T1543.003 Windows Service
Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.[3] Windows service configuration information, including the file path to the service’s executable or recovery programs/commands, is stored in the Windows Registry.

Adversaries may install a new service or modify an existing service to execute at startup in order to persist on a system. Service configurations can be set or modified using system utilities (such as sc.exe), by directly modifying the Registry, or by interacting directly with the Windows API.

Adversaries may also use services to install and execute malicious drivers. For example, after dropping a driver file (ex: .sys) to disk, the payload can be loaded and registered via Native API functions such as CreateServiceW() (or manually via functions such as ZwLoadDriver() and ZwSetValueKey()), by creating the required service Registry values (i.e. Modify Registry), or by using command-line utilities such as PnPUtil.exe.[5][8][6] Adversaries may leverage these drivers as Rootkits to hide the presence of malicious activity on a system. Adversaries may also load a signed yet vulnerable driver onto a compromised machine (known as “Bring Your Own Vulnerable Driver” (BYOVD)) as part of Exploitation for Privilege Escalation.[2][6]

Services may be created with administrator privileges but are executed under SYSTEM privileges, so an adversary may also use a service to escalate privileges. Adversaries may also directly start services through Service Execution. To make detection analysis more challenging, malicious services may also incorporate Masquerade Task or Service (ex: using a service and/or payload name related to a legitimate OS or benign software component).
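The description above names the three things a service-based persistence mechanism has to touch: the service key in the Registry (ImagePath, ServiceDll, Start, Type), the binary or driver it points to, and, for BYOVD, the driver's signature. The following PowerShell audit is an added example, not code from the ATT&CK page; it reads those values for every configured service and driver and lists the ones that fail a set of checks. The trusted-root and interpreter lists are my own heuristics, and a hit is a triage lead, not a verdict.

```powershell
# Added example, not code from the ATT&CK page. Reads the configuration this technique
# tampers with (ImagePath, ServiceDll, Type, Start) from HKLM\SYSTEM\CurrentControlSet\Services
# and lists entries worth a closer look. Run from an elevated PowerShell session.
$serviceRoot  = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\") |
    Where-Object { $_.Length -gt 1 }
# Interpreters a service ImagePath rarely needs; several procedure examples on this page wrap cmd.exe or cscript.exe.
$interpreters = 'cmd.exe', 'cscript.exe', 'wscript.exe', 'powershell.exe', 'mshta.exe', 'rundll32.exe'
$startNames   = 'boot', 'system', 'auto', 'manual', 'disabled'

function Resolve-ServiceBinary {
    # Turn an ImagePath value into the file it loads: expand environment variables, strip the
    # NT-style prefixes drivers use (\??\ and \SystemRoot\), drop arguments after a quoted path,
    # and for unquoted paths cut at the first .exe/.sys/.dll followed by whitespace or end of string.
    param([string]$ImagePath)
    $p = [Environment]::ExpandEnvironmentVariables($ImagePath.Trim())
    $p = $p -replace '^\\\?\?\\', ''
    $p = $p -replace '^\\SystemRoot\\', "$env:SystemRoot\"
    if ($p -match '^"([^"]+)"') { $p = $Matches[1] }
    elseif ($p -match '^(.+?\.(exe|sys|dll))(\s|$)') { $p = $Matches[1] }
    # Drivers are often registered with a path relative to the Windows directory (system32\drivers\x.sys)
    if ($p -notmatch '^([A-Za-z]:\\|\\\\)') { $p = Join-Path $env:SystemRoot $p }
    return $p
}

function Get-FileFindings {
    # Checks applied to every file a service loads. Returns reason strings; no output means nothing notable.
    param([string]$Path, [string]$Label)
    $reasons = @()
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf -ErrorAction SilentlyContinue)) {
        $reasons += "$Label not found on disk: $Path"
        return $reasons
    }
    $trusted = $trustedRoots | Where-Object { $Path.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }
    if (-not $trusted) { $reasons += "$Label outside Windows/Program Files: $Path" }
    # Catalog-signed OS files report Valid on supported Windows versions; NotSigned, HashMismatch
    # or UnknownError on a service or driver binary deserves a look (cf. the Code Signing mitigation).
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') { $reasons += "$Label signature $($sig.Status): $Path" }
    return $reasons
}

function Get-ServiceAudit {
    foreach ($key in Get-ChildItem -Path $serviceRoot -ErrorAction SilentlyContinue) {
        $cfg = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if (-not $cfg -or [string]::IsNullOrWhiteSpace($cfg.ImagePath)) { continue }
        $isDriver = ($cfg.Type -band 0x3) -ne 0      # SERVICE_KERNEL_DRIVER (1) or SERVICE_FILE_SYSTEM_DRIVER (2)
        $binary   = Resolve-ServiceBinary $cfg.ImagePath
        # svchost-hosted services load the DLL named in Parameters\ServiceDll, the value GreyEnergy and Volgmer overwrite
        $dll = (Get-ItemProperty -Path "$($key.PSPath)\Parameters" -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
        $reasons = @(Get-FileFindings -Path $binary -Label 'ImagePath')
        if ($dll) {
            $dll = [Environment]::ExpandEnvironmentVariables($dll)
            $reasons += @(Get-FileFindings -Path $dll -Label 'ServiceDll')
        }
        foreach ($i in $interpreters) {
            if ($cfg.ImagePath -like "*$i*") { $reasons += "ImagePath launches $i" }
        }
        # Unquoted path with spaces: the misconfiguration PowerUp-style tooling looks for (see the PowerSploit entry)
        if (-not $isDriver -and $cfg.ImagePath -notmatch '^"' -and $binary -match '\s') {
            $reasons += 'unquoted ImagePath containing spaces'
        }
        if ($reasons.Count -eq 0) { continue }
        [PSCustomObject]@{
            Name        = $key.PSChildName
            DisplayName = $cfg.DisplayName
            Kind        = if ($isDriver) { 'driver' } else { 'service' }
            Start       = if ($null -ne $cfg.Start -and $cfg.Start -le 4) { $startNames[$cfg.Start] } else { $cfg.Start }
            Binary      = $binary
            ServiceDll  = $dll
            Reasons     = $reasons -join '; '
        }
    }
}

Get-ServiceAudit | Sort-Object Kind, Name | Format-Table Name, Kind, Start, Binary, Reasons -AutoSize -Wrap
```

Compare the output against a known-good baseline of the same build; third-party agents living under ProgramData will show up as "outside Windows/Program Files" and need to be allow-listed rather than treated as findings.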
Item | Value |
---|---|
ID | T1543.003 |
Sub-techniques | T1543.001, T1543.002, T1543.003, T1543.004 |
Tactics | TA0003, TA0004 |
Platforms | Windows |
Version | 1.3 |
Created | 17 January 2020 |
Last Modified | 21 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
C0025 | 2016 Ukraine Electric Power Attack | During the 2016 Ukraine Electric Power Attack, Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer. They also replaced the ImagePath registry value of a Windows service with a new backdoor binary. 39 |
S0504 | Anchor | Anchor can establish persistence by creating a service.72 |
S0584 | AppleJeus | AppleJeus can install itself as a service.65 |
G0073 | APT19 | An APT19 Port 22 malware variant registers itself as a service.122 |
G0022 | APT3 | APT3 has a tool that creates a new service for persistence.134 |
G0050 | APT32 | APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.130131132 |
G0082 | APT38 | APT38 has installed a new Windows service to establish persistence.125 |
G0096 | APT41 | APT41 modified legitimate Windows services to install malware backdoors.127129 APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.128 |
S0438 | Attor | Attor’s dispatcher can establish persistence by registering a new service.119 |
S0347 | AuditCred | AuditCred is installed as a new service on the system.38 |
S0239 | Bankshot | Bankshot can terminate a specific process by its process id.4041 |
S0127 | BBSRAT | BBSRAT can modify service configurations.114 |
S0268 | Bisonal | Bisonal has been modified to be used as a Windows service.92 |
S0570 | BitPaymer | BitPaymer has attempted to install itself as a service to maintain persistence.64 |
S1070 | Black Basta | Black Basta can create a new service to establish persistence.6362 |
S0089 | BlackEnergy | One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.24 |
G0108 | Blue Mockingbird | Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.126 |
S0204 | Briba | Briba installs a service pointing to a malicious DLL dropped to disk.67 |
G0008 | Carbanak | Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.142 |
S0335 | Carbon | Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.115 |
S0261 | Catchamas | Catchamas adds a new service named NetAdapter to establish persistence.91 |
S0660 | Clambling | Clambling can register itself as a system service to gain persistence.74 |
G0080 | Cobalt Group | Cobalt Group has created new services to establish persistence.141 |
S0154 | Cobalt Strike | Cobalt Strike can install a new service.120 |
S0608 | Conficker | Conficker copies itself into the %systemroot%\system32 directory and registers as a service.84 |
S0050 | CosmicDuke | CosmicDuke uses Windows services typically named “javamtsup” for persistence.16 |
S0046 | CozyCar | One persistence mechanism used by CozyCar is to register itself as a Windows service.108 |
S0625 | Cuba | Cuba can modify services by using the OpenService and ChangeServiceConfig functions.107 |
G0105 | DarkVishnya | DarkVishnya created new services for shellcode loaders distribution.121 |
S1033 | DCSrv | DCSrv has created new services for persistence by modifying the Registry.28 |
S0567 | Dtrack | Dtrack can add a service called WBService to establish persistence.54 |
S0038 | Duqu | Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key.88 |
S0024 | Dyre | Dyre registers itself as a service by adding several Registry keys.30 |
G1006 | Earth Lusca | Earth Lusca created a service using the command sc create "SysUpdate" binpath= "cmd /c start "[file path]""&&sc config "SysUpdate" start= auto&&net start SysUpdate for persistence.123 |
S0081 | Elise | Elise configures itself as a service.17 |
S0082 | Emissary | Emissary is capable of configuring itself as a service.21 |
S0367 | Emotet | Emotet has been observed creating new services to maintain persistence. 2627 |
S0363 | Empire | Empire can utilize built-in modules to modify service binaries and restore them to their original state.15 |
S0343 | Exaramel for Windows | The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV.”35 |
S0181 | FALLCHILL | FALLCHILL has been installed as a Windows service.65 |
G0046 | FIN7 | FIN7 created new Windows services and added them to the startup directories for persistence.124 |
S0182 | FinFisher | FinFisher creates a new Windows service with the malicious executable for persistence.9798 |
S1044 | FunnyDream | FunnyDream has established persistence by running sc.exe and by setting the WSearch service to run automatically.101 |
S0666 | Gelsemium | Gelsemium can drop itself in C:\Windows\System32\spool\prtprocs\x64\winprint.dll as an alternative Print Processor to be loaded automatically when the spoolsv Windows service starts.49 |
S0032 | gh0st RAT | gh0st RAT can create a new service to establish persistence.4546 |
S0493 | GoldenSpy | GoldenSpy has established persistence by running in the background as an autostart service.82 |
S0342 | GreyEnergy | GreyEnergy chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key.89 |
S0071 | hcdLoader | hcdLoader installs itself as a service for persistence.8586 |
S0697 | HermeticWiper | HermeticWiper can load drivers by creating a new service using the CreateServiceW API.8 |
S0203 | Hydraq | Hydraq creates new services to establish persistence.116117118 |
S0604 | Industroyer | Industroyer can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary.39 |
S0259 | InnaputRAT | Some InnaputRAT variants create a new Windows service to establish persistence.93 |
S0260 | InvisiMole | InvisiMole can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.2 |
S0044 | JHUHUGIT | JHUHUGIT has registered itself as a service to establish persistence.47 |
S0265 | Kazuar | Kazuar can install itself as a new service.18 |
G0004 | Ke3chang | Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent .133 |
S0387 | KeyBoy | KeyBoy installs a service pointing to a malicious DLL dropped to disk.87 |
G0094 | Kimsuky | Kimsuky has created new services for persistence.144145 |
S0356 | KONNI | KONNI has registered itself as a service using its export function.76 |
S0236 | Kwampirs | Kwampirs creates a new service named WmiApSrvEx to establish persistence.112 |
G0032 | Lazarus Group | Several Lazarus Group malware families install themselves as new services.140139 |
S0451 | LoudMiner | LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.81 |
S0149 | MoonWind | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.69 |
S0205 | Naid | Naid creates a new service to establish persistence.70 |
S0630 | Nebulae | Nebulae can create a service to establish persistence.31 |
S0210 | Nerex | Nerex creates a Registry subkey that registers a new service.99 |
S0118 | Nidiran | Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).60 |
S0439 | Okrum | To establish persistence, Okrum can install itself as a new service named NtmSsvc.19 |
C0012 | Operation CuckooBees | During Operation CuckooBees, the threat actors modified the IKEEXT and PrintNotify Windows services for persistence.148 |
C0006 | Operation Honeybee | During Operation Honeybee, threat actors installed DLLs and backdoors as Windows services.147 |
S0664 | Pandora | Pandora has the ability to gain system privileges through Windows services.32 |
S1031 | PingPull | PingPull has the ability to install itself as a service.113 |
S0501 | PipeMon | PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.71 |
S0013 | PlugX | PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start, control, and delete services.5559585657 |
S0012 | PoisonIvy | PoisonIvy creates a Registry subkey that registers a new service. PoisonIvy also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.83 |
S0194 | PowerSploit | PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace/modify service binaries, paths, and configs.1112 |
G0056 | PROMETHIUM | PROMETHIUM has created new services and modified existing services for persistence.138 |
S0029 | PsExec | PsExec can leverage Windows services to escalate privileges from administrator to SYSTEM with the -s argument.14 |
S0650 | QakBot | QakBot can remotely create a temporary service on a target host.110 |
S0481 | Ragnar Locker | Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.42 |
S0629 | RainyDay | RainyDay can use services to establish persistence.31 |
S0169 | RawPOS | RawPOS installs itself as a service to maintain persistence.777879 |
S0495 | RDAT | RDAT has created a service when it is installed on the victim machine.51 |
S0172 | Reaver | Reaver installs itself as a new service.90 |
S0074 | Sakula | Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.73 |
S0345 | Seasalt | Seasalt is capable of installing itself as a service.100 |
S0140 | Shamoon | Shamoon creates a new service named “ntssrv” to execute the payload. Newer versions create the “MaintenaceSrv” and “hdv_725x” services.105106 |
S0444 | ShimRat | ShimRat has installed a Windows service to maintain persistence on victim machines.96 |
S0692 | SILENTTRINITY | SILENTTRINITY can establish persistence by creating a new service.13 |
S0533 | SLOTHFULMEDIA | SLOTHFULMEDIA has created a service on victim machines named “TaskFrame” to establish persistence.50 |
S1037 | STARWHALE | STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem" .36 |
S0142 | StreamEx | StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.20 |
S0491 | StrongPity | StrongPity has created new services and modified existing services for persistence.48 |
S0603 | Stuxnet | Stuxnet uses a driver registered as a boot start service as the main load-point.111 |
S1049 | SUGARUSH | SUGARUSH has created a service named Service1 for persistence.25 |
S0663 | SysUpdate | SysUpdate can create a service to establish persistence.32 |
S0164 | TDTESS | If running as administrator, TDTESS installs itself as a new service named bmwappushservice to establish persistence.66 |
G0139 | TeamTNT | TeamTNT has used malware that adds cryptocurrency miners as a service.146 |
S0560 | TEARDROP | TEARDROP ran as a Windows service from the c:\windows\syswow64 folder.9495 |
G0027 | Threat Group-3390 | Threat Group-3390’s malware can create a new service, sometimes naming it after the config information, to gain persistence.136135 |
S0665 | ThreatNeedle | ThreatNeedle can run in memory and register its payload as a Windows service.22 |
S0004 | TinyZBot | TinyZBot can install as a Windows service for persistence.75 |
S0266 | TrickBot | TrickBot establishes persistence by creating an autostart service that allows it to run whenever the machine boots.29 |
G0081 | Tropic Trooper | Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.137 |
S0263 | TYPEFRAME | TYPEFRAME variants can add malicious DLL modules as new services. TYPEFRAME can also delete services from the victim’s machine.80 |
S0386 | Ursnif | Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.109 |
S0180 | Volgmer | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service’s Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.103102104 |
S0366 | WannaCry | WannaCry creates the service “mssecsvc2.0” with the display name “Microsoft Security Center (2.0) Service.”5253 |
S0612 | WastedLocker | WastedLocker created and established a service that runs until the encryption process is complete.61 |
S0206 | Wiarp | Wiarp creates a backdoor through which remote attackers can create a service.68 |
S0176 | Wingbird | Wingbird uses services.exe to register a new autostart service named “Audit Service” using a copy of the local lsass.exe file.3334 |
S0141 | Winnti for Windows | Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.37 |
G0102 | Wizard Spider | Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.143 |
S0230 | ZeroT | ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.57 |
S0086 | ZLib | ZLib creates Registry keys to allow itself to run as various services.44 |
S0350 | zwShell | zwShell has established persistence by adding itself as a new service.43 |
S0412 | ZxShell | ZxShell can create a new service using the service parser function ProcessScCommand.23 |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1047 | Audit | Use auditing tools capable of detecting privilege and service abuse opportunities on systems within an enterprise and correct them. |
M1040 | Behavior Prevention on Endpoint | On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent an application from writing a signed vulnerable driver to the system.9 On Windows 10 and 11, enable Microsoft Vulnerable Driver Blocklist to assist in hardening against third party-developed service drivers.10 |
M1045 | Code Signing | Enforce registration and execution of only legitimately signed service drivers where possible. |
M1028 | Operating System Configuration | Ensure that Driver Signature Enforcement is enabled to restrict unsigned drivers from being installed. |
M1018 | User Account Management | Limit privileges of user accounts and groups so that only authorized administrators can interact with service changes and service configurations. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0017 | Command | Command Execution |
DS0027 | Driver | Driver Load |
DS0009 | Process | OS API Execution |
DS0019 | Service | Service Creation |
DS0024 | Windows Registry | Windows Registry Key Creation |
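The data sources in the table map onto concrete Windows event records: Service Creation is System event 7045 from the Service Control Manager and, when "Audit Security System Extension" is enabled, Security event 4697 (the Miroshnikov & Hall reference below); Windows Registry Key Creation and modification of an existing service's ImagePath or ServiceDll are visible as Sysmon event 13 on the Services key where Sysmon is deployed. The script below is an added example, not code from the ATT&CK page; it collects those three record types for the last few days, normalises them, and scores each with simple heuristics. The interpreter and user-writable-directory lists are my own assumptions.

```powershell
# Added example, not code from the ATT&CK page: pull service creations and service-configuration
# changes from the event sources in the Detection table and score them with simple heuristics.
# Sources: System 7045 (Service Control Manager), Security 4697 (needs "Audit Security System
# Extension"), and, if Sysmon is installed, event 13 (registry value set) under the Services key.
$lookbackDays      = 7
$interpreters      = 'cmd.exe', 'cscript.exe', 'wscript.exe', 'powershell.exe', 'mshta.exe', 'rundll32.exe', 'regsvr32.exe'
$userWritableHints = '\Temp\', '\AppData\', '\ProgramData\', '\Users\Public\', '\Downloads\'
# Only these values under a service key matter for this technique; other Sysmon 13 writes are ignored.
$serviceValue      = '\\Services\\([^\\]+)\\(ImagePath|Start|Parameters\\ServiceDll)$'

function ConvertFrom-ServiceEvent {
    # Normalise the three event shapes into one record. Each source tells you something different:
    # 7045 records the account the service runs as, 4697 records who installed it,
    # and Sysmon 13 records which process wrote the Registry value.
    param($Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[[string]$n.Name] = [string]$n.'#text' }
    $rec = [PSCustomObject]@{
        Time = $Event.TimeCreated; Source = "$($Event.LogName)/$($Event.Id)"
        Service = $null; ImagePath = $null; Context = $null; Writer = $null
    }
    switch ($Event.Id) {
        7045 { $rec.Service = $d['ServiceName']; $rec.ImagePath = $d['ImagePath']
               $rec.Context = "runs as $($d['AccountName'])" }
        4697 { $rec.Service = $d['ServiceName']; $rec.ImagePath = $d['ServiceFileName']
               $rec.Context = "installed by $($d['SubjectDomainName'])\$($d['SubjectUserName'])" }
        13   { if ($d['TargetObject'] -match $serviceValue) {
                   $rec.Service = $Matches[1]; $rec.ImagePath = $d['Details']; $rec.Writer = $d['Image']
                   $rec.Context = "$($Matches[2]) set by $($d['Image'])"
               } else { return $null } }
    }
    $rec
}

function Get-ServiceEventReasons {
    # Heuristics drawn from the procedure examples on this page: interpreter wrappers in the
    # binary path, binaries in user-writable locations, binaries on a share (remote service
    # creation), and Registry writes that bypass the Service Control Manager.
    param($Record)
    $reasons = @()
    $path = [Environment]::ExpandEnvironmentVariables([string]$Record.ImagePath)
    foreach ($i in $interpreters)      { if ($path -like "*$i*") { $reasons += "launches $i" } }
    foreach ($h in $userWritableHints) { if ($path -like "*$h*") { $reasons += "binary under $h" } }
    if ($path -match '^\\\\[^\\]+\\')  { $reasons += 'binary on a network share' }
    if ($Record.Writer -and $Record.Writer -notlike '*\services.exe') {
        # sc.exe and the service APIs go through services.exe; anything else wrote the key directly
        $reasons += 'Services key written directly, not through the Service Control Manager'
    }
    $reasons
}

function Get-ServiceChangeReport {
    param([datetime]$Since)
    $queries = @(
        @{ LogName = 'System';   ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $Since }
        @{ LogName = 'Security'; Id = 4697; StartTime = $Since }
        @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 13; StartTime = $Since }
    )
    foreach ($q in $queries) {
        # A missing log or no matching events simply means that source is absent on this host.
        foreach ($e in @(Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue)) {
            $rec = ConvertFrom-ServiceEvent $e
            if ($null -eq $rec) { continue }
            $rec | Add-Member -NotePropertyName Reasons -NotePropertyValue (@(Get-ServiceEventReasons $rec) -join '; ') -PassThru
        }
    }
}

Get-ServiceChangeReport -Since (Get-Date).AddDays(-$lookbackDays) |
    Sort-Object Time -Descending |
    Format-Table Time, Source, Service, Context, ImagePath, Reasons -AutoSize -Wrap
```

Event 7045 fires only for new installs, so modification of an existing service's ImagePath or ServiceDll (the Industroyer, GreyEnergy and Volgmer pattern above) is visible here only through the Sysmon rows; forward these logs centrally, since an attacker with SYSTEM can clear the local copies.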
References
- Hardy, T. & Hall, J. (2018, February 15). Use Windows Event Forwarding to help with intrusion detection. Retrieved August 7, 2018.
- Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
- Miroshnikov, A. & Hall, J. (2017, April 18). 4697(S): A service was installed in the system. Retrieved August 7, 2018.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier. Retrieved December 7, 2020.
- Reichel, D. and Idrizovic, E. (2020, June 17). AcidBox: Rare Malware Repurposing Turla Group Exploit Targeted Russian Organizations. Retrieved March 16, 2021.
- Russinovich, M. (2016, January 4). Autoruns for Windows v13.51. Retrieved June 6, 2016.
- Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
- Azure Edge and Platform Security Team & Microsoft 365 Defender Research Team. (2021, December 8). Improve kernel security with the new Microsoft Vulnerable and Malicious Driver Reporting Center. Retrieved April 6, 2022.
- Jordan Geurten et al. (2022, March 29). Microsoft recommended driver block rules. Retrieved April 7, 2022.
- PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018.
- PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018.
- Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
- Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014.
- Falcone, R., et al. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
- Levene, B., et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018.
- Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
- Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
- Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
- Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021.
- Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
- F-Secure Labs. (2014). BlackEnergy & Quedagh: The convergence of crimeware and APT attacks. Retrieved March 24, 2016.
- Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
- US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019.
- Mclellan, M. (2018, November 19). Lazy Passwords Become Rocket Fuel for Emotet SMB Spreader. Retrieved March 25, 2019.
- Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
- Anthony, N., Pascual, C. (2018, November 1). Trickbot Shows Off New Trick: Password Grabber Module. Retrieved November 16, 2018.
- Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018.
- Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
- Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
- Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.
- Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
- Tomcik, R. et al. (2022, February 24). Left On Read: Telegram Malware Spotted in Latest Iranian Cyber Espionage Activity. Retrieved August 18, 2022.
- Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
- Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018.
- Dragos Inc. (2017, June 13). CRASHOVERRIDE Analysis of the Threat to Electric Grid Operations. Retrieved December 18, 2020.
- Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
- US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018.
- SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
- Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
- Pantazopoulos, N. (2018, April 17). Decoding network data from a Gh0st RAT variant. Retrieved November 2, 2018.
- Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
- ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016.
- Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020.
- Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
- DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
- Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019.
- Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019.
- Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021.
- Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018.
- FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
- Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018.
- PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
- Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
- Sponchioni, R. (2016, March 11). Backdoor.Nidiran. Retrieved August 3, 2016.
- Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
- Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
- Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
- Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
- Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
- ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
- Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- Miller-Osborn, J. and Grunzweig, J. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
- Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
- Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
- Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020.
- Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- Chen, T. and Chen, Z. (2020, February 17). CLAMBLING - A New Backdoor Base On Dropbox. Retrieved November 12, 2021.
- Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
- Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
- Nesbit, B. and Ackerman, D. (2017, January). Malware Analysis Report - RawPOS Malware: Deconstructing an Intruder’s Toolkit. Retrieved October 4, 2017.
- TrendLabs Security Intelligence Blog. (2015, April). RawPOS Technical Brief. Retrieved October 4, 2017.
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
- Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020.
- Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
- Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- Burton, K. (n.d.). The Conficker Worm. Retrieved February 18, 2021.
- Carvey, H. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016.
- Shelmire, A. (2015, July 6). Evasive Maneuvers. Retrieved January 22, 2016.
- Guarnieri, C., Schloesser, M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019.
- Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
- Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
- Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
- Balanza, M. (2018, April 02). Infostealer.Catchamas. Retrieved July 10, 2018.
- Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
- ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
- Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021.
- FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021.
- Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
- Allievi, A., Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018.
- Ladley, F. (2012, May 15). Backdoor.Nerex. Retrieved February 23, 2018.
- Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
- US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017.
- Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019.
- Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
- F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
- Trend Micro. (2014, December 11). PE_URSNIF.A2. Retrieved June 5, 2019.
- Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023.
- Nicolas Falliere, Liam O. Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017.
- Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
- Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022.
- Lee, B., Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016.
- ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
- Lelli, A. (2010, January 11). Trojan.Hydraq. Retrieved February 20, 2018.
- Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018.
- Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017.
- Golovanov, S. (2018, December 6). DarkVishnya: Banks attacked through direct connection to local network. Retrieved May 15, 2020.
- Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018.
- Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
- Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018.
- DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea’s BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
- Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
- Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019.
- Glyer, C., et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020.
- Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021.
- Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018.
- Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
- Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016.
- Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
- Pantazopoulos, N., Henry, T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018.
- Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019.
- Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016.
- Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016.
- Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018.
- Kaspersky Lab’s Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
- John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020.
- Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019.
- CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
- AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021.
- Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
- Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022.