Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

ID: T1105

Tactic: Command And Control, Lateral Movement

Platform: Linux, macOS, Windows

Permissions Required: User

Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring

Requires Network: Yes

Version: 1.0

Mitigations

Mitigation: Network Intrusion Prevention

Description: Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[212]

Examples

Name Description
Agent Tesla

Agent Tesla can download additional files for execution on the victim’s machine.[1][2]

Agent.btz

Agent.btz attempts to download an encrypted binary from a specified domain.[3]

APT18

APT18 can upload a file to the victim’s machine.[4]

APT28

APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.[5][6][7]

APT3

APT3 has a tool that can copy files to remote machines.[8]

APT32

APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[9][10]

APT33

APT33 has downloaded additional files and programs from its C2 server.[11]

APT37

APT37 has downloaded second stage malware from compromised websites.[12][13]

APT38

APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine.[14]

Astaroth

Astaroth uses certutil and BITSAdmin to download additional malware.[15][16]

AuditCred

AuditCred can download files and additional malware.[17]

Azorult

Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.[18][19]

BADNEWS

BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[20][21][22]

BadPatch

BadPatch can download and execute or update malware.[23]

Bankshot

Bankshot uploads files and secondary payloads to the victim's machine.[24]

BISCUIT

BISCUIT has a command to download a file from the C2 server.[25]

Bisonal

Bisonal has the capability to download files to execute on the victim’s machine.[26]

BITSAdmin

BITSAdmin can be used to create BITS Jobs to upload and/or download files.[27]

BONDUPDATER

BONDUPDATER can download or upload files from its C2 server.[28]

Briba

Briba downloads files onto infected hosts.[29]

BRONZE BUTLER

BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[30]

Calisto

Calisto has the capability to upload and download files to the victim's machine.[31]

CallMe

CallMe has the capability to download a file to the victim from the C2 server.[32]

Cannon

Cannon can download a payload for execution.[33]

Cardinal RAT

Cardinal RAT is downloaded and installed via an executed downloader payload. Cardinal RAT can also download and execute additional payloads.[34]

certutil

certutil can be used to download files from a given URL.[35][36]

ChChes

ChChes is capable of downloading files, including additional modules.[37][38][39]

China Chopper

China Chopper's server component can download remote files.[40][41][42]

CHOPSTICK

CHOPSTICK is capable of performing remote file transmission.[43]

CloudDuke

CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[44]

cmd

cmd can be used to copy files to a remotely connected system.[45]

Cobalt Group

Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files.[46][47][48]

CoinTicker

CoinTicker executes a Python script to download its second stage.[49]

CORESHELL

CORESHELL downloads another dropper from its C2 server.[50]

Crimson

Crimson contains a command to retrieve files from its C2 server.[51]

DarkComet

DarkComet can load any files onto the infected machine to execute.[52][53]

Daserf

Daserf can download remote files.[54][30]

DDKONG

DDKONG downloads and uploads files on the victim’s machine.[55]

Denis

Denis deploys additional backdoors and hacking tools to the system.[56]

Dipsind

Dipsind can download remote files.[57]

DOGCALL

DOGCALL can download and execute additional payloads.[58]

Downdelph

After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[59]

Dragonfly 2.0

Dragonfly 2.0 copied and installed tools for operations once in the victim environment.[60][61]

DustySky

DustySky searches for network drives and removable media and duplicates itself onto them.[62]

Dyre

Dyre has a command to download and execute additional files.[63]

Elderwood

The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location.[64]

Elise

Elise can download additional files from the C2 server for execution.[65]

Emissary

Emissary has the capability to download files from the C2 server.[66]

Empire

Empire can upload and download to and from a victim machine.[67]

EvilBunny

EvilBunny has downloaded additional Lua scripts from the C2.[68]

Exaramel

Exaramel has a command to download a file from a remote server to execute.[69]

Expand

Expand can be used to download or upload a file over a network share.[70]

Felismus

Felismus can download files from remote servers.[71]

FELIXROOT

FELIXROOT downloads and uploads files to and from the victim’s machine.[72][73]

FIN10

FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[74]

FIN7

FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload.[75][76]

FIN8

FIN8 has used remote code execution to download subsequent payloads.[77]

Gamaredon Group

Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[78]

Gazer

Gazer can execute a task to download a file.[79][80]

gh0st RAT

gh0st RAT can download files to the victim’s machine.[81]

Gold Dragon

Gold Dragon can download additional components from the C2 server.[82]

Gorgon Group

Gorgon Group malware can download additional files from C2 servers.[83]

GreyEnergy

GreyEnergy can download additional modules and payloads.[73]

H1N1

H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[84]

HAPPYWORK

HAPPYWORK can download and execute a second-stage payload.[12]

HAWKBALL

HAWKBALL has downloaded additional files from the C2.[85]

Helminth

Helminth can download additional files.[86]

Hi-Zor

Hi-Zor has the ability to upload and download files from its C2 server.[87]

HiddenWasp

HiddenWasp downloads a tar compressed archive from a download server to the system.[88]

HOPLIGHT

HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[89]

HTTPBrowser

HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[90]

Hydraq

Hydraq creates a backdoor through which remote attackers can download files and additional malware components.[91][92]

HyperBro

HyperBro has the ability to download additional files.[93]

InvisiMole

InvisiMole can upload files to the victim's machine for operations.[94]

Ixeshe

Ixeshe can download and execute additional files.[95]

JHUHUGIT

JHUHUGIT can retrieve an additional payload from its C2 server. JHUHUGIT has a command to download files to the victim’s machine.[96][97][98]

JPIN

JPIN can download files and upgrade itself.[57]

jRAT

jRAT can download and execute files.[99][100][101]

KARAE

KARAE can upload and download files, including second-stage malware.[12]

Kasidet

Kasidet has the ability to download and execute additional files.[102]

Kazuar

Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary.[103]

KeyBoy

KeyBoy has a download and upload functionality.[104][105]

KEYMARBLE

KEYMARBLE can upload files to the victim’s machine and can download additional payloads.[106]

Koadic

Koadic can download additional files.[107]

KONNI

KONNI can download files and execute them on the victim’s machine.[108]

Kwampirs

Kwampirs downloads additional files from C2 servers.[109]

Lazarus Group

Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[110][111][112]

Leviathan

Leviathan has downloaded additional scripts and files from adversary-controlled servers. Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.[113][40]

LightNeuron

LightNeuron has the ability to download and execute additional files.[114]

Linfo

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts.[115]

LockerGoga

LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating.[116]

LOWBALL

LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[117]

Magic Hound

Magic Hound has downloaded additional code and files from servers onto victims.[118]

menuPass

menuPass has installed updates and new malware on victims.[119][120]

Micropsia

Micropsia can download and execute an executable from the C2 server.[121][122]

MiniDuke

MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[123]

Misdat

Misdat is capable of downloading files from the C2.[124]

Mivast

Mivast has the capability to download and execute .exe files.[125]

MobileOrder

MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[32]

More_eggs

More_eggs can download and launch additional payloads.[126]

Mosquito

Mosquito can upload and download files to the victim.[127]

MuddyWater

MuddyWater has used malware that can upload additional files to the victim’s machine.[128][129]

NanHaiShu

NanHaiShu can download additional files from URLs.[113]

NanoCore

NanoCore has the capability to download and activate additional modules for execution.[130][131]

NavRAT

NavRAT can download files remotely.[132]

NDiskMonitor

NDiskMonitor can download and execute a file from given URL.[22]

Nerex

Nerex creates a backdoor through which remote attackers can download files onto a compromised host.[64]

Nidiran

Nidiran can download and execute files.[133]

njRAT

njRAT can upload and download files to and from the victim’s machine.[134]

NOKKI

NOKKI has downloaded a remote module for execution.[135]

Octopus

Octopus can upload and download files to and from the victim’s machine.[136]

OilRig

OilRig can download remote files onto victims.[137]

Olympic Destroyer

Olympic Destroyer attempts to copy itself to remote machines on the network.[138]

OopsIE

OopsIE can download files from its C2 server to the victim's machine.[139][140]

Orz

Orz can download files onto the victim.[113]

OSX_OCEANLOTUS.D

OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine.[141]

Pasam

Pasam creates a backdoor through which remote attackers can upload files.[142]

Patchwork

Patchwork payloads download additional files from the C2 server.[143][22]

Pisloader

Pisloader has a command to upload a file to the victim machine.[144]

PLAINTEE

PLAINTEE has downloaded and executed additional plugins.[55]

PLATINUM

PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel.[145]

PlugX

PlugX has a module to download and execute files on the compromised machine.[146]

PoisonIvy

PoisonIvy creates a backdoor through which remote attackers can upload files.[147]

POSHSPY

POSHSPY downloads and executes additional PowerShell code and Windows binaries.[148]

PowerDuke

PowerDuke has a command to download a file.[149]

POWERSOURCE

POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[150]

POWERSTATS

POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server.[151]

POWRUNER

POWRUNER can download or upload files from its C2 server.[137]

Psylo

Psylo has a command to download a file to the system from its C2 server.[32]

Pteranodon

Pteranodon can download and execute additional files.[78]

PUNCHBUGGY

PUNCHBUGGY can download additional files and payloads to compromised hosts.[152][153]

Pupy

Pupy can upload and download to/from a victim machine.[154]

QuasarRAT

QuasarRAT can download files to the victim’s machine and execute them.[155][156]

Rancor

Rancor has downloaded additional malware, including by using certutil.[55]

RARSTONE

RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[157]

RATANKBA

RATANKBA uploads and downloads information.[158][159]

RedLeaves

RedLeaves is capable of downloading a file from a specified URL.[160]

Remcos

Remcos can upload and download files to and from the victim’s machine.[161]

RemoteCMD

RemoteCMD copies a file over to the remote system before execution.[162]

Remsec

Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.[163][164]

Revenge RAT

Revenge RAT has the ability to upload and download files.[165]

RGDoor

RGDoor uploads and downloads files to and from the victim’s machine.[166]

RogueRobin

RogueRobin can save a new file to the system from the C2 server.[167][168]

ROKRAT

ROKRAT retrieves additional malicious payloads from the C2 server.[169]

RTM

RTM can download additional files.[170]

Sakula

Sakula has the capability to download files.[171]

SeaDuke

SeaDuke is capable of uploading and downloading files.[172]

Seasalt

Seasalt has a command to download additional files.[25]

SEASHARPEE

SEASHARPEE can download remote files onto victims.[173]

ServHelper

ServHelper may download additional files to execute.[174][175]

Shamoon

Shamoon can download an executable to run on the victim.[176]

SHUTTERSPEED

SHUTTERSPEED can download and execute an arbitrary executable.[12]

SLOWDRIFT

SLOWDRIFT downloads additional payloads.[12]

Smoke Loader

Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins.[177]

Soft Cell

Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN.[178]

SpeakUp

SpeakUp downloads and executes additional files from a remote server.[179]

SQLRat

SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk.[180]

StoneDrill

StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine.[181]

TA505

TA505 has downloaded additional malware to execute on victim systems.[182][175][183]

TDTESS

TDTESS has a command to download and execute an additional file.[184]

Threat Group-3390

After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[90]

TrickBot

TrickBot downloads several additional files and saves them to the victim's machine.[185]

Trojan.Karagany

Trojan.Karagany can upload, download, and execute files on the victim.[186]

Turla

Turla has used shellcode to download Meterpreter after compromising a victim. Turla RPC backdoors can also download files onto victim machines.[187][188][189]

TURNEDUP

TURNEDUP is capable of downloading additional files.[190]

TYPEFRAME

TYPEFRAME can upload and download files to the victim’s machine.[191]

UBoatRAT

UBoatRAT can upload and download files to the victim’s machine.[192]

Unknown Logger

Unknown Logger is capable of downloading remote files.[20]

UPPERCUT

UPPERCUT can download and upload files to and from the victim’s machine.[193]

Ursnif

Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads.[194][195]

Vasport

Vasport can download files.[196]

VERMIN

VERMIN can download and upload files to the victim's machine.[197]

Volgmer

Volgmer can download remote files and additional payloads to the victim's machine.[198][199][200]

WannaCry

WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit.[201]

WEBC2

WEBC2 can download and execute a file.[202]

Wiarp

Wiarp creates a backdoor through which remote attackers can download files.[203]

WIRTE

WIRTE has downloaded PowerShell code from the C2 server to be executed.[204]

Xbash

Xbash can download additional malicious files from its C2 server.[205]

XTunnel

XTunnel is capable of downloading additional files.[206]

Yahoyah

Yahoyah uses HTTP GET requests to download other files that are executed in memory.[207]

Zebrocy

Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload.[208][33][209][7]

ZeroT

ZeroT can download additional payloads onto the victim.[210]

Zeus Panda

Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine.[211]

ZLib

ZLib has the ability to download files.[124]

Detection

Monitor for file creation and for files transferred within the network over SMB. Unusual processes with external network connections that create files on the system may be suspicious. Use of utilities such as FTP that does not normally occur in the environment may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[212]
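The three detection ideas above (unbaselined processes that both talk externally and write files, rare use of transfer utilities, and lopsided upload flows) applied to constructed telemetry. This is an added example, not part of the ATT&CK page; the record layouts, host names, IPs, paths, baseline sets and thresholds are all assumptions for the illustration and would be tuned per environment.

```python
"""Added example (not from the ATT&CK page): applies the T1105 Detection
guidance to constructed telemetry. Record layouts, process names, paths and
thresholds are assumptions made for this illustration."""
from ipaddress import ip_address, ip_network

# Constructed sample telemetry in the shape netflow, process monitoring and
# file monitoring would supply. None of these hosts, IPs or files are real.
FLOWS = [  # (host, process, dst_ip, bytes_out, bytes_in)
    ("ws01", "outlook.exe", "203.0.113.10", 12_000, 480_000),
    ("ws01", "updater.exe", "203.0.113.99", 9_500_000, 40_000),
    ("ws02", "chrome.exe", "198.51.100.7", 200_000, 3_000_000),
    ("ws03", "svchost.exe", "10.0.0.5", 5_000, 150_000),
]
PROC_EVENTS = [  # (host, process, parent_process, dst_ip or None)
    ("ws01", "updater.exe", "winword.exe", "203.0.113.99"),
    ("ws02", "chrome.exe", "explorer.exe", "198.51.100.7"),
    ("ws03", "notepad.exe", "explorer.exe", None),
    ("ws04", "certutil.exe", "cmd.exe", "203.0.113.42"),
]
FILE_EVENTS = [  # (host, process, path_created)
    ("ws01", "updater.exe", "C:\\Users\\Public\\update.exe"),
    ("ws02", "chrome.exe", "C:\\Users\\a\\Downloads\\report.pdf"),
    ("ws03", "notepad.exe", "C:\\Users\\b\\notes.txt"),
    ("ws04", "certutil.exe", "C:\\ProgramData\\tool.exe"),
]

# Environment-specific tuning (assumed values): the site's own address space,
# processes expected to talk to the network, transfer utilities rare enough to
# review on every use, and the out/in ratio that counts as "a client sending
# significantly more than it receives" in the Detection text.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
NETWORK_BASELINE = {"outlook.exe", "chrome.exe", "svchost.exe"}
TRANSFER_UTILITIES = {"ftp.exe", "certutil.exe", "bitsadmin.exe", "scp", "sftp", "rsync"}
UPLOAD_RATIO = 5.0
MIN_UPLOAD_BYTES = 1_000_000  # below this, ratios are dominated by noise


def is_external(ip):
    """True when the destination lies outside the assumed internal ranges."""
    return ip is not None and not any(ip_address(ip) in net for net in INTERNAL_NETS)


def uncommon_flows(flows, ratio=UPLOAD_RATIO, min_bytes=MIN_UPLOAD_BYTES):
    """Flows where a client pushes far more data to a server than it pulls."""
    return [
        (host, proc, dst)
        for host, proc, dst, out_b, in_b in flows
        if out_b >= min_bytes and out_b / max(in_b, 1) > ratio
    ]


def unbaselined_network_writers(proc_events, file_events, baseline=NETWORK_BASELINE):
    """Processes with an external connection that also create files on the
    host and are not expected to use the network at all."""
    writers = {(host, proc) for host, proc, _ in file_events}
    return sorted(
        (host, proc)
        for host, proc, _, dst in proc_events
        if is_external(dst) and (host, proc) in writers and proc not in baseline
    )


def rare_utility_use(proc_events, utilities=TRANSFER_UTILITIES):
    """Transfer utilities (FTP, certutil, BITSAdmin, scp, ...) that do not
    normally occur; the parent process gives the analyst context."""
    return sorted(
        (host, proc, parent) for host, proc, parent, _ in proc_events if proc in utilities
    )


def build_alerts(flows=FLOWS, proc_events=PROC_EVENTS, file_events=FILE_EVENTS):
    """Combine the three checks into one list of T1105-tagged alerts, grouped
    per host/process so one noisy process does not flood the queue."""
    alerts = {}
    for host, proc, dst in uncommon_flows(flows):
        alerts.setdefault((host, proc), set()).add(f"uncommon_flow_to_{dst}")
    for host, proc in unbaselined_network_writers(proc_events, file_events):
        alerts.setdefault((host, proc), set()).add("unbaselined_network_writer")
    for host, proc, parent in rare_utility_use(proc_events):
        alerts.setdefault((host, proc), set()).add(f"rare_transfer_utility_parent_{parent}")
    return [
        {"technique": "T1105", "host": h, "process": p, "reasons": sorted(r)}
        for (h, p), r in sorted(alerts.items())
    ]


if __name__ == "__main__":
    for alert in build_alerts():
        print(alert)
```

On the constructed data, two processes surface: updater.exe on ws01 (both a lopsided upload and an unbaselined writer) and certutil.exe on ws04 (a rare transfer utility that also wrote a file), while the baselined browser and mail client stay quiet.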

References

  1. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  2. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  3. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  4. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  5. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  6. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  7. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  8. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  9. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  10. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  11. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  12. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  13. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  14. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  15. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  16. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  17. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  18. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  19. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  20. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  21. Levene, B., et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  22. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  23. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  24. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  25. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  26. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  27. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  28. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  29. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  30. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  31. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  32. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  33. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  34. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  35. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  36. Smith, Casey. (2017, July 20). SubTee Twitter Status. Retrieved July 21, 2017.
  37. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  38. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  39. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  40. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  41. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  42. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  43. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  44. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  45. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  46. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  47. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  48. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  49. Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  50. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  51. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  52. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  53. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  54. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  55. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  56. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  57. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  58. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  59. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  60. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  61. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  62. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  63. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  64. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  65. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  66. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  67. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  68. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  69. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  70. LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.
  71. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  72. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  73. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  74. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  75. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  76. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  77. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  78. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  79. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  80. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  81. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  82. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  83. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  84. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  85. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  86. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  87. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  88. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  89. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  90. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  91. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  92. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  93. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  94. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  95. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  96. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  97. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  98. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  99. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  100. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  101. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  102. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  103. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  104. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  105. Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  106. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  1. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  2. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  3. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  4. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  5. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  6. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  7. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  8. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  9. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  10. Harbison, M.. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
  11. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  12. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  13. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  14. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  15. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  16. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  17. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  18. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  19. Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  20. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  21. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  22. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  23. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  24. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  25. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  26. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  27. Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  28. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  29. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  30. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  31. Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  32. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  33. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  34. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  35. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  36. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  37. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  38. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  39. Kaplan, D, et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  40. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  41. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  42. Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  43. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  44. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  45. Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  46. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  47. Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  48. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  49. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  50. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  51. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  52. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  53. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  54. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  55. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  56. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  57. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  58. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  59. Livelli, K, et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  60. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  61. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  62. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  63. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  64. Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  65. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  66. Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  67. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  68. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  69. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  70. Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  71. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  72. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.
  73. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  74. Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  75. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  76. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  77. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  78. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  79. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  80. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  81. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  82. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  83. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  84. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  85. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  86. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  87. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  88. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  89. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  90. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  91. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  92. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  93. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  94. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  95. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  96. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  97. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  98. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  99. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  100. Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  101. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  102. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  103. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  104. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  105. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  106. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.