T1608.001 Upload Malware
Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.
Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin, or hosted on the InterPlanetary File System (IPFS), where decentralized content storage makes the removal of malicious files difficult.[1][2]
Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.
Item | Value |
---|---|
ID | T1608.001 |
Sub-techniques | T1608.001, T1608.002, T1608.003, T1608.004, T1608.005, T1608.006 |
Tactics | TA0042 |
Platforms | PRE |
Version | 1.2 |
Created | 17 March 2021 |
Last Modified | 11 April 2023 |
Procedure Examples
ID | Name | Description |
---|---|---|
G0050 | APT32 | APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[1] |
G1002 | BITTER | BITTER has registered domains to stage payloads.[16] |
C0010 | C0010 | For C0010, UNC3890 actors staged malware on their infrastructure for direct download onto a compromised system.[23] |
C0011 | C0011 | For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[27] |
C0021 | C0021 | For C0021, the threat actors uploaded malware to websites under their control.[17][18] |
G1006 | Earth Lusca | Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[8] |
G1011 | EXOTIC LILY | EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[7] |
G0047 | Gamaredon Group | Gamaredon Group has registered domains to stage payloads.[5][6] |
G1001 | HEXANE | HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[12] |
G0094 | Kimsuky | Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.[11] |
G0140 | LazyScripter | LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.[15] |
G1014 | LuminousMoth | LuminousMoth has hosted malicious payloads on Dropbox.[14] |
G0129 | Mustang Panda | Mustang Panda has hosted malicious payloads on Dropbox, including PlugX.[10] |
C0002 | Night Dragon | During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[26] |
C0022 | Operation Dream Job | For Operation Dream Job, Lazarus Group used compromised servers to host malware.[19][20][21][22] |
C0013 | Operation Sharpshooter | For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[24] |
C0005 | Operation Spalax | For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.[25] |
G1008 | SideCopy | SideCopy has used compromised domains to host its malicious payloads.[9] |
G0092 | TA505 | TA505 has staged malware on actor-controlled domains.[13] |
G0139 | TeamTNT | TeamTNT has uploaded backdoored Docker images to Docker Hub.[4] |
G0027 | Threat Group-3390 | Threat Group-3390 has hosted malicious payloads on Dropbox.[3] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
Detection
ID | Data Source | Data Component |
---|---|---|
DS0035 | Internet Scan | Response Content |
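The single detection data component above, Response Content from an Internet Scan, is easiest to understand with a concrete triage routine. The following is an added example written for this page; it is not MITRE's code or any vendor's product. It takes scan responses (URL, declared Content-Type, leading body bytes) and flags the pattern the description calls out: an executable file staged on a web server, often under a decoy name or a mismatched content type (the Masquerading behaviour). The signature table, the `ScanResponse` type and the sample responses are all constructed for illustration.

```python
"""Triage of HTTP response content from an internet scan (data source
DS0035, component Response Content) to flag servers that appear to be
staging executable payloads.  Added example; the scan results below are
constructed and do not come from any campaign cited on this page."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Leading-byte signatures of common payload containers (constructed table).
BINARY_SIGNATURES = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"\xcf\xfa\xed\xfe", "macho-executable"),
    (b"\xfe\xed\xfa\xce", "macho-executable"),
    (b"PK\x03\x04", "zip-archive"),
]
SCRIPT_SIGNATURE = b"#!"

# Declared types under which a binary body is a mismatch worth a look.
NON_BINARY_CONTENT_TYPES = ("text/", "image/", "application/pdf", "application/json")

# Extensions often used to make a payload look like static site content
# (the Masquerading behaviour mentioned in the description).
DECOY_EXTENSIONS = (".jpg", ".png", ".gif", ".pdf", ".txt", ".css", ".js")


@dataclass
class ScanResponse:
    """One captured response: hypothetical shape, not a real scanner's schema."""
    url: str
    content_type: str
    body: bytes


def identify_body(body: bytes) -> Optional[str]:
    """Return a label for the body's file type, or None if it is not recognised."""
    for magic, label in BINARY_SIGNATURES:
        if body.startswith(magic):
            return label
    if body.startswith(SCRIPT_SIGNATURE):
        return "script"
    return None


def assess(resp: ScanResponse) -> List[str]:
    """Return the findings for one scan response (empty if nothing stands out)."""
    findings: List[str] = []
    kind = identify_body(resp.body)
    if kind is None:
        return findings
    findings.append(f"executable-content:{kind}")
    if kind == "script":
        # A shebang script served as text is weak evidence on its own; do not
        # pile type-mismatch findings on top of it.
        return findings
    declared = resp.content_type.lower().split(";", 1)[0].strip()
    if declared.startswith(NON_BINARY_CONTENT_TYPES):
        findings.append(f"content-type-mismatch:{declared}")
    path = resp.url.split("?", 1)[0].lower()
    if path.endswith(DECOY_EXTENSIONS):
        findings.append("decoy-extension")
    return findings


def triage(responses: List[ScanResponse]) -> Dict[str, List[str]]:
    """Map each URL with at least one finding to its findings, most findings first."""
    hits = {r.url: assess(r) for r in responses}
    hits = {url: f for url, f in hits.items() if f}
    return dict(sorted(hits.items(), key=lambda kv: -len(kv[1])))


# Constructed scan results: a PE served as an image, a plain HTML page, an ELF
# served as generic binary, and a shell script served as text.
SAMPLE_RESPONSES = [
    ScanResponse("http://staging.example/images/logo.png", "image/png",
                 b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"),
    ScanResponse("http://staging.example/index.html", "text/html; charset=utf-8",
                 b"<html><body>Welcome</body></html>"),
    ScanResponse("http://staging.example/update", "application/octet-stream",
                 b"\x7fELF\x02\x01\x01" + b"\x00" * 9),
    ScanResponse("http://staging.example/setup.txt", "text/plain",
                 b"#!/bin/sh\necho hello\n"),
]

if __name__ == "__main__":
    for url, findings in triage(SAMPLE_RESPONSES).items():
        print(url, "->", ", ".join(findings))
```

Only the first few bytes of each body are needed, so the check is cheap enough to run across a whole scan corpus; the output is a prioritised worklist for analysts rather than a verdict, since a legitimate download site also serves executables under `application/octet-stream`.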
References
1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
2. Brumaghin, E. (2022, November 9). Threat Spotlight: Cyber Criminal Adoption of IPFS for Phishing, Malware Campaigns. Retrieved March 8, 2023.
3. Lunghi, D., et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.
4. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.
5. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
6. Unit 42. (2022, February 3). Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
7. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
8. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca's Operations. Retrieved July 1, 2022.
9. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
10. Raggi, M., et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
11. An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
12. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022.
13. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
14. Lechtik, M., et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022.
15. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
16. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
17. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
18. Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
19. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
20. Breitenbacher, D. and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
21. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
22. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
23. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
24. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
25. Porolli, M. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
26. McAfee Foundstone Professional Services and McAfee Labs. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
27. Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.