T1588.001 Malware
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
| Item | Value |
|---|---|
| ID | T1588.001 |
| Sub-techniques | T1588.001, T1588.002, T1588.003, T1588.004, T1588.005, T1588.006 |
| Tactics | TA0042 |
| Platforms | PRE |
| Version | 1.1 |
| Created | 01 October 2020 |
| Last Modified | 17 October 2021 |
Procedure Examples
| ID | Name | Description |
|---|---|---|
| G0138 | Andariel | Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations. [7] |
| G0006 | APT1 | APT1 used publicly available malware for privilege escalation. [3] |
| G0143 | Aquatic Panda | Aquatic Panda has acquired and used njRAT in its operations. [2] |
| G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations. [14] |
| C0015 | C0015 | For C0015, the threat actors used Cobalt Strike and Conti ransomware. [15] |
| G1006 | Earth Lusca | Earth Lusca has acquired and used a variety of malware, including Cobalt Strike. [12] |
| C0007 | FunnyDream | For FunnyDream, the threat actors used a new backdoor named FunnyDream. [18] |
| G1004 | LAPSUS$ | LAPSUS$ acquired and used the Redline password stealer in their operations. [6] |
| G0140 | LazyScripter | LazyScripter has used a variety of open-source remote access Trojans for its operations. [4] |
| G1014 | LuminousMoth | LuminousMoth has obtained and used malware such as Cobalt Strike. [8][9] |
| G1013 | Metador | Metador has used unique malware in their operations, including metaMain and Mafalda. [13] |
| C0002 | Night Dragon | During Night Dragon, threat actors used Trojans from underground hacker websites. [17] |
| C0005 | Operation Spalax | For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT. [16] |
| G0092 | TA505 | TA505 has used malware such as Azorult and Cobalt Strike in their operations. [5] |
| G0010 | Turla | Turla has used malware obtained after compromising other threat actors, such as OilRig. [10][11] |
Mitigations
| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
| ID | Data Source | Data Component |
|---|---|---|
| DS0004 | Malware Repository | Malware Content |
References
1. FireEye. (2014). SUPPLY CHAIN ANALYSIS: From Quartermaster to Sunshop. FireEye. Retrieved March 6, 2017.
2. Wiley, B., et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022.
3. Mandiant. (n.d.). APT1 Exposing One of China's Cyber Espionage Units. Retrieved July 18, 2016.
4. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
5. Terefos, A. (2020, November 18). TA505: A Brief History of Their Time. Retrieved July 14, 2022.
6. MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
7. FSI. (2017, July 27). Campaign Rifle - Andariel, the Maiden of Anguish. Retrieved September 29, 2021.
8. Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022.
9. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
10. NSA/NCSC. (2019, October 21). Cybersecurity Advisory: Turla Group Exploits Iranian APT To Expand Coverage Of Victims. Retrieved October 16, 2020.
11. Insikt Group. (2020, March 12). Swallowing the Snake's Tail: Tracking Turla Infrastructure. Retrieved October 20, 2020.
12. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
13. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
14. Burgher, A. (2021, June 10). BackdoorDiplomacy: Upgrading from Quarian to Turian. Retrieved September 1, 2021.
15. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
16. Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
17. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
18. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.