Remote File Copy
|Remote File Copy|
|Tactic||Command and Control, Lateral Movement|
|Platform||Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Linux, Windows 10, MacOS, OS X|
|Data Sources||File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring|
Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.
- After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.1 APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.2
- FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.3
- FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.4
- Tools used by Gamaredon Group are capable of downloading and executing additional payloads.5
- Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.67
- A Patchwork payload downloads additional malware from the C2 server.8
- After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.9
- menuPass has installed updates and new malware on victims.10
- Agent.btz attempts to download an encrypted binary from a specified domain.11
- BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.12
- CHOPSTICK is capable of performing remote file transmission.13
- CORESHELL downloads another dropper from its C2 server.14
- CallMe has the capability to download a file to the victim from the C2 server.15
- ChChes is capable of downloading files, including additional modules.161718
- CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.19
- Crimson contains a command to retrieve files from its C2 server.20
- After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.21
- DustySky searches for network drives and removable media and duplicates itself onto them.22
- Emissary has the capability to download files from the C2 server.23
- H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.24
- HTTPBrowser is capable of writing a file to the compromised system from the C2 server.9
- Hi-Zor has the ability to upload and download files from its C2 server.25
- JHUHUGIT retrieves and executes an additional payload from its C2 server.26
- Kasidet has the ability to download and execute additional files.27
- LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.28
- MiniDuke can download additional encrypted backdoors onto the victim via GIF files.29
- Misdat is capable of downloading files from the C2.30
- Mivast has the capability to download and execute .exe files.31
- MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.15
- Nidiran can download and execute files.32
- POSHSPY downloads and executes additional PowerShell code and Windows binaries.33
- POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.34
- Pisloader has a command to upload a file to the victim machine.35
- PowerDuke has a command to download a file.36
- Psylo has a command to download a file to the system from its C2 server.15
- Pteranodon can download and execute additional files.5
- RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.37
- RTM can download additional files.38
- RedLeaves is capable of downloading a file from a specified URL.39
- Remsec contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS.4041
- Sakula has the capability to download files.42
- SeaDuke is capable of uploading and downloading files.43
- Shamoon can download an executable to run on the victim.44
- Trojan.Karagany can upload, download, and execute files on the victim.45
- Unknown Logger is capable of downloading remote files.12
- XTunnel is capable of downloading additional files.46
- ZLib has the ability to download files.30
- certutil can be used to download files from a given URL.4748
- cmd can be used to copy files to a remotely connected system.49
Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.50
Monitor for file creation and files transferred within a network over SMB. Unusual processes with external network connections creating files on-system may be suspicious. Use of utilities, such as FTP, that does not normally occur may also be suspicious.
Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.50
- Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
- Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
- FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
- Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
- Kasza, A. and Reichel, D.. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
- Shevchenko, S.. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
- Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
- Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
- FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- Falcone, R. and Miller-Osborn, J.. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
- Miller-Osborn, J. and Grunzweig, J.. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
- Nakamura, Y.. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- Huss, D.. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
- ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
- ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
- Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
- Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
- Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
- FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
- Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
- Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
- Sponchioni, R.. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
- Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
- Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
- Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
- Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
- Faou, M. and Boutin, J.. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016.
- Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016.
- Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Symantec Security Response. (2014, July 7). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- Belcher, P.. (2016, July 28). Tunnel of Gov: DNC Hack and the Russian XTunnel. Retrieved August 3, 2016.
- Microsoft. (2012, November 14). Certutil. Retrieved July 3, 2017.
- Smith, Casey. (2017, July 20). SubTee Twitter Status. Retrieved July 21, 2017.
- Microsoft. (n.d.). Copy. Retrieved April 26, 2016.
- Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.