Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
Procedure examples:

- Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations.
- APT1 used publicly available malware for privilege escalation.
- Aquatic Panda has acquired and used njRAT in its operations.
- BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.
- For C0015, the threat actors used Cobalt Strike and Conti ransomware.
- Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.
- For FunnyDream, the threat actors used a new backdoor named FunnyDream.
- LAPSUS$ acquired and used the Redline password stealer in their operations.
- LazyScripter has used a variety of open-source remote access Trojans for its operations.
- LuminousMoth has obtained and used malware such as Cobalt Strike.
- Metador has used unique malware in their operations, including metaMain and Mafalda.
- During Night Dragon, threat actors used Trojans from underground hacker websites.
- For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.
- TA505 has used malware such as Azorult and Cobalt Strike in their operations.
- Turla has used malware obtained after compromising other threat actors, such as OilRig.
Mitigation: This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.