Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Исследование файлов и каталогов

Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions. Many command shell utilities can be used to obtain this information. Examples include dir, tree, ls, find, and locate.(Citation: Windows Commands JPCERT) Custom tools may also be used to gather file and directory information and interact with the Native API. Adversaries may also leverage a Network Device CLI on network devices to gather file and directory information (e.g. dir, show flash, and/or nvram).(Citation: US-CERT-TA18-106A)

ID: T1083
Тактика(-и): Discovery
Платформы: Linux, macOS, Network, Windows
Источники данных: Command: Command Execution, Process: OS API Execution, Process: Process Creation
Версия: 1.5
Дата создания: 31 May 2017
Последнее изменение: 06 Sep 2022

Примеры процедур

Название Описание
BLACKCOFFEE

BLACKCOFFEE has the capability to enumerate files.(Citation: FireEye APT17)

Orz

Orz can gather victim drive information.(Citation: Proofpoint Leviathan Oct 2017)

Attor

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.(Citation: ESET Attor Oct 2019)

USBStealer

USBStealer searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names.(Citation: ESET Sednit USBStealer 2014)(Citation: Kaspersky Sofacy)

SDBbot

SDBbot has the ability to get directory listings or drive information on a compromised host.(Citation: Proofpoint TA505 October 2019)

Kinsing

Kinsing has used the find command to search for specific files.(Citation: Aqua Kinsing April 2020)

Amadey

Amadey has searched for folders associated with antivirus software.(Citation: Korean FSI TA505 2020)

Ebury

Ebury can list directory entries.(Citation: ESET Ebury Oct 2017)

PlugX

PlugX has a module to enumerate drives and find files recursively.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022)

Volgmer

Volgmer can list directories on a victim.(Citation: US-CERT Volgmer Nov 2017)

P.A.S. Webshell

P.A.S. Webshell has the ability to list files and file characteristics including extension, size, ownership, and permissions.(Citation: ANSSI Sandworm January 2021)

Bazar

Bazar can enumerate the victim's desktop.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020)

Crimson

Crimson contains commands to list files and directories, as well as search for files matching certain extensions from a defined list.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022)

SynAck

SynAck checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018)

Patchwork

A Patchwork payload has searched all fixed drives on the victim for files matching a specified list of extensions.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017)

Sowbug

Sowbug identified and extracted all Word documents on a server by using a command containing * .doc and *.docx. The actors also searched for documents based on a specific date range and attempted to identify all installed software on a victim.(Citation: Symantec Sowbug Nov 2017)

yty

yty gathers information on victim’s drives and has a plugin for document listing.(Citation: ASERT Donot March 2018)

TAINTEDSCRIBE

TAINTEDSCRIBE can use DirectoryList to enumerate files in a specified directory.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)

ELMER

ELMER is capable of performing directory listings.(Citation: FireEye EPS Awakens Part 2)

SUGARDUMP

SUGARDUMP can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name.(Citation: Mandiant UNC3890 Aug 2022)

During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.(Citation: DFIR Conti Bazar Nov 2021)

Fysbis

Fysbis has the ability to search for files.(Citation: Fysbis Dr Web Analysis)

Remsec

Remsec is capable of listing contents of folders on the victim. Remsec also searches for custom network encryption software on victims.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Full Report)(Citation: Kaspersky ProjectSauron Technical Analysis)

KillDisk

KillDisk has used the FindNextFile command as part of its file deletion process.(Citation: Trend Micro KillDisk 2)

During Operation Honeybee, the threat actors used a malicious DLL to search for files with specific keywords.(Citation: McAfee Honeybee)

WinMM

WinMM sets a WH_CBT Windows hook to search for and capture files on the victim.(Citation: Baumgartner Naikon 2015)

Gamaredon Group

Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022)

Turian

Turian can search for specific files and list directories.(Citation: ESET BackdoorDiplomacy Jun 2021)

POORAIM

POORAIM can conduct file browsing.(Citation: FireEye APT37 Feb 2018)

Micropsia

Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths.(Citation: Radware Micropsia July 2018)

Misdat

Misdat is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives.(Citation: Cylance Dust Storm)

Winnti for Windows

Winnti for Windows can check for the presence of specific files prior to moving to the next phase of execution.(Citation: Novetta Winnti April 2015)

GeminiDuke

GeminiDuke collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs.(Citation: F-Secure The Dukes)

BoxCaon

BoxCaon has searched for files on the system, such as documents located in the desktop folder.(Citation: Checkpoint IndigoZebra July 2021)

During Operation CuckooBees, the threat actors used `dir c:\\` to search for files.(Citation: Cybereason OperationCuckooBees May 2022)

njRAT

njRAT can browse file systems using a file manager module.(Citation: Fidelis njRAT June 2013)

PinchDuke

PinchDuke searches for files created within a certain timeframe and whose file extension matches a predefined list.(Citation: F-Secure The Dukes)

WindTail

WindTail has the ability to enumerate the users home directory and the path to its own application bundle.(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

Dragonfly

Dragonfly has used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)(Citation: Gigamon Berserk Bear October 2021)(Citation: CISA AA20-296A Berserk Bear December 2020)

AuditCred

AuditCred can search through folders and files on the system.(Citation: TrendMicro Lazarus Nov 2018)

Diavol

Diavol has a command to traverse the files and directories in a given path.(Citation: Fortinet Diavol July 2021)

Sliver

Sliver can enumerate files on a target system.(Citation: GitHub Sliver File System August 2021)

PowerDuke

PowerDuke has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space.(Citation: Volexity PowerDuke November 2016)

BackConfig

BackConfig has the ability to identify folders and files related to previous infections.(Citation: Unit 42 BackConfig May 2020)

Bankshot

Bankshot searches for files on the victim's machine.(Citation: US-CERT Bankshot Dec 2017)

PingPull

PingPull can enumerate storage volumes and folder contents of a compromised host.(Citation: Unit 42 PingPull Jun 2022)

4H RAT

4H RAT has the capability to obtain file and directory listings.(Citation: CrowdStrike Putter Panda)

FALLCHILL

FALLCHILL can search files on a victim.(Citation: US-CERT FALLCHILL Nov 2017)

MarkiRAT

MarkiRAT can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb.(Citation: Kaspersky Ferocious Kitten Jun 2021)

Epic

Epic recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\Temp directories.(Citation: Kaspersky Turla)(Citation: Kaspersky Turla Aug 2014)

Clambling

Clambling can browse directories on a compromised host.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

down_new

down_new has the ability to list the directories on a compromised host.(Citation: Trend Micro Tick November 2019)

Ryuk

Ryuk has enumerated files and folders on all mounted drives.(Citation: CrowdStrike Ryuk January 2019)

QakBot

QakBot can identify whether it has been run previously on a host by checking for a specified folder.(Citation: ATT QakBot April 2021)

PoetRAT

PoetRAT has the ability to list files upon receiving the ls command from C2.(Citation: Talos PoetRAT April 2020)

WhisperGate

WhisperGate can locate files based on hardcoded file extensions.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022)

cmd

cmd can be used to find files and directories with native functionality such as dir commands.(Citation: TechNet Dir)

Seasalt

Seasalt has the capability to identify the drive type on a victim.(Citation: McAfee Oceansalt Oct 2018)

APT38

APT38 have enumerated files and directories, or searched in specific locations within a compromised host.(Citation: CISA AA20-239A BeagleBoyz August 2020)

APT28

APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection. The group also searched a compromised DCCC computer for specific terms.(Citation: Überwachung APT28 Forfiles June 2015)(Citation: DOJ GRU Indictment Jul 2018)

KEYMARBLE

KEYMARBLE has a command to search for files on the victim’s machine.(Citation: US-CERT KEYMARBLE Aug 2018)

Operation Wocao

Operation Wocao has gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)

SHOTPUT

SHOTPUT has a command to obtain a directory listing.(Citation: Palo Alto CVE-2015-3113 July 2015)

WINERACK

WINERACK can enumerate files and directories.(Citation: FireEye APT37 Feb 2018)

Cardinal RAT

Cardinal RAT checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload).(Citation: PaloAlto CardinalRat Apr 2017)

OwaAuth

OwaAuth has a command to list its directory and logical drives.(Citation: Dell TG-3390)

RARSTONE

RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications.(Citation: Camba RARSTONE)

Kivars

Kivars has the ability to list drives on the infected host.(Citation: TrendMicro BlackTech June 2017)

BlackEnergy

BlackEnergy gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. BlackEnergy has searched for given file types.(Citation: F-Secure BlackEnergy 2014)(Citation: Securelist BlackEnergy Nov 2014)

WannaCry

WannaCry searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files.(Citation: LogRhythm WannaCry)(Citation: FireEye WannaCry 2017)

UNC2452

UNC2452 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)

SoreFang

SoreFang has the ability to list directories.(Citation: CISA SoreFang July 2016)

AutoIt backdoor

AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg.(Citation: Forcepoint Monsoon)

Caterpillar WebShell

Caterpillar WebShell can search for files in directories.(Citation: ClearSky Lebanese Cedar Jan 2021)

APT29

APT29 obtained information about the configured Exchange virtual directory using Get-WebServicesVirtualDirectory.(Citation: Volexity SolarWinds)

Inception

Inception used a file listing plugin to collect information about file and directories both on local and remote drives.(Citation: Symantec Inception Framework March 2018)

USBferry

USBferry can detect the victim's file or folder list.(Citation: TrendMicro Tropic Trooper May 2020)

Avaddon

Avaddon has searched for specific files prior to encryption.(Citation: Arxiv Avaddon Feb 2021)

Rclone

Rclone can list files and directories with the `ls`, `lsd`, and `lsl` commands.(Citation: Rclone)

SideTwist

SideTwist has the ability to search for specific files.(Citation: Check Point APT34 April 2021)

GrimAgent

GrimAgent has the ability to enumerate files and directories on a compromised host.(Citation: Group IB GrimAgent July 2021)

Skidmap

Skidmap has checked for the existence of specific files including /usr/sbin/setenforce and /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process. (Citation: Trend Micro Skidmap)

zwShell

zwShell can browse the file system.(Citation: McAfee Night Dragon)

ZxShell

ZxShell has a command to open a file manager and explorer on the system.(Citation: Talos ZxShell Oct 2014)

DropBook

DropBook can collect the names of all files and folders in the Program Files directories.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020)

TSCookie

TSCookie has the ability to discover drive information on the infected host.(Citation: JPCert TSCookie March 2018)

Kwampirs

Kwampirs collects a list of files and directories in C:\ with the command dir /s /a c:\ >> "C:\windows\TEMP\[RANDOM].tmp".(Citation: Symantec Orangeworm April 2018)

JPIN

JPIN can enumerate drives and their types. It can also change file permissions using cacls.exe.(Citation: Microsoft PLATINUM April 2016)

ZLib

ZLib has the ability to enumerate files and drives.(Citation: Cylance Dust Storm)

FLASHFLOOD

FLASHFLOOD searches for interesting files (either a default or customized set of file extensions) on the local system and removable media.(Citation: FireEye APT30)

Lokibot

Lokibot can search for specific files on an infected host.(Citation: Talos Lokibot Jan 2021)

HOPLIGHT

HOPLIGHT has been observed enumerating system drives and partitions.(Citation: US-CERT HOPLIGHT Apr 2019)

Chimera

Chimera has utilized multiple commands to identify data of interest in file and directory listings.(Citation: NCC Group Chimera January 2021)

BadPatch

BadPatch searches for files with specific file extensions.(Citation: Unit 42 BadPatch Oct 2017)

NETEAGLE

NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information.(Citation: FireEye APT30)

SysUpdate

SysUpdate can search files on a compromised host.(Citation: Trend Micro Iron Tiger April 2021)

BabyShark

BabyShark has used dir to search for "programfiles" and "appdata".(Citation: Unit42 BabyShark Feb 2019)

admin@338

admin@338 actors used the following commands after exploiting a machine with LOWBALL malware to obtain information about files and directories: dir c:\ >> %temp%\download dir "c:\Documents and Settings" >> %temp%\download dir "c:\Program Files\" >> %temp%\download dir d:\ >> %temp%\download(Citation: FireEye admin@338)

MoonWind

MoonWind has a command to return a directory listing for a specified directory.(Citation: Palo Alto MoonWind March 2017)

Ke3chang

Ke3chang uses command-line interaction to search files and directories.(Citation: Mandiant Operation Ke3chang November 2014)(Citation: Microsoft NICKEL December 2021)

MegaCortex

MegaCortex can parse the available drives and directories to determine which files to encrypt.(Citation: IBM MegaCortex)

Pteranodon

Pteranodon identifies files matching certain file extension and copies them to subdirectories it created.(Citation: Palo Alto Gamaredon Feb 2017)

CookieMiner

CookieMiner has looked for files in the user's home directory with "wallet" in their name using find.(Citation: Unit42 CookieMiner Jan 2019)

CrossRAT

CrossRAT can list all files on a system.

DEATHRANSOM

DEATHRANSOM can use loop operations to enumerate directories on a compromised host.(Citation: FireEye FiveHands April 2021)

InnaputRAT

InnaputRAT enumerates directories and obtains file attributes on a system.(Citation: ASERT InnaputRAT April 2018)

SUNBURST

SUNBURST had commands to enumerate files and directories.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020)

Cuba

Cuba can enumerate files by using a variety of functions.(Citation: McAfee Cuba April 2021)

Linfo

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files.(Citation: Symantec Linfo May 2012)

CosmicDuke

CosmicDuke searches attached and mounted drives for file extensions and keywords that match a predefined list.(Citation: F-Secure Cosmicduke)

Sandworm Team

Sandworm Team has enumerated files on a compromised host.(Citation: US District Court Indictment GRU Unit 74455 October 2020)(Citation: Dragos Crashoverride 2018)

Kazuar

Kazuar finds a specified directory, lists the files and metadata about those files.(Citation: Unit 42 Kazuar May 2017)

XAgentOSX

XAgentOSX contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory.(Citation: XAgentOSX 2017) XAgentOSX contains the showBackupIosFolder function to check for IOS device backups by running ls -la ~/Library/Application\ Support/MobileSync/Backup/.(Citation: XAgentOSX 2017)

HermeticWiper

HermeticWiper can enumerate common folders such as My Documents, Desktop, and AppData.(Citation: SentinelOne Hermetic Wiper February 2022)(Citation: Qualys Hermetic Wiper March 2022)

Cyclops Blink

Cyclops Blink can use the Linux API `statvfs` to enumerate the current working directory.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022)

FIVEHANDS

FIVEHANDS has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions.(Citation: CISA AR21-126A FIVEHANDS May 2021)(Citation: NCC Group Fivehands June 2021)

Cobalt Strike

Cobalt Strike can explore files on a compromised system.(Citation: Cobalt Strike Manual 4.3 November 2020)

DarkWatchman

DarkWatchman has the ability to enumerate file and folder names.(Citation: Prevailion DarkWatchman 2021)

Industroyer

Industroyer’s data wiper component enumerates specific files on all the Windows drives.(Citation: ESET Industroyer)

Brave Prince

Brave Prince gathers file and directory information from the victim’s machine.(Citation: McAfee Gold Dragon)

OceanSalt

OceanSalt can extract drive information from the endpoint and search files on the system.(Citation: McAfee Oceansalt Oct 2018)

NETWIRE

NETWIRE has the ability to search for files on the compromised host.(Citation: Proofpoint NETWIRE December 2020)

Sidewinder

Sidewinder has used malware to collect information on files and directories.(Citation: ATT Sidewinder January 2021)

TINYTYPHON

TINYTYPHON searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions.(Citation: Forcepoint Monsoon)

Octopus

Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018)

SUNSPOT

SUNSPOT enumerated the Orion software Visual Studio solution directory path.(Citation: CrowdStrike SUNSPOT Implant January 2021)

Zox

Zox can enumerate files on a compromised host.(Citation: Novetta-Axiom)

Elise

A variant of Elise executes dir C:\progra~1 when initially run.(Citation: Lotus Blossom Jun 2015)(Citation: Accenture Dragonfish Jan 2018)

Honeybee

Honeybee's service-based DLL implant traverses the FTP server’s directories looking for files with keyword matches for computer names or certain keywords.(Citation: McAfee Honeybee)

Bisonal

Bisonal can retrieve a file listing from the system.(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

MiniDuke

MiniDuke can enumerate local drives.(Citation: ESET Dukes October 2019)

Conti

Conti can discover files on a local system.(Citation: CarbonBlack Conti July 2020)

SLOTHFULMEDIA

SLOTHFULMEDIA can enumerate files and directories.(Citation: CISA MAR SLOTHFULMEDIA October 2020)

ADVSTORESHELL

ADVSTORESHELL can list files and directories.(Citation: ESET Sednit Part 2)(Citation: Bitdefender APT28 Dec 2015)

FinFisher

FinFisher enumerates directories and scans for certain files.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)

Avenger

Avenger has the ability to browse files in directories such as Program Files and the Desktop.(Citation: Trend Micro Tick November 2019)

CharmPower

CharmPower can enumerate drives and list the contents of the C: drive on a victim's computer.(Citation: Check Point APT35 CharmPower January 2022)

REvil

REvil has the ability to identify specific files and directories that are not to be encrypted.(Citation: Kaspersky Sodin July 2019)(Citation: Cylance Sodinokibi July 2019)(Citation: Secureworks GandCrab and REvil September 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Intel 471 REvil March 2020)(Citation: Secureworks REvil September 2019)

Empire

Empire includes various modules for finding files of interest on hosts and network shares.(Citation: Github PowerShell Empire)

Pupy

Pupy can walk through directories and recursively search for strings in files.(Citation: GitHub Pupy)

Gelsemium

Gelsemium can retrieve data from specific Windows directories, as well as open random files as part of Virtualization/Sandbox Evasion.(Citation: ESET Gelsemium June 2021)

Aoqin Dragon

Aoqin Dragon has run scripts to identify file formats including Microsoft Word.(Citation: SentinelOne Aoqin Dragon June 2022)

Proxysvc

Proxysvc lists files in directories.(Citation: McAfee GhostSecret)

Tropic Trooper

Tropic Trooper has monitored files' modified time.(Citation: TrendMicro Tropic Trooper May 2020)

Dark Caracal

Dark Caracal collected file listings of all default Windows directories.(Citation: Lookout Dark Caracal Jan 2018)

GravityRAT

GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf.(Citation: Talos GravityRAT)

Bandook

Bandook has a command to list files on a system.(Citation: CheckPoint Bandook Nov 2020)

MuddyWater

MuddyWater has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."(Citation: Securelist MuddyWater Oct 2018)

Trojan.Karagany

Trojan.Karagany can enumerate files and directories on a compromised host.(Citation: Secureworks Karagany July 2019)

PoshC2

PoshC2 can enumerate files on the local file system and includes a module for enumerating recently accessed files.(Citation: GitHub PoshC2)

3PARA RAT

3PARA RAT has a command to retrieve metadata for files on disk as well as a command to list the current working directory.(Citation: CrowdStrike Putter Panda)

NotPetya

NotPetya searches for files ending with dozens of different file extensions prior to encryption.(Citation: US District Court Indictment GRU Unit 74455 October 2020)

ThreatNeedle

ThreatNeedle can obtain file and directory information.(Citation: Kaspersky ThreatNeedle Feb 2021)

BoomBox

BoomBox can search for specific files and directories on a machine.(Citation: MSTIC Nobelium Toolset May 2021)

jRAT

jRAT can browse file systems.(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013)

Clop

Clop has searched folders and subfolders for files to encrypt.(Citation: Mcafee Clop Aug 2019)

GoldenSpy

GoldenSpy has included a program "ExeProtector", which monitors for the existence of GoldenSpy on the infected system and redownloads if necessary.(Citation: Trustwave GoldenSpy June 2020)

OutSteel

OutSteel can search for specific file extensions, including zipped files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

FYAnti

FYAnti can search the C:\Windows\Microsoft.NET\ directory for files of a specified size.(Citation: Securelist APT10 March 2021)

BADFLICK

BADFLICK has searched for files on the infected host.(Citation: Accenture MUDCARP March 2019)

CaddyWiper

CaddyWiper can enumerate all files and directories on a compromised host.(Citation: Malwarebytes IssacWiper CaddyWiper March 2022 )

Dragonfly 2.0

Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts.(Citation: US-CERT TA18-074A)

Stuxnet

Stuxnet uses a driver to scan for specific filesystem driver objects.(Citation: Symantec W.32 Stuxnet Dossier)

CHOPSTICK

An older version of CHOPSTICK has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)

Zebrocy

Zebrocy searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. Zebrocy also runs the echo %APPDATA% command to list the contents of the directory.(Citation: Securelist Sofacy Feb 2018)(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019) Zebrocy can obtain the current execution path as well as perform drive enumeration.(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: CISA Zebrocy Oct 2020)

Magic Hound

Magic Hound malware can list a victim's logical drives and the type, as well the total/free space of the fixed devices. Other malware can list a directory's contents.(Citation: Unit 42 Magic Hound Feb 2017)

PLEAD

PLEAD has the ability to list drives and files on the compromised host.(Citation: TrendMicro BlackTech June 2017)(Citation: JPCert PLEAD Downloader June 2018)

Okrum

Okrum has used DriveLetterView to enumerate drive information.(Citation: ESET Okrum July 2019)

ObliqueRAT

ObliqueRAT has the ability to recursively enumerate files on an infected endpoint.(Citation: Talos Oblique RAT March 2021)

BBSRAT

BBSRAT can list file and directory information.(Citation: Palo Alto Networks BBSRAT)

StrongPity

StrongPity can parse the hard drive on a compromised host to identify specific file extensions.(Citation: Talos Promethium June 2020)

QuietSieve

QuietSieve can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z.(Citation: Microsoft Actinium February 2022)

ROKRAT

ROKRAT has the ability to gather a list of files and directories on the infected system.(Citation: Securelist ScarCruft May 2019)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)

TeamTNT

TeamTNT has used a script that checks `/proc/*/environ` for environment variables related to AWS.(Citation: Cisco Talos Intelligence Group)

HotCroissant

HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.(Citation: Carbon Black HotCroissant April 2020)

Peppy

Peppy can identify specific files for exfiltration.(Citation: Proofpoint Operation Transparent Tribe March 2016)

Psylo

Psylo has commands to enumerate all storage devices and to find all files that start with a particular string.(Citation: Scarlet Mimic Jan 2016)

Doki

Doki has resolved the path of a process PID to use as a script argument.(Citation: Intezer Doki July 20)

Koadic

Koadic can obtain a list of directories.(Citation: MalwareBytes LazyScripter Feb 2021)

BlackMould

BlackMould has the ability to find files on the targeted system.(Citation: Microsoft GALLIUM December 2019)

CreepyDrive

CreepyDrive can specify the local file path to upload files from.(Citation: Microsoft POLONIUM June 2022)

During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)

POWRUNER

POWRUNER may enumerate user directories on a victim.(Citation: FireEye APT34 Dec 2017)

KeyBoy

KeyBoy has a command to launch a file browser or explorer on the system.(Citation: PWC KeyBoys Feb 2017)

Dtrack

Dtrack can list files on available disk volumes.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack)

BACKSPACE

BACKSPACE allows adversaries to search for files.(Citation: FireEye APT30)

DDKONG

DDKONG lists files on the victim’s machine.(Citation: Rancor Unit42 June 2018)

Denis

Denis has several commands to search directories for files.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)

OSX/Shlayer

OSX/Shlayer has used the command appDir="$(dirname $(dirname "$currentDir"))" and $(dirname "$(pwd -P)") to construct installation paths.(Citation: sentinelone shlayer to zshlayer)(Citation: 20 macOS Common Tools and Techniques)

Heyoka Backdoor

Heyoka Backdoor has the ability to search the compromised host for files.(Citation: SentinelOne Aoqin Dragon June 2022)

Forfiles

Forfiles can be used to locate certain types of files/directories in a system.(ex: locate all files with a specific extension, name, and/or age)(Citation: Überwachung APT28 Forfiles June 2015)

Cryptoistic

Cryptoistic can scan a directory to identify files for deletion.(Citation: SentinelOne Lazarus macOS July 2020)

CORALDECK

CORALDECK searches for specified files.(Citation: FireEye APT37 Feb 2018)

HTTPBrowser

HTTPBrowser is capable of listing files, folders, and drives on a victim.(Citation: Dell TG-3390)(Citation: ZScaler Hacking Team)

ChChes

ChChes collects the victim's %TEMP% directory path and version of Internet Explorer.(Citation: FireEye APT10 April 2017)

APT3

APT3 has a tool that looks for files and directories on the local file system.(Citation: FireEye Clandestine Fox)(Citation: evolution of pirpi)

APT32

APT32's backdoor possesses the capability to list files and directories on a machine. (Citation: ESET OceanLotus Mar 2019)

Mustang Panda

Mustang Panda has searched the entire target system for DOC, DOCX, PPT, PPTX, XLS, XLSX, and PDF files.(Citation: Avira Mustang Panda January 2020)

Pasam

Pasam creates a backdoor through which remote attackers can retrieve lists of files.(Citation: Symantec Pasam May 2012)

RainyDay

RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions.(Citation: Bitdefender Naikon April 2021)

InvisiMole

InvisiMole can list information about files in a directory and recently opened or used documents. InvisiMole can also search for specific files by supplied file mask.(Citation: ESET InvisiMole June 2018)

Dust Storm

Dust Storm has used Android backdoors capable of enumerating specific files on the infected devices.(Citation: Cylance Dust Storm)

During Night Dragon, threat actors used zwShell to establish full remote control of the connected machine and browse the victim file system.(Citation: McAfee Night Dragon)

Gold Dragon

Gold Dragon lists the directories for Desktop, program files, and the user’s recently accessed files.(Citation: McAfee Gold Dragon)

AppleSeed

AppleSeed has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories.(Citation: Malwarebytes Kimsuky June 2021)

CrackMapExec

CrackMapExec can discover specified filetypes and log files on a targeted system.(Citation: CME Github September 2018)

FoggyWeb

FoggyWeb's loader can check for the FoggyWeb backdoor .pri file on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021)

Cannon

Cannon can obtain victim drive information as well as a list of folders in C:\Program Files.(Citation: Unit42 Cannon Nov 2018)

KGH_SPY

KGH_SPY can enumerate files and directories on a compromised host.(Citation: Cybereason Kimsuky November 2020)

WastedLocker

WastedLocker can enumerate files and directories just prior to encryption.(Citation: NCC Group WastedLocker June 2020)

NDiskMonitor

NDiskMonitor can obtain a list of all files and directories as well as logical drives.(Citation: TrendMicro Patchwork Dec 2017)

Ixeshe

Ixeshe can list file and directory information.(Citation: Trend Micro IXESHE 2012)

Backdoor.Oldrea

Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.(Citation: Symantec Dragonfly)

Derusbi

Derusbi is capable of obtaining directory, file, and drive listings.(Citation: Fidelis Turbo)(Citation: FireEye Periscope March 2018)

Siloscape

Siloscape searches for the Kubernetes config file and other related files using a regular expression.(Citation: Unit 42 Siloscape Jun 2021)

APT39

APT39 has used tools with the ability to search for files on a compromised host.(Citation: FBI FLASH APT39 September 2020)

StrifeWater

StrifeWater can enumerate files on a compromised host.(Citation: Cybereason StrifeWater Feb 2022)

MobileOrder

MobileOrder has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history.(Citation: Scarlet Mimic Jan 2016)

BLUELIGHT

BLUELIGHT can enumerate files and collect associated metadata.(Citation: Volexity InkySquid BLUELIGHT August 2021)

ccf32

ccf32 can parse collected files to identify specific file extensions.(Citation: Bitdefender FunnyDream Campaign November 2020)

Lazarus Group

Several Lazarus Group has conducted word searches on compromised machines to identify specific documents of interest. Lazarus Group malware can use a common function to identify target files by their extension, and some also enumerate files and directories, including a Destover-like variant that lists files and gathers information for all drives.(Citation: Novetta Blockbuster)(Citation: McAfee GhostSecret)(Citation: ClearSky Lazarus Aug 2020)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)

SILENTTRINITY

SILENTTRINITY has several modules, such as `ls.py`, `pwd.py`, and `recentFiles.py`, to enumerate directories and files.(Citation: GitHub SILENTTRINITY Modules July 2019)

Darkhotel

Darkhotel has used malware that searched for files with specific patterns.(Citation: Microsoft DUBNIUM July 2016)

TajMahal

TajMahal has the ability to index files from drives, user profiles, and removable drives.(Citation: Kaspersky TajMahal April 2019)

SOUNDBITE

SOUNDBITE is capable of enumerating and manipulating files and directories.(Citation: FireEye APT32 May 2017)

RemoteUtilities

RemoteUtilities can enumerate files and directories on a target machine.(Citation: Trend Micro Muddy Water March 2021)

Hydraq

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010)

StreamEx

StreamEx has the ability to enumerate drive types.(Citation: Cylance Shell Crew Feb 2017)

Taidoor

Taidoor can search for specific files.(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)

menuPass

menuPass has searched compromised systems for folders of interest including those related to HR, audit and expense, and meeting memos.(Citation: Symantec Cicada November 2020)

BLINDINGCAN

BLINDINGCAN can search, read, write, move, and execute files.(Citation: US-CERT BLINDINGCAN Aug 2020)(Citation: NHS UK BLINDINGCAN Aug 2020)

TrickBot

TrickBot searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information.(Citation: S2 Grupo TrickBot June 2017)(Citation: Trend Micro Trickbot Nov 2018)

Remcos

Remcos can search for files on the infected machine.(Citation: Riskiq Remcos Jan 2018)

LookBack

LookBack can retrieve file listings from the victim machine.(Citation: Proofpoint LookBack Malware Aug 2019)

Aria-body

Aria-body has the ability to gather metadata from a file and to search for file and directory names.(Citation: CheckPoint Naikon May 2020)

Kasidet

Kasidet has the ability to search for a given filename on a victim.(Citation: Zscaler Kasidet)

Kimsuky

Kimsuky has the ability to enumerate all files and directories on an infected system.(Citation: Securelist Kimsuky Sept 2013)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi)

Ramsay

Ramsay can collect directory and file lists.(Citation: Eset Ramsay May 2020)(Citation: Antiy CERT Ramsay April 2020)

IceApple

The IceApple Directory Lister module can list information about files and directories including creation time, last write time, name, and size.(Citation: CrowdStrike IceApple May 2022)

Action RAT

Action RAT has the ability to collect drive and file information on an infected machine.(Citation: MalwareBytes SideCopy Dec 2021)

Rising Sun

Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.(Citation: McAfee Sharpshooter December 2018)

SPACESHIP

SPACESHIP identifies files and directories for collection by searching for specific file extensions or file modification time.(Citation: FireEye APT30)

Penquin

Penquin can use the command code do_vslist to send file names, size, and status to C2.(Citation: Leonardo Turla Penquin May 2020)

Machete

Machete produces file listings in order to search for files to be exfiltrated.(Citation: ESET Machete July 2019)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)

RTM

RTM can check for specific files and directories associated with virtualization and malware analysis.(Citation: Unit42 Redaman January 2019)

KONNI

A version of KONNI searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together.(Citation: Talos Konni May 2017)

RedLeaves

RedLeaves can enumerate and search for files and directories.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: FireEye APT10 April 2017)

Confucius

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.(Citation: TrendMicro Confucius APT Aug 2021)

WarzoneRAT

WarzoneRAT can enumerate directories on a compromise host.(Citation: Check Point Warzone Feb 2020)

APT41

APT41 has executed file /bin/pwd on exploited victims, perhaps to return architecture related information.(Citation: FireEye APT41 March 2020)

Winnti Group

Winnti Group has used a program named ff.exe to search for specific documents on compromised hosts.(Citation: Kaspersky Winnti April 2013)

Saint Bot

Saint Bot can search a compromised host for specific files.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 )

Nebulae

Nebulae can list files and directories on a compromised host.(Citation: Bitdefender Naikon April 2021)

FruitFly

FruitFly looks for specific files and file types.(Citation: objsee mac malware 2017)

XCSSET

XCSSET has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions.(Citation: Application Bundle Manipulation Brandon Dalton)

Azorult

Azorult can recursively search for files in folders and collects files from the desktop with certain extensions.(Citation: Unit42 Azorult Nov 2018)

Remexi

Remexi searches for files on the system. (Citation: Securelist Remexi Jan 2019)

Windigo

Windigo has used a script to check for the presence of files created by OpenSSH backdoors.(Citation: ESET ForSSHe December 2018)

SombRAT

SombRAT can execute enum to enumerate files in storage on a compromised system.(Citation: BlackBerry CostaRicto November 2020)

APT18

APT18 can list files information for specific directories.(Citation: PaloAlto DNS Requests May 2016)

Prikormka

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.(Citation: ESET Operation Groundbait)

Dacls

Dacls can scan directories on a compromised host.(Citation: TrendMicro macOS Dacls May 2020)

Imminent Monitor

Imminent Monitor has a dynamic debugging feature to check whether it is located in the %TEMP% directory, otherwise it copies itself there.(Citation: QiAnXin APT-C-36 Feb2019)

Zeus Panda

Zeus Panda searches for specific directories on the victim’s machine.(Citation: GDATA Zeus Panda June 2017)

Rover

Rover automatically searches for files on local drives based on a predefined list of file extensions.(Citation: Palo Alto Rover)

FatDuke

FatDuke can enumerate directories on target machines.(Citation: ESET Dukes October 2019)

ShimRat

ShimRat can list directories.(Citation: FOX-IT May 2016 Mofang)

Pisloader

Pisloader has commands to list drives on the victim machine and to list file information for a given directory.(Citation: Palo Alto DNS Requests)

Fox Kitten

Fox Kitten has used WizTree to obtain network files and directory listings.(Citation: CISA AA20-259A Iran-Based Actor September 2020)

MacMa

MacMa can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders.(Citation: ESET DazzleSpy Jan 2022)

Metamorfo

Metamorfo has searched the Program Files directories for specific folders and has searched for strings related to its mutexes.(Citation: Medium Metamorfo Apr 2020)(Citation: Fortinet Metamorfo Feb 2020)(Citation: FireEye Metamorfo Apr 2018)

Smoke Loader

Smoke Loader recursively searches through directories for files.(Citation: Talos Smoke Loader July 2018)

UPPERCUT

UPPERCUT has the capability to gather the victim's current directory.(Citation: FireEye APT10 Sept 2018)

BADNEWS

BADNEWS identifies files with certain extensions from USB devices, then copies them to a predefined directory.(Citation: TrendMicro Patchwork Dec 2017)

Leafminer

Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files.(Citation: Symantec Leafminer July 2018)

DustySky

DustySky scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine.(Citation: DustySky)(Citation: Kaspersky MoleRATs April 2019)

MESSAGETAP

MESSAGETAP checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds.(Citation: FireEye MESSAGETAP October 2019)

Turla

Turla surveys a system upon check-in to discover files in specific locations on the hard disk %TEMP% directory, the current user's desktop, the Program Files directory, and Recent.(Citation: Kaspersky Turla)(Citation: ESET ComRAT May 2020) Turla RPC backdoors have also searched for files matching the lPH*.dll pattern.(Citation: ESET Turla PowerShell May 2019)

Babuk

Babuk has the ability to enumerate files on a targeted system.(Citation: McAfee Babuk February 2021)(Citation: Trend Micro Ransomware February 2021)

China Chopper

China Chopper's server component can list directory contents.(Citation: FireEye Periscope March 2018)

FunnyDream

FunnyDream can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection.(Citation: Bitdefender FunnyDream Campaign November 2020)

BRONZE BUTLER

BRONZE BUTLER has collected a list of files from the victim and uploaded it to its C2 server, and then created a new list of specific files to steal.(Citation: Secureworks BRONZE BUTLER Oct 2017)

TYPEFRAME

TYPEFRAME can search directories for files on the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018)

Контрмеры

Контрмера Описание
File and Directory Discovery Mitigation

File system activity is a common part of an operating system, so it is unlikely that mitigation would be appropriate for this technique. It may still be beneficial to identify and block unnecessary system utilities or potentially malicious software by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as Collection and Exfiltration, based on the information obtained. Monitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell. Further, Network Device CLI commands may also be used to gather file and directory information with built-in features native to the network device platform. Monitor CLI activity for unexpected or unauthorized use of commands being run by non-standard users from non-standard locations.

Ссылки

  1. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  2. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  3. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  4. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  5. US-CERT. (2018, April 20). Alert (TA18-106A) Russian State-Sponsored Cyber Actors Targeting Network Infrastructure Devices. Retrieved October 19, 2020.
  6. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  7. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  8. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  9. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  10. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  11. Camba, A. (2013, February 27). BKDR_RARSTONE: New RAT to Watch Out For. Retrieved January 8, 2016.
  12. Baumgartner, K. and Garnaeva, M.. (2014, November 3). BE2 custom plugins, router abuse, and target profiles. Retrieved March 24, 2016.
  13. F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
  14. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  15. McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
  16. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  17. Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
  18. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  19. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  20. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  21. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  22. CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
  23. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  24. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  25. ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
  26. Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
  27. Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
  28. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  29. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  30. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  31. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  32. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  33. Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020.
  34. Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
  35. Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
  36. FinFisher. (n.d.). Retrieved December 20, 2017.
  37. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  38. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  39. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  40. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  41. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  42. Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
  43. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
  44. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  45. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  46. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  47. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  48. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  49. Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
  50. CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
  51. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  52. Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
  53. Winters, R. (2015, December 20). The EPS Awakens - Part 2. Retrieved January 22, 2016.
  54. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  55. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  56. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  57. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  58. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  59. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  60. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  61. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  62. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  63. Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
  64. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  65. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  66. Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
  67. Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
  68. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  69. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  70. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  71. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  72. Microsoft. (n.d.). Dir. Retrieved April 18, 2016.
  73. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  74. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  75. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  76. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  77. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  78. Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020.
  79. Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020.
  80. Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020.
  81. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  82. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  83. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  84. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  85. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  86. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  87. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
  88. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  89. Matthews, M. and Backhouse, W. (2021, June 15). Handy guide to a new Fivehands ransomware variant. Retrieved June 24, 2021.
  90. CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
  91. Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
  92. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  93. Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
  94. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  95. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  96. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  97. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  98. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  99. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  100. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Retrieved August 17, 2016.
  101. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  102. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  103. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  104. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  105. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  106. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  107. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  108. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  109. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  110. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  111. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  112. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  113. Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  114. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  115. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  116. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  117. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  118. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  119. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  120. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  121. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  122. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  123. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  124. Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021.
  125. MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
  126. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  127. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  128. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  129. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  130. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  131. Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  132. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  133. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  134. NHS Digital . (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
  135. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  136. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  137. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  138. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  139. Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020.
  140. Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
  141. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  142. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  143. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  144. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  145. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  146. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  147. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  148. BishopFox. (2021, August 18). Sliver Filesystem. Retrieved September 22, 2021.
  149. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  150. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  151. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  152. Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
  153. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  154. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  155. Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020.
  156. Gilbert Sison, Rheniel Ramos, Jay Yaneza, Alfredo Oliveira. (2018, January 15). KillDisk Variant Hits Latin American Financial Groups. Retrieved January 12, 2021.
  157. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  158. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  159. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  160. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  161. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  162. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  163. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  164. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  165. Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
  166. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
  167. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  168. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  169. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021.
  170. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  171. Anthony, N., Pascual, C.. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
  172. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  173. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  174. Brandon Dalton. (2022, August 9). A bundle of nerves: Tweaking macOS security controls to thwart application bundle manipulation. Retrieved September 27, 2022.
  175. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  176. Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
  177. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  178. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  179. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  180. MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  181. Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014.
  182. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
  183. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  184. Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
  185. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  186. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  187. Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
  188. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  189. Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
  190. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  191. Kaspersky Lab's Global Research & Analysis Team. (2014, August 06). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroboros. Retrieved November 7, 2018.
  192. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  193. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  194. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  195. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  196. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  197. MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
  198. Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
  199. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  200. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  201. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  202. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  203. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  204. Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021.
  205. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  206. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  207. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  208. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  209. byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020.
  210. Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
  211. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022.
  212. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  213. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  214. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  215. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  216. Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
  217. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  218. Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.
  219. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  220. Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
  221. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  222. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  223. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  224. Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
  225. FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016.
  226. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  227. S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
  228. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  229. Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
  230. MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
  231. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  232. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  233. Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  234. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  235. Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  236. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  237. Threat Intelligence Team. (2022, March 18). Double header: IsaacWiper and CaddyWiper . Retrieved April 11, 2022.
  238. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  239. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  240. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  241. Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017.
  242. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  243. Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016.
  244. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  245. Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
  246. Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
  247. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  248. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
  249. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  250. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  251. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  252. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  253. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  254. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  255. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  256. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  257. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  258. Mueller, R. (2018, July 13). Indictment - United States of America vs. VIKTOR BORISOVICH NETYKSHO, et al. Retrieved September 13, 2018.
  259. Guarnieri, C. (2015, June 19). Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag. Retrieved January 22, 2018.
  260. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  261. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
  262. Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
  263. Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
  264. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  265. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  266. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  267. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  268. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  269. Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
  270. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  271. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  272. Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
  273. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  274. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  275. Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
  276. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  277. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  278. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  279. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  280. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  281. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  282. Nick Craig-Wood. (n.d.). Rclone syncs your files to cloud storage. Retrieved August 30, 2022.
  283. Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
  284. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  285. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  286. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  287. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  288. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  289. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  290. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  291. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  292. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  293. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  294. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
  295. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  296. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  297. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  298. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  299. ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
  300. Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
  301. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  302. Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019.
  303. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  304. Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
  305. Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
  306. Yates, M. (2017, June 18). APT3 Uncovered: The code evolution of Pirpi. Retrieved September 28, 2017.
  307. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  308. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  309. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  310. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  311. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  312. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  313. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  314. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  315. Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
  316. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  317. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  318. Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  319. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  320. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  321. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.