Skip to content

T1204.001 Malicious Link

An adversary may rely upon a user clicking a malicious link in order to gain execution. Users may be subjected to social engineering to get them to click on a link that will lead to code execution. This user action will typically be observed as follow-on behavior from Spearphishing Link. Clicking on a link may also lead to other execution techniques such as exploitation of a browser or application vulnerability via Exploitation for Client Execution. Links may also lead users to download files that require execution via Malicious File.

Item Value
ID T1204.001
Sub-techniques T1204.001, T1204.002, T1204.003
Tactics TA0002
Platforms Linux, Windows, macOS
Permissions required User
Version 1.0
Created 11 March 2020
Last Modified 11 March 2020

Procedure Examples

ID Name Description
S0584 AppleJeus AppleJeus‘s spearphishing links required user interaction to navigate to the malicious website.19
G0007 APT28 APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.7980
G0016 APT29 APT29 has used various forms of spearphishing attempting to get a user to click on a malicous link.67686970
G0022 APT3 APT3 has lured victims into clicking malicious links delivered through spearphishing.54
G0050 APT32 APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.434410
G0064 APT33 APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.6566
G0087 APT39 APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.3940
S0475 BackConfig BackConfig has compromised victims via links to URLs hosting malicious content.26
S0534 Bazar Bazar can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs.567
G0098 BlackTech BlackTech has used e-mails with malicious links to lure victims into installing malware.11
G0080 Cobalt Group Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.777815
G0142 Confucius Confucius has lured victims into clicking on a malicious link sent through spearphishing.30
G0066 Elderwood Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.4748
S0367 Emotet Emotet has relied upon users clicking on a malicious link delivered through spearphishing.1718
G0120 Evilnum Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file.31
G0085 FIN4 FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).4950
G0046 FIN7 FIN7 has used malicious links to lure victims into downloading malware.34
G0061 FIN8 FIN8 has used emails with malicious links to lure victims into installing malware.848586
S0531 Grandoreiro Grandoreiro has used malicious links to gain execution on victim machines.34
S0561 GuLoader GuLoader has relied upon users clicking on links to malicious documents.8
S0499 Hancitor Hancitor has relied upon users clicking on a malicious link delivered through phishing.2
S0528 Javali Javali has achieved execution through victims clicking links to malicious websites.14
S0585 Kerrdown Kerrdown has gained execution through victims opening malicious links.10
G0094 Kimsuky Kimsuky has lured victims into clicking malicious links.38
S0669 KOCTOPUS KOCTOPUS has relied on victims clicking on a malicious link delivered via email.12
G0032 Lazarus Group Lazarus Group has sent spearphishing emails in an attempt to lure users to click on a malicious link.4546
G0140 LazyScripter LazyScripter has relied upon users clicking on links to malicious files.12
G0065 Leviathan Leviathan has sent spearphishing email links attempting to get a user to click.5253
G0095 Machete Machete has has relied on users opening malicious links delivered through spearphishing to execute malware.747576
G0059 Magic Hound Magic Hound has attempted to lure victims into opening malicious links embedded in emails.6463
S0530 Melcoz Melcoz has gained execution through victims opening malicious links.14
G0103 Mofang Mofang‘s spearphishing emails required a user to click the link to connect to a compromised website.93
G0021 Molerats Molerats has sent malicious links via email trick users into opening a RAR archive and running an executable.3233
G0069 MuddyWater MuddyWater has distributed URLs in phishing e-mails that link to lure documents.3637
G0129 Mustang Panda Mustang Panda has sent malicious links including links directing victims to a Google Drive folder.949596
S0198 NETWIRE NETWIRE has been executed through convincing victims into clicking malicious links.138
G0014 Night Dragon Night Dragon enticed users to click on links in spearphishing emails to download malware.51
S0644 ObliqueRAT ObliqueRAT has gained execution on targeted systems through luring users to click on links to malicious URLs.2728
G0049 OilRig OilRig has delivered malicious links to achieve execution on the target system.717273
G0040 Patchwork Patchwork has used spearphishing with links to try to get users to click, download and open malicious files.81828326
S0435 PLEAD PLEAD has been executed via malicious links in e-mails.11
S0453 Pony Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.16
S0650 QakBot QakBot has gained execution through users opening malicious links.202122232425
G0034 Sandworm Team Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.41
G0121 Sidewinder Sidewinder has lured targets to click on malicious links to gain execution in the target environment.89909192
S0649 SMOKEDHAM SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.9
S0646 SpicyOmelette SpicyOmelette has been executed through malicious links within spearphishing emails.15
G0092 TA505 TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf and/or .lnk files. 5556575859606162
G0134 Transparent Tribe Transparent Tribe has directed users to open URLs hosting malicious content.2728
S0436 TSCookie TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.1
G0010 Turla Turla has used spearphishing via a link to get users to download and run their malware.42
G0112 Windshift Windshift has used links embedded in e-mails to lure victims into executing malicious code.35
G0102 Wizard Spider Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.29
G0128 ZIRCONIUM ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.8788

Mitigations

ID Mitigation Description
M1031 Network Intrusion Prevention If a link is being visited by a user, network intrusion prevention systems and systems designed to scan and remove malicious downloads can be used to block activity.
M1021 Restrict Web-Based Content If a link is being visited by a user, block unknown or unused files in transit by default that should not be downloaded or by policy from suspicious sites as a best practice to prevent some vectors, such as .scr, .exe, .pif, .cpl, etc. Some download scanning devices can open and analyze compressed and encrypted formats, such as zip and rar that may be used to conceal malicious files.
M1017 User Training Use user training as a way to bring awareness to common phishing and spearphishing techniques and how to raise suspicion for potentially malicious events.

Detection

ID Data Source Data Component
DS0022 File File Creation
DS0029 Network Traffic Network Connection Creation

References

  1. Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. 

  2. Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. 

  3. Abramov, D. (2020, April 13). Grandoreiro Malware Now Targeting Banks in Spain. Retrieved November 12, 2020. 

  4. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. 

  5. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. 

  6. Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. 

  7. Podlosky, A., Hanel, A. et al. (2020, October 16). WIZARD SPIDER Update: Resilient, Reactive and Resolute. Retrieved June 15, 2021. 

  8. Duncan, B. (2020, April 3). GuLoader: Malspam Campaign Installing NetWire RAT. Retrieved January 7, 2021. 

  9. FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021. 

  10. Amnesty International. (2021, February 24). Vietnamese activists targeted by notorious hacking group. Retrieved March 1, 2021. 

  11. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020. 

  12. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  13. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign’s Usage of Process Hollowing. Retrieved January 7, 2021. 

  14. GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. 

  15. CTU. (2018, September 27). Cybercriminals Increasingly Trying to Ensnare the Big Financial Fish. Retrieved September 20, 2021. 

  16. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. 

  17. Salvio, J.. (2014, June 27). New Banking Malware Uses Network Sniffing for Data Theft. Retrieved March 25, 2019. 

  18. Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019. 

  19. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  20. Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. 

  21. Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. 

  22. Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. 

  23. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021. 

  24. Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 

  25. Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. 

  26. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. 

  27. Malhotra, A. (2021, March 2). ObliqueRAT returns with new campaign using hijacked websites. Retrieved September 2, 2021. 

  28. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. 

  29. DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. 

  30. Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 

  31. Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. 

  32. GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. 

  33. Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. 

  34. Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. 

  35. Karim, T. (2018, August). TRAILS OF WINDSHIFT. Retrieved June 25, 2020. 

  36. Mele, G. et al. (2021, February 10). Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies. Retrieved March 17, 2021. 

  37. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 

  38. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  39. Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. 

  40. FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. 

  41. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020. 

  42. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. 

  43. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 

  44. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  45. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  46. ClearSky Research Team. (2020, August 13). Operation ‘Dream Job’ Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. 

  47. O’Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. 

  48. Clayton, M.. (2012, September 14). Stealing US business secrets: Experts ID two huge cyber ‘gangs’ in China. Retrieved February 15, 2018. 

  49. Vengerik, B. et al.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved December 17, 2018. 

  50. Vengerik, B. & Dennesen, K.. (2014, December 5). Hacking the Street? FIN4 Likely Playing the Market. Retrieved January 15, 2019. 

  51. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. 

  52. Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. 

  53. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department.. Retrieved August 12, 2021. 

  54. Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. 

  55. Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. 

  56. Proofpoint Staff. (2018, June 8). TA505 shifts with the times. Retrieved May 28, 2019. 

  57. Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. 

  58. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. 

  59. Proofpoint Staff. (2018, July 19). TA505 Abusing SettingContent-ms within PDF files to Distribute FlawedAmmyy RAT. Retrieved April 19, 2019. 

  60. Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. 

  61. Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. 

  62. Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. 

  63. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. 

  64. ClearSky Research Team. (2020, August 1). The Kittens Are Back in Town 3 - Charming Kitten Campaign Evolved and Deploying Spear-Phishing link by WhatsApp. Retrieved April 21, 2021. 

  65. O’Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. 

  66. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. 

  67. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. 

  68. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  69. Microsoft Threat Intelligence Center (MSTIC). (2021, May 27). New sophisticated email-based attack from NOBELIUM. Retrieved May 28, 2021. 

  70. Secureworks CTU. (2021, May 28). USAID-Themed Phishing Campaign Leverages U.S. Elections Lure. Retrieved February 24, 2022. 

  71. Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. 

  72. Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. 

  73. Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. 

  74. The Cylance Threat Research Team. (2017, March 22). El Machete’s Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. 

  75. Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. Retrieved September 13, 2019. 

  76. ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. 

  77. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. 

  78. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. 

  79. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020. 

  80. Secureworks CTU. (2017, March 30). IRON TWILIGHT Supports Active Measures. Retrieved February 28, 2022. 

  81. Hamada, J.. (2016, July 25). Patchwork cyberespionage group expands targets from governments to wide range of industries. Retrieved August 17, 2016. 

  82. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. 

  83. Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. 

  84. Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. 

  85. Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. 

  86. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. 

  87. Huntley, S. (2020, October 16). How We’re Tackling Evolving Online Threats. Retrieved March 24, 2021. 

  88. Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. 

  89. Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. 

  90. Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. 

  91. Rewterz. (2020, June 22). Analysis on Sidewinder APT Group – COVID-19. Retrieved January 29, 2021. 

  92. Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. 

  93. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. 

  94. Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. 

  95. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  96. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022. 

Back to top