ID | Name |
---|---|
T1587.001 | Malware |
T1587.002 | Code Signing Certificates |
T1587.003 | Digital Certificates |
T1587.004 | Exploits |
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[1][2][3][4]
As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.
Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed to communicate with Twitter for C2 may require the use of Web Services.[5]
ID | Name | Description |
---|---|---|
G1007 | Aoqin Dragon | Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.[6] |
G0016 | APT29 | APT29 has used unique malware in many of their operations.[7][8][9][10] |
C0010 | C0010 | For C0010, UNC3890 actors used unique malware, including SUGARUSH and SUGARDUMP.[11] |
G0003 | Cleaver | Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[12] |
C0004 | CostaRicto | For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT.[13] |
G1016 | FIN13 | FIN13 has utilized custom malware to maintain persistence in a compromised environment.[14][15] |
G0046 | FIN7 | FIN7 has developed malware for use in operations, including the creation of infected removable media.[4][16] |
G0119 | Indrik Spider | Indrik Spider has developed malware for their operations, including ransomware such as BitPaymer and WastedLocker.[17] |
G0004 | Ke3chang | Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.[18] |
G0094 | Kimsuky | Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.[19][20][21] |
G0032 | Lazarus Group | Lazarus Group has developed custom malware for use in their operations.[22][23] |
G1014 | LuminousMoth | LuminousMoth has used unique malware for information theft and exfiltration.[24][25] |
G1036 | Moonstone Sleet | Moonstone Sleet has developed custom malware, including a malware delivery mechanism masquerading as a legitimate game.[26] |
G1009 | Moses Staff | Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.[27] |
C0022 | Operation Dream Job | For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.[28][29][30][31] |
C0023 | Operation Ghost | For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.[32] |
C0013 | Operation Sharpshooter | For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.[33] |
C0014 | Operation Wocao | During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.[34] |
G1040 | Play | |
G1039 | RedCurl | RedCurl has created its own tools to use during operations.[37] |
G0034 | Sandworm Team | Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.[38] |
C0024 | SolarWinds Compromise | For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.[39][40][41] |
G0139 | TeamTNT | |
C0030 | Triton Safety Instrumented System Attack | In the Triton Safety Instrumented System Attack, TEMP.Veles developed, prior to the attack, malware capabilities that would require access to specific and specialized hardware and software.[43] |
G0010 | Turla | Turla has developed its own unique malware for use in operations.[44] |
C0039 | Versa Director Zero Day Exploitation | Versa Director Zero Day Exploitation involved the development of a new web shell variant, VersaMem.[45] |
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
ID | Data Source | Data Component | Detects |
---|---|---|---|
DS0004 | Malware Repository | Malware Content | Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time. |
DS0004 | Malware Repository | Malware Metadata | Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |
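The two detection rows above (Malware Content and Malware Metadata) both rely on pulling developer fingerprints out of collected samples. The following Python example is added here and is not part of the ATT&CK page: it extracts the compile timestamp, target architecture, PDB (debugging) path and SHA-256 from a PE image and clusters samples that share a PDB directory. The PE blob, the timestamp and the path `C:\dev\build\payload.pdb` are constructed for the demo and are not real indicators.

```python
import hashlib
import struct
from datetime import datetime, timezone

MACHINE_NAMES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "arm", 0xAA64: "arm64"}


def build_sample_pe(timestamp: int, pdb_path: bytes) -> bytes:
    """Construct a minimal PE-shaped blob (demo data only, not a real executable)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)                  # e_lfanew -> 0x40
    coff = struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0x22)  # COFF file header
    guid, age = b"\x11" * 16, struct.pack("<I", 1)
    codeview = b"RSDS" + guid + age + pdb_path + b"\0"                   # CodeView debug record
    return dos + b"PE\0\0" + coff + b"\0" * 32 + codeview


def parse_pe_metadata(data: bytes) -> dict:
    """Pull the compile timestamp, target arch, PDB path and hash out of a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    machine, _nsect, ts = struct.unpack_from("<HHI", data, e_lfanew + 4)
    # TimeDateStamp is set by the build tooling and is trivially forgeable; treat
    # zero or future values as a tampering hint, not the compile time as a fact.
    now = int(datetime.now(timezone.utc).timestamp())
    pdb_path = None
    idx = data.find(b"RSDS")
    if idx != -1:  # "RSDS" + 16-byte GUID + 4-byte age + NUL-terminated PDB path
        end = data.find(b"\0", idx + 24)
        if end != -1:
            pdb_path = data[idx + 24:end].decode("latin-1")
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "compile_time": datetime.fromtimestamp(ts, tz=timezone.utc).isoformat(),
        "timestamp_suspicious": ts == 0 or ts > now,
        "pdb_path": pdb_path,
    }


def group_by_pdb_dir(samples: list) -> dict:
    """Cluster samples that share a PDB directory, a common build-environment fingerprint."""
    groups = {}
    for meta in samples:
        key = meta["pdb_path"].rsplit("\\", 1)[0] if meta["pdb_path"] else "<no pdb>"
        groups.setdefault(key, []).append(meta["sha256"])
    return groups
```

On real samples, feed the file bytes to `parse_pe_metadata` and store the result alongside the hash so repeated PDB directories, compiler fingerprints and timestamp clusters can be queried over time.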