Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
| ID | Name | Description |
|---|---|---|
| G0138 | Andariel |
Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.[1] |
| G0006 | APT1 |
APT1 used publicly available malware for privilege escalation.[2] |
| G0143 | Aquatic Panda |
Aquatic Panda has acquired and used njRAT in its operations.[3] |
| G0135 | BackdoorDiplomacy |
BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[4] |
| C0015 | C0015 |
For C0015, the threat actors used Cobalt Strike and Conti ransomware.[5] |
| G1006 | Earth Lusca |
Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[6] |
| G1003 | Ember Bear |
Ember Bear has acquired malware and related tools from dark web forums.[7] |
| C0007 | FunnyDream |
For FunnyDream, the threat actors used a new backdoor named FunnyDream.[8] |
| C0050 | J-magic Campaign |
During the J-magic Campaign campaign, threat actors used open-source malware post-compromise including a custom variant of the cd00r backdoor.[9] |
| G1004 | LAPSUS$ |
LAPSUS$ acquired and used the Redline password stealer in their operations.[10] |
| G0140 | LazyScripter |
LazyScripter has used a variety of open-source remote access Trojans for its operations.[11] |
| G1014 | LuminousMoth |
LuminousMoth has obtained and used malware such as Cobalt Strike.[12][13] |
| G1013 | Metador |
Metador has used unique malware in their operations, including metaMain and Mafalda.[14] |
| C0002 | Night Dragon |
During Night Dragon, threat actors used Trojans from underground hacker websites.[15] |
| C0005 | Operation Spalax |
For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.[16] |
| G1015 | Scattered Spider |
Scattered Spider has obtained malware to use at multiple stages of operations including information stealers, remote access tools, and ransomware.[17][18] |
| G1018 | TA2541 |
TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[19] |
| G0092 | TA505 |
TA505 has used malware such as Azorult and Cobalt Strike in their operations.[20] |
| G0010 | Turla |
Turla has used malware obtained after compromising other threat actors, such as OilRig.[21][22] |
| G1048 | UNC3886 |
UNC3886 has used the publicly available rootkits REPTILE and MEDUSA.[23] |
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise |
This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0845 | Detection of Malware | AN1977 |
Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |