Develop Capabilities: Malware

Before compromising a victim, adversaries may develop malware and malware components that can be used during targeting. Building malicious software can include the development of payloads, droppers, post-compromise tools, backdoors, packers, C2 protocols, and the creation of infected removable media. Adversaries may develop malware to support their operations, creating a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.[1][2][3][4]

As with legitimate development efforts, different skill sets may be required for developing malware. The skills needed may be located in-house, or may need to be contracted out. Use of a contractor may be considered an extension of that adversary's malware development capabilities, provided the adversary plays a role in shaping requirements and maintains a degree of exclusivity to the malware.

Some aspects of malware development, such as C2 protocol development, may require adversaries to obtain additional infrastructure. For example, malware developed that will communicate with Twitter for C2, may require use of Web Services.[5]

ID: T1587.001
Sub-technique of:  T1587
Tactic: Resource Development
Platforms: PRE
Version: 1.0
Created: 01 October 2020
Last Modified: 22 October 2020

Procedure Examples

Name Description
Cleaver

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[6]

FIN7

FIN7 has developed malware for use in operations, including the creation of infected removable media.[4][7]

Night Dragon

Night Dragon used privately developed and customized remote access tools.[8]

Turla

Turla has developed its own unique malware for use in operations.[9]

Mitigations

Mitigation Description
Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

References