Remote File Copy

ID: T1105
Tactic: Command and Control, Lateral Movement
Platform: Linux, macOS, Windows
Permissions Required: User
Data Sources: File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring
Requires Network: Yes

Files may be copied from one system to another to stage adversary tools or other files over the course of an operation. Files may be copied from an external adversary-controlled system through the Command and Control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.

Adversaries may also copy files laterally between internal victim systems to support Lateral Movement with remote Execution using inherent file sharing protocols such as file sharing over SMB to connected network shares or with authenticated connections with Windows Admin Shares or Remote Desktop Protocol.

Examples

  • After security appliances blocked one version of the ADVSTORESHELL implant, APT28 actors compiled and delivered another ADVSTORESHELL x64 backdoor.[1] APT28 also used a first-stage downloader to contact the C2 server to obtain the second-stage implant.[2]
  • APT3 has a tool that can copy files to remote machines.[3]
  • APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.[4]
  • APT34 can download remote files onto victims.[5]
  • BRONZE BUTLER has used various tools to download files, including DGet (a similar tool to wget).[6]
  • Dragonfly downloaded tools from a remote server after they were inside the victim network.[7]
  • FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[8]
  • FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload.[9]
  • Tools used by Gamaredon Group are capable of downloading and executing additional payloads.[10]
  • Several Lazarus Group malware families are capable of downloading and executing binaries from its C2 server.[11][12]
  • Magic Hound has downloaded additional code and files from servers onto victims.[13]
  • A Patchwork payload downloads additional malware from the C2 server.[14]
  • After re-establishing access to a victim network, Threat Group-3390 actors download tools including gsecdump and WCE that are staged temporarily on websites that were previously compromised but never used.[15]
  • menuPass has installed updates and new malware on victims.[16]
  • Agent.btz attempts to download an encrypted binary from a specified domain.[17]
  • BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.[18]
  • CHOPSTICK is capable of performing remote file transmission.[19]
  • CORESHELL downloads another dropper from its C2 server.[20]
  • CallMe has the capability to download a file to the victim from the C2 server.[21]
  • ChChes is capable of downloading files, including additional modules.[22][23][24]
  • CloudDuke downloads and executes additional malware from either a Web address or a Microsoft OneDrive account.[25]
  • Crimson contains a command to retrieve files from its C2 server.[26]
  • Daserf can download remote files.[27][6]
  • After downloading its main config file, Downdelph downloads multiple payloads from C2 servers.[28]
  • DustySky searches for network drives and removable media and duplicates itself onto them.[29]
  • Emissary has the capability to download files from the C2 server.[30]
  • Felismus can download files from remote servers.[31]
  • Gazer can execute a task to download a file.[32][33]
  • H1N1 contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests.[34]
  • HTTPBrowser is capable of writing a file to the compromised system from the C2 server.[15]
  • Helminth can download additional files.[35]
  • Hi-Zor has the ability to upload and download files from its C2 server.[36]
  • JHUHUGIT retrieves and executes an additional payload from its C2 server.[37]
  • Kasidet has the ability to download and execute additional files.[38]
  • LOWBALL uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the LOWBALL malware.[39]
  • MiniDuke can download additional encrypted backdoors onto the victim via GIF files.[40]
  • Misdat is capable of downloading files from the C2.[41]
  • Mivast has the capability to download and execute .exe files.[42]
  • MobileOrder has a command to download a file from the C2 server to the victim mobile device's SD card.[21]
  • Nidiran can download and execute files.[43]
  • POSHSPY downloads and executes additional PowerShell code and Windows binaries.[44]
  • POWERSOURCE has been observed being used to download TEXTMATE and the Cobalt Strike Beacon payload onto victims.[45]
  • POWRUNER can download or upload files from its C2 server.[5]
  • Pisloader has a command to upload a file to the victim machine.[46]
  • PowerDuke has a command to download a file.[47]
  • Psylo has a command to download a file to the system from its C2 server.[21]
  • Pteranodon can download and execute additional files.[10]
  • RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory.[48]
  • RTM can download additional files.[49]
  • RedLeaves is capable of downloading a file from a specified URL.[50]

Mitigation

Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware or unusual data transfer over known tools and protocols like FTP can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely be different across various malware families and versions. Adversaries will likely change tool C2 signatures over time or construct protocols in such a way as to avoid detection by common defensive tools.[51]

Detection

Monitor for file creation and for files transferred within a network over SMB. Unusual processes with external network connections that create files on the system may be suspicious. Use of utilities such as FTP that does not normally occur in the environment may also be suspicious.

Analyze network data for uncommon data flows (e.g., a client sending significantly more data than it receives from a server). Processes utilizing the network that do not normally have network communication, or that have never been seen before, are suspicious. Analyze packet contents to detect communications that do not follow the expected protocol behavior for the port that is being used.[51]
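The checks described in the two detection paragraphs above (file creation by processes with external connections, unusual transfer utilities, processes using the network that a baseline has never seen, and clients sending far more than they receive) can be expressed as simple correlations over flow, process and file-monitoring records. The script below is an added example and is not part of the ATT&CK page or any vendor tool; the record layout, the per-host process baseline, the RFC 1918 definition of "internal", the transfer-utility list and every flow and file event are constructed assumptions standing in for whatever your own sensors emit.

```python
"""Host/network correlation checks for remote file copy (ATT&CK T1105).

Added example, not part of the ATT&CK page. Every record below is constructed
sample data; the record fields (host, process, bytes_out, ...) are assumptions
standing in for whatever your flow, process and file-monitoring sensors emit.
"""
import ipaddress
from dataclasses import dataclass

# RFC 1918 ranges treated as the internal network (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    host: str        # endpoint that originated the connection
    process: str     # process that owned the socket ("process use of network")
    dst_ip: str
    dst_port: int
    bytes_out: int   # bytes the client sent
    bytes_in: int    # bytes the client received


@dataclass(frozen=True)
class FileEvent:
    host: str
    process: str     # process that created the file
    path: str


# Constructed baseline: processes known to use the network, per host.
BASELINE_NETWORK_PROCESSES = {
    "ws01": {"chrome.exe", "outlook.exe", "svchost.exe"},
    "srv02": {"svchost.exe", "w3wp.exe"},
}

# Constructed flow records (documentation-range addresses 198.51.100.x and
# 203.0.113.x stand in for external hosts): normal browsing, an upload-heavy
# flow from a process absent from the baseline, an FTP session, and ordinary
# SMB traffic to an internal share.
FLOWS = [
    Flow("ws01", "chrome.exe", "203.0.113.80", 443, 4_200, 180_000),
    Flow("ws01", "updater.exe", "198.51.100.7", 443, 9_500_000, 2_100),
    Flow("srv02", "ftp.exe", "203.0.113.9", 21, 1_200, 850),
    Flow("srv02", "w3wp.exe", "10.0.0.25", 445, 3_000, 2_600),
]

# Constructed file-creation events from the same hosts.
FILE_EVENTS = [
    FileEvent("ws01", "updater.exe", r"C:\Users\Public\stage.bin"),
    FileEvent("ws01", "outlook.exe", r"C:\Users\u\AppData\Local\Temp\draft.tmp"),
    FileEvent("srv02", "w3wp.exe", r"C:\inetpub\logs\u_ex.log"),
]

# Transfer utilities whose appearance is unusual on these hosts (assumption).
TRANSFER_UTILITIES = frozenset({"ftp.exe", "tftp.exe", "scp", "sftp", "rsync"})


def is_external(ip: str) -> bool:
    """True when the address is outside the RFC 1918 internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def uncommon_data_flows(flows, ratio=10.0, min_bytes=1_000_000):
    """Flows where the client sends far more than it receives.

    Both thresholds must be met, so ordinary request/response traffic
    (small request, large response) never trips the check.
    """
    return [f for f in flows
            if f.bytes_out >= min_bytes and f.bytes_out > ratio * max(f.bytes_in, 1)]


def new_network_processes(flows, baseline):
    """(host, process) pairs using the network that the baseline has never seen."""
    return sorted({(f.host, f.process) for f in flows
                   if f.process not in baseline.get(f.host, set())})


def unusual_utilities(flows, utilities=TRANSFER_UTILITIES):
    """Flows owned by a transfer utility that does not normally run here."""
    return [f for f in flows if f.process.lower() in utilities]


def file_creates_by_external_talkers(file_events, flows):
    """File creations by processes that also hold connections to external hosts."""
    talkers = {(f.host, f.process) for f in flows if is_external(f.dst_ip)}
    return [e for e in file_events if (e.host, e.process) in talkers]


def run_detections(flows=FLOWS, file_events=FILE_EVENTS,
                   baseline=BASELINE_NETWORK_PROCESSES):
    """Run every check and return the findings keyed by check name."""
    return {
        "uncommon_data_flows": uncommon_data_flows(flows),
        "new_network_processes": new_network_processes(flows, baseline),
        "unusual_utilities": unusual_utilities(flows),
        "file_creates_by_external_talkers": file_creates_by_external_talkers(file_events, flows),
    }


if __name__ == "__main__":
    for check, hits in run_detections().items():
        print(f"{check}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the constructed data the upload-heavy `updater.exe` flow is the only hit for the data-flow check, and the same process is flagged a second time because it is absent from the host baseline and created a file while connected externally; the FTP session is caught by the utility check. In practice the baseline would be learned from a quiet period per host rather than hard-coded, and the volume thresholds tuned to the environment, but the correlation structure is the same.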

References

  1. Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
  2. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  3. Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  4. Lassalle, D., et al. (2017, November 6). OceanLotus Blossoms: Mass Digital Surveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017.
  5. Sardiwal, M., et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017.
  6. Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018.
  7. US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017.
  8. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  9. Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017.
  10. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  11. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
  12. Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016.
  13. Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017.
  14. Kaspersky Lab's Global Research & Analysis Team. (2016, July 8). The Dropping Elephant – aggressive cyber-espionage in the Asian region. Retrieved August 3, 2016.
  15. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved January 25, 2016.
  16. PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017.
  17. Shevchenko, S. (2008, November 30). Agent.btz - A Threat That Hit Pentagon. Retrieved April 8, 2016.
  18. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  19. Alperovitch, D. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  20. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS? Retrieved August 19, 2015.
  21. Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016.
  22. Miller-Osborn, J. and Grunzweig, J. (2017, February 16). menuPass Returns with New Malware and New Attacks Against Japanese Academics and Organizations. Retrieved March 1, 2017.
  23. Nakamura, Y. (2017, February 17). ChChes - Malware that Communicates with C&C Servers Using Cookie Headers. Retrieved March 1, 2017.
  24. FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  25. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
  26. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  27. Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017.
  28. ESET. (2016, October). En Route with Sednit - Part 3: A Mysterious Downloader. Retrieved November 21, 2016.
  29. ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016.
  30. Falcone, R. and Miller-Osborn, J. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016.
  31. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  32. ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017.
  33. Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017.
  34. Reynolds, J. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016.
  35. Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
  36. Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016.
  37. ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
  38. Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  39. FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015.
  40. Kaspersky Lab's Global Research & Analysis Team. (2013, February 27). The MiniDuke Mystery: PDF 0-day Government Spy Assembler 0x29A Micro Backdoor. Retrieved April 5, 2017.
  41. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017.
  42. Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  43. Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
  44. Dunwoody, M. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
  45. Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017.
  46. Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016.
  47. Adair, S. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  48. Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  49. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  50. PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  51. Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016.