ENTERPRISE MOBILE PRE-ATT&CK
TECHNIQUES
  1. Home
  2. Techniques
  3. Enterprise
  4. Scripting

Scripting

Adversaries may use scripts to aid in operations and perform multiple actions that would otherwise be manual. Scripting is useful for speeding up operational tasks and reducing the time required to gain access to critical resources. Some scripting languages may be used to bypass process monitoring mechanisms by directly interacting with the operating system at an API level instead of calling other programs. Common scripting languages for Windows include VBScript and PowerShell but could also be in the form of command-line batch scripts.

Scripts can be embedded inside Office documents as macros that can be set to execute when files used in Spearphishing Attachment and other types of spearphishing are opened. Malicious embedded macros are an alternative means of execution than software exploitation through Exploitation for Client Execution, where adversaries will rely on macros being allowed or that the user will accept to activate them.

Many popular offensive frameworks exist which use forms of scripting for security testers and adversaries alike. Metasploit [1], Veil [2], and PowerSploit [3] are three examples that are popular among penetration testers for exploit and post-compromise operations and include many features for evading defenses. Some adversaries are known to use PowerShell. [4]

ID: T1064
Tactic: Defense Evasion, Execution
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: Process monitoring, File monitoring, Process command-line parameters
Defense Bypassed: Process whitelisting, Data Execution Prevention, Exploit Prevention
Version: 1.0

Procedure Examples

Name Description
APT1 APT1 has used batch scripting to automate execution of commands. [76]
APT19 APT19 downloaded and launched code within a SCT file. [85]
APT28 An APT28 loader Trojan uses a batch script to run its payload. The group has also used macros to execute payloads. [107] [27] [108] [109]
APT29 APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke, as well as to evade defenses. [32] [69]
APT3 APT3 has used PowerShell on victim systems to download and run payloads after exploitation. [84]
APT32 APT32 has used macros, PowerShell scripts, COM scriptlets, and VBS scripts. [110] [40]
APT37 APT37 executes shellcode and a script to decode Base64 strings. [99]
APT39 APT39 utilized custom scripts to perform internal reconnaissance. [118]
Astaroth Astaroth uses JavaScript to perform its core functionalities. [49]
Bisonal Bisonal's dropper creates VBS scripts on the victim’s machine. [16]
BRONZE BUTLER BRONZE BUTLER has used VBS, VBE, and batch scripts for execution. [92]
China Chopper China Chopper's server component is a text based payload available in a variety of scripting languages. [52]
Cobalt Group Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution and executed JavaScript scriptlets on the victim's machine. The group has also used an exploit toolkit known as Threadkit that launches .bat files. [101] [102] [103] [104] [105] [106]
Cobalt Strike Cobalt Strike can use PowerShell, Python, VBA, PowerSploit, other scripting frameworks to perform execution. [5] [6]
CoinTicker CoinTicker executes a bash script to establish a reverse shell and a Python script to download its second stage. [53]
Comnie Comnie executes BAT and VBS scripts. [14]
Dark Caracal Dark Caracal has used macros in Word documents that would download a second stage if executed. [70]
DarkComet DarkComet can execute various types of scripts on the victim’s machine. [28]
Darkhotel Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file. [100]
DealersChoice DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim’s machine. [17]
Deep Panda Deep Panda has used PowerShell scripts to download and execute programs in memory, without writing to disk. [4]
Denis Denis executes shellcode on the victim's machine. [40]
Dragonfly 2.0 Dragonfly 2.0 used various types of scripting to perform operations, including Python and batch scripts. The group was observed installing Python 2.7 on a victim. [87] [88]
Emotet Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads. [42] [43] [44] [45] [46]
Empire Empire has modules for executing scripts. [10]
EvilBunny EvilBunny has an integrated scripting engine to download and execute Lua scripts. [65]
Exaramel for Windows Exaramel for Windows has a command to execute VBS and GO scripts on the victim’s machine. [20]
FELIXROOT FELIXROOT executes batch scripts on the victim’s machine. [35]
FIN10 FIN10 has executed malicious .bat files containing PowerShell commands. [83]
FIN4 FIN4 has used VBA macros to display a dialog box and collect victim credentials. [111] [112]
FIN5 FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results. [95]
FIN6 FIN6 has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. FIN6 has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files. [90] [91]
FIN7 FIN7 used SQL, VBS and JavaScript scripts to help perform tasks on the victim's machine. [115] [62]
FIN8 FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities. [86]
Gallmaker Gallmaker used PowerShell scripts for execution. [116]
Gamaredon Group Gamaredon Group has used various batch scripts to establish C2, download additional files, and conduct other functions. [97]
Gorgon Group Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines. [117]
Helminth One version of Helminth consists of VBScript and PowerShell scripts. The malware also uses batch scripting. [37]
HiddenWasp HiddenWasp uses a script to automate tasks on the victim's machine and to assist in execution. [64]
Honeybee Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened. The actors also used batch scripting. [89]
JCry JCry has used VBS scripts. [61]
JHUHUGIT JHUHUGIT uses a .bat file to execute a .dll. [27]
jRAT jRAT has been distributed as HTA files with VBScript+JScript. [54]
Ke3chang Ke3chang has used batch scripts in its malware to install persistence mechanisms. [98]
KeyBoy KeyBoy uses Python and VBS scripts for installing files and performing execution. [60]
Keydnap Keydnap uses Python for scripting to execute additional commands. [22]
Koadic Koadic performs most of its operations using Windows Script Host (Jscript and VBScript) and runs arbitrary shellcode . [8]
Lazarus Group A Destover-like variant used by Lazarus Group uses a batch file mechanism to delete its binaries from the system. [13]
Leafminer Leafminer infected victims using JavaScript code. [93]
Leviathan Leviathan has used multiple types of scripting for execution, including JavaScript, JavaScript Scriptlets in XML, and VBScript. [31]
Machete Machete uses Python scripts. [67] [68]
Machete Machete used multiple compiled Python scripts on the victim’s system. [124]
Magic Hound Magic Hound malware has used .vbs scripts for execution. [71]
menuPass menuPass has used malicious macros embedded inside Office documents to execute files. [81] [82]
MoonWind MoonWind uses batch scripts for various purposes, including to restart and uninstall itself. [11]
MuddyWater MuddyWater has used VBScript and JavaScript files to execute its POWERSTATS payload. MuddyWater has also used Microsoft scriptlets, macros, and PowerShell scripts.[ [72] [73] [74] [75] [21]
NanHaiShu NanHaiShu executes additional Jscript and VBScript code on the victim's machine. [33]
NanoCore NanoCore uses VBS and JavaScript files. [29]
NavRAT NavRAT loads malicious shellcode and executes it in memory. [36]
OceanSalt OceanSalt has been executed via malicious macros. [41]
OilRig OilRig has used various types of scripting for execution, including .bat and .vbs scripts. The group has also used macros to deliver malware such as QUADAGENT and OopsIE. [78] [79] [25] [18] [80]
OopsIE OopsIE creates and uses a VBScript as part of its persistent execution. [25] [26]
Orz Orz can execute commands with script as well as execute JavaScript. [31]
OSX/Shlayer OSX/Shlayer can use bash scripts to check the macOS version and download payloads. [66]
OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D uses macros for execution as well as VBS and PowerShell scripts. [39]
Patchwork Patchwork used Visual Basic Scripts (VBS), JavaScript code, batch files, and .SCT files on victim machines. [113] [114]
PowerStallion PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server. [63]
POWERSTATS POWERSTATS can use VBScript (VBE), PowerShell, and JavaScript code for execution. [21]
Proton Proton uses macOS' .command file type to script actions. [34]
Proxysvc Proxysvc uses a batch file to delete itself. [13]
PUNCHBUGGY PUNCHBUGGY has used PowerShell, python, and shellcode scripts. [59]
Pupy Pupy can use an add on feature when creating payloads that allows you to create custom Python scripts (“scriptlets”) to perform tasks offline (without requiring a session) such as sandbox detection, adding persistence, etc. [7]
QUADAGENT QUADAGENT uses VBScripts and batch scripts. [18]
Rancor Rancor has used shell and VBS scripts as well as embedded macros for execution. [94]
Remcos Remcos uses Python scripts. [9]
Remexi Remexi uses AutoIt and VBS scripts throughout its execution process. [51]
Revenge RAT Revenge RAT executes scripts on the victim's machine. [55] [56]
RogueRobin To assist in establishing persistence, RogueRobin creates %APPDATA%\OneDrive.bat and saves the following string to it:powershell.exe -WindowStyle Hidden -exec bypass -File “%APPDATA%\OneDrive.ps1”. RogueRobin also uses Windows Script Components. [23] [24]
RunningRAT RunningRAT uses a batch file to kill a security program task and then attempts to remove itself. [12]
SamSam SamSam uses custom batch scripts to execute some of its components. [48]
SeaDuke SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket. [32]
Silence Silence has used JS, VBS, and PowerShell scripts. [120]
Smoke Loader Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload. [38]
SpeakUp SpeakUp uses Perl and Python scripts. [50]
SQLRat SQLRat has used SQL to execute JavaScript and VB scripts on the host system. [62]
Stealth Falcon Stealth Falcon malware uses PowerShell and WMI to script data collection and command execution on the victim. [77]
StoneDrill StoneDrill has several VBS scripts used throughout the malware's lifecycle. [57]
TA459 TA459 has a VBScript for execution. [96]
TA505 TA505 has used PowerShell, VBS, and JavaScript for code execution. [121] [122]
TrickBot TrickBot has used macros in Excel documents to download and deploy the malware on the user’s machine. [47]
Turla Turla has used PowerShell and VBS scripts throughout its operations. [123]
TYPEFRAME TYPEFRAME can uninstall malware components using a batch script. Additionally, a malicious Word document used for delivery uses VBA macros for execution. [19]
Ursnif Ursnif droppers have used VBA macros and PowerShell to download and execute the malware's full executable payload. [58]
WIRTE WIRTE has used VBS and PowerShell scripts throughout its operation. [119]
Xbash Xbash can execute malicious JavaScript and VBScript payloads on the victim’s machine. [30]
Zeus Panda Zeus Panda can launch remote scripts on the victim’s machine. [15]

Mitigations

Mitigation Description
Application Isolation and Sandboxing Configure Office security settings enable Protected View, to execute within a sandbox environment, and to block macros through Group Policy. Other types of virtualization and application microsegmentation may also mitigate the impact of compromise.
Disable or Remove Feature or Program Turn off unused features or restrict access to scripting engines such as VBScript or scriptable administration frameworks such as PowerShell.

Detection

Scripting may be common on admin, developer, or power user systems, depending on job function. If scripting is restricted for normal users, then any attempts to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.

Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.

Analyze Office file attachments for potentially malicious macros. Execution of macros may create suspicious process trees depending on what the macro is designed to do. Office processes, such as winword.exe, spawning instances of cmd.exe, script application like wscript.exe or powershell.exe, or other suspicious processes may indicate malicious activity. [125]

References

  1. Metasploit. (n.d.). Retrieved December 4, 2014.
  2. Veil Framework. (n.d.). Retrieved December 4, 2014.
  3. PowerSploit. (n.d.). Retrieved December 4, 2014.
  4. Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014.
  5. Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
  6. Mudge, R. (2017, May 23). Cobalt Strike 3.8 – Who’s Your Daddy?. Retrieved June 4, 2019.
  7. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  8. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  9. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  10. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  11. Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
  12. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  13. Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018.
  14. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  15. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  16. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  17. Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018.
  18. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
  19. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  20. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  21. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  22. Patrick Wardle. (2017, January 1). Mac Malware of 2016. Retrieved September 21, 2018.
  23. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  24. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  25. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  26. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  27. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  28. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  29. Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018.
  30. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  31. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  32. Symantec Security Response. (2015, July 13). “Forkmeiamfamous”: Seaduke, latest weapon in the Duke armory. Retrieved July 22, 2015.
  33. F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018.
  34. Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018.
  35. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  36. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  37. Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  38. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  39. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  40. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  41. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
  42. Symantec. (2018, July 18). The Evolution of Emotet: From Banking Trojan to Threat Distributor. Retrieved March 25, 2019.
  43. Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019.
  44. Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019.
  45. Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019.
  46. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019.
  47. Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019.
  48. Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019.
  49. Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  50. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  51. Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
  52. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  53. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  54. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  55. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  56. Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019.
  57. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  58. Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019.
  59. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  60. Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019.
  61. Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019.
  62. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  63. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  1. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  2. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  3. Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019.
  4. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019.
  5. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019.
  6. Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016.
  7. Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018.
  8. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  9. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  10. Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018.
  11. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  12. Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018.
  13. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  14. Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016.
  15. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  16. Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018.
  17. Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019.
  18. Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018.
  19. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  20. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  21. Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
  22. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  23. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  24. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  25. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  26. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  27. FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016.
  28. McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019.
  29. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  30. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  31. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  32. Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  33. Axel F. (2017, April 27). APT Targets Financial Analysts with CVE-2017-0199. Retrieved February 15, 2018.
  34. Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  35. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
  36. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  37. Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018.
  38. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  39. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  40. Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
  41. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  42. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.
  43. Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019.
  44. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  45. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  46. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  47. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  48. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018.
  49. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019.
  50. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  51. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  52. Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
  53. Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018.
  54. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  55. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019.
  56. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  57. Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019.
  58. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019.
  59. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019.
  60. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  61. The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019.
  62. Felix. (2016, September). Analyzing Malicious Office Documents. Retrieved April 11, 2018.