Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Техника Симметричное шифрование
EN
Риски
Каталоги
MITRE ATT&CK
Техника
Симметричное шифрование
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Encrypted Channel:  Симметричное шифрование

ID Название
.001 Симметричное шифрование
.002 Асимметричное шифрование

Adversaries may employ a known symmetric encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Symmetric encryption algorithms use the same key for plaintext encryption and ciphertext decryption. Common symmetric encryption algorithms include AES, DES, 3DES, Blowfish, and RC4.

ID: T1573.001
Относится к технике:  T1573
Тактика(-и): Command and Control
Платформы: ESXi, Linux, Network Devices, Windows, macOS
Источники данных: Network Traffic: Network Traffic Content
Версия: 1.2
Дата создания: 16 Mar 2020
Последнее изменение: 15 Apr 2025

Примеры процедур
Название Описание
TrickBot

TrickBot uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic.(Citation: Fidelis TrickBot Oct 2016)Newer versions of TrickBot have been known to use `bcrypt` to encrypt and digitally sign responses to their C2 server. (Citation: Bitdefender Trickbot C2 infra Nov 2020)
BLINDINGCAN

BLINDINGCAN has encrypted its C2 traffic with RC4.(Citation: US-CERT BLINDINGCAN Aug 2020)
Ninja

Ninja can XOR and AES encrypt C2 messages.(Citation: Kaspersky ToddyCat June 2022)
Pikabot

Earlier Pikabot variants use a custom encryption procedure leveraging multiple mechanisms including AES with multiple rounds of Base64 encoding for its command and control communication.(Citation: Zscaler Pikabot 2023) Later Pikabot variants eliminate the use of AES and instead use RC4 encryption for transmitted information.(Citation: Elastic Pikabot 2024)
Bumblebee

Bumblebee can encrypt C2 requests and responses with RC4(Citation: Proofpoint Bumblebee April 2022)
Torisma

Torisma has encrypted its C2 communications using XOR and VEST-32.(Citation: McAfee Lazarus Nov 2020)
Stuxnet

Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
Downdelph

Downdelph uses RC4 to encrypt C2 responses.(Citation: ESET Sednit Part 3)
RotaJakiro

RotaJakiro encrypts C2 communication using a combination of AES, XOR, ROTATE encryption, and ZLIB compression.(Citation: RotaJakiro 2021 netlab360 analysis)
Sardonic

Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)
Emissary

The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of Emissary use various XOR operations to encrypt C2 data.(Citation: Lotus Blossom Dec 2015)
KEYMARBLE

KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.(Citation: US-CERT KEYMARBLE Aug 2018)
Sliver

Sliver can use AES-GCM-256 to encrypt a session key for C2 message exchange.(Citation: GitHub Sliver Encryption)
TAMECAT

TAMECAT has used AES to encrypt C2 traffic.(Citation: Mandiant APT42-untangling)
RedLeaves

RedLeaves has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear.(Citation: PWC Cloud Hopper Technical Annex April 2017)
Felismus

Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.(Citation: Forcepoint Felismus Mar 2017)
xCaon

xCaon has encrypted data sent to the C2 server using a XOR key.(Citation: Checkpoint IndigoZebra July 2021)

PLAINTEE

PLAINTEE encodes C2 beacons using XOR.(Citation: Rancor Unit42 June 2018)
Nebulae

Nebulae can use RC4 and XOR to encrypt C2 communications.(Citation: Bitdefender Naikon April 2021)
Lurid

Lurid performs XOR encryption.(Citation: Villeneuve 2011)
RainyDay

RainyDay can use RC4 to encrypt C2 communications.(Citation: Bitdefender Naikon April 2021)
NETWIRE

NETWIRE can use AES encryption for C2 data transferred.(Citation: Red Canary NETWIRE January 2020)
HyperStack

HyperStack has used RSA encryption for C2 communications.(Citation: Accenture HyperStack October 2020)
HAMMERTOSS

Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command.(Citation: FireEye APT29)
CosmicDuke

CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.(Citation: F-Secure Cosmicduke)
GreyEnergy

GreyEnergy encrypts communications using AES256.(Citation: ESET GreyEnergy Oct 2018)
Emotet

Emotet is known to use RSA keys for encrypting C2 traffic. (Citation: Trend Micro Emotet Jan 2019)
SNUGRIDE

SNUGRIDE encrypts C2 traffic using AES with a static key.(Citation: FireEye APT10 April 2017)
Machete

Machete has used AES to exfiltrate documents.(Citation: ESET Machete July 2019)
FRP

FRP can use STCP (Secret TCP) with a preshared key to encrypt services exposed to public networks.(Citation: FRP GitHub)
Prikormka

Prikormka encrypts some C2 traffic with the Blowfish cipher.(Citation: ESET Operation Groundbait)
PingPull

PingPull can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications.(Citation: Unit 42 PingPull Jun 2022)
WellMess

WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.(Citation: PWC WellMess July 2020)(Citation: PWC WellMess C2 August 2020)(Citation: CISA WellMess July 2020)
Woody RAT

Woody RAT can use AES-CBC to encrypt data sent to its C2 server.(Citation: MalwareBytes WoodyRAT Aug 2022)

Mafalda

Mafalda can encrypt its C2 traffic with RC4.(Citation: SentinelLabs Metador Sept 2022)
SombRAT

SombRAT has encrypted its C2 communications with AES.(Citation: BlackBerry CostaRicto November 2020)
FlawedAmmyy

FlawedAmmyy has used SEAL encryption during the initial C2 handshake.(Citation: Proofpoint TA505 Mar 2018)
Rifdoor

Rifdoor has encrypted command and control (C2) communications with a stream cipher.(Citation: Carbon Black HotCroissant April 2020)
InvisiMole

InvisiMole uses variations of a simple XOR encryption routine for C&C communications.(Citation: ESET InvisiMole June 2018)
Volgmer

Volgmer uses a simple XOR cipher to encrypt traffic and files.(Citation: US-CERT Volgmer 2 Nov 2017)
ZeroT

ZeroT has used RC4 to encrypt C2 traffic.(Citation: Proofpoint TA459 April 2017)(Citation: Proofpoint ZeroT Feb 2017)
RDAT

RDAT has used AES ciphertext to encode C2 communications.(Citation: Unit42 RDAT July 2020)
Okrum

Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. (Citation: ESET Okrum July 2019)
Bonadan

Bonadan can XOR-encrypt C2 communications.(Citation: ESET ForSSHe December 2018)
UBoatRAT

UBoatRAT encrypts instructions in its C2 network payloads using a simple XOR cipher.(Citation: PaloAlto UBoatRAT Nov 2017)
NETEAGLE

NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle."(Citation: FireEye APT30)
FatDuke

FatDuke can AES encrypt C2 communications.(Citation: ESET Dukes October 2019)
Lucifer

Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.(Citation: Unit 42 Lucifer June 2020)
Hi-Zor

Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.(Citation: Fidelis Hi-Zor)
Chaos

Chaos provides a reverse shell connection on 8338/TCP, encrypted via AES.(Citation: Chaos Stolen Backdoor)
LIGHTWIRE

LIGHTWIRE can RC4 encrypt C2 commands.(Citation: Mandiant Cutting Edge Part 2 January 2024)
CORESHELL

CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.(Citation: FireEye APT28)
BBSRAT

BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.(Citation: Palo Alto Networks BBSRAT)
PlugX

PlugX can use RC4 encryption in C2 communications.(Citation: Proofpoint TA416 Europe March 2022)
Bisonal

Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.(Citation: Unit 42 Bisonal July 2018)(Citation: Kaspersky CactusPete Aug 2020)(Citation: Talos Bisonal Mar 2020)

SeaDuke

SeaDuke C2 traffic has been encrypted with RC4 and AES.(Citation: Mandiant No Easy Breach)(Citation: Unit 42 SeaDuke 2015)
Duqu

The Duqu command and control protocol's data stream can be encrypted with AES-CBC.(Citation: Symantec W32.Duqu)
Explosive

Explosive has encrypted communications with the RC4 method.(Citation: ClearSky Lebanese Cedar Jan 2021)

Epic

Epic encrypts commands from the C2 server using a hardcoded key.(Citation: Kaspersky Turla)
LightNeuron

LightNeuron uses AES to encrypt C2 traffic.(Citation: ESET LightNeuron May 2019)
Mongall

Mongall has the ability to RC4 encrypt C2 communications.(Citation: SentinelOne Aoqin Dragon June 2022)
LockBit 3.0

LockBit 3.0 can encrypt C2 communications with AES.(Citation: Joint Cybersecurity Advisory LockBit 3.0 MAR 2023)
FoggyWeb

FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications.(Citation: MSTIC FoggyWeb September 2021)

NGLite

NGLite will use an AES encrypted channel for command and control purposes, in one case using the key WHATswrongwithUu.(Citation: NGLite Trojan)
Carbanak

Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). Carbanak also uses XOR with random keys for its communications.(Citation: Kaspersky Carbanak)(Citation: FireEye CARBANAK June 2017)
Hydraq

Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.(Citation: Symantec Hydraq Jan 2010)
Elise

Elise encrypts exfiltrated data with RC4.(Citation: Lotus Blossom Jun 2015)
Gazer

Gazer uses custom encryption for C2 that uses 3DES.(Citation: ESET Gazer Aug 2017)(Citation: Securelist WhiteBear Aug 2017)
TSCookie

TSCookie has encrypted network communications with RC4.(Citation: JPCert TSCookie March 2018)
Latrodectus

Latrodectus can send RC4 encrypted data over C2 channels.(Citation: Latrodectus APR 2024)(Citation: Elastic Latrodectus May 2024)(Citation: Bitsight Latrodectus June 2024)
CharmPower

CharmPower can send additional modules over C2 encrypted with a simple substitution cipher.(Citation: Check Point APT35 CharmPower January 2022)
3PARA RAT

3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. 3PARA RAT will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails(Citation: CrowdStrike Putter Panda)
SMOKEDHAM

SMOKEDHAM has encrypted its C2 traffic with RC4.(Citation: FireEye SMOKEDHAM June 2021)
TAINTEDSCRIBE

TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.(Citation: CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020)
Sys10

Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.(Citation: Baumgartner Naikon 2015)
BendyBear

BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.(Citation: Unit42 BendyBear Feb 2021)

Uroburos

Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
Metamorfo

Metamorfo has encrypted C2 commands with AES-256.(Citation: ESET Casbaneiro Oct 2019)

Bandook

Bandook has used AES encryption for C2 communication.(Citation: CheckPoint Bandook Nov 2020)
PipeMon

PipeMon communications are RC4 encrypted.(Citation: ESET PipeMon May 2020)
KONNI

KONNI has used AES to encrypt C2 traffic.(Citation: Malwarebytes KONNI Evolves Jan 2022)
Winnti for Linux

Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).(Citation: Chronicle Winnti for Linux May 2019)
gh0st RAT

gh0st RAT uses RC4 and XOR to encrypt C2 traffic.(Citation: Nccgroup Gh0st April 2018)
down_new

down_new has the ability to AES encrypt C2 communications.(Citation: Trend Micro Tick November 2019)
4H RAT

4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.(Citation: CrowdStrike Putter Panda)
Attor

Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.(Citation: ESET Attor Oct 2019)
Mosquito

Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.(Citation: ESET Turla Mosquito Jan 2018)
RTM

RTM encrypts C2 traffic with a custom RC4 variant.(Citation: ESET RTM Feb 2017)
QUIETCANARY

QUIETCANARY can RC4 encrypt C2 communications.(Citation: Mandiant Suspected Turla Campaign February 2023)
Derusbi

Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.(Citation: Fidelis Turbo)
SodaMaster

SodaMaster can use RC4 to encrypt C2 communications.(Citation: Securelist APT10 March 2021)
Hikit

Hikit performs XOR encryption.(Citation: Novetta-Axiom)
Sakula

Sakula encodes C2 traffic with single-byte XOR keys.(Citation: Dell Sakula)
Bazar

Bazar can send C2 communications with XOR encryption.(Citation: NCC Group Team9 June 2020)
Kobalos

Kobalos's post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic.(Citation: ESET Kobalos Feb 2021)(Citation: ESET Kobalos Jan 2021)

BADCALL

BADCALL encrypts C2 traffic using an XOR/ADD cipher.(Citation: US-CERT BADCALL)
MoonWind

MoonWind encrypts C2 traffic using RC4 with a static key.(Citation: Palo Alto MoonWind March 2017)
Pandora

Pandora has the ability to encrypt communications with D3DES.(Citation: Trend Micro Iron Tiger April 2021)
Cobalt Strike

Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.(Citation: Talos Cobalt Strike September 2020)
SUNBURST

SUNBURST encrypted C2 traffic using a single-byte-XOR cipher.(Citation: FireEye SUNBURST Backdoor December 2020)
HotCroissant

HotCroissant has compressed network communications and encrypted them with a custom stream cipher.(Citation: Carbon Black HotCroissant April 2020)(Citation: US-CERT HOTCROISSANT February 2020)
RIPTIDE

APT12 has used the RIPTIDE RAT, which communicates over HTTP with a payload encrypted with RC4.(Citation: Moran 2014)
Samurai

Samurai can encrypt C2 communications with AES.(Citation: Kaspersky ToddyCat June 2022)
OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D encrypts data sent back to the C2 using AES in CBC mode with a null initialization vector (IV) and a key sent from the server that is padded to 32 bytes.(Citation: Unit42 OceanLotus 2017)
Taidoor

Taidoor uses RC4 to encrypt the message body of HTTP content.(Citation: TrendMicro Taidoor)(Citation: CISA MAR-10292089-1.v2 TAIDOOR August 2021)
PoisonIvy

PoisonIvy uses the Camellia cipher to encrypt communications.(Citation: FireEye Poison Ivy)
NanoCore

NanoCore uses DES to encrypt the C2 traffic.(Citation: PaloAlto NanoCore Feb 2016)
PLEAD

PLEAD has used RC4 encryption to download modules.(Citation: JPCert PLEAD Downloader June 2018)
Daserf

Daserf uses RC4 encryption to obfuscate HTTP traffic.(Citation: Secureworks BRONZE BUTLER Oct 2017)
Cardinal RAT

Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.(Citation: PaloAlto CardinalRat Apr 2017)
Solar

Solar can XOR encrypt C2 communications.(Citation: ESET OilRig Campaigns Sep 2023)
FakeM

The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.(Citation: Scarlet Mimic Jan 2016)
More_eggs

More_eggs has used an RC4-based encryption method for its C2 communications.(Citation: Security Intelligence More Eggs Aug 2019)
SysUpdate

SysUpdate has used DES to encrypt all C2 communications.(Citation: Lunghi Iron Tiger Linux)
Mango

Mango can receive XOR-encrypted commands from C2.(Citation: ESET OilRig Campaigns Sep 2023)
WIREFIRE

WIREFIRE can AES encrypt process output sent from compromised devices to C2.(Citation: Mandiant Cutting Edge January 2024)
GrimAgent

GrimAgent can use an AES key to encrypt C2 communications.(Citation: Group IB GrimAgent July 2021)
LookBack

LookBack uses a modified version of RC4 for data transfer.(Citation: Proofpoint LookBack Malware Aug 2019)
CallMe

CallMe uses AES to encrypt C2 traffic.(Citation: Scarlet Mimic Jan 2016)
CHOPSTICK

CHOPSTICK encrypts C2 communications with RC4.(Citation: ESET Sednit Part 2)
SLIGHTPULSE

SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.(Citation: Mandiant Pulse Secure Zero-Day April 2021)
NDiskMonitor

NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.(Citation: TrendMicro Patchwork Dec 2017)
Winnti for Windows

Winnti for Windows can XOR encrypt C2 traffic.(Citation: Novetta Winnti April 2015)
Troll Stealer

Troll Stealer encrypts data sent to command and control infrastructure using a combination of RC4 and RSA-4096 algorithms.(Citation: S2W Troll Stealer 2024)
httpclient

httpclient encrypts C2 content with XOR using a single byte, 0x12.(Citation: CrowdStrike Putter Panda)
Ebury

Ebury has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string.(Citation: ESET Ebury Feb 2014)
ZIPLINE

ZIPLINE can use AES-128-CBC to encrypt data for both upload and download.(Citation: Mandiant Cutting Edge Part 2 January 2024)
QuasarRAT

QuasarRAT uses AES with a hardcoded pre-shared key to encrypt network communication.(Citation: GitHub QuasarRAT)(Citation: Volexity Patchwork June 2018)(Citation: CISA AR18-352A Quasar RAT December 2018)
ChChes

ChChes can encrypt C2 traffic with AES or RC4.(Citation: Palo Alto menuPass Feb 2017)(Citation: JPCERT ChChes Feb 2017)
IceApple

The IceApple Result Retriever module can AES encrypt C2 responses.(Citation: CrowdStrike IceApple May 2022)
metaMain

metaMain can encrypt the data that it sends and receives from the C2 server using an RC4 encryption algorithm.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)
SideTwist

SideTwist can encrypt C2 communications with a randomly generated key.(Citation: Check Point APT34 April 2021)
LunarWeb

LunarWeb can send AES encrypted C2 commands.(Citation: ESET Turla Lunar toolset May 2024)
XCSSET

XCSSET uses RC4 encryption over TCP to communicate with its C2 server.(Citation: trendmicro xcsset xcode project 2020)

Dipsind

Dipsind encrypts C2 data with AES256 in ECB mode.(Citation: Microsoft PLATINUM April 2016)
POWERTON

POWERTON has used AES for encrypting C2 traffic.(Citation: FireEye APT33 Guardrail)
BADNEWS

BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.(Citation: Forcepoint Monsoon)(Citation: TrendMicro Patchwork Dec 2017)
QakBot

QakBot can RC4 encrypt strings in C2 communication.(Citation: Kaspersky QakBot September 2021)
Helminth

Helminth encrypts data sent to its C2 server over HTTP with RC4.(Citation: Palo Alto OilRig May 2016)
Dridex

Dridex has encrypted traffic with RC4.(Citation: Kaspersky Dridex May 2017)
Komplex

The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.(Citation: Sofacy Komplex Trojan)
Comnie

Comnie encrypts command and control communications with RC4.(Citation: Palo Alto Comnie)
H1N1

H1N1 encrypts C2 traffic using an RC4 key.(Citation: Cisco H1N1 Part 2)
Azorult

Azorult can encrypt C2 traffic using XOR.(Citation: Unit42 Azorult Nov 2018)(Citation: Proofpoint Azorult July 2018)
UPPERCUT

Some versions of UPPERCUT have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.(Citation: FireEye APT10 Sept 2018)
ADVSTORESHELL

A variant of ADVSTORESHELL encrypts some C2 with 3DES.(Citation: Bitdefender APT28 Dec 2015)
StrifeWater

StrifeWater can encrypt C2 traffic using XOR with a hard coded key.(Citation: Cybereason StrifeWater Feb 2022)
HiddenWasp

HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.(Citation: Intezer HiddenWasp Map 2019)
WarzoneRAT

WarzoneRAT can encrypt its C2 with RC4 with the password `warzone160\x00`.(Citation: Check Point Warzone Feb 2020)
FALLCHILL

FALLCHILL encrypts C2 data with RC4 encryption.(Citation: US-CERT FALLCHILL Nov 2017)(Citation: CISA AppleJeus Feb 2021)
Frankenstein

Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.(Citation: Talos Frankenstein June 2019)
APT28

APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.(Citation: ESET Zebrocy May 2019)
APT33

APT33 has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail)
Lazarus Group

Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads. Lazarus Group has also used AES to encrypt C2 traffic.(Citation: Novetta Blockbuster)(Citation: Novetta Blockbuster Destructive Malware)(Citation: McAfee Lazarus Resurfaces Feb 2018)(Citation: McAfee GhostSecret)
Darkhotel

Darkhotel has used AES-256 and 3DES for C2 communications.(Citation: Microsoft DUBNIUM July 2016)
MuddyWater

MuddyWater has used AES to encrypt C2 responses.(Citation: Talos MuddyWater Jan 2022)
BRONZE BUTLER

BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.(Citation: Secureworks BRONZE BUTLER Oct 2017)
ZIRCONIUM

ZIRCONIUM has used AES encrypted communications in C2.(Citation: Zscaler APT31 Covid-19 October 2020)
Higaisa

Higaisa used AES-128 to encrypt C2 traffic.(Citation: Zscaler Higaisa 2020)
Inception

Inception has encrypted network communications with AES.(Citation: Kaspersky Cloud Atlas December 2014)
Volt Typhoon

Volt Typhoon has used a version of the Awen web shell that employed AES encryption and decryption for C2 communications.(Citation: Secureworks BRONZE SILHOUETTE May 2023)
Mustang Panda

Mustang Panda has encrypted C2 communications with RC4.(Citation: Recorded Future REDDELTA July 2020)
RedCurl

RedCurl has used AES-128 CBC to encrypt C2 communications.(Citation: group-ib_redcurl2)
Stealth Falcon

Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.(Citation: Citizen Lab Stealth Falcon May 2016)

Контрмеры
Контрмера Описание
Network Intrusion Prevention

Use intrusion detection signatures to block traffic at network boundaries.

Обнаружение

With symmetric encryption, it may be possible to obtain the algorithm and key from samples and use them to decode network traffic to detect malware communications signatures. In general, analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.(Citation: University of Birmingham C2)

Ссылки

  1. CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022.
  2. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  3. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  4. Slepogin, N. (2017, May 25). Dridex: A History of Evolution. Retrieved May 31, 2019.
  5. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  6. Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022.
  7. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  8. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  9. Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
  10. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  11. FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
  12. Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024.
  13. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  14. Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018.
  15. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  16. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  17. Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
  18. Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021.
  19. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  20. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  21. Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved November 17, 2024.
  22. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  23. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  24. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  25. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  26. FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved November 17, 2024.
  27. Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018.
  28. ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
  29. Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023.
  30. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  31. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  32. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  33. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
  34. Zykov, K. (2020, August 13). CactusPete APT group’s updated Bisonal backdoor. Retrieved May 5, 2021.
  35. M.Leveille, M., Sanmillan, I. (2021, February 2). Kobalos – A complex Linux threat to high performance computing infrastructure. Retrieved August 24, 2021.
  36. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
  37. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  38. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  39. Sebastian Feldmann. (2018, February 14). Chaos: a Stolen Backdoor Rising Again. Retrieved March 5, 2018.
  40. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  41. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  42. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  43. fatedier. (n.d.). What is frp?. Retrieved July 10, 2024.
  44. CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022.
  45. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  46. Jiho Kim & Sebin Lee, S2W. (2024, February 7). Kimsuky disguised as a Korean company signed with a valid certificate to distribute Troll Stealer (English ver.). Retrieved January 17, 2025.
  47. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  48. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  49. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  50. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  51. Fidelis Cybersecurity. (2016, February 29). The Turbo Campaign, Featuring Derusbi for 64-bit Linux. Retrieved March 2, 2016.
  52. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  53. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  54. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  55. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  56. Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  57. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  58. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  59. FBI et al. (2023, March 16). #StopRansomware: LockBit 3.0. Retrieved February 5, 2025.
  60. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  61. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  62. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  63. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  64. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  65. Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  66. Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021.
  67. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019.
  68. Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016.
  69. Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020.
  70. McLellan, T. et al. (2024, January 12). Cutting Edge: Suspected APT Targets Ivanti Connect Secure VPN in New Zero-Day Exploitation. Retrieved February 27, 2024.
  71. FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
  72. Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
  73. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  74. Moran, N., Oppenheim, M., Engle, S., & Wartell, R.. (2014, September 3). Darwin’s Favorite APT Group [Blog]. Retrieved November 12, 2014.
  75. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  76. Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022.
  77. Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  78. Perez, D. et al. (2021, April 20). Check Your Pulse: Suspected APT Actors Leverage Authentication Bypass Techniques and Pulse Secure Zero-Day. Retrieved February 5, 2024.
  79. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  80. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  81. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  82. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  83. US-CERT. (2018, February 06). Malware Analysis Report (MAR) - 10135536-G. Retrieved June 7, 2018.
  84. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  85. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021.
  86. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  87. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  88. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  89. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  90. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
  91. Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
  92. Erye Hernandez and Danny Tsechansky. (2017, June 22). The New and Improved macOS Backdoor from OceanLotus. Retrieved September 8, 2023.
  93. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
  94. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  95. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  96. Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
  97. Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021.
  98. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  99. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  100. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  101. Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022.
  102. Lin, M. et al. (2024, January 31). Cutting Edge, Part 2: Investigating Ivanti Connect Secure VPN Zero-Day Exploitation. Retrieved February 27, 2024.
  103. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  104. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  105. Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  106. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  107. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  108. Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
  109. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  110. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  111. PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020.
  112. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  113. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  114. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  115. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  116. Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
  117. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  118. Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  119. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  120. Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved November 17, 2024.
  121. Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  122. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  123. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  124. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  125. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  126. GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
  127. USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021.
  128. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  129. Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  130. F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
  131. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  132. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  133. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  134. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  135. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  136. Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  137. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  138. Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021.
  139. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  140. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  141. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  142. BishopFox. (n.d.). Sliver Transport Encryption. Retrieved September 16, 2021.
  143. Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  144. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  145. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  146. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  147. ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021.
  148. Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018.
  149. M.Leveille, M., Sanmillan, I. (2021, January). A WILD KOBALOS APPEARS Tricksy Linux malware goes after HPCs. Retrieved August 24, 2021.
  150. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  151. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024.
  152. Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
  153. M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019.
  154. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  155. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved November 17, 2024.
  156. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  157. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  158. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021.
  159. Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
  160. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  161. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  162. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  163. Chen, Joey. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022.
  164. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  165. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  166. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  167. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  168. Proofpoint Threat Research and Team Cymru S2 Threat Research. (2024, April 4). Latrodectus: This Spider Bytes Like Ice . Retrieved May 31, 2024.
  169. Liviu Arsene, Radu Tudorica. (2020, November 23). TrickBot is Dead. Long Live TrickBot!. Retrieved September 28, 2021.
  170. ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021.
  171. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  172. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  173. Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  174. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  175. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  176. Group-IB. (2021, November). RedCurl: The Awakening. Retrieved August 14, 2024.
  177. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  178. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  179. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
Навигация

Связанные риски

Ничего не найдено

Каталоги

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.