|T1587.002||Code Signing Certificates|
Adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors (including backdoored images), packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.
Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.
Aoqin Dragon has used custom malware, including Mongall and Heyoka Backdoor, in their operations.
APT29 has used unique malware in many of their operations.
For C0010, UNC3890 actors used unique malware, including SUGARUSH and SUGARDUMP.
Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.
For CostaRicto, the threat actors used custom malware, including PS1, CostaBricks, and SombRAT.
FIN7 has developed malware for use in operations, including the creation of infected removable media.
Ke3chang has developed custom malware that allowed them to maintain persistence on victim networks.
Kimsuky has developed its own unique malware such as MailFetch.py for use in operations.
Lazarus Group has developed custom malware for use in their operations.
LuminousMoth has used unique malware for information theft and exfiltration.
Moses Staff has built malware, such as DCSrv and PyDCrypt, for targeting victims' machines.
|C0022||Operation Dream Job||
For Operation Dream Job, Lazarus Group developed custom tools such as Sumarta, DBLL Dropper, Torisma, and DRATzarus for their operations.
For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke.
For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.
During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.
Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.
For the SolarWinds Compromise, APT29 used numerous pieces of malware that were likely developed for or by the group, including SUNBURST, SUNSPOT, Raindrop, and TEARDROP.
Turla has developed its own unique malware for use in operations.
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.
|ID||Data Source||Data Component||Detects|
|DS0004||Malware Repository||Malware Content||
Consider analyzing malware for features that may be associated with the adversary and/or their developers, such as compiler used, debugging artifacts, or code similarities. Malware repositories can also be used to identify additional samples associated with the adversary and identify development patterns over time.
Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.