citation: Palo Alto OilRig May 2016)(Citation: Palo Alto OilRig Oct 2016)(Citation: FireEye APT34 July 2019)(Citation: Check Point APT34 April 2021)

Maze

Maze has checked the language of the infected system using the "GetUSerDefaultUILanguage" function.(Citation: McAfee Maze March 2020)

Rifdoor

Rifdoor has the ability to identify the Windows version on the compromised host.(Citation: Carbon Black HotCroissant April 2020)

FlawedAmmyy

FlawedAmmyy can collect the victim's operating system and computer name during the initial infection.(Citation: Proofpoint TA505 Mar 2018)

ZIRCONIUM

ZIRCONIUM has used a tool to capture the processor architecture of a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020)

Brave Prince

Brave Prince collects hard drive content and system configuration information.(Citation: McAfee Gold Dragon)

Squirrelwaffle

Squirrelwaffle has gathered victim computer information and configurations.(Citation: ZScaler Squirrelwaffle Sep 2021)

More_eggs

More_eggs has the capability to gather the OS version and computer name.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019)

BlackMould

BlackMould can enumerate local drives on a compromised host.(Citation: Microsoft GALLIUM December 2019)

BLINDINGCAN

BLINDINGCAN has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available.(Citation: US-CERT BLINDINGCAN Aug 2020)

STARWHALE

STARWHALE can gather the computer name of an infected host.(Citation: Mandiant UNC3313 Feb 2022)(Citation: DHS CISA AA22-055A MuddyWater February 2022)

SLOWDRIFT

SLOWDRIFT collects and sends system information to its C2.(Citation: FireEye APT37 Feb 2018)

Bundlore

Bundlore will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion.(Citation: MacKeeper Bundlore Apr 2019)(Citation: 20 macOS Common Tools and Techniques)

LiteDuke

LiteDuke can enumerate the CPUID and BIOS version on a compromised system.(Citation: ESET Dukes October 2019)

Elise

Elise executes systeminfo after initial communication is made to the remote server.(Citation: Lotus Blossom Jun 2015)

SUNBURST

SUNBURST collected hostname, OS version, and device uptime.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)

GoldenSpy

GoldenSpy has gathered operating system information.(Citation: Trustwave GoldenSpy June 2020)

down_new

down_new has the ability to identify the system volume information of a compromised host.(Citation: Trend Micro Tick November 2019)

MacMa

MacMa can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes.(Citation: ESET DazzleSpy Jan 2022)

CozyCar

A system info module in CozyCar gathers information on the victim host’s configuration.(Citation: F-Secure CozyDuke)

BACKSPACE

During its initial execution, BACKSPACE extracts operating system information from the infected host.(Citation: FireEye APT30)

ZxxZ

ZxxZ has collected the host name and operating system product name from a compromised machine.(Citation: Cisco Talos Bitter Bangladesh May 2022)

KONNI

KONNI can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine.(Citation: Talos Konni May 2017)(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)

PowerShower

PowerShower has collected system information on the infected host.(Citation: Unit 42 Inception November 2018)

TajMahal

TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host.(Citation: Kaspersky TajMahal April 2019)

During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.(Citation: Talos Frankenstein June 2019)

Dtrack

Dtrack can collect the victim's computer name, hostname and adapter information to create a unique identifier.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)

Blue Mockingbird

Blue Mockingbird has collected hardware details for the victim's system, including CPU and memory information.(Citation: RedCanary Mockingbird May 2020)

Netwalker

Netwalker can determine the system architecture it is running on to choose which version of the DLL to use.(Citation: TrendMicro Netwalker May 2020)

BLUELIGHT

BLUELIGHT has collected the computer name and OS version from victim machines.(Citation: Volexity InkySquid BLUELIGHT August 2021)

Milan

Milan can enumerate the targeted machine's name and GUID.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

HEXANE

HEXANE has collected the hostname of a compromised machine.(Citation: Kaspersky Lyceum October 2021)

PowerDuke

PowerDuke has commands to get information about the victim's name, build, version, serial number, and memory usage.(Citation: Volexity PowerDuke November 2016)

During Operation CuckooBees, the threat actors used the `systeminfo` command to gather details about a compromised system.(Citation: Cybereason OperationCuckooBees May 2022)

ZxShell

ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.(Citation: Talos ZxShell Oct 2014)

Shark

Shark can collect the GUID of a targeted machine.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Nebulae

Nebulae can discover logical drive information including the drive type, free space, and volume information.(Citation: Bitdefender Naikon April 2021)

KillDisk

KillDisk retrieves the hard disk name by calling the CreateFileA to \\.\PHYSICALDRIVE0 API.(Citation: Trend Micro KillDisk 1)

MURKYTOP

MURKYTOP has the capability to retrieve information about the OS.(Citation: FireEye Periscope March 2018)

Anchor

Anchor can determine the hostname and linux version on a compromised host.(Citation: Medium Anchor DNS July 2020)

Orz

Orz can gather the victim OS version and whether it is 64 or 32 bit.(Citation: Proofpoint Leviathan Oct 2017)

PipeMon

PipeMon can collect and send OS version and computer name as a part of its C2 beacon.(Citation: ESET PipeMon May 2020)

Shamoon

Shamoon obtains the victim's operating system version and keyboard layout and sends the information to the C2 server.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018)

4H RAT

4H RAT sends an OS version identifier in its beacons.(Citation: CrowdStrike Putter Panda)

Denis

Denis collects OS information and the computer name from the victim’s machine.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)

Astaroth

Astaroth collects the machine name and keyboard language from the system. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)

Kevin

Kevin can enumerate the OS version and hostname of a targeted machine.(Citation: Kaspersky Lyceum October 2021)

Darkhotel

Darkhotel has collected the hostname, OS version, service pack version, and the processor architecture from the victim’s machine.(Citation: Securelist Darkhotel Aug 2015)(Citation: Microsoft DUBNIUM July 2016)

WinMM

WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server.(Citation: Baumgartner Naikon 2015)

MiniDuke

MiniDuke can gather the hostname on a compromised machine.(Citation: ESET Dukes October 2019)

ZLib

ZLib has the ability to enumerate system information.(Citation: Cylance Dust Storm)

Rocke

Rocke has used uname -m to collect the name and information about the infected system's kernel.(Citation: Anomali Rocke March 2019)

InnaputRAT

InnaputRAT gathers volume drive information and system information.(Citation: ASERT InnaputRAT April 2018)

Bonadan

Bonadan has discovered the OS version, CPU model, and RAM size of the system it has been installed on.(Citation: ESET ForSSHe December 2018)

Cyclops Blink

Cyclops Blink has the ability to query device information.(Citation: NCSC Cyclops Blink February 2022)

Volgmer

Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014)

Gamaredon Group

A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: CERT-EE Gamaredon January 2021)

WarzoneRAT

WarzoneRAT can collect compromised host information, including OS version, PC name, RAM size, and CPU details.(Citation: Check Point Warzone Feb 2020)

DownPaper

DownPaper collects the victim host name and serial number, and then sends the information to the C2 server.(Citation: ClearSky Charming Kitten Dec 2017)

Empire

Empire can enumerate host system information like OS, architecture, domain name, applied patches, and more.(Citation: Github PowerShell Empire)(Citation: Talos Frankenstein June 2019)

HAWKBALL

HAWKBALL can collect the OS version, architecture information, and computer name.(Citation: FireEye HAWKBALL Jun 2019)

SynAck

SynAck gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries.(Citation: SecureList SynAck Doppelgänging May 2018)

APT37

APT37 collects the computer name, the BIOS model, and execution path.(Citation: Talos Group123)

EVILNUM

EVILNUM can obtain the computer name from the victim's system.(Citation: Prevailion EvilNum May 2020)

SHUTTERSPEED

SHUTTERSPEED can collect system information.(Citation: FireEye APT37 Feb 2018)

KOMPROGO

KOMPROGO is capable of retrieving information about the infected system.(Citation: FireEye APT32 May 2017)

APT32

APT32 has collected the OS version and computer name from victims. One of the group's backdoors can also query the Windows Registry to gather system information, and another macOS backdoor performs a fingerprint of the machine on its first connection to the C&C server. APT32 executed shellcode to identify the name of the infected host.(Citation: ESET OceanLotus)(Citation: ESET OceanLotus Mar 2019)(Citation: ESET OceanLotus macOS April 2019)(Citation: FireEye APT32 April 2020)

SpicyOmelette

SpicyOmelette can identify the system name of a compromised host.(Citation: Secureworks GOLD KINGSWOOD September 2018)

MirageFox

MirageFox can collect CPU and architecture information from the victim’s machine.(Citation: APT15 Intezer June 2018)

QuasarRAT

QuasarRAT can gather system information from the victim’s machine including the OS type.(Citation: GitHub QuasarRAT)

T9000

T9000 gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation.(Citation: Palo Alto T9000 Feb 2016)

Green Lambert

Green Lambert can use `uname` to identify the operating system name, version, and processor type.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021)

Kasidet

Kasidet has the ability to obtain a victim's system name and operating system version.(Citation: Zscaler Kasidet)

Emissary

Emissary has the capability to execute ver and systeminfo commands.(Citation: Emissary Trojan Feb 2016)

SMOKEDHAM

SMOKEDHAM has used the systeminfo command on a compromised host.(Citation: FireEye SMOKEDHAM June 2021)

Inception

Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host.(Citation: Symantec Inception Framework March 2018)

FELIXROOT

FELIXROOT collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)

Hydraq

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed.(Citation: Symantec Hydraq Jan 2010)

Crimson

Crimson contains a command to collect the victim PC name, disk drive information, and operating system.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

PingPull

PingPull can retrieve the hostname of a compromised host.(Citation: Unit 42 PingPull Jun 2022)

jRAT

jRAT collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor.(Citation: Symantec Frutas Feb 2013)

POWERSTATS

POWERSTATS can retrieve OS name/architecture and computer/domain name information from compromised hosts.(Citation: FireEye MuddyWater Mar 2018)(Citation: TrendMicro POWERSTATS V3 June 2019)

Saint Bot

Saint Bot can identify the OS version, CPU, and other details from a victim's machine.(Citation: Malwarebytes Saint Bot April 2021)

Lazarus Group

Several Lazarus Group malware families collect information on the type and version of the victim OS, as well as the victim computer name and CPU information. A Destover-like variant used by Lazarus Group also collects disk space information and sends it to its C2 server.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)(Citation: Lazarus APT January 2022)

FatDuke

FatDuke can collect the user name, Windows version, computer name, and available space on discs from a compromised host.(Citation: ESET Dukes October 2019)

BadPatch

BadPatch collects the OS system, OS version, MAC address, and the computer name from the victim’s machine.(Citation: Unit 42 BadPatch Oct 2017)

Chrommme

Chrommme has the ability to list drives and obtain the computer name of a compromised host.(Citation: ESET Gelsemium June 2021)

CORESHELL

CORESHELL collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server.(Citation: FireEye APT28)

Moses Staff

Moses Staff collected information about the infected host, including the machine names and OS architecture.(Citation: Checkpoint MosesStaff Nov 2021)

ThreatNeedle

ThreatNeedle can collect system profile information from a compromised host.(Citation: Kaspersky ThreatNeedle Feb 2021)

Sys10

Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2.(Citation: Baumgartner Naikon 2015)

Bankshot

Bankshot gathers system information, network addresses, disk type, disk free space, and the operation system version.(Citation: McAfee Bankshot)(Citation: US-CERT Bankshot Dec 2017)

KOCTOPUS

KOCTOPUS has checked the OS version using `wmic.exe` and the `find` command.(Citation: MalwareBytes LazyScripter Feb 2021)

KEYMARBLE

KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.(Citation: US-CERT KEYMARBLE Aug 2018)

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D collects processor information, memory information, computer name, hardware UUID, serial number, and operating system version. OSX_OCEANLOTUS.D has used the ioreg command to gather some of this information.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020)(Citation: 20 macOS Common Tools and Techniques)

REvil

REvil can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Group IB Ransomware May 2020)(Citation: Secureworks REvil September 2019)

PoshC2

PoshC2 contains modules, such as Get-ComputerInfo, for enumerating common system information.(Citation: GitHub PoshC2)

Trojan.Karagany

Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration.(Citation: Secureworks Karagany July 2019)

Honeybee

Honeybee gathers computer name and information using the systeminfo command.(Citation: McAfee Honeybee)

Rising Sun

Rising Sun can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.(Citation: McAfee Sharpshooter December 2018)

SOUNDBITE

SOUNDBITE is capable of gathering system information.(Citation: FireEye APT32 May 2017)

Derusbi

Derusbi gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system.(Citation: Fidelis Turbo)

FALLCHILL

FALLCHILL can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim.(Citation: US-CERT FALLCHILL Nov 2017)

WellMess

WellMess can identify the computer name of a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020)

Ixeshe

Ixeshe collects the computer name of the victim's system during the initial infection.(Citation: Trend Micro IXESHE 2012)

zwShell

zwShell can obtain the victim PC name and OS version.(Citation: McAfee Night Dragon)

ServHelper

ServHelper will attempt to enumerate Windows version and system architecture.(Citation: Proofpoint TA505 Jan 2019)

Aria-body

Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host.(Citation: CheckPoint Naikon May 2020)

Operation Wocao

Operation Wocao has discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.(Citation: FoxIT Wocao December 2019)

Zebrocy

Zebrocy collects the OS version, computer name and serial number for the storage volume C:\. Zebrocy also runs the systeminfo command to gather system information. (Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: Unit42 Sofacy Dec 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)

DarkComet

DarkComet can collect the computer name, RAM used, and operating system version from the victim’s machine.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

BADFLICK

BADFLICK has captured victim computer name, memory space, and CPU details.(Citation: Accenture MUDCARP March 2019)

Higaisa

Higaisa collected the system volume serial number, GUID, and computer name.(Citation: PTSecurity Higaisa 2020)(Citation: Malwarebytes Higaisa 2020)

Epic

Epic collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings.(Citation: Kaspersky Turla Aug 2014)

GRIFFON

GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .(Citation: SecureList Griffon May 2019)

Revenge RAT

Revenge RAT collects the CPU information, OS information, and system language.(Citation: Cylance Shaheen Nov 2018)

HAPPYWORK

can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path.(Citation: FireEye APT37 Feb 2018)

Grandoreiro

Grandoreiro can collect the computer name and OS version from a compromised host.(Citation: ESET Grandoreiro April 2020)

Heyoka Backdoor

Heyoka Backdoor can enumerate drives on a compromised host.(Citation: SentinelOne Aoqin Dragon June 2022)

SodaMaster

SodaMaster can enumerate the host name and OS version on a target system.(Citation: Securelist APT10 March 2021)

BISCUIT

BISCUIT has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC.(Citation: Mandiant APT1 Appendix)

OopsIE

OopsIE checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks.(Citation: Unit 42 OilRig Sept 2018)

CaddyWiper

CaddyWiper can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. CaddyWiper can also halt execution if the compromised host is identified as a domain controller.(Citation: Cisco CaddyWiper March 2022)(Citation: Malwarebytes IssacWiper CaddyWiper March 2022 )

Kessel

Kessel has collected the system architecture, OS version, and MAC address information.(Citation: ESET ForSSHe December 2018)

Okrum

Okrum can collect computer name, locale information, and information about the OS and architecture.(Citation: ESET Okrum July 2019)

Skidmap

Skidmap has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use.(Citation: Trend Micro Skidmap)

AppleJeus

AppleJeus has collected the victim host information after infection.(Citation: CISA AppleJeus Feb 2021)

Naid

Naid collects a unique identifier (UID) from a compromised host.(Citation: Symantec Naid June 2012)

LightNeuron

LightNeuron gathers the victim computer name using the Win32 API call GetComputerName.(Citation: ESET LightNeuron May 2019)

macOS.OSAMiner

macOS.OSAMiner can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility `df`.(Citation: SentinelLabs reversing run-only applescripts 2021)

MoonWind

MoonWind can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution.(Citation: Palo Alto MoonWind March 2017)

WINDSHIELD

WINDSHIELD can gather the victim computer name.(Citation: FireEye APT32 May 2017)

cmd

cmd can be used to find information about the operating system.(Citation: TechNet Dir)

OSInfo

OSInfo discovers information about the infected machine.(Citation: Symantec Buckeye)

Octopus

Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.(Citation: Securelist Octopus Oct 2018)

SoreFang

SoreFang can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing Systeminfo.(Citation: CISA SoreFang July 2016)

Kerrdown

Kerrdown has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture.(Citation: Unit 42 KerrDown February 2019)

BoomBox

BoomBox can enumerate the hostname, domain, and IP of a compromised host.(Citation: MSTIC Nobelium Toolset May 2021)

PoetRAT

PoetRAT has the ability to gather information about the compromised host.(Citation: Talos PoetRAT April 2020)

StreamEx

StreamEx has the ability to enumerate system information.(Citation: Cylance Shell Crew Feb 2017)

AppleSeed

AppleSeed can identify the OS version of a targeted system.(Citation: Malwarebytes Kimsuky June 2021)

ObliqueRAT

ObliqueRAT has the ability to check for blocklisted computer names on infected endpoints.(Citation: Talos Oblique RAT March 2021)

NDiskMonitor

NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel.(Citation: TrendMicro Patchwork Dec 2017)

MarkiRAT

MarkiRAT can obtain the computer name from a compromised host.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Prikormka

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.(Citation: ESET Operation Groundbait)

HOPLIGHT

HOPLIGHT has been observed collecting victim machine information like OS version, drivers, volume information and more.(Citation: US-CERT HOPLIGHT Apr 2019)

PinchDuke

PinchDuke gathers system configuration information.(Citation: F-Secure The Dukes)

Valak

Valak can determine the Windows version and computer name on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: SentinelOne Valak June 2020)

ZeroT

ZeroT gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server.(Citation: Proofpoint ZeroT Feb 2017)

APT29

APT29 used fsutil to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)

Pupy

Pupy can grab a system’s information including the OS version, architecture, etc.(Citation: GitHub Pupy)

Spark

Spark can collect the hostname, keyboard layout, and language from the system.(Citation: Unit42 Molerat Mar 2020)

S-Type

The initial beacon packet for S-Type contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm)

Hildegard

Hildegard has collected the host's OS, CPU, and memory information.(Citation: Unit 42 Hildegard Malware)

Confucius

Confucius has used a file stealer that can examine system drives, including those other than the C drive.(Citation: TrendMicro Confucius APT Aug 2021)

Ramsay

Ramsay can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

Fysbis

Fysbis has used the command ls /etc | egrep -e"fedora\*|debian\*|gentoo\*|mandriva\*|mandrake\*|meego\*|redhat\*|lsb-\*|sun-\*|SUSE\*|release" to determine which Linux OS version is running.(Citation: Fysbis Palo Alto Analysis)

Final1stspy

Final1stspy obtains victim Microsoft Windows version information and CPU architecture.(Citation: Unit 42 Nokki Oct 2018)

SDBbot

SDBbot has the ability to identify the OS version, OS bit information and computer name.(Citation: Proofpoint TA505 October 2019)(Citation: Korean FSI TA505 2020)

Pay2Key

Pay2Key has the ability to gather the hostname of the victim machine.(Citation: Check Point Pay2Key November 2020)

Gelsemium

Gelsemium can determine the operating system and whether a targeted machine has a 32 or 64 bit architecture.(Citation: ESET Gelsemium June 2021)

APT38

APT38 has attempted to get detailed information about a compromised host, including the operating system, version, patches, hotfixes, and service packs.(Citation: CISA AA20-239A BeagleBoyz August 2020)

KARAE

KARAE can collect system information.(Citation: FireEye APT37 Feb 2018)

BackConfig

BackConfig has the ability to gather the victim's computer name.(Citation: Unit 42 BackConfig May 2020)

HermeticWiper

HermeticWiper can determine the OS version, bitness, and enumerate physical drives on a targeted host.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Crowdstrike DriveSlayer February 2022)(Citation: ESET Hermetic Wizard March 2022)(Citation: Qualys Hermetic Wiper March 2022)

Misdat

The initial beacon packet for Misdat contains the operating system version of the victim.(Citation: Cylance Dust Storm)

Mustang Panda

Mustang Panda has gathered system information using systeminfo.(Citation: Avira Mustang Panda January 2020)

BADCALL

BADCALL collects the computer name and host name on the compromised system.(Citation: US-CERT BADCALL)

OceanSalt

OceanSalt can collect the computer name from the system.(Citation: McAfee Oceansalt Oct 2018)

SysUpdate

SysUpdate can determine whether a system has a 32 bit or 64 bit architecture.(Citation: Trend Micro Iron Tiger April 2021)

NavRAT

NavRAT uses systeminfo on a victim’s machine.(Citation: Talos NavRAT May 2018)

Metamorfo

Metamorfo has collected the hostname and operating system version from the compromised host.(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019)

Clambling

Clambling can discover the hostname, computer name, and Windows version of a targeted machine.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

During Operation Honeybee, the threat actors collected the computer name, OS, and other system information using `cmd /c systeminfo > %temp%\ temp.ini`.(Citation: McAfee Honeybee)

Kazuar

Kazuar gathers information on the system and local drives.(Citation: Unit 42 Kazuar May 2017)

Pony

Pony has collected the Service Pack, language, and region information to send to the C2.(Citation: Malwarebytes Pony April 2016)

UPPERCUT

UPPERCUT has the capability to gather the system’s hostname and OS version.(Citation: FireEye APT10 Sept 2018)

Winnti for Windows

Winnti for Windows can determine if the OS on a compromised host is newer than Windows XP.(Citation: Novetta Winnti April 2015)

BabyShark

BabyShark has executed the ver command.(Citation: Unit42 BabyShark Feb 2019)

InvisiMole

InvisiMole can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

StoneDrill

StoneDrill has the capability to discover the system OS, Windows version, architecture and environment.(Citation: Kaspersky StoneDrill 2017)

Proxysvc

Proxysvc collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system.(Citation: McAfee GhostSecret)

Kimsuky

Kimsuky has enumerated drives, OS type, OS version, and other information using a script or the "systeminfo" command.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)

AuTo Stealer

AuTo Stealer has the ability to collect the hostname and OS information from an infected host.(Citation: MalwareBytes SideCopy Dec 2021)

HELLOKITTY

HELLOKITTY can enumerate logical drives on a target system.(Citation: FireEye FiveHands April 2021)

Remsec

Remsec can obtain the OS version information, computer name, processor architecture, machine role, and OS edition.(Citation: Kaspersky ProjectSauron Technical Analysis)

StrifeWater

StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host.(Citation: Cybereason StrifeWater Feb 2022)

Get2

Get2 has the ability to identify the computer name and Windows version of an infected host.(Citation: Proofpoint TA505 October 2019)

MuddyWater

MuddyWater has used malware that can collect the victim’s OS version and machine name.(Citation: Securelist MuddyWater Oct 2018)(Citation: Talos MuddyWater May 2019)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021)(Citation: Talos MuddyWater Jan 2022)

Ryuk

Ryuk has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type.(Citation: CrowdStrike Ryuk January 2019)

OSX/Shlayer

OSX/Shlayer has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion.(Citation: Carbon Black Shlayer Feb 2019)(Citation: sentinelone shlayer to zshlayer)

Dridex

Dridex has collected the computer name and OS architecture information from the system.(Citation: Checkpoint Dridex Jan 2021)

LoudMiner

LoudMiner has monitored CPU usage.(Citation: ESET LoudMiner June 2019)

SharpStage

SharpStage has checked the system settings to see if Arabic is the configured language.(Citation: BleepingComputer Molerats Dec 2020)

TURNEDUP

TURNEDUP is capable of gathering system information.(Citation: FireEye APT33 Sept 2017)

Felismus

Felismus collects the system information, including hostname and OS version, and sends it to the C2 server.(Citation: Forcepoint Felismus Mar 2017)

MobileOrder

MobileOrder has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information.(Citation: Scarlet Mimic Jan 2016)

ChChes

ChChes collects the victim hostname, window resolution, and Microsoft Windows version.(Citation: Palo Alto menuPass Feb 2017)(Citation: PWC Cloud Hopper Technical Annex April 2017)

TeamTNT

TeamTNT has searched for system version, architecture, disk partition, logical volume, and hostname information.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)

Amadey

Amadey has collected the computer name and OS version from a compromised machine.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020)

StrongPity

StrongPity can identify the hard disk volume serial number on a compromised host.(Citation: Talos Promethium June 2020)

build_downer

build_downer has the ability to send system volume information to C2.(Citation: Trend Micro Tick November 2019)

POWRUNER

POWRUNER may collect information about the system by running hostname and systeminfo on a victim.(Citation: FireEye APT34 Dec 2017)

Kwampirs

Kwampirs collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t.(Citation: Symantec Orangeworm April 2018)

RedLeaves

RedLeaves can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018)

Lokibot

Lokibot has the ability to discover the computer name and Windows product name/version.(Citation: FSecure Lokibot November 2019)

Lizar

Lizar can collect the computer name from the machine,.(Citation: BiZone Lizar May 2021)

yty

yty gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo.(Citation: ASERT Donot March 2018)

JPIN

JPIN can obtain system information such as OS version and disk space.(Citation: Microsoft PLATINUM April 2016)

Lucifer

Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.(Citation: Unit 42 Lucifer June 2020)

Mis-Type

The initial beacon packet for Mis-Type contains the operating system version and file system of the victim.(Citation: Cylance Dust Storm)

gh0st RAT

gh0st RAT has gathered system architecture, processor, OS configuration, and installed hardware information.(Citation: Gh0stRAT ATT March 2019)

APT3

APT3 has a tool that can obtain information about the local system.(Citation: Symantec Buckeye)(Citation: evolution of pirpi)

RunningRAT

RunningRAT gathers the OS version, logical drives information, processor information, and volume information.(Citation: McAfee Gold Dragon)

Comnie

Comnie collects the hostname of the victim machine.(Citation: Palo Alto Comnie)

Sidewinder

Sidewinder has used tools to collect the computer name, OS version, installed hotfixes, as well as information regarding the memory and processor on a compromised host.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder COVID-19 June 2020)

Bandook

Bandook can collect information about the drives available on the system.(Citation: CheckPoint Bandook Nov 2020)

Agent Tesla

Agent Tesla can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system.(Citation: Fortinet Agent Tesla April 2018)(Citation: Fortinet Agent Tesla June 2017)(Citation: Malwarebytes Agent Tesla April 2020)

WhisperGate

WhisperGate has the ability to enumerate fixed logical drives on a targeted system.(Citation: Cisco Ukraine Wipers January 2022)

Magic Hound

Magic Hound malware has used a PowerShell command to check the victim system architecture to determine if it is an x64 machine. Other malware has obtained the OS version, UUID, and computer/host name to send to the C2 server.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022)

Caterpillar WebShell

Caterpillar WebShell has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more.(Citation: ClearSky Lebanese Cedar Jan 2021)

Ursnif

Ursnif has used Systeminfo to gather system information.(Citation: TrendMicro Ursnif Mar 2015)

UNC2452

UNC2452 used fsutil to check available free space before executing actions that might create large files on disk.(Citation: Microsoft Deep Dive Solorigate January 2021)

During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information including manufacturer and model, as well as the OS versions of systems connected to a targeted network.(Citation: FoxIT Wocao December 2019)

Zox

Zox can enumerate attached drives.(Citation: Novetta-Axiom)

DustySky

DustySky extracts basic information about the operating system.(Citation: DustySky)

Explosive

Explosive has collected the computer name from the infected host.(Citation: CheckPoint Volatile Cedar March 2015)

Systeminfo

Systeminfo can be used to gather information about the operating system.(Citation: TechNet Systeminfo)

Neoichor

Neoichor can collect the OS version and computer name from a compromised host.(Citation: Microsoft NICKEL December 2021)

Gold Dragon

Gold Dragon collects endpoint information using the systeminfo command.(Citation: McAfee Gold Dragon)

Dyre

Dyre has the ability to identify the computer name, OS version, and hardware configuration on a compromised host.(Citation: Malwarebytes Dyreza November 2015)

SideCopy

SideCopy has identified the OS version of a compromised host.(Citation: MalwareBytes SideCopy Dec 2021)

Chimera

Chimera has used `fsutil fsinfo drives`, `systeminfo`, and `vssadmin list shadows` for system information including shadow volumes and drive information.(Citation: NCC Group Chimera January 2021)

Meteor

Meteor has the ability to discover the hostname of a compromised host.(Citation: Check Point Meteor Aug 2021)

APT19

APT19 collected system architecture information. APT19 used an HTTP malware variant and a Port 22 malware variant to gather the hostname and CPU information from the victim’s machine.(Citation: FireEye APT19)(Citation: Unit 42 C0d0so0 Jan 2016)

CrackMapExec

CrackMapExec can enumerate the system drives and associated system name.(Citation: CME Github September 2018)

APT18

APT18 can collect system information from the victim’s machine.(Citation: PaloAlto DNS Requests May 2016)

Pasam

Pasam creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space.(Citation: Symantec Pasam May 2012)

Cardinal RAT

Cardinal RAT can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine.(Citation: PaloAlto CardinalRat Apr 2017)

Ferocious

Ferocious can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host.(Citation: Kaspersky WIRTE November 2021)

ShimRatReporter

ShimRatReporter gathered the operating system name and specific Windows version of an infected machine.(Citation: FOX-IT May 2016 Mofang)

RTM

RTM can obtain the computer name, OS version, and default language identifier.(Citation: ESET RTM Feb 2017)

Action RAT

Action RAT has the ability to collect the hostname, OS version, and OS architecture of an infected host.(Citation: MalwareBytes SideCopy Dec 2021)

IceApple

The IceApple Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary.(Citation: CrowdStrike IceApple May 2022)

XCSSET

XCSSET identifies the macOS version and uses ioreg to determine serial number.(Citation: trendmicro xcsset xcode project 2020)

Diavol

Diavol can collect the computer name and OS version from the system.(Citation: Fortinet Diavol July 2021)

Tropic Trooper

Tropic Trooper has detected a target system’s OS version and system volume information.(Citation: TrendMicro TropicTrooper 2015)(Citation: TrendMicro Tropic Trooper May 2020)

Bisonal

Bisonal has used commands and API calls to gather system information.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

Aquatic Panda

Aquatic Panda has used native OS commands to understand privilege levels and system details.(Citation: CrowdStrike AQUATIC PANDA December 2021)

ROKRAT

ROKRAT can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems.(Citation: Talos ROKRAT)(Citation: Talos ROKRAT 2)(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021)

Industroyer

Industroyer collects the victim machine’s Windows GUID.(Citation: Dragos Crashoverride 2017)

TYPEFRAME

TYPEFRAME can gather the disk volume information.(Citation: US-CERT TYPEFRAME June 2018)

ShadowPad

ShadowPad has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers.(Citation: Kaspersky ShadowPad Aug 2017)

Mongall

Mongall can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`.(Citation: SentinelOne Aoqin Dragon June 2022)

QakBot

QakBot can collect system information including the OS version and domain on a compromised host.(Citation: Crowdstrike Qakbot October 2020)(Citation: ATT QakBot April 2021)(Citation: Group IB Ransomware September 2020)

HALFBAKED

HALFBAKED can obtain information about the OS, processor, and BIOS.(Citation: FireEye FIN7 April 2017)

SideTwist

SideTwist can collect the computer name of a targeted system.(Citation: Check Point APT34 April 2021)

RCSession

RCSession can gather system information from a compromised host.(Citation: Profero APT27 December 2020)

Cadelspy

Cadelspy has the ability to discover information about the compromised host.(Citation: Symantec Chafer Dec 2015)

Machete

Machete collects the hostname of the target computer.(Citation: ESET Machete July 2019)

RogueRobin

RogueRobin gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name.(Citation: Unit 42 DarkHydrus July 2018)

Turian

Turian can retrieve system information including OS version, memory usage, local hostname, and system adapter information.(Citation: ESET BackdoorDiplomacy Jun 2021)

Zeus Panda

Zeus Panda collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017)

Carberp

Carberp has collected the operating system version from the infected system.(Citation: Prevx Carberp March 2011)

FinFisher

FinFisher checks if the victim OS is 32 or 64-bit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

KGH_SPY

KGH_SPY can collect drive information from a compromised host.(Citation: Cybereason Kimsuky November 2020)

SHARPSTATS

SHARPSTATS has the ability to identify the IP address, machine name, and OS of the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019)

Babuk

Babuk can enumerate disk volumes, get disk information, and query service status.(Citation: McAfee Babuk February 2021)

DropBook

DropBook has checked for the presence of Arabic language in the infected machine's settings.(Citation: Cybereason Molerats Dec 2020)

JHUHUGIT

JHUHUGIT obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\SYSTEM\CurrentControlSet\Services\Disk\Enum. Another JHUHUGIT variant gathers the victim storage volume serial number and the storage device name.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018)

TAINTEDSCRIBE

TAINTEDSCRIBE can use DriveList to retrieve drive information.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

Sowbug

Sowbug obtained OS version and hardware configuration from a victim.(Citation: Symantec Sowbug Nov 2017)

Wizard Spider

Wizard Spider has used “systeminfo” and similar commands to acquire detailed configuration information of a victim machine.(Citation: DFIR Ryuk's Return October 2020)

Turla

Turla surveys a system upon check-in to discover operating system configuration details using the systeminfo and set commands.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020)

Penquin

Penquin can report the file system type and disk space of a compromised host to C2.(Citation: Leonardo Turla Penquin May 2020)

NETWIRE

NETWIRE can discover and collect victim system information.(Citation: McAfee Netwire Mar 2015)

HotCroissant

HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.(Citation: US-CERT HOTCROISSANT February 2020)

Azorult

Azorult can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)

DEATHRANSOM

DEATHRANSOM can enumerate logical drives on a target system.(Citation: FireEye FiveHands April 2021)

Patchwork

Patchwork collected the victim computer name, OS version, and architecture type and sent the information to its C2 server. Patchwork also enumerated all available drives on the victim's machine.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)

Windshift

Windshift has used malware to identify the computer name of a compromised host.(Citation: BlackBerry Bahamut)

BUBBLEWRAP

BUBBLEWRAP collects system information, including the operating system version and hostname.(Citation: FireEye admin@338)

VERMIN

VERMIN collects the OS name, machine name, and architecture information.(Citation: Unit 42 VERMIN Jan 2018)

admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about the OS: ver >> %temp%\download systeminfo >> %temp%\download(Citation: FireEye admin@338)

XAgentOSX

XAgentOSX contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed.(Citation: XAgentOSX 2017)

NanHaiShu

NanHaiShu can gather the victim computer name and serial number.(Citation: Proofpoint Leviathan Oct 2017)

PUNCHBUGGY

PUNCHBUGGY can gather system information such as computer names.(Citation: Morphisec ShellTea June 2019)

DarkWatchman

DarkWatchman can collect the OS version, system architecture, uptime, and computer name.(Citation: Prevailion DarkWatchman 2021)

WINERACK

WINERACK can gather information about the host.(Citation: FireEye APT37 Feb 2018)

Pisloader

Pisloader has a command to collect victim system information, including the system name and OS version.(Citation: Palo Alto DNS Requests)

Reaver

Reaver collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.(Citation: Palo Alto Reaver Nov 2017)

Chaes

Chaes has collected system information, including the machine name and OS version.(Citation: Cybereason Chaes Nov 2020)

GrimAgent

GrimAgent can collect the OS, and build version on a compromised host.(Citation: Group IB GrimAgent July 2021)

NOKKI

NOKKI can gather information on drives and the operating system on the victim’s machine.(Citation: Unit 42 NOKKI Sept 2018)

BlackEnergy

BlackEnergy has used Systeminfo to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)

Stealth Falcon

Stealth Falcon malware gathers system information via WMI, including the system directory, build number, serial number, version, manufacturer, model, and total physical memory.(Citation: Citizen Lab Stealth Falcon May 2016)

Kobalos

Kobalos can record the hostname and kernel version of the target machine.(Citation: ESET Kobalos Jan 2021)

Egregor

Egregor can perform a language check of the infected system and can query the CPU information (cupid).(Citation: JoeSecurity Egregor 2020)(Citation: NHS Digital Egregor Nov 2020)

FunnyDream

FunnyDream can enumerate all logical drives on a targeted machine.(Citation: Bitdefender FunnyDream Campaign November 2020)

POORAIM

POORAIM can identify system information, including battery status.(Citation: FireEye APT37 Feb 2018)

Backdoor.Oldrea

Backdoor.Oldrea collects information about the OS and computer name.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021)

IcedID

IcedID has the ability to identify the computer name and OS version on a compromised host.(Citation: IBM IcedID November 2017)

RATANKBA

RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack.(Citation: Lazarus RATANKBA)(Citation: RATANKBA)

Bazar

Bazar can fingerprint architecture, computer name, and OS version on the compromised host. Bazar can also check if the Russian language is installed on the infected machine and terminate if it is found.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Sandworm Team

Sandworm Team used a backdoor to enumerate information about the infected system's operating system.(Citation: ESET Telebots July 2017)(Citation: US District Court Indictment GRU Unit 74455 October 2020)

Ke3chang

Ke3chang performs operating system information discovery using systeminfo and has used implants to identify the system language and computer name.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: NCC Group APT15 Alive and Strong)(Citation: Microsoft NICKEL December 2021)

SLOTHFULMEDIA

SLOTHFULMEDIA has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

Frankenstein

Frankenstein has enumerated hosts, looking for the system's machine name.(Citation: Talos Frankenstein June 2019)

LitePower

LitePower has the ability to list local drives and enumerate the OS architecture.(Citation: Kaspersky WIRTE November 2021)

Cannon

Cannon can gather system information from the victim’s machine such as the OS version, machine name, and drive information.(Citation: Unit42 Cannon Nov 2018)(Citation: Unit42 Sofacy Dec 2018)

Attor

Attor monitors the free disk space on the system.(Citation: ESET Attor Oct 2019)

SILENTTRINITY

SILENTTRINITY can collect information related to a compromised host, including OS version and a list of drives.(Citation: GitHub SILENTTRINITY Modules July 2019)

SslMM

SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date.(Citation: Baumgartner Naikon 2015)

Avenger

Avenger has the ability to identify the host volume ID and the OS architecture on a compromised host.(Citation: Trend Micro Tick November 2019)

During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.(Citation: Bitdefender FunnyDream Campaign November 2020)

Wingbird

Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit.(Citation: Microsoft SIR Vol 21)

SombRAT

SombRAT can execute getinfo to enumerate the computer name and OS version of a compromised system.(Citation: BlackBerry CostaRicto November 2020)

Контрмеры

Контрмера Описание
System Information Discovery Mitigation

Identify unnecessary system utilities or potentially malicious software that may be used to acquire information about the operating system and underlying hardware, and audit and/or block them by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Further, Network Device CLI commands may also be used to gather detailed system information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use commands being run by non-standard users from non-standard locations. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. In cloud-based systems, native logging can be used to identify access to certain APIs and dashboards that may contain system information. Depending on how the environment is used, that data alone may not be useful due to benign use during normal operations.

Ссылки

  1. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  2. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  3. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  4. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  5. Phile Stokes. (2018, September 20). On the Trail of OSX.FairyTale | Adware Playing at Malware. Retrieved August 24, 2021.
  6. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  7. Microsoft. (2019, March 1). Virtual Machines - Get. Retrieved October 8, 2019.
  8. Google. (n.d.). Rest Resource: instance. Retrieved March 3, 2020.
  9. Amazon. (n.d.). describe-instance-information. Retrieved March 3, 2020.
  10. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  11. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  12. Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
  13. FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
  14. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  15. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  16. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  17. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  18. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  19. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  20. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  21. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  22. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  23. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  24. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  25. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  26. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  27. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  28. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  29. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  30. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  31. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  32. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  33. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
  34. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  35. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  36. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  37. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  38. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  39. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  40. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  41. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  42. Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018.
  43. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  44. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  45. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  46. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  47. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  48. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  49. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  50. McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
  51. NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
  52. Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
  53. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  54. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  55. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  56. Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019.
  57. Grunzweig, J. and Falcone, R.. (2016, October 4). OilRig Malware Campaign Updates Toolset and Expands Targets. Retrieved May 3, 2017.
  58. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  59. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  60. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  61. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  62. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  63. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  64. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  65. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  66. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  67. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  68. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  69. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  70. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  71. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  72. Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
  73. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  74. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  75. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  76. FinFisher. (n.d.). Retrieved December 20, 2017.
  77. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  78. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  79. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  80. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  81. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  82. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  83. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  84. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  85. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  86. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  87. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  88. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  89. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
  90. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  91. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  92. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  93. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  94. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  95. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  96. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  97. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  98. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  99. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  100. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  101. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  102. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  103. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  104. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  105. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  106. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  107. Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018.
  108. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
  109. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  110. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  111. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  112. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  113. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  114. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  115. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  116. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  117. Bryan Lee and Rob Downs. (2016, February 12). A Look Into Fysbis: Sofacy’s Linux Backdoor. Retrieved September 10, 2017.
  118. Check Point. (2020, November 6). Ransomware Alert: Pay2Key. Retrieved January 4, 2021.
  119. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  120. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  121. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  122. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  123. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
  124. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  125. Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020.
  126. Zhang, X. (2017, June 28). In-Depth Analysis of A New Variant of .NET Malware AgentTesla. Retrieved November 5, 2018.
  127. Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
  128. Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  129. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  130. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  131. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  132. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  133. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  134. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  135. Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
  136. Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
  137. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  138. Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
  139. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  140. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  141. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  142. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  143. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  144. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  145. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  146. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  147. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  148. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  149. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  150. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  151. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  152. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  153. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  154. Eclypsium, Advanced Intelligence. (2020, December 1). TRICKBOT NOW OFFERS ‘TRICKBOOT’: PERSIST, BRICK, PROFIT. Retrieved March 15, 2021.
  155. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  156. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  157. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  158. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  159. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  160. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  161. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  162. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  163. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
  164. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  165. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  166. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  167. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  168. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  169. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  170. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  171. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  172. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  173. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  174. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  175. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  176. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  177. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  178. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  179. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  180. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  181. Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
  182. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  183. ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
  184. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  185. Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
  186. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  187. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  188. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  189. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  190. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  191. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  192. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  193. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  194. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  195. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  196. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  197. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  198. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  199. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  200. Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
  201. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  202. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  203. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  204. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  205. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  206. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  207. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  208. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  209. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  210. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  211. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  212. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  213. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  214. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  215. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  216. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  217. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  218. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  219. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  220. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  221. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  222. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  223. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  224. Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
  225. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  226. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  227. Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020.
  228. Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
  229. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  230. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  231. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  232. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  233. Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
  234. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  235. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  236. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  237. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  238. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  239. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  240. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  241. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  242. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  243. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  244. Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
  245. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  246. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  247. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  248. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  249. hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
  250. Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  251. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  252. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  253. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  254. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  255. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  256. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  257. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  258. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  259. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  260. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  261. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  262. Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020.
  263. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  264. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  265. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  266. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  267. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  268. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  269. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  270. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  271. Microsoft. (n.d.). Systeminfo. Retrieved April 8, 2016.
  272. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  273. Dragos Inc.. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
  274. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  275. Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
  276. The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020.
  277. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  278. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  279. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  280. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  281. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  282. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  283. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  284. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  285. Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019.
  286. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  287. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  288. Henderson, S., et al. (2020, April 22). Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage. Retrieved April 28, 2020.
  289. Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
  290. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  291. Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
  292. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  293. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  294. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  295. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  296. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  297. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  298. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  299. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  300. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  301. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  302. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  303. Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
  304. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  305. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  306. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  307. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  308. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  309. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  310. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  311. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  312. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  313. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  314. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  315. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  316. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  317. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  318. Mercer, W., Rascagneres, P. (2017, November 28). ROKRAT Reloaded. Retrieved May 21, 2018.
  319. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  320. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  321. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
  322. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  323. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  324. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  325. Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
  326. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  327. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  328. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  329. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  330. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  331. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  332. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  333. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  334. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  335. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  336. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  337. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  338. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  339. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  340. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  341. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  342. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  343. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  344. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  345. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  346. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  347. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  348. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  349. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  350. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.
  351. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
  352. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  353. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  354. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  355. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  356. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  357. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  358. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  359. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  360. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  361. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  362. Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
  363. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  364. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  365. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  366. Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019.
  367. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  368. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  369. The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
  370. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  371. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  372. Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
  373. PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021.
  374. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  375. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  376. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  377. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  378. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  379. AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
  380. Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020.
  381. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  382. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  383. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  384. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  385. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  386. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  387. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  388. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  389. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
  390. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  391. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  392. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  393. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  394. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  395. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  396. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  397. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  398. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  399. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  400. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  401. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  402. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  403. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  404. Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.