Передача инструментов из внешней сети
Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer).
Files can also be transferred using various Web Services as well as native or otherwise present tools on the victim system.(Citation: PTSecurity Cobalt Dec 2016)
On Windows, adversaries may use various utilities to download tools, such as `copy`, `finger`, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as `curl`, `scp`, `sftp`, `tftp`, `rsync`, `finger`, and `wget`.(Citation: t1105_lolbas)
Примеры процедур |
|
| Название | Описание |
|---|---|
| Frankenstein |
Frankenstein has uploaded and downloaded files to utilize additional plugins.(Citation: Talos Frankenstein June 2019) |
| Fox Kitten |
Fox Kitten has downloaded additional tools including PsExec directly to endpoints.(Citation: CISA AA20-259A Iran-Based Actor September 2020) |
| EvilBunny |
EvilBunny has downloaded additional Lua scripts from the C2.(Citation: Cyphort EvilBunny Dec 2014) |
| Pandora |
Pandora can load additional drivers and files onto a victim machine.(Citation: Trend Micro Iron Tiger April 2021) |
| ShimRat |
ShimRat can download additional files.(Citation: FOX-IT May 2016 Mofang) |
| SodaMaster |
SodaMaster has the ability to download additional payloads from C2 to the targeted system.(Citation: Securelist APT10 March 2021) |
| BITTER |
BITTER has downloaded additional malware and tools onto a compromised host.(Citation: Cisco Talos Bitter Bangladesh May 2022)(Citation: Forcepoint BITTER Pakistan Oct 2016) |
| Shark |
Shark can download additional files from its C2 via HTTP or DNS.(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021) |
| More_eggs |
More_eggs can download and launch additional payloads.(Citation: Talos Cobalt Group July 2018)(Citation: Security Intelligence More Eggs Aug 2019) |
| SEASHARPEE |
SEASHARPEE can download remote files onto victims.(Citation: FireEye APT34 Webinar Dec 2017) |
| WellMail |
WellMail can receive data and executable scripts from C2.(Citation: CISA WellMail July 2020) |
| HAFNIUM |
HAFNIUM has downloaded malware and tools--including Nishang and PowerCat--onto a compromised host.(Citation: Microsoft HAFNIUM March 2020) |
| Cobalt Group |
Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.(Citation: PTSecurity Cobalt Group Aug 2017)(Citation: PTSecurity Cobalt Dec 2016) The group's JavaScript backdoor is also capable of downloading files.(Citation: Morphisec Cobalt Gang Oct 2018) |
| DDKONG |
DDKONG downloads and uploads files on the victim’s machine.(Citation: Rancor Unit42 June 2018) |
| macOS.OSAMiner |
macOS.OSAMiner has used `curl` to download a Stripped Payloads from a public facing adversary-controlled webpage. |
| SoreFang |
SoreFang can download additional payloads from C2.(Citation: CISA SoreFang July 2016)(Citation: NCSC APT29 July 2020) |
| ZxxZ |
ZxxZ can download and execute additional files.(Citation: Cisco Talos Bitter Bangladesh May 2022) |
| Ursnif |
Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM) |
| HTTPBrowser |
HTTPBrowser is capable of writing a file to the compromised system from the C2 server.(Citation: Dell TG-3390) |
| Action RAT |
Action RAT has the ability to download additional payloads onto an infected machine.(Citation: MalwareBytes SideCopy Dec 2021) |
| Vasport |
Vasport can download files.(Citation: Symantec Vasport May 2012) |
| down_new |
down_new has the ability to download files to the compromised host.(Citation: Trend Micro Tick November 2019) |
| Tropic Trooper |
Tropic Trooper has used a delivered trojan to download additional files.(Citation: TrendMicro Tropic Trooper May 2020) |
| BendyBear |
BendyBear is designed to download an implant from a C2 server.(Citation: Unit42 BendyBear Feb 2021) |
| Wiarp |
Wiarp creates a backdoor through which remote attackers can download files.(Citation: Symantec Wiarp May 2012) |
| Nerex |
Nerex creates a backdoor through which remote attackers can download files onto a compromised host.(Citation: Symantec Ristol May 2012) |
| PS1 |
CostaBricks can download additional payloads onto a compromised host.(Citation: BlackBerry CostaRicto November 2020) |
| NanoCore |
NanoCore has the capability to download and activate additional modules for execution.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016) |
| StoneDrill |
StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine.(Citation: Kaspersky StoneDrill 2017) |
| UNC2452 |
UNC2452 downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to the compromised host following initial compromise.(Citation: FireEye SUNBURST Backdoor December 2020) |
| Lazarus Group |
Lazarus Group has downloaded files, malware, and tools from its C2 onto a compromised host.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: Novetta Blockbuster Loaders)(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020)(Citation: ClearSky Lazarus Aug 2020)(Citation: Kaspersky ThreatNeedle Feb 2021)(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: Google TAG Lazarus Jan 2021)(Citation: Lazarus APT January 2022)(Citation: Qualys LolZarus)(Citation: ESET Twitter Ida Pro Nov 2021) |
| Anchor |
Anchor can download additional payloads.(Citation: Cyberreason Anchor December 2019)(Citation: Medium Anchor DNS July 2020) |
| Denis |
Denis deploys additional backdoors and hacking tools to the system.(Citation: Cybereason Cobalt Kitty 2017) |
| TURNEDUP |
TURNEDUP is capable of downloading additional files.(Citation: FireEye APT33 Sept 2017) |
| PLATINUM |
PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.(Citation: Microsoft PLATINUM June 2017) |
| ShimRatReporter |
ShimRatReporter had the ability to download additional payloads.(Citation: FOX-IT May 2016 Mofang) |
| Elise |
Elise can download additional files from the C2 server for execution.(Citation: Accenture Dragonfish Jan 2018) |
| Okrum |
Okrum has built-in commands for uploading, downloading, and executing files to the system.(Citation: ESET Okrum July 2019) |
| Pupy |
Pupy can upload and download to/from a victim machine.(Citation: GitHub Pupy) |
| Ke3chang |
Ke3chang has used tools to download files to compromised machines.(Citation: Microsoft NICKEL December 2021) |
| Nebulae |
Nebulae can download files from C2.(Citation: Bitdefender Naikon April 2021) |
| Exaramel for Linux |
Exaramel for Linux has a command to download a file from and to a remote C2 server.(Citation: ESET TeleBots Oct 2018)(Citation: ANSSI Sandworm January 2021) |
| QuietSieve |
QuietSieve can download and execute payloads on a target host.(Citation: Microsoft Actinium February 2022) |
| Sharpshooter |
Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018) |
| njRAT |
njRAT can download files to the victim’s machine.(Citation: Fidelis njRAT June 2013)(Citation: Trend Micro njRAT 2018) |
|
During CostaRicto, the threat actors downloaded malware and tools onto a compromised host.(Citation: BlackBerry CostaRicto November 2020) |
|
| Seth-Locker |
Seth-Locker has the ability to download and execute files on a compromised host.(Citation: Trend Micro Ransomware February 2021) |
| YAHOYAH |
YAHOYAH uses HTTP GET requests to download other files that are executed in memory.(Citation: TrendMicro TropicTrooper 2015) |
| Hi-Zor |
Hi-Zor has the ability to upload and download files from its C2 server.(Citation: Fidelis INOCNATION) |
| Whitefly |
Whitefly has the ability to download additional tools from the C2.(Citation: Symantec Whitefly March 2019) |
| BabyShark |
BabyShark has downloaded additional files from the C2.(Citation: Unit42 BabyShark Apr 2019)(Citation: CISA AA20-301A Kimsuky) |
| APT37 |
APT37 has downloaded second stage malware from compromised websites.(Citation: FireEye APT37 Feb 2018)(Citation: Securelist ScarCruft May 2019)(Citation: Volexity InkySquid BLUELIGHT August 2021)(Citation: Volexity InkySquid RokRAT August 2021) |
| BackConfig |
BackConfig can download and execute additional payloads on a compromised host.(Citation: Unit 42 BackConfig May 2020) |
| SILENTTRINITY |
SILENTTRINITY can load additional files and tools, including Mimikatz.(Citation: GitHub SILENTTRINITY Modules July 2019) |
| Bisonal |
Bisonal has the capability to download files to execute on the victim’s machine.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020) |
| BLINDINGCAN |
BLINDINGCAN has downloaded files to a victim machine.(Citation: US-CERT BLINDINGCAN Aug 2020) |
| SpeakUp |
SpeakUp downloads and executes additional files from a remote server. (Citation: CheckPoint SpeakUp Feb 2019) |
| SQLRat |
SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.(Citation: Flashpoint FIN 7 March 2019) |
| SideCopy |
SideCopy has delivered trojanized executables via spearphishing emails that contacts actor-controlled servers to download malicious payloads.(Citation: MalwareBytes SideCopy Dec 2021) |
| TSCookie |
TSCookie has the ability to upload and download files to and from the infected host.(Citation: JPCert TSCookie March 2018) |
| Skidmap |
Skidmap has the ability to download files on an infected host.(Citation: Trend Micro Skidmap) |
| Revenge RAT |
Revenge RAT has the ability to upload and download files.(Citation: Cylance Shaheen Nov 2018) |
| Kimsuky |
Kimsuky has downloaded additional scripts, tools, and malware onto victim systems.(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021) |
| Meteor |
Meteor has the ability to download additional files for execution on the victim's machine.(Citation: Check Point Meteor Aug 2021) |
| ZLib |
ZLib has the ability to download files.(Citation: Cylance Dust Storm) |
| Turla |
Turla has used shellcode to download Meterpreter after compromising a victim.(Citation: ESET Turla Mosquito May 2018) |
| Grandoreiro |
Grandoreiro can download its second stage from a hardcoded URL within the loader's code.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
| BLUELIGHT |
BLUELIGHT can download additional files onto the host.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
| RogueRobin |
RogueRobin can save a new file to the system from the C2 server.(Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019) |
| Kazuar |
Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.(Citation: Unit 42 Kazuar May 2017) |
| Neoichor |
Neoichor can download additional files onto a compromised host.(Citation: Microsoft NICKEL December 2021) |
| BoxCaon |
BoxCaon can download files.(Citation: Checkpoint IndigoZebra July 2021) |
| Daserf |
Daserf can download remote files.(Citation: Trend Micro Daserf Nov 2017)(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| Zebrocy |
Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit42 Cannon Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
| Gamaredon Group |
Gamaredon Group has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022) |
| LOWBALL |
LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.(Citation: FireEye admin@338) |
| Kessel |
Kessel can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018) |
| Leviathan |
Leviathan has downloaded additional scripts and files from adversary-controlled servers.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
| PolyglotDuke |
PolyglotDuke can retrieve payloads from the C2 server.(Citation: ESET Dukes October 2019) |
| Dipsind |
Dipsind can download remote files.(Citation: Microsoft PLATINUM April 2016) |
| Peppy |
Peppy can download and execute remote files.(Citation: Proofpoint Operation Transparent Tribe March 2016) |
| cmd |
cmd can be used to copy files to/from a remotely connected external system.(Citation: TechNet Copy) |
| menuPass |
menuPass has installed updates and new malware on victims.(Citation: PWC Cloud Hopper April 2017)(Citation: District Court of NY APT10 Indictment December 2018) |
| RainyDay |
RainyDay can download files to a compromised host.(Citation: Bitdefender Naikon April 2021) |
| Cardinal RAT |
Cardinal RAT can download and execute additional payloads.(Citation: PaloAlto CardinalRat Apr 2017) |
| WarzoneRAT |
WarzoneRAT can download and execute additional files.(Citation: Check Point Warzone Feb 2020) |
| MarkiRAT |
MarkiRAT can download additional files and tools from its C2 server, including through the use of BITSAdmin.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
| KARAE |
KARAE can upload and download files, including second-stage malware.(Citation: FireEye APT37 Feb 2018) |
| Molerats |
Molerats used executables to download malicious files from different sources.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |
| Small Sieve |
Small Sieve has the ability to download files.(Citation: NCSC GCHQ Small Sieve Jan 2022) |
| China Chopper |
China Chopper's server component can download remote files.(Citation: FireEye Periscope March 2018)(Citation: Lee 2013)(Citation: NCSC Joint Report Public Tools) |
| XCSSET |
XCSSET downloads browser specific AppleScript modules using a constructed URL with the |
| KEYMARBLE |
KEYMARBLE can upload files to the victim’s machine and can download additional payloads.(Citation: US-CERT KEYMARBLE Aug 2018) |
| Carberp |
Carberp can download and execute new plugins from the C2 server. (Citation: Prevx Carberp March 2011)(Citation: Trusteer Carberp October 2010) |
| Unknown Logger |
Unknown Logger is capable of downloading remote files.(Citation: Forcepoint Monsoon) |
| Lucifer |
Lucifer can download and execute a replica of itself using certutil.(Citation: Unit 42 Lucifer June 2020) |
| Sakula |
Sakula has the capability to download files.(Citation: Dell Sakula) |
| PoetRAT |
PoetRAT has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS.(Citation: Talos PoetRAT April 2020)(Citation: Talos PoetRAT October 2020) |
| gh0st RAT |
gh0st RAT can download files to the victim’s machine.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019) |
| BoomBox |
BoomBox has the ability to download next stage malware components to a compromised system.(Citation: MSTIC Nobelium Toolset May 2021) |
| RegDuke |
RegDuke can download files from C2.(Citation: ESET Dukes October 2019) |
| NDiskMonitor |
NDiskMonitor can download and execute a file from given URL.(Citation: TrendMicro Patchwork Dec 2017) |
| LitePower |
LitePower has the ability to download payloads containing system commands to a compromised host.(Citation: Kaspersky WIRTE November 2021) |
| Pteranodon |
Pteranodon can download and execute additional files.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022) |
| Briba |
Briba downloads files onto infected hosts.(Citation: Symantec Briba May 2012) |
| Dacls |
Dacls can download its payload from a C2 server.(Citation: SentinelOne Lazarus macOS July 2020)(Citation: TrendMicro macOS Dacls May 2020) |
| Saint Bot |
Saint Bot can download additional files onto a compromised host.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| FYAnti |
FYAnti can download additional payloads to a compromised host.(Citation: Securelist APT10 March 2021) |
| APT29 |
APT29 has downloaded additional tools, such as TEARDROP malware and Cobalt Strike, to a compromised host following initial access.(Citation: FireEye SUNBURST Backdoor December 2020) |
| Hancitor |
Hancitor has the ability to download additional files from C2.(Citation: Threatpost Hancitor) |
| Shamoon |
Shamoon can download an executable to run on the victim.(Citation: Palo Alto Shamoon Nov 2016) |
| Rocke |
Rocke used malware to download additional malicious files to the target system.(Citation: Talos Rocke August 2018) |
| PipeMon |
PipeMon can install additional modules via C2 commands.(Citation: ESET PipeMon May 2020) |
| Pony |
Pony can download additional files onto the infected system.(Citation: Malwarebytes Pony April 2016) |
| Kevin |
Kevin can download files to the compromised host.(Citation: Kaspersky Lyceum October 2021) |
| Sidewinder |
Sidewinder has used LNK files to download remote files to the victim's network.(Citation: ATT Sidewinder January 2021)(Citation: Cyble Sidewinder September 2020) |
| Calisto |
Calisto has the capability to upload and download files to the victim's machine.(Citation: Symantec Calisto July 2018) |
| Agent Tesla |
Agent Tesla can download additional files for execution on the victim’s machine.(Citation: Talos Agent Tesla Oct 2018)(Citation: DigiTrust Agent Tesla Jan 2017) |
| Koadic |
Koadic can download additional files and tools.(Citation: Github Koadic)(Citation: MalwareBytes LazyScripter Feb 2021) |
| Mis-Type |
Mis-Type has downloaded additional malware and files onto a compromised host.(Citation: Cylance Dust Storm) |
| Chrommme |
Chrommme can download its code from C2.(Citation: ESET Gelsemium June 2021) |
| TYPEFRAME |
TYPEFRAME can upload and download files to the victim’s machine.(Citation: US-CERT TYPEFRAME June 2018) |
| ServHelper |
ServHelper may download additional files to execute.(Citation: Proofpoint TA505 Jan 2019)(Citation: Deep Instinct TA505 Apr 2019) |
| Nidiran |
Nidiran can download and execute files.(Citation: Symantec Backdoor.Nidiran) |
| SMOKEDHAM |
SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.(Citation: FireEye SMOKEDHAM June 2021) |
| Gold Dragon |
Gold Dragon can download additional components from the C2 server.(Citation: McAfee Gold Dragon) |
| Bandook |
Bandook can download files to the system.(Citation: CheckPoint Bandook Nov 2020) |
| Dyre |
Dyre has a command to download and executes additional files.(Citation: Symantec Dyre June 2015) |
| Magic Hound |
Magic Hound has downloaded additional code and files from servers onto victims.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Report APT35 ProxyShell March 2022) |
| NanHaiShu |
NanHaiShu can download additional files from URLs.(Citation: Proofpoint Leviathan Oct 2017) |
| CostaBricks |
CostaBricks has been used to load SombRAT onto a compromised host.(Citation: BlackBerry CostaRicto November 2020) |
| Operation Wocao |
Operation Wocao can download additional files to the infected system.(Citation: FoxIT Wocao December 2019) |
| GrimAgent |
GrimAgent has the ability to download and execute additional payloads.(Citation: Group IB GrimAgent July 2021) |
| QuasarRAT |
QuasarRAT can download files to the victim’s machine and execute them.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018) |
| S-Type |
S-Type can download additional files onto a compromised host.(Citation: Cylance Dust Storm) |
| Smoke Loader |
Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.(Citation: Malwarebytes SmokeLoader 2016) |
| PowerLess |
PowerLess can download additional payloads to a compromised host.(Citation: Cybereason PowerLess February 2022) |
| RARSTONE |
RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.(Citation: Aquino RARSTONE) |
| Zeus Panda |
Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.(Citation: GDATA Zeus Panda June 2017) |
|
During Frankenstein, the threat actors downloaded files and tools onto a victim machine.(Citation: Talos Frankenstein June 2019) |
|
| SLOWDRIFT |
SLOWDRIFT downloads additional payloads.(Citation: FireEye APT37 Feb 2018) |
| AuditCred |
AuditCred can download files and additional malware.(Citation: TrendMicro Lazarus Nov 2018) |
| Milan |
Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`.(Citation: ClearSky Siamesekitten August 2021) |
| ThreatNeedle |
ThreatNeedle can download additional tools to enable lateral movement.(Citation: Kaspersky ThreatNeedle Feb 2021) |
| Industroyer |
Industroyer downloads a shellcode payload from a remote C2 server and loads it into memory.(Citation: ESET Industroyer) |
| Aquatic Panda |
Aquatic Panda has downloaded additional malware onto compromised hosts.(Citation: CrowdStrike AQUATIC PANDA December 2021) |
| APT38 |
APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.(Citation: FireEye APT38 Oct 2018) |
| Zox |
Zox can download files to a compromised machine.(Citation: Novetta-Axiom) |
| Dragonfly 2.0 |
Dragonfly 2.0 copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
| MobileOrder |
MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.(Citation: Scarlet Mimic Jan 2016) |
| BBK |
BBK has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019) |
| Attor |
Attor can download additional plugins, updates and other files. (Citation: ESET Attor Oct 2019) |
| Melcoz |
Melcoz has the ability to download additional files to a compromised host.(Citation: Securelist Brazilian Banking Malware July 2020) |
| SeaDuke |
SeaDuke is capable of uploading and downloading files.(Citation: Unit 42 SeaDuke 2015) |
| NavRAT |
NavRAT can download files remotely.(Citation: Talos NavRAT May 2018) |
| Linfo |
Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.(Citation: Symantec Linfo May 2012) |
| Waterbear |
Waterbear can receive and load executables from remote C2 servers.(Citation: Trend Micro Waterbear December 2019) |
| OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.(Citation: TrendMicro MacOS April 2018)(Citation: Trend Micro MacOS Backdoor November 2020) |
| Hydraq |
Hydraq creates a backdoor through which remote attackers can download files and additional malware components.(Citation: Symantec Trojan.Hydraq Jan 2010)(Citation: Symantec Hydraq Jan 2010) |
| SombRAT |
SombRAT has the ability to download and execute additional payloads.(Citation: BlackBerry CostaRicto November 2020)(Citation: FireEye FiveHands April 2021)(Citation: CISA AR21-126A FIVEHANDS May 2021) |
| Gorgon Group |
Gorgon Group malware can download additional files from C2 servers.(Citation: Unit 42 Gorgon Group Aug 2018) |
| DnsSystem |
DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`.(Citation: Zscaler Lyceum DnsSystem June 2022) |
| APT39 |
APT39 has downloaded tools to compromised hosts.(Citation: Symantec Chafer February 2018)(Citation: FBI FLASH APT39 September 2020) |
| WellMess |
WellMess can write files to a compromised host.(Citation: PWC WellMess July 2020)(Citation: CISA WellMess July 2020) |
| CSPY Downloader |
CSPY Downloader can download additional tools to a compromised host.(Citation: Cybereason Kimsuky November 2020) |
| Cuba |
Cuba can download files from its C2 server.(Citation: McAfee Cuba April 2021) |
| KOCTOPUS |
KOCTOPUS has executed a PowerShell command to download a file to the system.(Citation: MalwareBytes LazyScripter Feb 2021) |
| APT28 |
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.(Citation: Bitdefender APT28 Dec 2015)(Citation: Unit 42 Playbook Dec 2017)(Citation: Accenture SNAKEMACKEREL Nov 2018)(Citation: TrendMicro Pawn Storm Dec 2020)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021) |
| NOKKI |
NOKKI has downloaded a remote module for execution.(Citation: Unit 42 NOKKI Sept 2018) |
| Taidoor |
Taidoor has downloaded additional files onto a compromised host.(Citation: TrendMicro Taidoor) |
| Squirrelwaffle |
Squirrelwaffle has downloaded and executed additional encoded payloads.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021) |
| DRATzarus |
DRATzarus can deploy additional tools onto an infected machine.(Citation: ClearSky Lazarus Aug 2020) |
| RCSession |
RCSession has the ability to drop additional files to an infected machine.(Citation: Profero APT27 December 2020) |
| MiniDuke |
MiniDuke can download additional encrypted backdoors onto the victim via GIF files.(Citation: Securelist MiniDuke Feb 2013)(Citation: ESET Dukes October 2019) |
|
During C0015, the threat actors downloaded additional tools and files onto a compromised network.(Citation: DFIR Conti Bazar Nov 2021) |
|
| Threat Group-3390 |
Threat Group-3390 has downloaded additional malware and tools, including through the use of `certutil`, onto a compromised host .(Citation: Dell TG-3390)(Citation: Trend Micro DRBControl February 2020) |
| Doki |
Doki has downloaded scripts from C2.(Citation: Intezer Doki July 20) |
| SideTwist |
SideTwist has the ability to download additional files.(Citation: Check Point APT34 April 2021) |
| Bundlore |
Bundlore can download and execute new versions of itself.(Citation: MacKeeper Bundlore Apr 2019) |
| DanBot |
DanBot can download additional files to a targeted system.(Citation: SecureWorks August 2019) |
| Mosquito |
Mosquito can upload and download files to the victim.(Citation: ESET Turla Mosquito Jan 2018) |
| CARROTBALL |
CARROTBALL has the ability to download and install a remote payload.(Citation: Unit 42 CARROTBAT January 2020) |
| Azorult |
Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018) |
| Bumblebee |
Bumblebee can download and execute additional payloads including through the use of a `Dex` command.(Citation: Google EXOTIC LILY March 2022)(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022) |
| Volgmer |
Volgmer can download remote files and additional payloads to the victim's machine.(Citation: US-CERT Volgmer Nov 2017)(Citation: US-CERT Volgmer 2 Nov 2017)(Citation: Symantec Volgmer Aug 2014) |
| Trojan.Karagany |
Trojan.Karagany can upload, download, and execute files on the victim.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
| Penquin |
Penquin can execute the command code |
| HAPPYWORK |
can download and execute a second-stage payload.(Citation: FireEye APT37 Feb 2018) |
| SharpStage |
SharpStage has the ability to download and execute additional payloads via a DropBox API.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020) |
| TinyTurla |
TinyTurla has the ability to act as a second-stage dropper used to infect the system with additional malware.(Citation: Talos TinyTurla September 2021) |
| jRAT |
jRAT can download and execute files.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)(Citation: Symantec Frutas Feb 2013) |
| CHOPSTICK |
CHOPSTICK is capable of performing remote file transmission.(Citation: Crowdstrike DNC June 2016) |
| Orz |
Orz can download files onto the victim.(Citation: Proofpoint Leviathan Oct 2017) |
| certutil |
certutil can be used to download files from a given URL.(Citation: TechNet Certutil)(Citation: LOLBAS Certutil) |
| Rancor |
Rancor has downloaded additional malware, including by using certutil.(Citation: Rancor Unit42 June 2018) |
| JPIN |
JPIN can download files and upgrade itself.(Citation: Microsoft PLATINUM April 2016) |
| SysUpdate |
SysUpdate has the ability to download files to a compromised host.(Citation: Trend Micro Iron Tiger April 2021) |
| Seasalt |
Seasalt has a command to download additional files.(Citation: Mandiant APT1 Appendix)(Citation: Mandiant APT1 Appendix) |
| DarkComet |
DarkComet can load any files onto the infected machine to execute.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
| Ixeshe |
Ixeshe can download and execute additional files.(Citation: Trend Micro IXESHE 2012) |
| DEATHRANSOM |
DEATHRANSOM can download files to a compromised host.(Citation: FireEye FiveHands April 2021) |
| PlugX |
PlugX has a module to download and execute files on the compromised machine.(Citation: CIRCL PlugX March 2013)(Citation: Proofpoint TA416 Europe March 2022) |
| Micropsia |
Micropsia can download and execute an executable from the C2 server.(Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018) |
| SDBbot |
SDBbot has the ability to download a DLL from C2 to a compromised host.(Citation: Proofpoint TA505 October 2019) |
| CookieMiner |
CookieMiner can download additional scripts from a web server.(Citation: Unit42 CookieMiner Jan 2019) |
| SpicyOmelette |
SpicyOmelette can download malicious files from threat actor controlled AWS URL's.(Citation: Secureworks GOLD KINGSWOOD September 2018) |
| CloudDuke |
CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.(Citation: F-Secure The Dukes) |
| Pasam |
Pasam creates a backdoor through which remote attackers can upload files.(Citation: Symantec Pasam May 2012) |
| Xbash |
Xbash can download additional malicious files from its C2 server.(Citation: Unit42 Xbash Sept 2018) |
| LightNeuron |
LightNeuron has the ability to download and execute additional files.(Citation: ESET LightNeuron May 2019) |
| Remsec |
Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.(Citation: Symantec Remsec IOCs)(Citation: Kaspersky ProjectSauron Technical Analysis) |
| Flagpro |
Flagpro can download additional malware from the C2 server.(Citation: NTT Security Flagpro new December 2021) |
| MuddyWater |
MuddyWater has used malware that can upload additional files to the victim’s machine.(Citation: Securelist MuddyWater Oct 2018)(Citation: ClearSky MuddyWater Nov 2018)(Citation: Reaqta MuddyWater November 2017)(Citation: Trend Micro Muddy Water March 2021) |
| Emissary |
Emissary has the capability to download files from the C2 server.(Citation: Lotus Blossom Dec 2015) |
| DropBook |
DropBook can download and execute additional files.(Citation: Cybereason Molerats Dec 2020)(Citation: BleepingComputer Molerats Dec 2020) |
| Helminth |
Helminth can download additional files.(Citation: Palo Alto OilRig May 2016) |
| Valak |
Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.(Citation: Unit 42 Valak July 2020)(Citation: Cybereason Valak May 2020) |
| Egregor |
Egregor has the ability to download files from its C2 server.(Citation: Cybereason Egregor Nov 2020)(Citation: Intrinsec Egregor Nov 2020) |
| KONNI |
KONNI can download files and execute them on the victim’s machine.(Citation: Talos Konni May 2017)(Citation: Malwarebytes Konni Aug 2021) |
| PowerPunch |
PowerPunch can download payloads from adversary infrastructure.(Citation: Microsoft Actinium February 2022) |
| APT18 |
APT18 can upload a file to the victim’s machine.(Citation: PaloAlto DNS Requests May 2016) |
| KeyBoy |
KeyBoy has a download and upload functionality.(Citation: PWC KeyBoys Feb 2017)(Citation: Rapid7 KeyBoy Jun 2013) |
| VaporRage |
VaporRage has the ability to download malicious shellcode to compromised systems.(Citation: MSTIC Nobelium Toolset May 2021) |
| TeamTNT |
TeamTNT has the |
| Gazer |
Gazer can execute a task to download a file.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
| PUNCHBUGGY |
PUNCHBUGGY can download additional files and payloads to compromised hosts.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
| OilRig |
OilRig can download remote files onto victims.(Citation: FireEye APT34 Dec 2017) |
| PowerDuke |
PowerDuke has a command to download a file.(Citation: Volexity PowerDuke November 2016) |
| SHARPSTATS |
SHARPSTATS has the ability to upload and download files.(Citation: TrendMicro POWERSTATS V3 June 2019) |
| DOGCALL |
DOGCALL can download and execute additional payloads.(Citation: Unit 42 Nokki Oct 2018) |
| LoudMiner |
LoudMiner used SCP to update the miner from the C2.(Citation: ESET LoudMiner June 2019) |
| KGH_SPY |
KGH_SPY has the ability to download and execute code from remote servers.(Citation: Cybereason Kimsuky November 2020) |
| Sibot |
Sibot can download and execute a payload onto a compromised system.(Citation: MSTIC NOBELIUM Mar 2021) |
| PLEAD |
PLEAD has the ability to upload and download files to and from an infected host.(Citation: JPCert PLEAD Downloader June 2018) |
| Winnti for Linux |
Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host. (Citation: Chronicle Winnti for Linux May 2019) |
| BadPatch |
BadPatch can download and execute or update malware.(Citation: Unit 42 BadPatch Oct 2017) |
| ROKRAT |
ROKRAT can retrieve additional malicious payloads from its C2 server.(Citation: Talos ROKRAT)(Citation: NCCGroup RokRat Nov 2018)(Citation: Volexity InkySquid RokRAT August 2021)(Citation: Malwarebytes RokRAT VBA January 2021) |
| LazyScripter |
LazyScripter had downloaded additional tools to a compromised host.(Citation: MalwareBytes LazyScripter Feb 2021) |
| ChChes |
ChChes is capable of downloading files, including additional modules.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)(Citation: FireEye APT10 April 2017) |
| Kivars |
Kivars has the ability to download and execute files.(Citation: TrendMicro BlackTech June 2017) |
| APT32 |
APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.(Citation: Volexity OceanLotus Nov 2017) |
| Silence |
Silence has downloaded additional modules and malware to victim’s machines.(Citation: Group IB Silence Sept 2018) |
| Sliver |
Sliver can upload files from the C2 server to the victim machine using the |
| Gelsemium |
Gelsemium can download additional plug-ins to a compromised host.(Citation: ESET Gelsemium June 2021) |
| Confucius |
Confucius has downloaded additional files and payloads onto a compromised host following initial access.(Citation: Uptycs Confucius APT Jan 2021)(Citation: TrendMicro Confucius APT Aug 2021) |
| HotCroissant |
HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.(Citation: Carbon Black HotCroissant April 2020) |
| P8RAT |
P8RAT can download additional payloads to a target system.(Citation: Securelist APT10 March 2021) |
| Avenger |
Avenger has the ability to download files from C2 to a compromised host.(Citation: Trend Micro Tick November 2019) |
|
During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.(Citation: Bitdefender FunnyDream Campaign November 2020) |
|
| OopsIE |
OopsIE can download files from its C2 server to the victim's machine.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 OilRig Sept 2018) |
| Backdoor.Oldrea |
Backdoor.Oldrea can download additional modules from C2.(Citation: Gigamon Berserk Bear October 2021) |
| TAINTEDSCRIBE |
TAINTEDSCRIBE can download additional modules from its C2 server.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020) |
| Machete |
Machete can download additional files for execution on the victim’s machine.(Citation: ESET Machete July 2019) |
| FoggyWeb |
FoggyWeb can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server.(Citation: MSTIC FoggyWeb September 2021) |
| SLOTHFULMEDIA |
SLOTHFULMEDIA has downloaded files onto a victim machine.(Citation: CISA MAR SLOTHFULMEDIA October 2020) |
| CoinTicker |
CoinTicker executes a Python script to download its second stage.(Citation: CoinTicker 2019) |
| Kwampirs |
Kwampirs downloads additional files from C2 servers.(Citation: Symantec Security Center Trojan.Kwampirs) |
| GuLoader |
GuLoader can download further malware for execution on the victim's machine.(Citation: Medium Eli Salem GuLoader April 2021) |
| FunnyDream |
FunnyDream can download additional files onto a compromised host.(Citation: Bitdefender FunnyDream Campaign November 2020) |
| Downdelph |
After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.(Citation: ESET Sednit Part 3) |
| Ember Bear |
Ember Bear has used tools to download malicious code.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| Tomiris |
Tomiris can download files and execute them on a victim's system.(Citation: Kaspersky Tomiris Sep 2021) |
| CARROTBAT |
CARROTBAT has the ability to download and execute a remote file via certutil.(Citation: Unit 42 CARROTBAT November 2018) |
| BITSAdmin |
BITSAdmin can be used to create BITS Jobs to upload and/or download files.(Citation: Microsoft BITSAdmin) |
| FlawedAmmyy |
FlawedAmmyy can transfer files from C2.(Citation: Korean FSI TA505 2020) |
| Kerrdown |
Kerrdown can download specific payloads to a compromised host based on OS architecture.(Citation: Unit 42 KerrDown February 2019) |
| ABK |
ABK has the ability to download files from C2.(Citation: Trend Micro Tick November 2019) |
| Crimson |
Crimson contains a command to retrieve files from its C2 server.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
| APT33 |
APT33 has downloaded additional files and programs from its C2 server.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020) |
| Bankshot |
Bankshot uploads files and secondary payloads to the victim's machine.(Citation: US-CERT Bankshot Dec 2017) |
| Lizar |
Lizar can download additional plugins, files, and tools.(Citation: BiZone Lizar May 2021) |
| Psylo |
Psylo has a command to download a file to the system from its C2 server.(Citation: Scarlet Mimic Jan 2016) |
| GreyEnergy |
GreyEnergy can download additional modules and payloads.(Citation: ESET GreyEnergy Oct 2018) |
| UPPERCUT |
UPPERCUT can download and upload files to and from the victim’s machine.(Citation: FireEye APT10 Sept 2018) |
| Amadey |
Amadey can download and execute files to further infect a host machine with additional malware.(Citation: BlackBerry Amadey 2020) |
| WEBC2 |
WEBC2 can download and execute a file.(Citation: Mandiant APT1) |
| LiteDuke |
LiteDuke has the ability to download files.(Citation: ESET Dukes October 2019) |
| Explosive |
Explosive has a function to download a file to the infected system.(Citation: CheckPoint Volatile Cedar March 2015) |
| H1N1 |
H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.(Citation: Cisco H1N1 Part 2) |
| IcedID |
IcedID has the ability to download additional modules and a configuration file from C2.(Citation: IBM IcedID November 2017)(Citation: Juniper IcedID June 2020) |
| REvil |
REvil can download a copy of itself from an attacker controlled IP address to the victim machine.(Citation: Talos Sodinokibi April 2019)(Citation: McAfee Sodinokibi October 2019)(Citation: Picus Sodinokibi January 2020) |
| QakBot |
QakBot has the ability to download additional components and malware.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Cyberint Qakbot May 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020) |
| Volatile Cedar |
Volatile Cedar can deploy additional tools.(Citation: ClearSky Lebanese Cedar Jan 2021) |
| RDAT |
RDAT can download files via DNS.(Citation: Unit42 RDAT July 2020) |
| Mongall |
Mongall can download files to targeted systems.(Citation: SentinelOne Aoqin Dragon June 2022) |
| CreepyDrive |
CreepyDrive can download files to the compromised host.(Citation: Microsoft POLONIUM June 2022) |
| Evilnum |
Evilnum can deploy additional components or tools as needed.(Citation: ESET EvilNum July 2020) |
| Winnti for Windows |
The Winnti for Windows dropper can place malicious payloads on targeted systems.(Citation: Novetta Winnti April 2015) |
| Astaroth |
Astaroth uses certutil and BITSAdmin to download additional malware. (Citation: Cofense Astaroth Sept 2018)(Citation: Cybereason Astaroth Feb 2019)(Citation: Securelist Brazilian Banking Malware July 2020) |
| Remcos |
Remcos can upload and download files to and from the victim’s machine.(Citation: Riskiq Remcos Jan 2018) |
| Misdat |
Misdat is capable of downloading files from the C2.(Citation: Cylance Dust Storm) |
| PoisonIvy |
PoisonIvy creates a backdoor through which remote attackers can upload files.(Citation: Symantec Darkmoon Aug 2005) |
| xCaon |
xCaon has a command to download files to the victim's machine.(Citation: Checkpoint IndigoZebra July 2021) |
| TDTESS |
TDTESS has a command to download and execute an additional file.(Citation: ClearSky Wilted Tulip July 2017) |
| BISCUIT |
BISCUIT has a command to download a file from the C2 server.(Citation: Mandiant APT1 Appendix) |
| FIN7 |
FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.(Citation: FireEye FIN7 April 2017)(Citation: DOJ FIN7 Aug 2018) |
| TA505 |
TA505 has downloaded additional malware to execute on victim systems.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)(Citation: ProofPoint SettingContent-ms July 2018) |
| RemoteCMD |
RemoteCMD copies a file over to the remote system before execution.(Citation: Symantec Buckeye) |
| EVILNUM |
EVILNUM can download and upload files to the victim's computer.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020) |
| BADNEWS |
BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.(Citation: Forcepoint Monsoon)(Citation: PaloAlto Patchwork Mar 2018)(Citation: TrendMicro Patchwork Dec 2017) |
| APT41 |
APT41 used certutil to download additional files.(Citation: FireEye APT41 March 2020)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Group IB APT 41 June 2021) |
| HOPLIGHT |
HOPLIGHT has the ability to connect to a remote host in order to upload and download files.(Citation: US-CERT HOPLIGHT Apr 2019) |
| Nomadic Octopus |
Nomadic Octopus has used malicious macros to download additional files to the victim's machine.(Citation: ESET Nomadic Octopus 2018) |
| BackdoorDiplomacy |
BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.(Citation: ESET BackdoorDiplomacy Jun 2021) |
| GoldenSpy |
GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.(Citation: Trustwave GoldenSpy June 2020) |
| InvisiMole |
InvisiMole can upload files to the victim's machine for operations.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
|
During C0010, UNC3890 actors downloaded tools and malware onto a compromised host.(Citation: Mandiant UNC3890 Aug 2022) |
|
| MechaFlounder |
MechaFlounder has the ability to upload and download files to and from a compromised host.(Citation: Unit 42 MechaFlounder March 2019) |
|
During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018) |
|
| BlackMould |
BlackMould has the ability to download files to the victim's machine.(Citation: Microsoft GALLIUM December 2019) |
| GoldMax |
GoldMax can download and execute additional files.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
| ftp |
ftp may be abused by adversaries to transfer tools or files from an external system into a compromised environment.(Citation: Microsoft FTP)(Citation: Linux FTP) |
| esentutl |
esentutl can be used to copy files from a given URL.(Citation: LOLBAS Esentutl) |
| HEXANE |
HEXANE has downloaded additional payloads and malicious scripts onto a compromised host.(Citation: Kaspersky Lyceum October 2021) |
| OSX/Shlayer |
OSX/Shlayer can download payloads, and extract bytes from files. OSX/Shlayer uses the |
| CallMe |
CallMe has the capability to download a file to the victim from the C2 server.(Citation: Scarlet Mimic Jan 2016) |
| POSHSPY |
POSHSPY downloads and executes additional PowerShell code and Windows binaries.(Citation: FireEye POSHSPY April 2017) |
| HiddenWasp |
HiddenWasp downloads a tar compressed archive from a download server to the system.(Citation: Intezer HiddenWasp Map 2019) |
| Turian |
Turian can download additional files and tools from its C2.(Citation: ESET BackdoorDiplomacy Jun 2021) |
| ZeroT |
ZeroT can download additional payloads onto the victim.(Citation: Proofpoint ZeroT Feb 2017) |
| BADFLICK |
BADFLICK has download files from its C2 server.(Citation: Accenture MUDCARP March 2019) |
| Winnti Group |
Winnti Group has downloaded an auxiliary program named ff.exe to infected machines.(Citation: Kaspersky Winnti April 2013) |
| Kasidet |
Kasidet has the ability to download and execute additional files.(Citation: Zscaler Kasidet) |
| APT-C-36 |
APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.(Citation: QiAnXin APT-C-36 Feb2019) |
| FIN8 |
FIN8 has used remote code execution to download subsequent payloads.(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender FIN8 July 2021) |
| Windshift |
Windshift has used tools to deploy additional payloads to compromised hosts.(Citation: BlackBerry Bahamut) |
| TA551 |
TA551 has retrieved DLLs and installer binaries for malware execution from C2.(Citation: Unit 42 TA551 Jan 2021) |
| SHUTTERSPEED |
SHUTTERSPEED can download and execute an arbitary executable.(Citation: FireEye APT37 Feb 2018) |
| POWRUNER |
POWRUNER can download or upload files from its C2 server.(Citation: FireEye APT34 Dec 2017) |
| Mustang Panda |
Mustang Panda has downloaded additional executables following the initial infection stage.(Citation: Recorded Future REDDELTA July 2020) |
| Bazar |
Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: NCC Group Team9 June 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
| Donut |
Donut can download and execute previously staged shellcode payloads.(Citation: Donut Github) |
| Octopus |
Octopus can download additional files and tools onto the victim’s machine.(Citation: Securelist Octopus Oct 2018)(Citation: Security Affairs DustSquad Oct 2018)(Citation: ESET Nomadic Octopus 2018) |
| StrongPity |
StrongPity can download files to specified targets.(Citation: Bitdefender StrongPity June 2020) |
| RTM |
RTM can download additional files.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019) |
| HyperBro |
HyperBro has the ability to download additional files.(Citation: Unit42 Emissary Panda May 2019) |
|
During Operation Honeybee, the threat actors downloaded additional malware and malicious scripts onto a compromised host.(Citation: McAfee Honeybee) |
|
| Cyclops Blink |
Cyclops Blink has the ability to download files to target systems.(Citation: NCSC Cyclops Blink February 2022)(Citation: Trend Micro Cyclops Blink March 2022) |
| Dragonfly |
Dragonfly has copied and installed tools for operations once in the victim environment.(Citation: US-CERT TA18-074A) |
| Aria-body |
Aria-body has the ability to download additional payloads from C2.(Citation: CheckPoint Naikon May 2020) |
| MoleNet |
MoleNet can download additional payloads from the C2.(Citation: Cybereason Molerats Dec 2020) |
| Hildegard |
Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.(Citation: Unit 42 Hildegard Malware) |
| Moses Staff |
Moses Staff has downloaded and installed web shells to following path |
| Darkhotel |
Darkhotel has used first-stage payloads that download additional malware from C2 servers.(Citation: Microsoft DUBNIUM June 2016) |
| Pisloader |
Pisloader has a command to upload a file to the victim machine.(Citation: Palo Alto DNS Requests) |
| POWERSTATS |
POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.(Citation: FireEye MuddyWater Mar 2018) |
| MCMD |
MCMD can upload additional files to a compromised host.(Citation: Secureworks MCMD July 2019) |
| Cobalt Strike |
Cobalt Strike can deliver additional payloads to victim machines.(Citation: Talos Cobalt Strike September 2020)(Citation: Cobalt Strike Manual 4.3 November 2020) |
| WIRTE |
WIRTE has downloaded PowerShell code from the C2 server to be executed.(Citation: Lab52 WIRTE Apr 2019) |
| POWERSOURCE |
POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.(Citation: FireEye FIN7 March 2017) |
| Caterpillar WebShell |
Caterpillar WebShell has a module to download and upload files to the system.(Citation: ClearSky Lebanese Cedar Jan 2021) |
| Diavol |
Diavol can receive configuration updates and additional payloads including wscpy.exe from C2.(Citation: Fortinet Diavol July 2021) |
| VERMIN |
VERMIN can download and upload files to the victim's machine.(Citation: Unit 42 VERMIN Jan 2018) |
| Mivast |
Mivast has the capability to download and execute .exe files.(Citation: Symantec Backdoor.Mivast) |
| BRONZE BUTLER |
BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).(Citation: Secureworks BRONZE BUTLER Oct 2017) |
| build_downer |
build_downer has the ability to download files from C2 to the infected host.(Citation: Trend Micro Tick November 2019) |
| RATANKBA |
RATANKBA uploads and downloads information.(Citation: Lazarus RATANKBA)(Citation: RATANKBA) |
| TrickBot |
TrickBot downloads several additional files and saves them to the victim's machine.(Citation: Trend Micro Totbrick Oct 2016)(Citation: Bitdefender Trickbot VNC module Whitepaper 2021) |
| Indrik Spider |
Indrik Spider has downloaded additional scripts, malware, and tools onto a compromised host.(Citation: Crowdstrike Indrik November 2018)(Citation: Symantec WastedLocker June 2020) |
| Patchwork |
Patchwork payloads download additional files from the C2 server.(Citation: Securelist Dropping Elephant)(Citation: TrendMicro Patchwork Dec 2017) |
| Bonadan |
Bonadan can download additional modules from the C2 server.(Citation: ESET ForSSHe December 2018) |
| Cryptoistic |
Cryptoistic has the ability to send and receive files.(Citation: SentinelOne Lazarus macOS July 2020) |
| Kinsing |
Kinsing has downloaded additional lateral movement scripts from C2.(Citation: Aqua Kinsing April 2020) |
| BONDUPDATER |
BONDUPDATER can download or upload files from its C2 server.(Citation: Palo Alto OilRig Sep 2018) |
| ZIRCONIUM |
ZIRCONIUM has used tools to download malicious files to compromised hosts.(Citation: Zscaler APT31 Covid-19 October 2020) |
| Metamorfo |
Metamorfo has used MSI files to download additional files to execute.(Citation: Medium Metamorfo Apr 2020)(Citation: FireEye Metamorfo Apr 2018)(Citation: Fortinet Metamorfo Feb 2020)(Citation: ESET Casbaneiro Oct 2019) |
| CharmPower |
CharmPower has the ability to download additional modules to a compromised host.(Citation: Check Point APT35 CharmPower January 2022) |
| GALLIUM |
GALLIUM dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.(Citation: Cybereason Soft Cell June 2019)(Citation: Microsoft GALLIUM December 2019) |
| OutSteel |
OutSteel can download files from its C2 server.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
| MacMa |
MacMa has downloaded additional files, including an exploit for used privilege escalation.(Citation: ESET DazzleSpy Jan 2022)(Citation: Objective-See MacMa Nov 2021) |
| RemoteUtilities |
RemoteUtilities can upload and download files to and from a target machine.(Citation: Trend Micro Muddy Water March 2021) |
| Chaes |
Chaes can download additional files onto an infected machine.(Citation: Cybereason Chaes Nov 2020) |
| CORESHELL |
CORESHELL downloads another dropper from its C2 server.(Citation: FireEye APT28) |
| FELIXROOT |
FELIXROOT downloads and uploads files to and from the victim’s machine.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018) |
| SUNBURST |
SUNBURST delivered different payloads, including TEARDROP in at least one instance.(Citation: FireEye SUNBURST Backdoor December 2020) |
| Felismus |
Felismus can download files from remote servers.(Citation: Forcepoint Felismus Mar 2017) |
| ThiefQuest |
ThiefQuest can download and execute payloads in-memory or from disk.(Citation: wardle evilquest partii) |
| Sandworm Team |
Sandworm Team has pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.(Citation: ESET Telebots Dec 2016)(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
| UBoatRAT |
UBoatRAT can upload and download files to the victim’s machine.(Citation: PaloAlto UBoatRAT Nov 2017) |
| Netwalker |
Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.(Citation: Sophos Netwalker May 2020) |
| Ecipekac |
Ecipekac can download additional payloads to a compromised host.(Citation: Securelist APT10 March 2021) |
| RGDoor |
RGDoor uploads and downloads files to and from the victim’s machine.(Citation: Unit 42 RGDoor Jan 2018) |
|
During Night Dragon, threat actors used administrative utilities to deliver Trojan components to remote systems.(Citation: McAfee Night Dragon) |
|
|
During Operation Wocao, threat actors downloaded additional files to the infected system.(Citation: FoxIT Wocao December 2019) |
|
| Dtrack |
Dtrack’s can download and upload a file to the victim’s computer.(Citation: Securelist Dtrack)(Citation: CyberBit Dtrack) |
| Andariel |
Andariel has downloaded additional tools and malware onto compromised hosts.(Citation: AhnLab Andariel Subgroup of Lazarus June 2018) |
| Ajax Security Team |
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.(Citation: Check Point Rocket Kitten) |
| Empire |
Empire can upload and download to and from a victim machine.(Citation: Github PowerShell Empire) |
| WhisperGate |
WhisperGate can download additional stages of malware from a Discord CDN channel.(Citation: Microsoft WhisperGate January 2022)(Citation: Unit 42 WhisperGate January 2022)(Citation: Cisco Ukraine Wipers January 2022)(Citation: Medium S2W WhisperGate January 2022) |
| Elderwood |
The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.(Citation: Symantec Ristol May 2012) |
| StrifeWater |
StrifeWater can download updates and auxiliary modules.(Citation: Cybereason StrifeWater Feb 2022) |
| Cannon |
Cannon can download a payload for execution.(Citation: Unit42 Cannon Nov 2018) |
| JHUHUGIT |
JHUHUGIT can retrieve an additional payload from its C2 server.(Citation: ESET Sednit Part 1)(Citation: Unit 42 Sofacy Feb 2018) JHUHUGIT has a command to download files to the victim’s machine.(Citation: Talos Seduploader Oct 2017) |
| Drovorub |
Drovorub can download files to a compromised host.(Citation: NSA/FBI Drovorub August 2020) |
| RedLeaves |
RedLeaves is capable of downloading a file from a specified URL.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
| JSS Loader |
JSS Loader has the ability to download malicious executables to a compromised host.(Citation: CrowdStrike Carbon Spider August 2021) |
| NETWIRE |
NETWIRE can downloaded payloads from C2 to the compromised host.(Citation: FireEye NETWIRE March 2019)(Citation: Proofpoint NETWIRE December 2020) |
| APT3 |
APT3 has a tool that can copy files to remote machines.(Citation: FireEye Clandestine Fox) |
| ShadowPad |
ShadowPad has downloaded code from a C2 server.(Citation: Securelist ShadowPad Aug 2017) |
| Lokibot |
Lokibot downloaded several staged items onto the victim's machine.(Citation: Talos Lokibot Jan 2021) |
| P.A.S. Webshell |
P.A.S. Webshell can upload and download files to and from compromised hosts.(Citation: ANSSI Sandworm January 2021) |
| Chimera |
Chimera has remotely copied tools and malware onto targeted systems.(Citation: Cycraft Chimera April 2020) |
| Conficker |
Conficker downloads an HTTP server to the infected machine.(Citation: SANS Conficker) |
| Hikit |
Hikit has the ability to download files to a compromised host.(Citation: Novetta-Axiom) |
| Tonto Team |
Tonto Team has downloaded malicious DLLs which served as a ShadowPad loader.(Citation: ESET Exchange Mar 2021) |
| Agent.btz |
Agent.btz attempts to download an encrypted binary from a specified domain.(Citation: ThreatExpert Agent.btz) |
| PLAINTEE |
PLAINTEE has downloaded and executed additional plugins.(Citation: Rancor Unit42 June 2018) |
| VBShower |
VBShower has the ability to download VBS files to the target computer.(Citation: Kaspersky Cloud Atlas August 2019) |
| Javali |
Javali can download payloads from remote C2 servers.(Citation: Securelist Brazilian Banking Malware July 2020) |
| IndigoZebra |
IndigoZebra has downloaded additional files and tools from its C2 server.(Citation: Checkpoint IndigoZebra July 2021) |
| ZxShell |
ZxShell has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014) |
Контрмеры |
|
| Контрмера | Описание |
|---|---|
| Network Intrusion Prevention |
Use intrusion detection signatures to block traffic at network boundaries. |
| Remote File Copy Mitigation |
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. (Citation: University of Birmingham C2) |
Обнаружение
Monitor for file creation and files transferred into the network. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as ftp, that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Specifically, for the finger utility on Windows and Linux systems, monitor command line or terminal execution for the finger command. Monitor network activity for TCP port 79, which is used by the finger utility, and Windows netsh interface portproxy modifications to well-known ports such as 80 and 443. Furthermore, monitor file system for the download/creation and execution of suspicious files, which may indicate adversary-downloaded payloads. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)
Ссылки
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
- LOLBAS. (n.d.). LOLBAS Mapped to T1105. Retrieved March 11, 2022.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Cybereason Nocturnus. (2022, February 1). PowerLess Trojan: Iranian APT Phosphorus Adds New PowerShell Backdoor for Espionage. Retrieved June 1, 2022.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
- Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- Lim, M.. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat . Retrieved October 7, 2019.
- ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Magisa, L. (2020, November 27). New MacOS Backdoor Connected to OceanLotus Surfaces. Retrieved December 2, 2020.
- Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021.
- Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
- Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
- Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
- Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
- Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Radu Tudorica. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021.
- Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
- Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
- National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
- Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
- ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
- Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021.
- Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
- Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
- NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
- Haquebord, F. et al. (2022, March 17). Cyclops Blink Sets Sights on Asus Routers. Retrieved March 17, 2022.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
- Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021.
- Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
- Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
- Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
- CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
- Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Ray, V. and Hayashi, K. (2019, February 1). Tracking OceanLotus’ new Downloader, KerrDown. Retrieved October 1, 2021.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021.
- Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
- Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
- US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
- Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
- Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
- Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
- Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
- Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
- AhnLab. (2018, June 23). Targeted attacks by Andariel Threat Group, a subgroup of the Lazarus. Retrieved September 29, 2021.
- Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
- Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
- Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- N/A. (n.d.). ftp(1) - Linux man page. Retrieved February 25, 2022.
- Microsoft. (2021, July 21). ftp. Retrieved February 25, 2022.
- NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
- Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
- Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
- The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
- Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
- Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021.
- Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021.
- S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022.
- Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
- Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- MSTIC. (2022, January 15). Destructive malware targeting Ukrainian organizations. Retrieved March 10, 2022.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
- Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
- Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
- Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
- LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021.
- Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022.
- Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
- Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
- Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
- Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
- Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
- Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021.
- Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
- Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
- Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
- Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
- Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
- Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
- Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
- Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
- Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
- Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021.
- Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
- Singer, G. (2020, April 3). Threat Alert: Kinsing Malware Attacks Targeting Container Environments. Retrieved April 1, 2021.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
- Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
- US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Anton Cherepanov. (2017, June 12). Win32/Industroyer: A new threat for industrial controls systems. Retrieved December 18, 2020.
- Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Bichet, J. (2020, November 12). Egregor – Prolock: Fraternal Twins ?. Retrieved January 6, 2021.
- Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021.
- Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
- Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
- Faou, M., Tartare, M., Dupuy, T. (2021, March 10). Exchange servers under siege from at least 10 APT groups. Retrieved May 21, 2021.
- MSTIC. (2021, March 2). HAFNIUM targeting Exchange Servers with 0-day exploits. Retrieved March 3, 2021.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
- Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Retrieved August 11, 2021.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
- Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
- Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
- Fishbein, N., Kajiloti, M.. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
- Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020.
- Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
- Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
- Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
- Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
- QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- BishopFox. (n.d.). Sliver Upload. Retrieved September 16, 2021.
- Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
- McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
- Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
- Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
- Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
- Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
- Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
- PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
- SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
- S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
- Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
- Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
- M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
- GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021.
- Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
- Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Phil Stokes. (2020, September 8). Coming Out of Your Shell: From Shlayer to ZShlayer. Retrieved September 13, 2021.
- Patrick Wardle. (2020, August 30). Apple Approved Malware malicious code ...now notarized!? #2020. Retrieved September 13, 2021.
- Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
- Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
- Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
- Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
- NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
- Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
- Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
- Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
- Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.