Remote File Copy

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

ID: T1105
Tactic: Command And Control, Lateral Movement
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Requires Network: Yes
Version: 1.0

Procedure Examples

Name Description
Agent Tesla Agent Tesla can download additional files for execution on the victim’s machine. [32] [33]
Agent.btz Agent.btz attempts to download an encrypted binary from a specified domain. [28]
APT18 APT18 can upload a file to the victim’s machine. [203]
APT28 APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant. [177] [178] [88]
APT3 APT3 has a tool that can copy files to remote machines. [181]
APT32 APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors. [192] [193]
APT33 APT33 has downloaded additional files and programs from its C2 server. [208]
APT37 APT37 has downloaded second stage malware from compromised websites. [46] [182]
APT38 APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim’s machine. [206]
Astaroth Astaroth uses certutil and BITSAdmin to download additional malware. [155] [156]
AuditCred AuditCred can download files and additional malware. [117]
Azorult Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes. [133] [134]
BADNEWS BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself. [41] [42] [43]
BadPatch BadPatch can download and execute or update malware. [148]
Bankshot Bankshot uploads files and secondary payloads to the victim's machine. [54]
BISCUIT BISCUIT has a command to download a file from the C2 server. [34]
Bisonal Bisonal has the capability to download files to execute on the victim’s machine. [137]
BITSAdmin BITSAdmin can be used to create BITS Jobs to upload and/or download files. [9]
BONDUPDATER BONDUPDATER can download or upload files from its C2 server. [151]
Briba Briba downloads files onto infected hosts. [76]
BRONZE BUTLER BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget). [18]
Calisto Calisto has the capability to upload and download files to the victim's machine. [82]
CallMe CallMe has the capability to download a file to the victim from the C2 server. [29]
Cannon Cannon can download a payload for execution. [86]
Cardinal RAT Cardinal RAT is downloaded and installed via an executed payload. Cardinal RAT can also download and execute additional payloads. [90]
certutil certutil can be used to download files from a given URL. [4] [5]
ChChes ChChes is capable of downloading files, including additional modules. [24] [25] [26]
China Chopper China Chopper's server component can download remote files. [48] [49] [50]
CHOPSTICK CHOPSTICK is capable of performing remote file transmission. [51]
CloudDuke CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account. [97]
cmd cmd can be used to copy files to a remotely connected system. [7]
Cobalt Group Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. The group's JavaScript backdoor is also capable of downloading files. [184] [185] [186]
CoinTicker CoinTicker executes a Python script to download its second stage. [159]
CORESHELL CORESHELL downloads another dropper from its C2 server. [38]
Crimson Crimson contains a command to retrieve files from its C2 server. [127]
DarkComet DarkComet can load any files onto the infected machine to execute. [141] [142]
Daserf Daserf can download remote files. [17] [18]
DDKONG DDKONG downloads and uploads files on the victim’s machine. [135]
Denis Denis deploys additional backdoors and hacking tools to the system. [149]
Dipsind Dipsind can download remote files. [19]
DOGCALL DOGCALL can download and execute additional payloads. [72]
Downdelph After downloading its main config file, Downdelph downloads multiple payloads from C2 servers. [75]
Dragonfly 2.0 Dragonfly 2.0 copied and installed tools for operations once in the victim environment. [194] [195]
DustySky DustySky searches for network drives and removable media and duplicates itself onto them. [62]
Dyre Dyre has a command to download and execute additional files. [55]
Elderwood The Ritsol backdoor trojan used by Elderwood can download files onto a compromised host from a remote location. [140]
Elise Elise can download additional files from the C2 server for execution. [73]
Emissary Emissary has the capability to download files from the C2 server. [95]
Empire Empire can upload and download to and from a victim machine. [12]
EvilBunny EvilBunny has downloaded additional Lua scripts from the C2. [175]
Exaramel Exaramel has a command to download a file from a remote server to execute. [101]
Expand Expand can be used to download or upload a file over a network share. [11]
Felismus Felismus can download files from remote servers. [13]
FELIXROOT FELIXROOT downloads and uploads files to and from the victim’s machine. [143] [99]
FIN10 FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally. [207]
FIN7 FIN7 has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload. [196] [197]
FIN8 FIN8 has used remote code execution to download subsequent payloads. [183]
Gamaredon Group Tools used by Gamaredon Group are capable of downloading and executing additional payloads. [64]
Gazer Gazer can execute a task to download a file. [91] [92]
gh0st RAT gh0st RAT can download files to the victim’s machine. [37]
Gold Dragon Gold Dragon can download additional components from the C2 server. [74]
Gorgon Group Gorgon Group malware can download additional files from C2 servers. [191]
GreyEnergy GreyEnergy can download additional modules and payloads. [99]
H1N1 H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests. [44]
HAPPYWORK HAPPYWORK can download and execute a second-stage payload. [46]
HAWKBALL HAWKBALL has downloaded additional files from the C2. [172]
Helminth Helminth can download additional files. [16]
Hi-Zor Hi-Zor has the ability to upload and download files from its C2 server. [79]
HiddenWasp HiddenWasp downloads a tar compressed archive from a download server to the system. [173]
HOPLIGHT HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [158]
HTTPBrowser HTTPBrowser is capable of writing a file to the compromised system from the C2 server. [57]
Hydraq Hydraq creates a backdoor through which remote attackers can download files and additional malware components. [52] [53]
HyperBro HyperBro has the ability to download additional files. [176]
InvisiMole InvisiMole can upload files to the victim's machine for operations. [119]
Ixeshe Ixeshe can download and execute additional files. [167]
JHUHUGIT JHUHUGIT can retrieve an additional payload from its C2 server. JHUHUGIT has a command to download files to the victim’s machine. [59] [60] [61]
JPIN JPIN can download files and upgrade itself. [19]
jRAT jRAT can download and execute files. [123] [124] [125]
KARAE KARAE can upload and download files, including second-stage malware. [46]
Kasidet Kasidet has the ability to download and execute additional files. [114]
Kazuar Kazuar downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary. [93]
KeyBoy KeyBoy has a download and upload functionality. [168] [169]
KEYMARBLE KEYMARBLE can upload files to the victim’s machine and can download additional payloads. [27]
Koadic Koadic can download additional files. [8]
KONNI KONNI can download files and execute them on the victim’s machine. [106]
Kwampirs Kwampirs downloads additional files from C2 servers. [67]
Lazarus Group Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server. [198] [199] [200]
Leviathan Leviathan has downloaded additional scripts and files from adversary-controlled servers. Leviathan has also used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox. [120] [48]
LightNeuron LightNeuron has the ability to download and execute additional files. [174]
Linfo Linfo creates a backdoor through which remote attackers can download files onto compromised hosts. [131]
LockerGoga LockerGoga has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files from computer to computer instead of self-propagating. [154]
LOWBALL LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware. [94]
Magic Hound Magic Hound has downloaded additional code and files from servers onto victims. [180]
menuPass menuPass has installed updates and new malware on victims. [204] [205]
Micropsia Micropsia can download and execute an executable from the C2 server. [107] [108]
MiniDuke MiniDuke can download additional encrypted backdoors onto the victim via GIF files. [14]
Misdat Misdat is capable of downloading files from the C2. [69]
Mivast Mivast has the capability to download and execute .exe files. [58]
MobileOrder MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card. [29]
More_eggs More_eggs can download and launch additional payloads. [98]
Mosquito Mosquito can upload and download files to the victim. [15]
MuddyWater MuddyWater has used malware that can upload additional files to the victim’s machine. [201] [202]
NanHaiShu NanHaiShu can download additional files from URLs. [120]
NanoCore NanoCore has the capability to download and activate additional modules for execution. [83] [84]
NavRAT NavRAT can download files remotely. [77]
NDiskMonitor NDiskMonitor can download and execute a file from a given URL. [43]
Nerex Nerex creates a backdoor through which remote attackers can download files onto a compromised host. [140]
Nidiran Nidiran can download and execute files. [23]
njRAT njRAT can upload and download files to and from the victim’s machine. [164]
NOKKI NOKKI has downloaded a remote module for execution. [102]
Octopus Octopus can upload and download files to and from the victim’s machine. [144]
OilRig OilRig can download remote files onto victims. [121]
Olympic Destroyer Olympic Destroyer attempts to copy itself to remote machines on the network. [152]
OopsIE OopsIE can download files from its C2 server to the victim's machine. [109] [110]
Orz Orz can download files onto the victim. [120]
OSX_OCEANLOTUS.D OSX_OCEANLOTUS.D has a command to download and execute a file on the victim’s machine. [103]
Pasam Pasam creates a backdoor through which remote attackers can upload files. [63]
Patchwork Patchwork payloads download additional files from the C2 server. [179] [43]
Pisloader Pisloader has a command to upload a file to the victim machine. [66]
PLAINTEE PLAINTEE has downloaded and executed additional plugins. [135]
PLATINUM PLATINUM has transferred files using the Intel® Active Management Technology (AMT) Serial-over-LAN (SOL) channel. [190]
PlugX PlugX has a module to download and execute files on the compromised machine. [116]
PoisonIvy PoisonIvy creates a backdoor through which remote attackers can upload files. [20]
POSHSPY POSHSPY downloads and executes additional PowerShell code and Windows binaries. [96]
PowerDuke PowerDuke has a command to download a file. [56]
POWERSOURCE POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims. [36]
POWERSTATS POWERSTATS can retrieve and execute additional PowerShell payloads from the C2 server. [132]
POWRUNER POWRUNER can download or upload files from its C2 server. [121]
Psylo Psylo has a command to download a file to the system from its C2 server. [29]
Pteranodon Pteranodon can download and execute additional files. [64]
PUNCHBUGGY PUNCHBUGGY can download additional files and payloads to compromised hosts. [30] [31]
Pupy Pupy can upload and download to/from a victim machine. [10]
QuasarRAT QuasarRAT can download files to the victim’s machine and execute them. [2] [3]
Rancor Rancor has downloaded additional malware, including by using certutil. [135]
RARSTONE RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory. [130]
RATANKBA RATANKBA uploads and downloads information. [138] [139]
RedLeaves RedLeaves is capable of downloading a file from a specified URL. [126]
Remcos Remcos can upload and download files to and from the victim’s machine. [6]
RemoteCMD RemoteCMD copies a file over to the remote system before execution. [136]
Remsec Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS. [104] [105]
Revenge RAT Revenge RAT has the ability to upload and download files. [160]
RGDoor RGDoor uploads and downloads files to and from the victim’s machine. [45]
RogueRobin RogueRobin can save a new file to the system from the C2 server. [39] [40]
ROKRAT ROKRAT retrieves additional malicious payloads from the C2 server. [80]
RTM RTM can download additional files. [21]
Sakula Sakula has the capability to download files. [35]
SeaDuke SeaDuke is capable of uploading and downloading files. [78]
Seasalt Seasalt has a command to download additional files. [34]
SEASHARPEE SEASHARPEE can download remote files onto victims. [22]
ServHelper ServHelper may download additional files to execute. [162] [163]
Shamoon Shamoon can download an executable to run on the victim. [146]
SHUTTERSPEED SHUTTERSPEED can download and execute an arbitrary executable. [46]
SLOWDRIFT SLOWDRIFT downloads additional payloads. [46]
Smoke Loader Smoke Loader downloads a new version of itself once it has installed. It also downloads additional plugins. [89]
Soft Cell Soft Cell dropped additional tools to victims during their operation, including portqry.exe, a renamed cmd.exe file, winrar, and HTRAN. [212]
SpeakUp SpeakUp downloads and executes additional files from a remote server. [157]
SQLRat SQLRat can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk. [171]
StoneDrill StoneDrill has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victim's machine. [161]
TA505 TA505 has downloaded additional malware to execute on victim systems. [210] [163] [211]
TDTESS TDTESS has a command to download and execute an additional file. [115]
Threat Group-3390 After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used. [57]
TrickBot TrickBot downloads several additional files and saves them to the victim's machine. [65]
Trojan.Karagany Trojan.Karagany can upload, download, and execute files on the victim. [70]
Turla Turla has used shellcode to download Meterpreter after compromising a victim. Turla RPC backdoors can also download files onto victim machines. [187] [188] [189]
TURNEDUP TURNEDUP is capable of downloading additional files. [118]
TYPEFRAME TYPEFRAME can upload and download files to the victim’s machine. [81]
UBoatRAT UBoatRAT can upload and download files to the victim’s machine. [147]
Unknown Logger Unknown Logger is capable of downloading remote files. [41]
UPPERCUT UPPERCUT can download and upload files to and from the victim’s machine. [122]
Ursnif Ursnif has dropped payload and configuration files to disk. Ursnif has also been used to download and execute additional payloads. [165] [166]
Vasport Vasport can download files. [100]
VERMIN VERMIN can download and upload files to the victim's machine. [47]
Volgmer Volgmer can download remote files and additional payloads to the victim's machine. [111] [112] [113]
WannaCry WannaCry attempts to copy itself to remote computers after gaining access via an SMB exploit. [153]
WEBC2 WEBC2 can download and execute a file. [128]
Wiarp Wiarp creates a backdoor through which remote attackers can download files. [145]
WIRTE WIRTE has downloaded PowerShell code from the C2 server to be executed. [209]
Xbash Xbash can download additional malicious files from its C2 server. [150]
XTunnel XTunnel is capable of downloading additional files. [71]
Yahoyah Yahoyah uses HTTP GET requests to download other files that are executed in memory. [170]
Zebrocy Zebrocy obtains additional code to execute on the victim's machine, including the downloading of a secondary payload. [85] [86] [87] [88]
ZeroT ZeroT can download additional payloads onto the victim. [129]
Zeus Panda Zeus Panda can download additional malware plug-in modules and execute them on the victim’s machine. [68]
ZLib ZLib has the ability to download files. [69]

Mitigations

Mitigation Description
Network Intrusion Prevention Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. [1]

Detection

Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used. [1]

References

  1. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.
  2. MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018.
  3. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018.
  4. Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
  5. Smith, Casey. (2017, July 20). SubTee Twitter Status. Retrieved July 21, 2017.
  6. Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  7. Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
  8. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  9. Microsoft. (n.d.). BITSAdmin Tool. Retrieved January 12, 2018.
  10. Nicolas Verdier. (n.d.). Retrieved January 29, 2018.
  11. LOLBAS. (n.d.). Expand.exe. Retrieved February 19, 2019.
  12. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  13. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  14. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  15. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  16. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  17. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  18. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  19. Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018.
  20. Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
  21. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  22. Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017.
  23. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  24. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  25. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  26. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  27. US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018.
  28. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  29. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  30. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  31. Gorelik, M. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019.
  32. Brumaghin, E., et al. (2018, October 15). Old dog, new tricks - Analysing new RTF-based campaign distributing Agent Tesla, Loki with PyREbox. Retrieved November 5, 2018.
  33. The DigiTrust Group. (2017, January 12). The Rise of Agent Tesla. Retrieved November 5, 2018.
  34. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
  35. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  36. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  37. Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
  38. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  39. Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018.
  40. Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019.
  41. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  42. Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018.
  43. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  44. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  45. Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018.
  46. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018.
  47. Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018.
  48. FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018.
  49. Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015.
  50. The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019.
  51. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  52. Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  53. Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
  54. US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
  55. Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
  56. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  57. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018.
  58. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  59. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  60. Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018.
  61. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  62. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  63. Mullaney, C. & Honda, H. (2012, May 4). Trojan.Pasam. Retrieved February 22, 2018.
  64. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  65. Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018.
  66. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  67. Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018.
  68. Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018.
  69. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  70. Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
  71. Belcher, P. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
  72. Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
  73. Accenture Security. (2018, January 27). DRAGONFISH DELIVERS NEW FORM OF ELISE MALWARE TARGETING ASEAN DEFENCE MINISTERS’ MEETING AND ASSOCIATES. Retrieved November 14, 2018.
  74. Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018.
  75. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  76. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  77. Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018.
  78. Grunzweig, J. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
  79. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  80. Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018.
  81. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
  82. Pantig, J. (2018, July 30). OSX.Calisto. Retrieved September 7, 2018.
  83. The DigiTrust Group. (2017, January 01). NanoCore Is Not Your Average RAT. Retrieved November 9, 2018.
  84. Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018.
  85. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  86. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  87. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  88. Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019.
  89. Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018.
  90. Grunzweig, J. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018.
  91. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  92. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  93. Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
  94. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  95. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  96. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  97. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  98. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
  99. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  100. Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
  101. Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  102. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  103. Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018.
  104. Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
  105. Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
  106. Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018.
  107. Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
  108. Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
  109. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018.
  110. Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018.
  111. US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
  112. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  113. Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
  114. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  115. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  116. Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
  117. Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
  118. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  119. Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018.
  120. Axel F., Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018.
  121. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  122. Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018.
  123. Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018.
  124. Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019.
  125. Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019.
  126. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  127. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  128. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  129. Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
  130. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  131. Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.
  132. Singh, S., et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
  133. Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018.
  134. Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018.
  135. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  136. Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016.
  137. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  138. Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  139. Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  140. Ladley, F. (2012, May 15). Backdoor.Ritsol. Retrieved February 23, 2018.
  141. TrendMicro. (2014, September 03). DARKCOMET. Retrieved November 6, 2018.
  142. Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018.
  143. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  144. Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
  145. Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
  146. Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
  147. Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018.
  148. Bar, T., Conant, S. (2017, October 20). BadPatch. Retrieved November 13, 2018.
  149. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  150. Xiao, C. (2018, September 17). Xbash Combines Botnet, Ransomware, Coinmining in Worm that Targets Linux and Windows. Retrieved November 14, 2018.
  151. Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019.
  152. Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019.
  153. Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
  154. Harbison, M. (2019, March 26). Born This Way? Origins of LockerGoga. Retrieved April 16, 2019.
  155. Doaty, J., Garrett, P. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved April 17, 2019.
  156. Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019.
  157. Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019.
  158. US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
  159. Reed, T. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019.
  160. Livelli, K., et al. (2018, November 12). Operation Shaheen. Retrieved May 1, 2019.
  161. Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019.
  162. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.
  163. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  164. Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019.
  165. Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
  166. Sioting, S. (2013, June 15). BKDR_URSNIF.SM. Retrieved June 5, 2019.
  167. Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019.
  168. Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
  169. Guarnieri, C., Schloesser, M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
  170. Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019.
  171. Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019.
  172. Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  173. Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019.
  174. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  175. Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  176. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  177. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  178. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  179. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  180. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  181. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  182. GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019.
  183. Kizhakkinan, D., et al. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018.
  184. Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018.
  185. Positive Technologies. (2016, December 16). Cobalt Snatch. Retrieved October 9, 2018.
  186. Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018.
  187. ESET Research. (2018, May 22). Turla Mosquito: A shift towards more generic tools. Retrieved July 3, 2018.
  188. Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  189. Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019.
  190. Kaplan, D., et al. (2017, June 7). PLATINUM continues to evolve, find ways to maintain invisibility. Retrieved February 19, 2018.
  191. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  192. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  193. Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018.
  194. US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018.
  195. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  196. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  197. Department of Justice. (2018, August 01). HOW FIN7 ATTACKED AND STOLE DATA. Retrieved August 24, 2018.
  198. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
  199. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  200. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  201. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  202. ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018.
  203. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018.
  204. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  205. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  206. FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018.
  207. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  208. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
  209. S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019.
  210. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  211. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019.
  212. Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019.