Boot or Logon Autostart Execution: Ключи запуска в реестре / Папка автозагрузки
Other sub-techniques of Boot or Logon Autostart Execution (15)
Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.(Citation: Microsoft Run Key) These programs will be executed under the context of the user and will have the account's associated permissions level.
The following run keys are created by default on Windows systems:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Run keys may exist under multiple hives.(Citation: Microsoft Wow6432Node 2018)(Citation: Malwarebytes Wow6432Node 2016) The HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
is also available but is not created by default on Windows Vista and newer. Registry run key entries can reference programs directly or list them as a dependency.(Citation: Microsoft Run Key) For example, it is possible to load a DLL at logon using a "Depend" key with RunOnceEx: reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\0001\Depend /v 1 /d "C:\temp\evil[.]dll"
(Citation: Oddvar Moe RunOnceEx Mar 2018)
Placing a program within a startup folder will also cause that program to execute when a user logs in. There is a startup folder location for individual user accounts as well as a system-wide startup folder that will be checked regardless of which user account logs in. The startup folder path for the current user is C:\Users\\[Username]\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
. The startup folder path for all users is C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp
.
The following Registry keys can be used to set startup folder items for persistence:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
The following Registry keys can control automatic startup of services during boot:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
Using policy settings to specify startup programs creates corresponding values in either of two Registry keys:
* HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Programs listed in the load value of the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
run automatically for the currently logged-on user.
By default, the multistring BootExecute
value of the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager
is set to autocheck autochk *
. This value causes Windows, at startup, to check the file-system integrity of the hard disks if the system has been shut down abnormally. Adversaries can add other programs or processes to this registry value which will automatically launch at boot.
Adversaries can use these configuration locations to execute malware, such as remote access tools, to maintain persistence through system reboots. Adversaries may also use Masquerading to make the Registry entries look as if they are associated with legitimate programs.
Примеры процедур |
|
Название | Описание |
---|---|
Emissary |
Variants of Emissary have added Run Registry keys to establish persistence.(Citation: Emissary Trojan Feb 2016) |
Pisloader |
Pisloader establishes persistence via a Registry Run key.(Citation: Palo Alto DNS Requests) |
EvilBunny |
EvilBunny has created Registry keys for persistence in |
APT19 |
An APT19 HTTP malware variant establishes persistence by setting the Registry key |
APT37 |
APT37's has added persistence via the Registry key |
APT39 |
APT39 has maintained persistence using the startup folder.(Citation: FireEye APT39 Jan 2019) |
NETWIRE |
NETWIRE creates a Registry start-up entry to establish persistence.(Citation: McAfee Netwire Mar 2015)(Citation: Red Canary NETWIRE January 2020)(Citation: Unit 42 NETWIRE April 2020)(Citation: Proofpoint NETWIRE December 2020) |
TA2541 |
TA2541 has placed VBS files in the Startup folder and used Registry run keys to establish persistence for malicious payloads.(Citation: Proofpoint TA2541 February 2022) |
Ursnif |
Ursnif has used Registry Run keys to establish automatic execution at system startup.(Citation: TrendMicro PE_URSNIF.A2)(Citation: TrendMicro BKDR_URSNIF.SM) |
Backdoor.Oldrea |
Backdoor.Oldrea adds Registry Run keys to achieve persistence.(Citation: Symantec Dragonfly)(Citation: Gigamon Berserk Bear October 2021) |
SHIPSHAPE |
SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.(Citation: FireEye APT30) |
RTM |
RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.(Citation: ESET RTM Feb 2017)(Citation: Group IB RTM August 2019) |
Magic Hound |
Magic Hound malware has used Registry Run keys to establish persistence.(Citation: Unit 42 Magic Hound Feb 2017)(Citation: DFIR Phosphorus November 2021)(Citation: Microsoft Iranian Threat Actor Trends November 2021) |
FunnyDream |
FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.(Citation: Bitdefender FunnyDream Campaign November 2020) |
Agent Tesla |
Agent Tesla can add itself to the Registry as a startup program to establish persistence.(Citation: Fortinet Agent Tesla April 2018)(Citation: SentinelLabs Agent Tesla Aug 2020) |
AuTo Stealer |
AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.(Citation: MalwareBytes SideCopy Dec 2021) |
Rover |
Rover persists by creating a Registry entry in |
FinFisher |
FinFisher establishes persistence by creating the Registry key |
WarzoneRAT |
WarzoneRAT can add itself to the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK` Registry keys.(Citation: Check Point Warzone Feb 2020) |
Maze |
Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.(Citation: Sophos Maze VM September 2020) |
Final1stspy |
Final1stspy creates a Registry Run key to establish persistence.(Citation: Unit 42 Nokki Oct 2018) |
BadPatch |
BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.(Citation: Unit 42 BadPatch Oct 2017) |
Inception |
Inception has maintained persistence by modifying Registry run key value
|
During Operation Dream Job, Lazarus Group placed LNK files into the victims' startup folder for persistence.(Citation: McAfee Lazarus Jul 2020) |
|
APT28 |
APT28 has deployed malware that has copied itself to the startup directory for persistence.(Citation: TrendMicro Pawn Storm Dec 2020) |
TeamTNT |
TeamTNT has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020) |
Remcos |
Remcos can add itself to the Registry key |
Kazuar |
Kazuar adds a sub-key under several Registry run keys.(Citation: Unit 42 Kazuar May 2017) |
EVILNUM |
EVILNUM can achieve persistence through the Registry Run key.(Citation: ESET EvilNum July 2020)(Citation: Prevailion EvilNum May 2020) |
JCry |
JCry has created payloads in the Startup directory to maintain persistence. (Citation: Carbon Black JCry May 2019) |
Cobian RAT |
Cobian RAT creates an autostart Registry key to ensure persistence.(Citation: Zscaler Cobian Aug 2017) |
PoisonIvy |
PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.(Citation: Symantec Darkmoon Aug 2005) |
Carberp |
Carberp has maintained persistence by placing itself inside the current user's startup folder.(Citation: Prevx Carberp March 2011) |
Lucifer |
Lucifer can persist by setting Registry key values |
GrimAgent |
GrimAgent can set persistence with a Registry run key.(Citation: Group IB GrimAgent July 2021) |
HTTPBrowser |
HTTPBrowser has established persistence by setting the |
ThreatNeedle |
ThreatNeedle can be loaded into the Startup folder (`%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk`) as a Shortcut file for persistence.(Citation: Kaspersky ThreatNeedle Feb 2021) |
ADVSTORESHELL |
ADVSTORESHELL achieves persistence by adding itself to the |
Leviathan |
Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.(Citation: Proofpoint Leviathan Oct 2017)(Citation: FireEye Periscope March 2018) |
Dragonfly 2.0 |
Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A) |
Helminth |
Helminth establishes persistence by creating a shortcut in the Start Menu folder.(Citation: Palo Alto OilRig May 2016) |
Naikon |
Naikon has modified a victim's Windows Run registry to establish persistence.(Citation: Bitdefender Naikon April 2021) |
DarkTortilla |
DarkTortilla has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Run` registry key and by creating a .lnk shortcut file in the Windows startup folder.(Citation: Secureworks DarkTortilla Aug 2022) |
QakBot |
QakBot can maintain persistence by creating an auto-run Registry key.(Citation: Trend Micro Qakbot May 2020)(Citation: Crowdstrike Qakbot October 2020)(Citation: Trend Micro Qakbot December 2020)(Citation: Group IB Ransomware September 2020) |
Silence |
Silence has used |
Gelsemium |
Gelsemium can set persistence with a Registry run key.(Citation: ESET Gelsemium June 2021) |
Raspberry Robin |
Raspberry Robin will use a Registry key to achieve persistence through reboot, setting a RunOnce key such as: |
ChChes |
ChChes establishes persistence by adding a Registry Run key.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
Gazer |
Gazer can establish persistence by creating a .lnk file in the Start menu.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017) |
Gorgon Group |
Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.(Citation: Unit 42 Gorgon Group Aug 2018) |
Crimson |
Crimson can add Registry run keys for persistence.(Citation: Proofpoint Operation Transparent Tribe March 2016)(Citation: Kaspersky Transparent Tribe August 2020) |
Emotet |
Emotet has been observed adding the downloaded payload to the |
CozyCar |
One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: |
Xbash |
Xbash can create a Startup item for persistence if it determines it is on a Windows system.(Citation: Unit42 Xbash Sept 2018) |
InvisiMole |
InvisiMole can place a lnk file in the Startup Folder to achieve persistence.(Citation: ESET InvisiMole June 2020) |
APT29 |
APT29 added Registry Run keys to establish persistence.(Citation: Mandiant No Easy Breach) |
SharpStage |
SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.(Citation: Cybereason Molerats Dec 2020) |
Clambling |
Clambling can establish persistence by adding a Registry run key.(Citation: Trend Micro DRBControl February 2020)(Citation: Talent-Jump Clambling February 2020) |
RTM |
RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.(Citation: ESET RTM Feb 2017) |
Sakula |
Most Sakula samples maintain persistence by setting the Registry Run key |
Honeybee |
Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.(Citation: McAfee Honeybee) |
ZIRCONIUM |
ZIRCONIUM has created a Registry Run key named |
Reaver |
Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.(Citation: Palo Alto Reaver Nov 2017) |
QuasarRAT |
If the QuasarRAT client process does not have administrator privileges it will add a registry key to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` for persistence.(Citation: GitHub QuasarRAT)(Citation: CISA AR18-352A Quasar RAT December 2018) |
FLASHFLOOD |
FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.(Citation: FireEye APT30) |
LoJax |
LoJax has modified the Registry key |
Patchwork |
Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.(Citation: Cymmetria Patchwork)(Citation: TrendMicro Patchwork Dec 2017) |
Gootloader |
Gootloader can create an autorun entry for a PowerShell script to run at reboot.(Citation: Sophos Gootloader) |
STARWHALE |
STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM` registry key.(Citation: DHS CISA AA22-055A MuddyWater February 2022)(Citation: Mandiant UNC3313 Feb 2022) |
FlawedAmmyy |
FlawedAmmyy has established persistence via the `HKCU\SOFTWARE\microsoft\windows\currentversion\run` registry key.(Citation: Korean FSI TA505 2020) |
Pteranodon |
Pteranodon copies itself to the Startup folder to establish persistence.(Citation: Palo Alto Gamaredon Feb 2017) |
MarkiRAT |
MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.(Citation: Kaspersky Ferocious Kitten Jun 2021) |
Matryoshka |
Matryoshka can establish persistence by adding Registry Run keys.(Citation: ClearSky Wilted Tulip July 2017)(Citation: CopyKittens Nov 2015) |
DarkGate |
DarkGate installation includes AutoIt script execution creating a shortcut to itself as an LNK object, such as bill.lnk, in the victim startup folder.(Citation: Ensilo Darkgate 2018) DarkGate installation finishes with the creation of a registry Run key.(Citation: Ensilo Darkgate 2018) |
KONNI |
A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.(Citation: Talos Konni May 2017) |
Vasport |
Vasport copies itself to disk and creates an associated run key Registry entry to establish.(Citation: Symantec Vasport May 2012) |
ObliqueRAT |
ObliqueRAT can gain persistence by a creating a shortcut in the infected user's Startup directory.(Citation: Talos Oblique RAT March 2021) |
Ixeshe |
Ixeshe can achieve persistence by adding itself to the |
BBSRAT |
BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location |
FIN6 |
FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.(Citation: FireEye FIN6 April 2016) |
Metamorfo |
Metamorfo has configured persistence to the Registry key |
AvosLocker |
AvosLocker has been executed via the `RunOnce` Registry key to run itself on safe mode.(Citation: Trend Micro AvosLocker Apr 2022) |
Snip3 |
Snip3 can create a VBS file in startup to persist after system restarts.(Citation: Telefonica Snip3 December 2021) |
Hi-Zor |
Hi-Zor creates a Registry Run key to establish persistence.(Citation: Fidelis INOCNATION) |
Turla |
A Turla Javascript backdoor added a local_update_check value under the Registry key |
Smoke Loader |
Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.(Citation: Malwarebytes SmokeLoader 2016) |
build_downer |
build_downer has the ability to add itself to the Registry Run key for persistence.(Citation: Trend Micro Tick November 2019) |
Rifdoor |
Rifdoor has created a new registry entry at |
Nebulae |
Nebulae can achieve persistence through a Registry Run key.(Citation: Bitdefender Naikon April 2021) |
NOKKI |
NOKKI has established persistence by writing the payload to the Registry key |
Grandoreiro |
Grandoreiro can use run keys and create link files in the startup folder for persistence.(Citation: IBM Grandoreiro April 2020)(Citation: ESET Grandoreiro April 2020) |
Putter Panda |
A dropper used by Putter Panda installs itself into the ASEP Registry key |
PUNCHBUGGY |
PUNCHBUGGY has been observed using a Registry Run key.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Morphisec ShellTea June 2019) |
MuddyWater |
MuddyWater has added Registry Run key |
Truvasys |
Truvasys adds a Registry Run key to establish persistence.(Citation: Microsoft Win Defender Truvasys Sep 2017) |
Hancitor |
Hancitor has added Registry Run keys to establish persistence.(Citation: FireEye Hancitor) |
Trojan.Karagany |
Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.(Citation: Symantec Dragonfly)(Citation: Secureworks Karagany July 2019) |
Mivast |
Mivast creates the following Registry entry: |
USBStealer |
USBStealer registers itself under a Registry Run key with the name "USB Disk Security."(Citation: ESET Sednit USBStealer 2014) |
Winnti for Windows |
Winnti for Windows can add a service named |
JHUHUGIT |
JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.(Citation: ESET Sednit Part 1) |
MoleNet |
MoleNet can achieve persitence on the infected machine by setting the Registry run key.(Citation: Cybereason Molerats Dec 2020) |
Sidewinder |
Sidewinder has added paths to executables in the Registry to establish persistence.(Citation: Rewterz Sidewinder APT April 2020)(Citation: Rewterz Sidewinder COVID-19 June 2020)(Citation: Cyble Sidewinder September 2020) |
BitPaymer |
BitPaymer has set the run key |
FatDuke |
FatDuke has used |
LiteDuke |
LiteDuke can create persistence by adding a shortcut in the |
NETEAGLE |
The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the |
ServHelper |
ServHelper may attempt to establish persistence via the |
ShimRat |
ShimRat has installed a registry based start-up key |
Threat Group-3390 |
Threat Group-3390's malware can add a Registry key to `Software\Microsoft\Windows\CurrentVersion\Run` for persistence.(Citation: Nccgroup Emissary Panda May 2018)(Citation: Lunghi Iron Tiger Linux) |
Remexi |
Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.(Citation: Securelist Remexi Jan 2019) |
SPACESHIP |
SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.(Citation: FireEye APT30) |
Tropic Trooper |
Tropic Trooper has created shortcuts in the Startup folder to establish persistence.(Citation: Anomali Pirate Panda April 2020)(Citation: TrendMicro Tropic Trooper May 2020) |
Lazarus Group |
Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster RATs)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: Lazarus APT January 2022) |
APT41 |
APT41 created and modified startup files for persistence.(Citation: FireEye APT41 Aug 2019)(Citation: Group IB APT 41 June 2021) APT41 added a registry key in |
Windshift |
Windshift has created LNK files in the Startup folder to establish persistence.(Citation: BlackBerry Bahamut) |
Mispadu |
Mispadu creates a link in the startup folder for persistence.(Citation: ESET Security Mispadu Facebook Ads 2019) Mispadu adds persistence via the registry key `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.(Citation: Metabase Q Mispadu Trojan 2023) |
Empire |
Empire can modify the registry run keys |
Chinoxy |
Chinoxy has established persistence via the `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` registry key and by loading a dropper to `(%COMMON_ STARTUP%\\eoffice.exe)`.(Citation: Bitdefender FunnyDream Campaign November 2020) |
Small Sieve |
Small Sieve has the ability to add itself to `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift` for persistence.(Citation: NCSC GCHQ Small Sieve Jan 2022) |
SMOKEDHAM |
SMOKEDHAM has used |
SDBbot |
SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege. (Citation: Proofpoint TA505 October 2019)(Citation: IBM TA505 April 2020) |
FIN7 |
FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.(Citation: FireEye FIN7 April 2017)(Citation: FireEye FIN7 Aug 2018) |
Dark Caracal |
Dark Caracal's version of Bandook adds a registry key to |
Gold Dragon |
Gold Dragon establishes persistence in the Startup folder.(Citation: McAfee Gold Dragon) |
TINYTYPHON |
TINYTYPHON installs itself under Registry Run key to establish persistence.(Citation: Forcepoint Monsoon) |
FIN10 |
FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire) |
Aria-body |
Aria-body has established persistence via the Startup folder or Run Registry key.(Citation: CheckPoint Naikon May 2020) |
PROMETHIUM |
PROMETHIUM has used Registry run keys to establish persistence.(Citation: Talos Promethium June 2020) |
PowerShower |
PowerShower sets up persistence with a Registry run key.(Citation: Unit 42 Inception November 2018) |
Turian |
Turian can establish persistence by adding Registry Run keys.(Citation: ESET BackdoorDiplomacy Jun 2021) |
Briba |
Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.(Citation: Symantec Briba May 2012) |
PowerSploit |
PowerSploit's |
Bisonal |
Bisonal has added itself to the Registry key |
RunningRAT |
RunningRAT adds itself to the Registry key |
TAINTEDSCRIBE |
TAINTEDSCRIBE can copy itself into the current user’s Startup folder as “Narrator.exe” for persistence.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020) |
Machete |
Machete used the startup folder for persistence.(Citation: Securelist Machete Aug 2014)(Citation: Cylance Machete Mar 2017) |
During Operation Honeybee, the threat actors used batch files that allowed them to establish persistence by adding the following Registry key: `"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f`.(Citation: McAfee Honeybee) |
|
CrossRAT |
CrossRAT uses run keys for persistence on Windows.(Citation: Lookout Dark Caracal Jan 2018) |
BACKSPACE |
BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.(Citation: FireEye APT30) |
DownPaper |
DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.(Citation: ClearSky Charming Kitten Dec 2017) |
Kasidet |
Kasidet creates a Registry Run key to establish persistence.(Citation: Zscaler Kasidet)(Citation: Microsoft Kasidet) |
Flagpro |
Flagpro has dropped an executable file to the startup directory.(Citation: NTT Security Flagpro new December 2021) |
Octopus |
Octopus achieved persistence by placing a malicious executable in the startup directory and has added the |
njRAT |
njRAT has added persistence via the Registry key |
LuminousMoth |
LuminousMoth has used malicious DLLs that setup persistence in the Registry Key `HKCU\Software\Microsoft\Windows\Current Version\Run`.(Citation: Kaspersky LuminousMoth July 2021)(Citation: Bitdefender LuminousMoth July 2021) |
DnsSystem |
DnsSystem can write itself to the Startup folder to gain persistence.(Citation: Zscaler Lyceum DnsSystem June 2022) |
Zebrocy |
Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.(Citation: ESET Zebrocy Nov 2018)(Citation: ESET Zebrocy May 2019)(Citation: Accenture SNAKEMACKEREL Nov 2018) |
SslMM |
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut.(Citation: Baumgartner Naikon 2015) |
Machete |
Machete used the startup folder for persistence.(Citation: Cylance Machete Mar 2017) |
BADNEWS |
BADNEWS installs a registry Run key to establish persistence.(Citation: Forcepoint Monsoon) |
Conficker |
Conficker adds Registry Run keys to establish persistence.(Citation: Trend Micro Conficker) |
ANDROMEDA |
ANDROMEDA can establish persistence by dropping a sample of itself to `C:\ProgramData\Local Settings\Temp\mskmde.com` and adding a Registry run key to execute every time a user logs on.(Citation: Mandiant Suspected Turla Campaign February 2023) |
LookBack |
LookBack sets up a Registry Run key to establish a persistence mechanism.(Citation: Proofpoint LookBack Malware Aug 2019) |
Ramsay |
Ramsay has created Registry Run keys to establish persistence.(Citation: Antiy CERT Ramsay April 2020) |
ROADSWEEP |
ROADSWEEP has been placed in the start up folder to trigger execution upon user login.(Citation: Microsoft Albanian Government Attacks September 2022) |
Koadic |
Koadic has added persistence to the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` Registry key.(Citation: MalwareBytes LazyScripter Feb 2021) |
FIN13 |
FIN13 has used Windows Registry run keys such as, `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence.(Citation: Mandiant FIN13 Aug 2022) |
DustySky |
DustySky achieves persistence by creating a Registry entry in |
Carbanak |
Carbanak stores a configuration files in the startup directory to automatically execute commands in order to persist across reboots.(Citation: FireEye CARBANAK June 2017) |
Moonstone Sleet |
Moonstone Sleet used registry run keys for process execution during initial victim infection.(Citation: Microsoft Moonstone Sleet 2024) |
VBShower |
VBShower used |
Rocke |
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.(Citation: Talos Rocke August 2018) |
PlugX |
PlugX adds Run key entries in the Registry to establish persistence.(Citation: Lastline PlugX Analysis)(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: CIRCL PlugX March 2013) |
Chaes |
Chaes has added persistence via the Registry key |
Saint Bot |
Saint Bot has established persistence by being copied to the Startup directory or through the `\Software\Microsoft\Windows\CurrentVersion\Run` registry key.(Citation: Malwarebytes Saint Bot April 2021)(Citation: Palo Alto Unit 42 OutSteel SaintBot February 2022 ) |
Molerats |
Molerats saved malicious files within the AppData and Startup folders to maintain persistence.(Citation: Kaspersky MoleRATs April 2019) |
RCSession |
RCSession has the ability to modify a Registry Run key to establish persistence.(Citation: Trend Micro DRBControl February 2020)(Citation: Profero APT27 December 2020) |
gh0st RAT |
gh0st RAT has added a Registry Run key to establish persistence.(Citation: Nccgroup Gh0st April 2018)(Citation: Gh0stRAT ATT March 2019) |
BabyShark |
BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.(Citation: Unit42 BabyShark Feb 2019)(Citation: CISA AA20-301A Kimsuky) |
TinyZBot |
TinyZBot can create a shortcut in the Windows startup folder for persistence.(Citation: Cylance Cleaver) |
DarkComet |
DarkComet adds several Registry entries to enable automatic execution at every system startup.(Citation: TrendMicro DarkComet Sept 2014)(Citation: Malwarebytes DarkComet March 2018) |
POWERSOURCE |
POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.(Citation: Cisco DNSMessenger March 2017) |
Seasalt |
Seasalt creates a Registry entry to ensure infection after reboot under |
Heyoka Backdoor |
Heyoka Backdoor can establish persistence with the auto start function including using the value `EverNoteTrayUService`.(Citation: SentinelOne Aoqin Dragon June 2022) |
NavRAT |
NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.(Citation: Talos NavRAT May 2018) |
During Operation Sharpshooter, a first-stage downloader installed Rising Sun to `%Startup%\mssync.exe` on a compromised host.(Citation: McAfee Sharpshooter December 2018) |
|
PLAINTEE |
PLAINTEE gains persistence by adding the Registry key |
InnaputRAT |
Some InnaputRAT variants establish persistence by modifying the Registry key |
SeaDuke |
SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.(Citation: Unit 42 SeaDuke 2015) |
Cobalt Group |
Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.(Citation: Group IB Cobalt Aug 2017) |
GRIFFON |
GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.(Citation: SecureList Griffon May 2019) |
Mustang Panda |
Mustang Panda has created the registry key |
Higaisa |
Higaisa added a spoofed binary to the start-up folder for persistence.(Citation: Malwarebytes Higaisa 2020)(Citation: Zscaler Higaisa 2020) |
Sykipot |
Sykipot has been known to establish persistence by adding programs to the Run Registry key.(Citation: Blasco 2013) |
Kimsuky |
Kimsuky has placed scripts in the startup folder for persistence and modified the `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` Registry key.(Citation: Securelist Kimsuky Sept 2013)(Citation: CISA AA20-301A Kimsuky)(Citation: Crowdstrike GTR2020 Mar 2020)(Citation: Talos Kimsuky Nov 2021)(Citation: KISA Operation Muzabi) |
Prikormka |
Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.(Citation: ESET Operation Groundbait) |
Dragonfly |
Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A) |
SNUGRIDE |
SNUGRIDE establishes persistence through a Registry Run key.(Citation: FireEye APT10 April 2017) |
SysUpdate |
SysUpdate can use a Registry Run key to establish persistence.(Citation: Trend Micro Iron Tiger April 2021) |
Okrum |
Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.(Citation: ESET Okrum July 2019) |
IcedID |
IcedID has established persistence by creating a Registry run key.(Citation: IBM IcedID November 2017) |
LazyScripter |
LazyScripter has achieved persistence via writing a PowerShell script to the autorun registry key.(Citation: MalwareBytes LazyScripter Feb 2021) |
NanHaiShu |
NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.(Citation: fsecure NanHaiShu July 2016) |
BoomBox |
BoomBox can establish persistence by writing the Registry value |
APT3 |
APT3 places scripts in the startup folder for persistence.(Citation: FireEye Operation Double Tap) |
EvilGrab |
EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.(Citation: PWC Cloud Hopper Technical Annex April 2017) |
BlackEnergy |
The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.(Citation: F-Secure BlackEnergy 2014) |
Amadey |
Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.(Citation: Korean FSI TA505 2020)(Citation: BlackBerry Amadey 2020) |
Avaddon |
Avaddon uses registry run keys for persistence.(Citation: Arxiv Avaddon Feb 2021) |
Darkhotel |
Darkhotel has been known to establish persistence by adding programs to the Run Registry key.(Citation: Kaspersky Darkhotel) |
GuLoader |
GuLoader can establish persistence via the Registry under |
S-Type |
S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key |
APT33 |
APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020) |
BRONZE BUTLER |
BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.(Citation: Secureworks BRONZE BUTLER Oct 2017) |
Pupy |
Pupy adds itself to the startup folder or adds itself to the Registry key |
Comnie |
Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.(Citation: Palo Alto Comnie) |
StrongPity |
StrongPity can use the |
Latrodectus |
Latrodectus can set an AutoRun key to establish persistence.(Citation: Latrodectus APR 2024) |
RedCurl |
RedCurl has established persistence by creating entries in `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.(Citation: group-ib_redcurl1)(Citation: group-ib_redcurl2) |
Zeus Panda |
Zeus Panda adds persistence by creating Registry Run keys.(Citation: Talos Zeus Panda Nov 2017)(Citation: GDATA Zeus Panda June 2017) |
Ke3chang |
Several Ke3chang backdoors achieved persistence by adding a Run key.(Citation: NCC Group APT15 Alive and Strong) |
CORESHELL |
CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.(Citation: Microsoft SIR Vol 19) |
NanoCore |
NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.(Citation: Cofense NanoCore Mar 2018) |
SILENTTRINITY |
SILENTTRINITY can establish a LNK file in the startup folder for persistence.(Citation: GitHub SILENTTRINITY Modules July 2019) |
Confucius |
Confucius has dropped malicious files into the startup folder `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` on a compromised host in order to maintain persistence.(Citation: Uptycs Confucius APT Jan 2021) |
Cardinal RAT |
Cardinal RAT establishes Persistence by setting the |
Pikabot |
Pikabot maintains persistence following system checks through the Run key in the registry.(Citation: Zscaler Pikabot 2023) |
Ryuk |
Ryuk has used the Windows command line to create a Registry entry under |
AppleSeed |
AppleSeed has the ability to create the Registry key name |
POWERTON |
POWERTON can install a Registry Run key for persistence.(Citation: FireEye APT33 Guardrail) |
APT18 |
APT18 establishes persistence via the |
Mosquito |
Mosquito establishes persistence under the Registry key |
Astaroth |
Astaroth creates a startup item for persistence. (Citation: Cofense Astaroth Sept 2018) |
PoetRAT |
PoetRAT has added a registry key in the |
TrickBot |
TrickBot establishes persistence in the Startup folder.(Citation: ESET Trickbot Oct 2020) |
Sharpshooter |
Sharpshooter's first-stage downloader installed Rising Sun to the startup folder |
FELIXROOT |
FELIXROOT adds a shortcut file to the startup folder for persistence.(Citation: ESET GreyEnergy Oct 2018) |
RedLeaves |
RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.(Citation: PWC Cloud Hopper Technical Annex April 2017)(Citation: Accenture Hogfish April 2018) |
PowerDuke |
PowerDuke achieves persistence by using various Registry Run keys.(Citation: Volexity PowerDuke November 2016) |
KOCTOPUS |
KOCTOPUS can set the AutoRun Registry key with a PowerShell command.(Citation: MalwareBytes LazyScripter Feb 2021) |
Gamaredon Group |
Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: unit42_gamaredon_dec2022) |
TURNEDUP |
TURNEDUP is capable of writing to a Registry Run key to establish.(Citation: CyberBit Early Bird Apr 2018) |
Bazar |
Bazar can create or add files to Registry Run Keys to establish persistence.(Citation: Cybereason Bazar July 2020)(Citation: NCC Group Team9 June 2020) |
Mongall |
Mongall can establish persistence with the auto start function including using the value `EverNoteTrayUService`.(Citation: SentinelOne Aoqin Dragon June 2022) |
Wizard Spider |
Wizard Spider has established persistence via the Registry key |
APT32 |
APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)(Citation: ESET OceanLotus Mar 2019) |
MCMD |
MCMD can use Registry Run Keys for persistence.(Citation: Secureworks MCMD July 2019) |
Elise |
If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: |
Taidoor |
Taidoor has modified the |
RogueRobin |
RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence.(Citation: Unit 42 DarkHydrus July 2018) |
Обнаружение
Monitor Registry for changes to run keys that do not correlate with known software, patch cycles, etc. Monitor the start folder for additions or changes. Tools such as Sysinternals Autoruns may also be used to detect system changes that could be attempts at persistence, including listing the run keys' Registry locations and startup folders. (Citation: TechNet Autoruns) Suspicious program execution as startup programs may show up as outlier processes that have not been seen before when compared against historical data. Changes to these locations typically happen under normal conditions when legitimate software is installed. To increase confidence of malicious activity, data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities, such as network connections made for Command and Control, learning details about the environment through Discovery, and Lateral Movement.
Ссылки
- US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
- Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- Moe, O. (2018, March 21). Persistence using RunOnceEx - Hidden from Autoruns.exe. Retrieved June 29, 2018.
- Microsoft. (n.d.). Run and RunOnce Registry Keys. Retrieved September 12, 2024.
- Microsoft. (2018, May 31). 32-bit and 64-bit Application Data in the Registry. Retrieved August 3, 2020.
- Arntz, P. (2016, March 30). Hiding in Plain Sight. Retrieved August 3, 2020.
- Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
- FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
- Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
- Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021.
- Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021.
- Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
- McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
- Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
- Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
- Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- Slowik, J. (2021, October). THE BAFFLING BERSERK BEAR: A DECADE’S ACTIVITY TARGETING CRITICAL INFRASTRUCTURE. Retrieved December 6, 2021.
- Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015.
- Skulkin, O. (2019, August 5). Following the RTM Forensic examination of a computer infected with a banking trojan. Retrieved May 11, 2020.
- Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023.
- Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
- DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020.
- Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018.
- Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
- Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
- FinFisher. (n.d.). Retrieved September 12, 2024.
- Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
- Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
- GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
- Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
- Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
- Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021.
- Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021.
- Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
- Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved September 12, 2024.
- Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
- Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
- Shelmire, A.. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Desai, D.. (2015, August 14). Chinese cyber espionage APT group leveraging recently leaked Hacking Team exploits to target a Financial Services Firm. Retrieved January 26, 2016.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
- Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
- Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
- Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021.
- Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021.
- CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
- Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021.
- Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
- ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
- Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
- Dedola, G. (2020, August 20). Transparent Tribe: Evolution analysis, part 1. Retrieved September 2, 2021.
- Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
- US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
- Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
- Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
- CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
- ESET. (2018, September). LOJAX First UEFI rootkit found in the wild, courtesy of the Sednit group. Retrieved July 2, 2019.
- Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016.
- Szappanos, G. & Brandt, A. (2021, March 1). “Gootloader” expands its payload delivery options. Retrieved September 30, 2022.
- Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
- FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022.
- Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
- Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
- Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
- Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
- Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
- Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021.
- Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
- FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
- Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
- Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
- ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
- Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
- Trend Micro Research. (2022, April 4). Ransomware Spotlight AvosLocker. Retrieved January 11, 2023.
- Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
- ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
- Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
- Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
- Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
- Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
- Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020.
- Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
- Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
- Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
- Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
- Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
- Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
- Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
- Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019.
- Microsoft. (2017, September 15). Backdoor:Win32/Truvasys.A!dha. Retrieved November 30, 2017.
- Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
- Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017.
- Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021.
- Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021.
- Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
- Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024..
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
- Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
- Moore, S. et al. (2020, April 30). Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center. Retrieved May 19, 2020.
- Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
- Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016.
- Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
- Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021.
- Garcia, F., Regalado, D. (2023, March 7). Inside Mispadu massive infection campaign in LATAM. Retrieved March 15, 2024.
- ESET Security. (2019, November 19). Mispadu: Advertisement for a discounted Unhappy Meal. Retrieved March 13, 2024.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- NCSC GCHQ. (2022, January 27). Small Sieve Malware Analysis Report. Retrieved August 22, 2022.
- FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
- Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020.
- Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
- Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
- Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
- USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
- Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
- ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017.
- Manuel, J. and Plantado, R.. (2015, August 9). Win32/Kasidet. Retrieved March 24, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
- Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
- Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
- Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
- Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
- Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
- Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
- Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
- ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
- ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019.
- Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
- Trend Micro. (2014, March 18). Conficker. Retrieved February 18, 2021.
- Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
- Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
- Antiy CERT. (2020, April 20). Analysis of Ramsay components of Darkhotel's infiltration and isolation network. Retrieved March 24, 2021.
- MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024.
- Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
- Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
- Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
- GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
- Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
- Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
- Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
- GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
- Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
- Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
- TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
- Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017.
- Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
- Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
- Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
- Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021.
- Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
- Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021.
- Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
- Tarakanov , D.. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
- Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
- An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
- Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
- F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
- MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
- Yuste, J. Pastrana, S. (2021, February 9). Avaddon ransomware: an in-depth analysis and decryption of infected systems. Retrieved August 19, 2021.
- Kaspersky Lab's Global Research and Analysis Team. (2014, November). The Darkhotel APT A Story of Unusual Hospitality. Retrieved November 12, 2014.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
- Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
- Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
- Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
- Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
- Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
- Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
- Group-IB. (2020, August). RedCurl: The Pentest You Didn’t Know About. Retrieved August 9, 2024.
- Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
- Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
- Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved September 25, 2024.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
- Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
- Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
- Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
- Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018.
- Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024.
- Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
- Boutin, J. (2020, October 12). ESET takes part in global operation to disrupt Trickbot. Retrieved March 15, 2021.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
- Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
- CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
- Gavriel, H. & Erbesfeld, B. (2018, April 11). New ‘Early Bird’ Code Injection Technique Discovered. Retrieved May 24, 2018.
- Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
- Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
- Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020.
- DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
- Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
- Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
- Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
Связанные риски
Риск | Связи | |
---|---|---|
Закрепление злоумышленника в ОС
из-за
возможности добавления программы в автозагрузку
в ОС Windows
Повышение привилегий
НСД
|
|
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.