Virtualization/Sandbox Evasion: Системные проверки
Other sub-techniques of Virtualization/Sandbox Evasion (3)
Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from Virtualization/Sandbox Evasion during automated discovery to shape follow-on behaviors.(Citation: Deloitte Environment Awareness) Specific checks will vary based on the target and/or adversary, but may involve behaviors such as Windows Management Instrumentation, PowerShell, System Information Discovery, and Query Registry to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, hardware, and/or the Registry. Adversaries may use scripting to automate these checks into one script and then have the program exit if it determines the system to be a virtual environment. Checks could include generic system properties such as host/domain name and samples of network traffic. Adversaries may also check the network adapters addresses, CPU core count, and available memory/drive size. Once executed, malware may also use File and Directory Discovery to check if it was saved in a folder or file with unexpected or even analysis-related naming artifacts such as `malware`, `sample`, or `hash`. Other common checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017) In applications like VMWare, adversaries can also use a special I/O port to send commands and receive output. Hardware checks, such as the presence of the fan, temperature, and audio devices, could also be used to gather evidence that can be indicative a virtual environment. Adversaries may also query for specific readings from these devices.(Citation: Unit 42 OilRig Sept 2018)
Примеры процедур |
|
Название | Описание |
---|---|
QakBot |
QakBot can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found.(Citation: Trend Micro Qakbot May 2020)(Citation: ATT QakBot April 2021) |
Denis |
Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.(Citation: Cybereason Cobalt Kitty 2017) |
SodaMaster |
SodaMaster can check for the presence of the Registry key |
Okrum |
Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.(Citation: ESET Okrum July 2019) |
InvisiMole |
InvisiMole can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected.(Citation: ESET InvisiMole June 2020) |
Evilnum |
Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments. (Citation: ESET EvilNum July 2020) |
Dyre |
Dyre can detect sandbox analysis environments by inspecting the process list and Registry.(Citation: Symantec Dyre June 2015)(Citation: Malwarebytes Dyreza November 2015) |
During Operation Dream Job, Lazarus Group used tools that conducted a variety of system checks to detect sandboxes or VMware services.(Citation: ClearSky Lazarus Aug 2020) |
|
Attor |
Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.(Citation: ESET Attor Oct 2019) |
Bumblebee |
Bumblebee has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products.(Citation: Medium Ali Salem Bumblebee April 2022) |
FinFisher |
FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.(Citation: Microsoft FinFisher March 2018) |
Astaroth |
Astaroth can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments.(Citation: Securelist Brazilian Banking Malware July 2020) |
Frankenstein |
Frankenstein has used WMI queries to check if various security applications were running, including VMWare and Virtualbox.(Citation: Talos Frankenstein June 2019) |
SynAck |
SynAck checks its directory location in an attempt to avoid launching in a sandbox.(Citation: SecureList SynAck Doppelgänging May 2018)(Citation: Kaspersky Lab SynAck May 2018) |
MegaCortex |
MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.(Citation: IBM MegaCortex) |
OSX_OCEANLOTUS.D |
OSX_OCEANLOTUS.D checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment, such as `sysctl hw.model` and the kernel boot time.(Citation: Unit42 OceanLotus 2017)(Citation: ESET OceanLotus macOS April 2019)(Citation: 20 macOS Common Tools and Techniques) |
macOS.OSAMiner |
macOS.OSAMiner can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores.(Citation: SentinelLabs reversing run-only applescripts 2021) |
Smoke Loader |
Smoke Loader scans processes to perform anti-VM checks. (Citation: Talos Smoke Loader July 2018) |
GuLoader |
GuLoader has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call |
EvilBunny |
EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.(Citation: Cyphort EvilBunny Dec 2014) |
yty |
yty has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware. (Citation: ASERT Donot March 2018) |
Lucifer |
Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.(Citation: Unit 42 Lucifer June 2020) |
Volt Typhoon |
Volt Typhoon has run system checks to determine if they were operating in a virtualized environment.(Citation: Microsoft Volt Typhoon May 2023) |
GravityRAT |
GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment. (Citation: Talos GravityRAT) |
Lumma Stealer |
Lumma Stealer has queried system resources on the victim device to identify if it is executing in a sandbox or virtualized environments, checking usernames, conducting WMI queries for system details, checking for files commonly found in virtualized environments, searching system services, and inspecting process names.(Citation: Fortinet LummaStealer 2024) Lumma Stealer has checked system GPU configurations for sandbox detection.(Citation: TrendMicro LummaStealer 2025) |
BadPatch |
BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information. (Citation: Unit 42 BadPatch Oct 2017) |
PoetRAT |
PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of "License.txt" and exiting.(Citation: Talos PoetRAT April 2020) |
WastedLocker |
WastedLocker checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique.(Citation: NCC Group WastedLocker June 2020) |
OopsIE |
OopsIE performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query |
DarkTortilla |
DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, Virtual Box, and VMware, as well as Sandboxie.(Citation: Secureworks DarkTortilla Aug 2022) |
UBoatRAT |
UBoatRAT checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine.(Citation: PaloAlto UBoatRAT Nov 2017) |
WhisperGate |
WhisperGate can stop its execution when it recognizes the presence of certain monitoring tools.(Citation: Unit 42 WhisperGate January 2022) |
AsyncRAT |
AsyncRAT can identify strings such as Virtual, vmware, or VirtualBox to detect virtualized environments.(Citation: Telefonica Snip3 December 2021) |
Saint Bot |
Saint Bot has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers.(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Darkhotel |
Darkhotel malware has used a series of checks to determine if it's being analyzed; checks include the length of executable names, if a filename ends with |
PlugX |
PlugX checks if VMware tools is running in the background by searching for any process named "vmtoolsd".(Citation: Unit42 PlugX June 2017) |
Shark |
Shark can stop execution if the screen width of the targeted machine is not over 600 pixels.(Citation: ClearSky Siamesekitten August 2021) |
Pupy |
Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.(Citation: GitHub Pupy) |
P8RAT |
P8RAT can check the compromised host for processes associated with VMware or VirtualBox environments.(Citation: Securelist APT10 March 2021) |
Grandoreiro |
Grandoreiro can detect VMWare via its I/O port and Virtual PC via the |
ROKRAT |
ROKRAT can check for VMware-related files and DLLs related to sandboxes.(Citation: Talos Group123)(Citation: NCCGroup RokRat Nov 2018)(Citation: Malwarebytes RokRAT VBA January 2021) |
Remcos |
Remcos searches for Sandboxie and VMware on the system.(Citation: Talos Remcos Aug 2018) |
Nightdoor |
Nightdoor embeds code from the public `al-khaser` project, a repository that works to detect virtual machines, sandboxes, and malware analysis environments.(Citation: Symantec Daggerfly 2024) |
Black Basta |
Black Basta can check system flags and libraries, process timing, and API's to detect code emulation or sandboxing.(Citation: Palo Alto Networks Black Basta August 2022)(Citation: Check Point Black Basta October 2022) |
During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMWare and Virtualbox. The script would also call WMI to determine the number of cores allocated to the system; if less than two the script would stop execution.(Citation: Talos Frankenstein June 2019) |
|
RogueRobin |
RogueRobin uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment. (Citation: Unit 42 DarkHydrus July 2018)(Citation: Unit42 DarkHydrus Jan 2019) |
ObliqueRAT |
ObliqueRAT can halt execution if it identifies processes belonging to virtual machine software or analysis tools.(Citation: Talos Oblique RAT March 2021) |
NativeZone |
NativeZone has checked if Vmware or VirtualBox VM is running on a compromised host.(Citation: MSTIC Nobelium Toolset May 2021) |
Trojan.Karagany |
Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.(Citation: Secureworks Karagany July 2019) |
BLUELIGHT |
BLUELIGHT can check to see if the infected machine has VM tools running.(Citation: Volexity InkySquid BLUELIGHT August 2021) |
Mispadu |
Mispadu can run checks to verify if it is running within a virtualized environments including Hyper-V, VirtualBox or VMWare and will terminate execution if the computer name is “JOHN-PC.”(Citation: ESET Security Mispadu Facebook Ads 2019)(Citation: SCILabs Malteiro 2021) |
XLoader |
XLoader performs timing checks using the Read-Time Stamp Counter (RDTSC) instruction on the victim CPU.(Citation: Google XLoader 2017) |
SVCReady |
SVCReady has the ability to determine if its runtime environment is virtualized.(Citation: HP SVCReady Jun 2022) |
Ferocious |
Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function |
SUNBURST |
SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.(Citation: Microsoft Analyzing Solorigate Dec 2020) |
Lazarus Group |
Lazarus Group has used tools to detect sandbox or VMware services through identifying the presence of a debugger or related services.(Citation: ClearSky Lazarus Aug 2020) |
Snip3 |
Snip3 has the ability to detect Windows Sandbox, VMWare, or VirtualBox by querying `Win32_ComputerSystem` to extract the `Manufacturer` string.(Citation: Morphisec Snip3 May 2021) |
Raspberry Robin |
Raspberry Robin performs a variety of system environment checks to determine if it is running in a virtualized or sandboxed environment, such as querying CPU temperature information and network card MAC address information.(Citation: HP RaspberryRobin 2024) |
GoldMax |
GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC address to |
Latrodectus |
Latrodectus can determine if it is running in a virtualized environment by checking the OS version, checking the number of running processes, ensuring a 64-bit application is running on a 64-bit host, and checking if the host has a valid MAC address.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024) |
CSPY Downloader |
CSPY Downloader can search loaded modules, PEB structure, file paths, Registry keys, and memory to determine if it is being debugged or running in a virtual environment.(Citation: Cybereason Kimsuky November 2020) |
DarkGate |
DarkGate queries system resources on an infected machine to identify if it is executing in a sandbox or virtualized environment.(Citation: Ensilo Darkgate 2018) |
OilRig |
OilRig has used macros to verify if a mouse is connected to a compromised machine.(Citation: Check Point APT34 April 2021) |
Exbyte |
Exbyte performs various checks to determine if it is running in a sandboxed environment to prevent analysis.(Citation: Symantec BlackByte 2022) |
Pikabot |
Pikabot performs a variety of system checks to determine if it is running in an analysis environment or sandbox, such as checking the number of processors (must be greater than two), and the amount of RAM (must be greater than 2GB).(Citation: Elastic Pikabot 2024) |
BlackByte Ransomware |
BlackByte Ransomware checks for files related to known sandboxes.(Citation: Trustwave BlackByte 2021) |
DUSTTRAP |
DUSTTRAP decryption relies on the infected machine's `HKLM\SOFTWARE\Microsoft\Cryptography\MachineGUID` value.(Citation: Google Cloud APT41 2024) |
Обнаружение
Virtualization/sandbox related system checks will likely occur in the first steps of an operation but may also occur throughout as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as lateral movement, based on the information obtained. Detecting actions related to virtualization and sandbox identification may be difficult depending on the adversary's implementation and monitoring required. Monitoring for suspicious processes being spawned that gather a variety of system information or perform other forms of Discovery, especially in a short period of time, may aid in detection.
Ссылки
- Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
- ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
- Torello, A. & Guibernau, F. (n.d.). Environment Awareness. Retrieved September 13, 2024.
- Roccia, T. (2017, January 19). Stopping Malware With a Fake Virtual Machine. Retrieved April 17, 2019.
- Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
- Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020.
- Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020.
- Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
- Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
- Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
- Phil Stokes. (2021, February 16). 20 Common Tools & Techniques Used by macOS Threat Actors & Malware. Retrieved August 23, 2021.
- Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
- Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019.
- Phil Stokes. (2021, January 11). FADE DEAD | Adventures in Reversing Malicious Run-Only AppleScripts. Retrieved September 29, 2022.
- Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018.
- Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
- Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023.
- Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- Cara Lin, Fortinet. (2024, January 8). Deceptive Cracked Software Spreads Lumma Variant on YouTube. Retrieved March 22, 2025.
- Buddy Tancio, Fe Cureg, and Jovit Samaniego, Trend Micro. (2025, January 30). Lumma Stealer’s GitHub-Based Delivery Explored via Managed Detection and Response. Retrieved March 22, 2025.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
- Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022.
- Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Microsoft. (2016, June 9). Reverse-engineering DUBNIUM. Retrieved March 31, 2021.
- Arunpreet Singh, Clemens Kolbitsch. (2015, November 5). Defeating Darkhotel Just-In-Time Decryption. Retrieved April 15, 2021.
- Lancaster, T., Idrizovic, E. (2017, June 27). Paranoid PlugX. Retrieved April 19, 2019.
- ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
- Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
- Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
- Elsad, A. (2022, August 25). Threat Assessment: Black Basta Ransomware. Retrieved March 8, 2023.
- Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
- Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
- SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
- ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
- Nart Villeneuve, Randi Eitzman, Sandor Nemes & Tyler Dean, Google Cloud. (2017, October 5). Significant FormBook Distribution Campaigns Impacting the U.S. and South Korea. Retrieved March 11, 2025.
- Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
- Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
- MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021.
- Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023.
- Patrick Schläpfer . (2024, April 10). Raspberry Robin Now Spreading Through Windows Script Files. Retrieved May 17, 2024.
- Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
- Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
- Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
- Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
- Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
- Symantec Threat Hunter Team. (2022, October 21). Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool. Retrieved December 16, 2024.
- Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
- Rodel Mendrez & Lloyd Macrohon. (2021, October 15). BlackByte Ransomware – Pt. 1 In-depth Analysis. Retrieved December 16, 2024.
- Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.