System Time Discovery
An adversary may gather the system time and/or time zone settings from a local or remote system. The system time is set and stored by services, such as the Windows Time Service on Windows or `systemsetup` on macOS.(Citation: MSDN System Time)(Citation: Technet Windows Time Service)(Citation: systemsetup mac time) These time settings may also be synchronized between systems and services in an enterprise network, typically accomplished with a network time server within a domain.(Citation: Mac Time Sync)(Citation: linux system time)
System time information may be gathered in a number of ways, such as with Net on Windows by performing `net time \\hostname` to gather the system time on a remote system. The victim's time zone may also be inferred from the current system time or gathered by using `w32tm /tz`.(Citation: Technet Windows Time Service) In addition, adversaries can discover device uptime through functions such as `GetTickCount()` to determine how long it has been since the system booted up.(Citation: Virtualization/Sandbox Evasion)
On network devices, Network Device CLI commands such as `show clock detail` can be used to see the current time configuration.(Citation: show_clock_detail_cisco_cmd) In addition, system calls such as `time()` have been used to collect the current time on Linux devices.(Citation: MAGNET GOBLIN) On macOS systems, adversaries may use commands such as `systemsetup -gettimezone` or `timeIntervalSinceNow` to gather current time zone information or current date and time.(Citation: System Information Discovery Technique)(Citation: ESET DazzleSpy Jan 2022)
This information could be useful for performing other techniques, such as executing a file with a Scheduled Task/Job(Citation: RSA EU12 They're Inside), or to discover locality information based on time zone to assist in victim targeting (i.e. System Location Discovery). Adversaries may also use knowledge of system time as part of a time bomb, or delaying execution until a specified date/time.(Citation: AnyRun TimeBomb)
Procedure Examples
Name | Description |
---|---|
Shamoon | Shamoon obtains the system time and will only activate if it is greater than a preset date.(Citation: Palo Alto Shamoon Nov 2016)(Citation: Unit 42 Shamoon3 2018) |
Astaroth | Astaroth collects the timestamp from the infected machine.(Citation: Cofense Astaroth Sept 2018) |
Zebrocy | Zebrocy gathers the current time zone and date information from the system.(Citation: ESET Zebrocy Nov 2018)(Citation: CISA Zebrocy Oct 2020) |
ShadowPad | ShadowPad has collected the current date and time of the victim system.(Citation: Kaspersky ShadowPad Aug 2017) |
Taidoor | Taidoor can use |
EvilBunny | EvilBunny has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox.(Citation: Cyphort EvilBunny Dec 2014) |
T9000 | T9000 gathers and beacons the system time during installation.(Citation: Palo Alto T9000 Feb 2016) |
KEYPLUG | KEYPLUG can obtain the current tick count of an infected computer.(Citation: Mandiant APT41) |
Sidewinder | Sidewinder has used tools to obtain the current system time.(Citation: ATT Sidewinder January 2021) |
Net | The |
SombRAT | SombRAT can execute |
Epic | Epic uses the |
Torisma | Torisma can collect the current time on a victim machine.(Citation: McAfee Lazarus Nov 2020) |
Operation CuckooBees | During Operation CuckooBees, the threat actors used the `net time` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022) |
UPPERCUT | UPPERCUT has the capability to obtain the time zone information and current timestamp of the victim’s machine.(Citation: FireEye APT10 Sept 2018) |
Operation Wocao | Operation Wocao has used the |
GoldMax | GoldMax can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server.(Citation: MSTIC NOBELIUM Mar 2021)(Citation: FireEye SUNSHUTTLE Mar 2021) |
Conficker | Conficker uses the current UTC victim system date for domain generation and connects to time servers to determine the current date.(Citation: SANS Conficker)(Citation: Trend Micro Conficker) |
Operation Wocao | During Operation Wocao, threat actors used the `time` command to retrieve the current time of a compromised system.(Citation: FoxIT Wocao December 2019) |
GravityRAT | GravityRAT can obtain the date and time of a system.(Citation: Talos GravityRAT) |
Agent Tesla | Agent Tesla can collect the timestamp from the victim’s machine.(Citation: DigiTrust Agent Tesla Jan 2017) |
ccf32 | ccf32 can determine the local time on targeted machines.(Citation: Bitdefender FunnyDream Campaign November 2020) |
BADHATCH | BADHATCH can obtain the `DATETIME` and `UPTIME` from a compromised machine.(Citation: BitDefender BADHATCH Mar 2021) |
GRIFFON | GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.(Citation: SecureList Griffon May 2019) |
Volt Typhoon | Volt Typhoon has obtained the victim's system timezone.(Citation: CISA AA24-038A PRC Critical Infrastructure February 2024) |
QakBot | QakBot can identify the system time on a targeted host.(Citation: Kaspersky QakBot September 2021) |
Carbon | Carbon uses the command |
Higaisa | Higaisa used a function to gather the current time.(Citation: Zscaler Higaisa 2020) |
Egregor | Egregor contains functionality to query the local/system time.(Citation: JoeSecurity Egregor 2020) |
Crimson | Crimson has the ability to determine the date and time on a compromised host.(Citation: Kaspersky Transparent Tribe August 2020) |
Metamorfo | Metamorfo uses JavaScript to get the system time.(Citation: Medium Metamorfo Apr 2020) |
RTM | RTM can obtain the victim time zone.(Citation: ESET RTM Feb 2017) |
NOKKI | NOKKI can collect the current timestamp of the victim's machine.(Citation: Unit 42 NOKKI Sept 2018) |
Grandoreiro | Grandoreiro can determine the time on the victim machine via IPinfo.(Citation: ESET Grandoreiro April 2020) |
DarkWatchman | DarkWatchman can collect time zone information and system `UPTIME`.(Citation: Prevailion DarkWatchman 2021) |
DRATzarus | DRATzarus can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time.(Citation: ClearSky Lazarus Aug 2020) |
StoneDrill | StoneDrill can obtain the current date and time of the victim machine.(Citation: Kaspersky StoneDrill 2017) |
SUNBURST | SUNBURST collected device `UPTIME`.(Citation: FireEye SUNBURST Backdoor December 2020)(Citation: Microsoft Analyzing Solorigate Dec 2020) |
build_downer | build_downer has the ability to determine the local time to ensure malware installation only happens during the hours that the infected system is active.(Citation: Trend Micro Tick November 2019) |
ZIRCONIUM | ZIRCONIUM has used a tool to capture the time on a compromised host in order to register it with C2.(Citation: Zscaler APT31 Covid-19 October 2020) |
Raccoon Stealer | Raccoon Stealer gathers victim machine timezone information.(Citation: S2W Racoon 2022)(Citation: Sekoia Raccoon2 2022) |
TajMahal | TajMahal has the ability to determine local time on a compromised host.(Citation: Kaspersky TajMahal April 2019) |
DCSrv | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.(Citation: Checkpoint MosesStaff Nov 2021) |
SILENTTRINITY | SILENTTRINITY can collect start time information from a compromised host.(Citation: GitHub SILENTTRINITY Modules July 2019) |
PowerDuke | PowerDuke has commands to get the time the machine was built, the time, and the time zone.(Citation: Volexity PowerDuke November 2016) |
BRONZE BUTLER | BRONZE BUTLER has used |
Bazar | Bazar can collect the time on the compromised host.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
MoonWind | MoonWind obtains the victim's current time.(Citation: Palo Alto MoonWind March 2017) |
BISCUIT | BISCUIT has a command to collect the system `UPTIME`.(Citation: Mandiant APT1) |
CURIUM | CURIUM deployed mechanisms to check system time information following strategic website compromise attacks.(Citation: PWC Yellow Liderc 2023) |
FunnyDream | FunnyDream can check system time to help determine when changes were made to specified files.(Citation: Bitdefender FunnyDream Campaign November 2020) |
Turla | Turla surveys a system upon check-in to discover the system time by using the |
FELIXROOT | FELIXROOT gathers the time zone information from the victim’s machine.(Citation: ESET GreyEnergy Oct 2018) |
StrifeWater | StrifeWater can collect the time zone from the victim's machine.(Citation: Cybereason StrifeWater Feb 2022) |
Nightdoor | Nightdoor can identify the system local time information.(Citation: ESET EvasivePanda 2024) |
Darkhotel | Darkhotel malware can obtain system time from a compromised host.(Citation: Lastline DarkHotel Just In Time Decryption Nov 2015) |
SVCReady | SVCReady can collect time zone information.(Citation: HP SVCReady Jun 2022) |
Zeus Panda | Zeus Panda collects the current system time (UTC) and sends it back to the C2 server.(Citation: GDATA Zeus Panda June 2017) |
PipeMon | PipeMon can send time zone information from a compromised host to C2.(Citation: ESET PipeMon May 2020) |
Chimera | Chimera has used |
Azorult | Azorult can collect the time zone information from the system.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018) |
Cannon | Cannon can collect the current time zone information from the victim’s machine.(Citation: Unit42 Cannon Nov 2018) |
DarkGate | DarkGate creates a log file for capturing keylogging, clipboard, and related data using the victim host's current date for the filename.(Citation: Ensilo Darkgate 2018) DarkGate queries victim system epoch time during execution.(Citation: Ensilo Darkgate 2018) DarkGate captures system time information as part of automated profiling on initial installation.(Citation: Trellix Darkgate 2023) |
DEADWOOD | DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately.(Citation: SentinelOne Agrius 2021) |
Clambling | Clambling can determine the current time.(Citation: Trend Micro DRBControl February 2020) |
DUSTTRAP | DUSTTRAP reads the infected system's current time and writes it to a log file during execution.(Citation: Google Cloud APT41 2024) |
TAINTEDSCRIBE | TAINTEDSCRIBE can execute |
C0015 | During C0015, the threat actors used the command `net view /all time` to gather the local time of a compromised network.(Citation: DFIR Conti Bazar Nov 2021) |
ComRAT | ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday).(Citation: CISA ComRAT Oct 2020) |
BendyBear | BendyBear has the ability to determine local time on a compromised host.(Citation: Unit42 BendyBear Feb 2021) |
Stuxnet | Stuxnet collects the time and date of a system when it is infected.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011) |
Lazarus Group | A Destover-like implant used by Lazarus Group can obtain the current system time and send it to the C2 server.(Citation: McAfee GhostSecret) |
HOPLIGHT | HOPLIGHT has been observed collecting system time from victim machines.(Citation: US-CERT HOPLIGHT Apr 2019) |
BLUELIGHT | BLUELIGHT can collect the local time on a compromised host.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
Proxysvc | As part of the data reconnaissance phase, Proxysvc grabs the system time to send back to the control server.(Citation: McAfee GhostSecret) |
OopsIE | OopsIE checks to see if the system is configured with "Daylight" time and checks for a specific region to be set for the timezone.(Citation: Unit 42 OilRig Sept 2018) |
InvisiMole | InvisiMole gathers the local system time from the victim’s machine.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020) |
SHARPSTATS | SHARPSTATS has the ability to identify the current date and time on the compromised host.(Citation: TrendMicro POWERSTATS V3 June 2019) |
Green Lambert | Green Lambert can collect the date and time from a compromised host.(Citation: Objective See Green Lambert for OSX Oct 2021)(Citation: Glitch-Cat Green Lambert ATTCK Oct 2021) |
Okrum | Okrum can obtain the date and time of the compromised system.(Citation: ESET Okrum July 2019) |
Bisonal | Bisonal can check the system time set on the infected host.(Citation: Kaspersky CactusPete Aug 2020) |
AppleSeed | AppleSeed can pull a timestamp from the victim's machine.(Citation: Malwarebytes Kimsuky June 2021) |
AvosLocker | AvosLocker has checked the system time before and after encryption.(Citation: Malwarebytes AvosLocker Jul 2021) |
The White Company | The White Company has checked the current date on the victim system.(Citation: Cylance Shaheen Nov 2018) |
WindTail | WindTail has the ability to generate the current date and time.(Citation: objective-see windtail1 dec 2018) |
Mitigations
Mitigation | Description |
---|---|
System Time Discovery Mitigation | Benign software uses legitimate processes to gather system time. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Some common tools, such as net.exe, may be blocked by policy to prevent common ways of acquiring remote system time. Identify unnecessary system utilities or potentially malicious software that may be used to acquire system time information, and audit and/or block them by using whitelisting(Citation: Beechey 2010) tools, like AppLocker,(Citation: Windows Commands JPCERT)(Citation: NSA MS AppLocker) or Software Restriction Policies(Citation: Corio 2008) where appropriate.(Citation: TechNet Applocker vs SRP) |
Detection
Command-line interface monitoring may be useful to detect instances of net.exe or other command-line utilities being used to gather system time or time zone. Methods of detecting API use for gathering this information are likely less useful due to how often they may be used by legitimate software. For network infrastructure devices, collect AAA logging to monitor `show` commands being run by non-standard users from non-standard locations.
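As an added example (not part of the ATT&CK page), the following Python applies the detection guidance above to constructed telemetry: it matches the command lines named in the technique description (`net time`, `w32tm /tz`, `systemsetup -gettimezone`, the cmd.exe `time` builtin) in process-creation events, and flags `show clock` commands in network-device AAA records when the user or source address falls outside a hypothetical allow-list. The event field names, host names, user names and allow-lists are assumptions made for the example.

```python
"""Sample detection for ATT&CK T1124 System Time Discovery.

Added example, not from the ATT&CK page. Assumed input shapes:
  process events: {"host", "user", "command_line"} (normalised from
                  Sysmon Event ID 1 / EDR process-creation telemetry)
  AAA records:    {"device", "user", "source_ip", "command"}
The allow-lists below are hypothetical values for the example."""
import re
from dataclasses import dataclass

# Hypothetical "standard" network admins and management hosts; the page
# suggests flagging `show` commands from non-standard users or locations.
STANDARD_NET_ADMINS = {"netops-jdoe", "netops-ksmith"}
MANAGEMENT_HOSTS = {"10.0.50.10", "10.0.50.11"}


@dataclass(frozen=True)
class Finding:
    source: str    # "process" or "aaa"
    rule: str
    subject: str   # host or device name
    user: str
    evidence: str  # the command that matched


# Command-line patterns for the tools named in the technique description.
# The leading group accepts a path separator so "C:\...\net.exe" also matches.
PROCESS_RULES = [
    ("net_time", re.compile(r"(?:^|[\\/\s])net1?(?:\.exe)?\s+time\b", re.I)),
    ("w32tm_tz", re.compile(r"(?:^|[\\/\s])w32tm(?:\.exe)?\s+/tz\b", re.I)),
    ("systemsetup_tz", re.compile(r"(?:^|[\\/\s])systemsetup\s+-gettimezone\b", re.I)),
    # `time` is a cmd.exe builtin, so it only appears as an argument to cmd /c.
    ("cmd_time_builtin", re.compile(r"\bcmd(?:\.exe)?\b.*?/c\s+time\b", re.I)),
]
SHOW_CLOCK = re.compile(r"^\s*show\s+clock\b", re.I)


def scan_process_events(events):
    """Return a Finding for every process event whose command line matches."""
    findings = []
    for ev in events:
        cmd = ev["command_line"]
        for name, pattern in PROCESS_RULES:
            if not pattern.search(cmd):
                continue
            # A UNC path argument means the time of a *remote* host was queried.
            rule = "net_time_remote" if name == "net_time" and r"\\" in cmd else name
            findings.append(Finding("process", rule, ev["host"], ev["user"], cmd))
    return findings


def scan_aaa_records(records):
    """Flag `show clock` issued by a user or from a source outside the allow-lists."""
    findings = []
    for rec in records:
        if not SHOW_CLOCK.search(rec["command"]):
            continue
        if rec["user"] not in STANDARD_NET_ADMINS:
            rule = "show_clock_unexpected_user"
        elif rec["source_ip"] not in MANAGEMENT_HOSTS:
            rule = "show_clock_unexpected_source"
        else:
            continue  # expected admin from a management host: no alert
        findings.append(Finding("aaa", rule, rec["device"], rec["user"], rec["command"]))
    return findings


# Constructed sample telemetry (not real data).
SAMPLE_PROCESS_EVENTS = [
    {"host": "WKS-0142", "user": "corp\\jsmith", "command_line": r"net.exe time \\DC01"},
    {"host": "WKS-0142", "user": "corp\\jsmith", "command_line": r"w32tm.exe /tz"},
    {"host": "WKS-0077", "user": "corp\\svc-backup",
     "command_line": r'"C:\Program Files\Backup\agent.exe" --schedule nightly'},
    {"host": "MAC-2210", "user": "alice", "command_line": "systemsetup -gettimezone"},
    {"host": "WKS-0142", "user": "corp\\jsmith", "command_line": r"cmd.exe /c timeout 30"},
    {"host": "WKS-0142", "user": "corp\\jsmith", "command_line": r"cmd.exe /c time /t"},
    {"host": "WKS-0142", "user": "corp\\jsmith", "command_line": r"net.exe user"},
]
SAMPLE_AAA_RECORDS = [
    {"device": "core-rtr-01", "user": "netops-jdoe", "source_ip": "10.0.50.10", "command": "show clock detail"},
    {"device": "core-rtr-01", "user": "svc-monitor", "source_ip": "10.0.50.10", "command": "show clock detail"},
    {"device": "edge-fw-02", "user": "netops-ksmith", "source_ip": "203.0.113.7", "command": "show clock"},
    {"device": "core-rtr-01", "user": "netops-jdoe", "source_ip": "10.0.50.10", "command": "show ip route"},
]


def run_sample():
    """Scan both sample feeds and return the combined findings."""
    return scan_process_events(SAMPLE_PROCESS_EVENTS) + scan_aaa_records(SAMPLE_AAA_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.source}] {f.rule}: {f.subject} {f.user}: {f.evidence}")
```

As the page notes, the process-side rules are only as useful as the baseline: `cmd /c time` and local `net time` are common in administrative scripts, so the remote form and the AAA anomalies are the findings worth alerting on first.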
References
- Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). Virtualization/Sandbox Evasion - How Attackers Avoid Malware Analysis. Retrieved December 26, 2023.
- YUCEEL, Huseyin Can. Picus Labs. (2022, June 9). The System Information Discovery Technique Explained - MITRE ATT&CK T1082. Retrieved March 27, 2024.
- Rivner, U., Schwartz, E. (2012). They’re Inside… Now What? Retrieved November 25, 2016.
- Microsoft. (n.d.). System Time. Retrieved November 25, 2016.
- Mathers, B. (2016, September 30). Windows Time Service Tools and Settings. Retrieved November 25, 2016.
- Malicious History. (2020, September 17). Time Bombs: Malware With Delayed Execution. Retrieved April 22, 2021.
- M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
- Cone, Matt. (2021, January 14). Synchronize your Mac's Clock with a Time Server. Retrieved March 27, 2024.
- Cisco. (2023, March 6). show clock detail - Cisco IOS Security Command Reference: Commands S to Z. Retrieved July 13, 2022.
- Check Point Research. (2024, March 8). MAGNET GOBLIN TARGETS PUBLICLY FACING SERVERS USING 1-DAY VULNERABILITIES. Retrieved March 27, 2024.
- ArchLinux. (2024, February 1). System Time. Retrieved March 27, 2024.
- Apple Support. (n.d.). About systemsetup in Remote Desktop. Retrieved March 27, 2024.
- Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy? Retrieved February 12, 2019.
- Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021.
- CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
- Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Microsoft. (n.d.). Net time. Retrieved November 25, 2016.
- CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021.
- The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
- Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
- Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.
- Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- CISA et al. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- GovCERT. (2016, May 23). Technical Report about the Espionage Case at RUAG. Retrieved November 7, 2018.
- Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020.
- Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers. Retrieved January 5, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- S2W TALON. (2022, June 16). Raccoon Stealer is Back with a New Version. Retrieved August 1, 2024.
- Pierre Le Bourhis, Quentin Bourgue, & Sekoia TDR. (2022, June 29). Raccoon Stealer v2 - Part 2: In-depth analysis. Retrieved August 1, 2024.
- GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
- Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
- Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024.
- Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
- Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
- Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
- Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
- CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020.
- Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
- Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
- US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
- Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
- Sandvik, Runa. (2021, October 18). Green Lambert and ATT&CK. Retrieved March 21, 2022.
- Sandvik, Runa. (2021, October 1). Made In America: Green Lambert for OS X. Retrieved March 21, 2022.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
- Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
- Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019.