1. Home
  2. Techniques
  3. Enterprise
  4. Obtain Capabilities
  5. Malware

Obtain Capabilities: Malware

ID Name
T1588.001 Malware
T1588.002 Tool
T1588.003 Code Signing Certificates
T1588.004 Digital Certificates
T1588.005 Exploits
T1588.006 Vulnerabilities
T1588.007 Artificial Intelligence

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or from individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).

ID: T1588.001
Sub-technique of:  T1588
Tactic: Resource Development
Platforms: PRE
Version: 1.1
Created: 01 October 2020
Last Modified: 17 October 2021
Version Permalink

Procedure Examples

ID Name Description
G0138 Andariel

Andariel has used a variety of publicly-available remote access Trojans (RATs) for its operations.[1]
G0006 APT1

APT1 used publicly available malware for privilege escalation.[2]
G0143 Aquatic Panda

Aquatic Panda has acquired and used njRAT in its operations.[3]
G0135 BackdoorDiplomacy

BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[4]
C0015 C0015

For C0015, the threat actors used Cobalt Strike and Conti ransomware.[5]

G1006 Earth Lusca

Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[6]
G1003 Ember Bear

Ember Bear has acquired malware and related tools from dark web forums.[7]
C0007 FunnyDream

For FunnyDream, the threat actors used a new backdoor named FunnyDream.[8]

G1004 LAPSUS$

LAPSUS$ acquired and used the Redline password stealer in their operations.[9]
G0140 LazyScripter

LazyScripter has used a variety of open-source remote access Trojans for its operations.[10]
G1014 LuminousMoth

LuminousMoth has obtained and used malware such as Cobalt Strike.[11][12]
G1013 Metador

Metador has used unique malware in their operations, including metaMain and Mafalda.[13]
C0002 Night Dragon

During Night Dragon, threat actors used Trojans from underground hacker websites.[14]
C0005 Operation Spalax

For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.[15]
G1018 TA2541

TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[16]
G0092 TA505

TA505 has used malware such as Azorult and Cobalt Strike in their operations.[17]
G0010 Turla

Turla has used malware obtained after compromising other threat actors, such as OilRig.[18][19]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0004 Malware Repository Malware Content

Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.[20]
Malware Metadata

Monitor for contextual data about a malicious payload, such as compilation times, file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.

References

  1. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 12, 2024.
  2. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  3. Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
  4. Adam Burgher. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021
  5. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
  6. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  7. US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024.
  8. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  9. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
  10. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  1. Lechtik, M, and etl. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
  2. Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
  3. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  4. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  5. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  6. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  7. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
  8. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
  9. Insikt Group. (2020, March 12). Swallowing the Snake’s Tail: Tracking Turla Infrastructure. Retrieved September 16, 2024.
  10. FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to SunshopFireEye. Retrieved March 6, 2017.