Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Захват видеоданных

An adversary can leverage a computer's peripheral devices (e.g., integrated cameras or webcams) or applications (e.g., video call services) to capture video recordings for the purpose of gathering information. Images may also be captured from devices or applications, potentially in specified intervals, in lieu of video files. Malware or scripts may be used to interact with the devices through an available API provided by the operating system or an application to capture video or images. Video or image files may be written to disk and exfiltrated later. This technique differs from Screen Capture due to use of specific devices or applications for video recording rather than capturing the victim's screen. In macOS, there are a few different malware samples that record the user's webcam such as FruitFly and Proton. (Citation: objective-see 2017 review)

ID: T1125
Тактика(-и): Collection
Платформы: Linux, macOS, Windows
Требуемые разрешения: User
Источники данных: Command: Command Execution, Process: OS API Execution
Версия: 1.1
Дата создания: 31 May 2017
Последнее изменение: 15 Mar 2022

Примеры процедур

Название Описание
Empire

Empire can capture webcam data on Windows and macOS systems.(Citation: Github PowerShell Empire)

Clambling

Clambling can record screen content in AVI format.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020)

Crimson

Crimson can capture webcam video on targeted systems.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020)

TajMahal

TajMahal has the ability to capture webcam video.(Citation: Kaspersky TajMahal April 2019)

Cobian RAT

Cobian RAT has a feature to access the webcam on the victim’s machine.(Citation: Zscaler Cobian Aug 2017)

NanoCore

NanoCore can access the victim's webcam and capture data.(Citation: DigiTrust NanoCore Jan 2017)(Citation: PaloAlto NanoCore Feb 2016)

jRAT

jRAT has the capability to capture video from a webcam.(Citation: jRAT Symantec Aug 2018)(Citation: Kaspersky Adwind Feb 2016)

Machete

Machete takes photos from the computer’s web camera.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017)(Citation: 360 Machete Sep 2020)

Revenge RAT

Revenge RAT has the ability to access the webcam.(Citation: Cylance Shaheen Nov 2018)(Citation: Cofense RevengeRAT Feb 2019)

DarkComet

DarkComet can access the victim’s webcam to take pictures.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018)

njRAT

njRAT can access the victim's webcam.(Citation: Fidelis njRAT June 2013)(Citation: Citizen Lab Group5)

Agent Tesla

Agent Tesla can access the victim’s webcam and record video.(Citation: DigiTrust Agent Tesla Jan 2017)(Citation: Talos Agent Tesla Oct 2018)

PoetRAT

PoetRAT has used a Python tool named Bewmac to record the webcam on compromised hosts.(Citation: Talos PoetRAT April 2020)

Silence

Silence has been observed making videos of victims to observe bank employees day to day activities.(Citation: SecureList Silence Nov 2017)(Citation: Group IB Silence Sept 2018)

Imminent Monitor

Imminent Monitor has a remote webcam monitoring capability.(Citation: Imminent Unit42 Dec2019)(Citation: QiAnXin APT-C-36 Feb2019)

ConnectWise

ConnectWise can record video on remote hosts.(Citation: Anomali Static Kitten February 2021)

EvilGrab

EvilGrab has the capability to capture video from a victim machine.(Citation: PWC Cloud Hopper Technical Annex April 2017)

Kazuar

Kazuar captures images from the webcam.(Citation: Unit 42 Kazuar May 2017)

SDBbot

SDBbot has the ability to record video on a compromised host.(Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020)

FIN7

FIN7 created a custom video recording capability that could be used to monitor operations in the victim's environment.(Citation: FireEye FIN7 Aug 2018)(Citation: DOJ FIN7 Aug 2018)

ZxShell

ZxShell has a command to perform video device spying.(Citation: Talos ZxShell Oct 2014)

WarzoneRAT

WarzoneRAT can access the webcam on a victim's machine.(Citation: Check Point Warzone Feb 2020)(Citation: Uptycs Warzone UAC Bypass November 2020)

Pupy

Pupy can access a connected webcam and capture pictures.(Citation: GitHub Pupy)

Bandook

Bandook has modules that are capable of capturing video from a victim's webcam.(Citation: EFF Manul Aug 2016)

Remcos

Remcos can access a system’s webcam and take pictures.(Citation: Fortinet Remcos Feb 2017)

InvisiMole

InvisiMole can remotely activate the victim’s webcam to capture content.(Citation: ESET InvisiMole June 2018)(Citation: ESET InvisiMole June 2020)

Derusbi

Derusbi is capable of capturing video.(Citation: FireEye Periscope March 2018)

ObliqueRAT

ObliqueRAT can capture images from webcams on compromised hosts.(Citation: Talos Oblique RAT March 2021)

T9000

T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype.(Citation: Palo Alto T9000 Feb 2016)

QuasarRAT

QuasarRAT can perform webcam viewing.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)

PcShare

PcShare can capture camera video as part of its collection process.(Citation: Bitdefender FunnyDream Campaign November 2020)

Контрмеры

Контрмера Описание
Video Capture Mitigation

Mitigating this technique specifically may be difficult as it requires fine-grained API control. Efforts should be focused on preventing unwanted or unknown code from executing on a system. Identify and block potentially malicious software that may be used to capture video and images by using whitelisting (Citation: Beechey 2010) tools, like AppLocker, (Citation: Windows Commands JPCERT) (Citation: NSA MS AppLocker) or Software Restriction Policies (Citation: Corio 2008) where appropriate. (Citation: TechNet Applocker vs SRP)

Обнаружение

Detection of this technique may be difficult due to the various APIs that may be used. Telemetry data regarding API use may not be useful depending on how a system is normally used, but may provide context to other potentially malicious activity occurring on a system. Behavior that could indicate technique use include an unknown or unusual process accessing APIs associated with devices or software that interact with the video camera, recording devices, or recording software, and a process periodically writing files to disk that contain video or camera image data.

Ссылки

  1. Patrick Wardle. (n.d.). Retrieved March 20, 2018.
  2. Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
  3. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  4. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
  5. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  6. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  7. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  8. Unit 42. (2019, December 2). Imminent Monitor – a RAT Down Under. Retrieved May 5, 2020.
  9. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  10. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  11. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  12. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
  13. Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016.
  14. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  15. Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  16. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  17. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  18. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  19. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  20. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  21. Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
  22. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
  23. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  24. kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020.
  25. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  26. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  27. Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  28. Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018.
  29. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  30. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  31. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  32. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  33. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  34. Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
  35. Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
  36. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  37. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  38. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  39. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  40. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  41. GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
  42. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  43. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  44. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  45. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  46. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  47. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  48. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  49. Grunzweig, J. and Miller-Osborn, J.. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.