User Execution: Malicious Link
Other sub-techniques of User Execution (3)
ID | Name |
---|---|
.001 | Malicious Link |
.002 | Malicious File |
.003 | Malicious Image |
An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.
Procedure Examples

Name | Description |
---|---|
FIN7 | FIN7 has used malicious links to lure victims into downloading malware.(Citation: CrowdStrike Carbon Spider August 2021) |
BlackTech | BlackTech has used e-mails with malicious links to lure victims into installing malware.(Citation: TrendMicro BlackTech June 2017) |
Grandoreiro | Grandoreiro has used malicious links to gain execution on victim machines.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
Bazar | Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.(Citation: Cybereason Bazar July 2020)(Citation: Zscaler Bazar September 2020)(Citation: CrowdStrike Wizard Spider October 2020) |
Dragonfly 2.0 | Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017) |
Night Dragon | During Night Dragon, threat actors enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon) |
Mustang Panda | Mustang Panda has sent malicious links, including links directing victims to a Google Drive folder.(Citation: Crowdstrike MUSTANG PANDA June 2018)(Citation: McAfee Dianxun March 2021)(Citation: Proofpoint TA416 Europe March 2022) |
Molerats | Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.(Citation: Kaspersky MoleRATs April 2019)(Citation: Unit42 Molerat Mar 2020) |
Windshift | Windshift has used links embedded in e-mails to lure victims into executing malicious code.(Citation: SANS Windshift August 2018) |
OutSteel | OutSteel has relied on a user to click a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
Kimsuky | Kimsuky has lured victims into clicking malicious links.(Citation: KISA Operation Muzabi) |
LazyScripter | LazyScripter has relied upon users clicking on links to malicious files.(Citation: MalwareBytes LazyScripter Feb 2021) |
Confucius | Confucius has lured victims into clicking on a malicious link sent through spearphishing.(Citation: TrendMicro Confucius APT Aug 2021) |
Saint Bear | Saint Bear has, in addition to email-based phishing attachments, used malicious websites masquerading as legitimate entities to host links to malicious files for user execution.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022)(Citation: Cadet Blizzard emerges as novel threat actor) |
Operation Spalax | During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails.(Citation: ESET Operation Spalax Jan 2021) |
Operation Dust Storm | During Operation Dust Storm, the threat actors relied on a victim clicking on a malicious link sent via email.(Citation: Cylance Dust Storm) |
Lazarus Group | Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: ESET Lazarus Jun 2020)(Citation: ClearSky Lazarus Aug 2020) |
NETWIRE | NETWIRE has been executed through convincing victims into clicking malicious links.(Citation: FireEye NETWIRE March 2019)(Citation: Unit 42 NETWIRE April 2020) |
Operation Dream Job | During Operation Dream Job, Lazarus Group lured users into executing a malicious link to disclose private account information or provide initial access.(Citation: ClearSky Lazarus Aug 2020)(Citation: ESET Lazarus Jun 2020) |
Squirrelwaffle | Squirrelwaffle has relied on victims to click on a malicious link sent via phishing campaigns.(Citation: ZScaler Squirrelwaffle Sep 2021) |
QakBot | QakBot has gained execution through users opening malicious links.(Citation: Trend Micro Qakbot May 2020)(Citation: Kroll Qakbot June 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: ATT QakBot April 2021)(Citation: Kaspersky QakBot September 2021)(Citation: Group IB Ransomware September 2020)(Citation: Trend Micro Black Basta October 2022) |
Latrodectus | Latrodectus has been executed through malicious links distributed in email campaigns.(Citation: Latrodectus APR 2024)(Citation: Bleeping Computer Latrodectus April 2024) |
Hancitor | Hancitor has relied upon users clicking on a malicious link delivered through phishing.(Citation: Threatpost Hancitor) |
Javali | Javali has achieved execution through victims clicking links to malicious websites.(Citation: Securelist Brazilian Banking Malware July 2020) |
C0021 | During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.(Citation: FireEye APT29 Nov 2018) |
Water Curupira Pikabot Distribution | Water Curupira Pikabot Distribution distributed a PDF attachment containing a malicious link to a Pikabot installer.(Citation: TrendMicro Pikabot 2024) |
SMOKEDHAM | SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.(Citation: FireEye Shining A Light on DARKSIDE May 2021) |
FIN8 | FIN8 has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016) |
TA2541 | TA2541 has used malicious links to cloud and web services to gain execution on victim machines.(Citation: Proofpoint TA2541 February 2022)(Citation: FireEye NETWIRE March 2019) |
APT29 | APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.(Citation: MSTIC NOBELIUM May 2021)(Citation: Secureworks IRON RITUAL USAID Phish May 2021) |
Patchwork | Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.(Citation: Symantec Patchwork)(Citation: TrendMicro Patchwork Dec 2017)(Citation: Volexity Patchwork June 2018)(Citation: Unit 42 BackConfig May 2020) |
APT3 | APT3 has lured victims into clicking malicious links delivered through spearphishing.(Citation: FireEye Clandestine Wolf) |
Evilnum | Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file.(Citation: ESET EvilNum July 2020) |
Snip3 | Snip3 has been executed through luring victims into clicking malicious links.(Citation: Telefonica Snip3 December 2021) |
TA505 | TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files.(Citation: Proofpoint TA505 Sep 2017)(Citation: Proofpoint TA505 June 2018)(Citation: Proofpoint TA505 Jan 2019)(Citation: Cybereason TA505 April 2019)(Citation: ProofPoint SettingContent-ms July 2018)(Citation: Proofpoint TA505 Mar 2018)(Citation: Trend Micro TA505 June 2019)(Citation: Proofpoint TA505 October 2019) |
LuminousMoth | LuminousMoth has lured victims into clicking malicious Dropbox download links delivered through spearphishing.(Citation: Kaspersky LuminousMoth July 2021) |
ObliqueRAT | ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021) |
Magic Hound | Magic Hound has attempted to lure victims into opening malicious links embedded in emails.(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021) |
APT39 | APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.(Citation: FireEye APT39 Jan 2019)(Citation: FBI FLASH APT39 September 2020) |
APT32 | APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.(Citation: Cybereason Cobalt Kitty 2017)(Citation: Volexity Ocean Lotus November 2020)(Citation: Amnesty Intl. Ocean Lotus February 2021) |
Mofang | Mofang's spearphishing emails required a user to click the link to connect to a compromised website.(Citation: FOX-IT May 2016 Mofang) |
Gootloader | Gootloader has been executed through malicious links presented to users as internet search results.(Citation: Sophos Gootloader)(Citation: SentinelOne Gootloader June 2021) |
C0011 | During C0011, Transparent Tribe relied on student targets to click on a malicious link sent via email.(Citation: Cisco Talos Transparent Tribe Education Campaign July 2022) |
Night Dragon | Night Dragon enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon) |
FIN4 | FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).(Citation: FireEye Hacking FIN4 Dec 2014)(Citation: FireEye Hacking FIN4 Video Dec 2014) |
RedCurl | RedCurl has used malicious links to infect the victim machines.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
Sandworm Team | Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Unit 74455 October 2020) |
Elderwood | Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.(Citation: Symantec Elderwood Sept 2012)(Citation: CSM Elderwood Sept 2012) |
Turla | Turla has used spearphishing via a link to get users to download and run their malware.(Citation: ESET Turla Mosquito Jan 2018) |
TA578 | TA578 has placed malicious links in contact forms on victim sites, often spoofing a copyright complaint, to redirect users to malicious file downloads.(Citation: Latrodectus APR 2024) |
Daggerfly | Daggerfly has used strategic website compromise to deliver a malicious link requiring user interaction.(Citation: ESET EvasivePanda 2024) |
Emotet | Emotet has relied upon users clicking on a malicious link delivered through spearphishing.(Citation: Trend Micro Banking Malware Jan 2019)(Citation: Carbon Black Emotet Apr 2019) |
OilRig | OilRig has delivered malicious links to achieve execution on the target system.(Citation: Unit 42 OopsIE! Feb 2018)(Citation: Unit 42 QUADAGENT July 2018)(Citation: Crowdstrike Helix Kitten Nov 2018) |
Gamaredon Group | Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.(Citation: unit42_gamaredon_dec2022) |
EXOTIC LILY | EXOTIC LILY has used malicious links to lure users into executing malicious payloads.(Citation: Google EXOTIC LILY March 2022) |
Cobalt Group | Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.(Citation: Talos Cobalt Group July 2018)(Citation: Unit 42 Cobalt Gang Oct 2018)(Citation: Secureworks GOLD KINGSWOOD September 2018) |
Pony | Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.(Citation: Malwarebytes Pony April 2016) |
SocGholish | SocGholish has lured victims into interacting with malicious links on compromised websites for execution.(Citation: SocGholish-update) |
PLEAD | PLEAD has been executed via malicious links in e-mails.(Citation: TrendMicro BlackTech June 2017) |
KOCTOPUS | KOCTOPUS has relied on victims clicking on a malicious link delivered via email.(Citation: MalwareBytes LazyScripter Feb 2021) |
ZIRCONIUM | ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.(Citation: Google Election Threats October 2020)(Citation: Zscaler APT31 Covid-19 October 2020) |
Transparent Tribe | Transparent Tribe has directed users to open URLs hosting malicious content.(Citation: Talos Oblique RAT March 2021)(Citation: Talos Transparent Tribe May 2021) |
SpicyOmelette | SpicyOmelette has been executed through malicious links within spearphishing emails.(Citation: Secureworks GOLD KINGSWOOD September 2018) |
MuddyWater | MuddyWater has distributed URLs in phishing e-mails that link to lure documents.(Citation: Anomali Static Kitten February 2021)(Citation: Trend Micro Muddy Water March 2021)(Citation: Proofpoint TA450 Phishing March 2024) |
Wizard Spider | Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.(Citation: DHS/CISA Ransomware Targeting Healthcare October 2020) |
GuLoader | GuLoader has relied upon users clicking on links to malicious documents.(Citation: Unit 42 NETWIRE April 2020) |
Machete | Machete has relied on users opening malicious links delivered through spearphishing to execute malware.(Citation: Cylance Machete Mar 2017)(Citation: Securelist Machete Aug 2014)(Citation: ESET Machete July 2019) |
Bumblebee | Bumblebee has relied upon a user downloading a file from a OneDrive link for execution.(Citation: Proofpoint Bumblebee April 2022)(Citation: Cybereason Bumblebee August 2022) |
Mustard Tempest | Mustard Tempest has lured users into downloading malware through malicious links in fake advertisements and spearphishing emails.(Citation: Microsoft Ransomware as a Service)(Citation: SocGholish-update) |
TSCookie | TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministry of Education, Culture, Sports, Science and Technology of Japan.(Citation: JPCert TSCookie March 2018) |
Sidewinder | Sidewinder has lured targets to click on malicious links to gain execution in the target environment.(Citation: ATT Sidewinder January 2021)(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020) |
Melcoz | Melcoz has gained execution through victims opening malicious links.(Citation: Securelist Brazilian Banking Malware July 2020) |
APT28 | APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.(Citation: US District Court Indictment GRU Oct 2018)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017) |
TA577 | TA577 has lured users into executing malicious JavaScript files by sending malicious links via email.(Citation: Latrodectus APR 2024) |
Winter Vivern | Winter Vivern has mimicked legitimate government-related domains to deliver malicious webpages containing links to documents or other content for user execution.(Citation: SentinelOne WinterVivern 2023)(Citation: CERT-UA WinterVivern 2023) |
Kerrdown | Kerrdown has gained execution through victims opening malicious links.(Citation: Amnesty Intl. Ocean Lotus February 2021) |
Saint Bot | Saint Bot has relied on users to click on a malicious link delivered via a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
BackConfig | BackConfig has compromised victims via links to URLs hosting malicious content.(Citation: Unit 42 BackConfig May 2020) |
APT33 | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019) |
Leviathan | Leviathan has sent spearphishing email links attempting to get a user to click.(Citation: Proofpoint Leviathan Oct 2017)(Citation: CISA AA21-200A APT40 July 2021) |
Ember Bear | Ember Bear has attempted to lure users to click on a malicious link within a spearphishing email.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022) |
AppleJeus | AppleJeus's spearphishing links required user interaction to navigate to the malicious website.(Citation: CISA AppleJeus Feb 2021) |
Earth Lusca | Earth Lusca has sent spearphishing emails that required the user to click on a malicious link and subsequently open a decoy document with a malicious loader.(Citation: TrendMicro EarthLusca 2022) |
Mitigations

Mitigation | Description |
---|---|
Network Intrusion Prevention | Use intrusion detection signatures to block traffic at network boundaries. |
User Training | Train users to be aware of access or manipulation attempts by an adversary to reduce the risk of successful spearphishing, social engineering, and other techniques that involve user interaction. |
Restrict Web-Based Content | Restrict use of certain websites, block downloads/attachments, block JavaScript, restrict browser extensions, etc. |
Detection
Inspect network traffic (web proxy, DNS and secure web gateway logs) for indications that a user visited a malicious site, such as links included in phishing campaigns directed at your organization; correlating the URLs extracted from reported or quarantined phishing emails with proxy logs shows which users actually clicked, and whether the click was followed by a download. Anti-virus can potentially detect malicious documents and files that are downloaded from a link and executed on the user's computer.
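As an added example (not part of the ATT&CK entry and not tooling from any vendor cited above), the following Python script correlates URLs taken from phishing emails with web-proxy logs to identify which users clicked and whether the click was followed by a download of executable content from the same host, which is the Malicious File follow-on the technique description mentions. The log format (timestamp, user, source IP, method, URL, status, bytes, content type), the phishing URL list and the log lines are all constructed for the example; a real proxy (Squid, a cloud web gateway, etc.) has its own field layout, so only the parser would need adjusting.

```python
"""Correlate known phishing URLs with web-proxy logs to find users who clicked.

Added example for detecting User Execution: Malicious Link; not ATT&CK's own tooling.
The log format and all sample data below are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# URLs pulled from reported/quarantined phishing mail (constructed sample).
PHISHING_URLS = [
    "https://docs-share.example-files.net/invoice/view?id=8812",
    "http://update-portal.example.org/download/Setup.exe",
    "https://drive.example.com/folder/abc123",
]

# Constructed proxy log: ts user src_ip method url status bytes content_type
PROXY_LOG = """\
2024-05-06T09:12:01Z alice 10.0.0.21 GET https://docs-share.example-files.net/invoice/view?id=8812 200 5120 text/html
2024-05-06T09:12:04Z alice 10.0.0.21 GET https://docs-share.example-files.net/invoice/Invoice_8812.zip 200 4194304 application/zip
2024-05-06T09:30:44Z bob 10.0.0.34 GET https://www.example.com/news 200 20480 text/html
2024-05-06T10:02:10Z carol 10.0.0.57 GET http://update-portal.example.org/download/Setup.exe 200 2097152 application/x-msdownload
2024-05-06T10:05:00Z dave 10.0.0.61 GET https://drive.example.com/home 200 1024 text/html
"""

# Content types and extensions that indicate a payload the user may go on to execute
# (archives, .LNK, executables: the follow-on behaviour the procedure examples describe).
EXECUTABLE_TYPES = {
    "application/x-msdownload", "application/x-dosexec", "application/x-msi",
    "application/zip", "application/x-iso9660-image", "application/x-ms-shortcut",
}
EXECUTABLE_EXTENSIONS = (".exe", ".msi", ".zip", ".iso", ".lnk", ".js", ".hta", ".vbs", ".scr")

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S+)$")


@dataclass
class LogEntry:
    ts: datetime
    user: str
    src_ip: str
    method: str
    url: str
    status: int
    size: int
    content_type: str


@dataclass
class Alert:
    user: str
    clicked: str             # phishing URL the user requested
    payload: Optional[str]   # executable content fetched (the link itself or a follow-on request)


def url_key(url: str) -> Tuple[str, str]:
    """Host + path, lower-cased host, no scheme or query: phishing links often carry
    per-recipient tracking parameters, so an exact string match would miss clicks."""
    parts = urlsplit(url)
    return (parts.hostname or "").lower(), (parts.path.rstrip("/") or "/")


def parse_log(text: str) -> List[LogEntry]:
    """Parse the constructed log format; malformed lines are skipped rather than fatal."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, method, url, status, size, ctype = m.groups()
        entries.append(LogEntry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                user, ip, method, url, int(status), int(size), ctype))
    return sorted(entries, key=lambda e: e.ts)


def looks_executable(entry: LogEntry) -> bool:
    path = urlsplit(entry.url).path.lower()
    return entry.content_type in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTENSIONS)


def detect_clicks(log_text: str, phishing_urls, window: timedelta = timedelta(minutes=5)) -> List[Alert]:
    """One Alert per request matching a known phishing URL. Blocked (4xx) requests are
    kept on purpose: they still tell you who clicked. If the link itself was not a payload,
    look for executable content fetched by the same user from the same host shortly after."""
    entries = parse_log(log_text)
    wanted = {url_key(u) for u in phishing_urls}
    alerts: List[Alert] = []
    for i, hit in enumerate(entries):
        if url_key(hit.url) not in wanted:
            continue
        payload = hit.url if looks_executable(hit) else None
        if payload is None:
            host = url_key(hit.url)[0]
            for later in entries[i + 1:]:
                if later.ts - hit.ts > window:
                    break
                if later.user == hit.user and url_key(later.url)[0] == host and looks_executable(later):
                    payload = later.url
                    break
        alerts.append(Alert(hit.user, hit.url, payload))
    return alerts


if __name__ == "__main__":
    for a in detect_clicks(PROXY_LOG, PHISHING_URLS):
        print(f"{a.user}: clicked {a.clicked}; payload={a.payload or 'none observed'}")
```

On the sample data this flags alice (landing page, then a ZIP from the same host three seconds later) and carol (the link itself served an executable), and ignores dave, who visited the same file-sharing host but not the phishing path. Matching on host and path rather than the full URL is deliberate: per-recipient query strings are common in phishing links, while a match on host alone would drown the alert in legitimate traffic to cloud-storage services.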
References
- US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021.
- Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
- Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
- Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021.
- Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
- Microsoft Threat Intelligence. (2023, June 14). Cadet Blizzard emerges as a novel and distinct Russian threat actor. Retrieved July 10, 2023.
- M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
- Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021.
- Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
- Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice. Retrieved May 31, 2024.
- Abrams, L. (2024, April 30). New Latrodectus malware attacks use Microsoft, Cloudflare themes. Retrieved September 13, 2024.
- Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
- Shinji Robert Arasawa, Joshua Aquino, Charles Steven Derion, Juhn Emmanuel Atanque, Francisrey Joshua Castillo, John Carlo Marquez, Henry Salcedo, John Rainier Navato, Arianne Dela Cruz, Raymart Yambot & Ian Kenefick. (2024, January 9). Black Basta-Affiliated Water Curupira’s Pikabot Spam Campaign. Retrieved July 17, 2024.
- FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
- Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022.
- Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021.
- Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
- Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Hamada, J. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016.
- Eng, E., Caselden, D. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020.
- Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
- Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
- Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
- Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
- Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
- Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
- Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021.
- Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
- FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021.
- Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
- Pirozzi, A. (2021, June 16). Gootloader: ‘Initial Access as a Service’ Platform Expands Its Search for High Value Targets. Retrieved May 28, 2024.
- N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
- Vengerik, B. et al. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
- Vengerik, B. & Dennesen, K. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
- Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- Clayton, M. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber 'gangs' in China. Retrieved February 15, 2018.
- O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
- Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
- Salvio, J. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019.
- Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018.
- Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
- Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
- Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
- CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021.
- Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
- Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
- hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
- Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- Huntley, S. (2020, October 16). How We're Tackling Evolving Online Threats. Retrieved March 24, 2021.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Miller, J. et al. (2024, March 21). Security Brief: TA450 Uses Embedded Links in PDF Attachments in Latest Campaign. Retrieved March 27, 2024.
- Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
- Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022.
- Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.
- Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021.
- Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022.
- Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020.
- Tom Hegel. (2023, March 16). Winter Vivern | Uncovering a Wave of Global Espionage. Retrieved July 29, 2024.
- CERT-UA. (2023, February 1). UAC-0114 aka Winter Vivern to target Ukrainian and Polish GOV entities (CERT-UA#5909). Retrieved July 29, 2024.
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.