Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
| ID | Name | Description |
|---|---|---|
| G0138 | Andariel | Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations.[1] |
| G0006 | APT1 | APT1 used publicly available malware for privilege escalation.[2] |
| G0143 | Aquatic Panda | Aquatic Panda has acquired and used njRAT in its operations.[3] |
| G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[4] |
| C0015 | C0015 | For C0015, the threat actors used Cobalt Strike and Conti ransomware.[5] |
| G1006 | Earth Lusca | Earth Lusca has acquired and used a variety of malware, including Cobalt Strike.[6] |
| G1003 | Ember Bear | Ember Bear has acquired malware and related tools from dark web forums.[7] |
| C0007 | FunnyDream | For FunnyDream, the threat actors used a new backdoor named FunnyDream.[8] |
| C0050 | J-magic Campaign | During the J-magic Campaign, threat actors used open-source malware post-compromise, including a custom variant of the cd00r backdoor.[9] |
| G1004 | LAPSUS$ | LAPSUS$ acquired and used the Redline password stealer in their operations.[10] |
| G0140 | LazyScripter | LazyScripter has used a variety of open-source remote access Trojans for its operations.[11] |
| G1014 | LuminousMoth | LuminousMoth has obtained and used malware such as Cobalt Strike.[12][13] |
| G1013 | Metador | Metador has used unique malware in their operations, including metaMain and Mafalda.[14] |
| C0002 | Night Dragon | During Night Dragon, threat actors used Trojans from underground hacker websites.[15] |
| C0005 | Operation Spalax | For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT.[16] |
| G1015 | Scattered Spider | Scattered Spider has obtained malware to use at multiple stages of operations, including information stealers, remote access tools, and ransomware.[17][18] |
| G1018 | TA2541 | TA2541 has used multiple strains of malware available for purchase on criminal forums or in open-source repositories.[19] |
| G0092 | TA505 | TA505 has used malware such as Azorult and Cobalt Strike in their operations.[20] |
| G0010 | Turla | Turla has used malware obtained after compromising other threat actors, such as OilRig.[21][22] |
| G1048 | UNC3886 | UNC3886 has used the publicly available rootkits REPTILE and MEDUSA.[23] |

| ID | Mitigation | Description |
|---|---|---|
| M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |

| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0845 | Detection of Malware | AN1977 | Monitor for contextual data about a malicious payload, such as compilation times and file hashes, as well as watermarks or other identifiable configuration information. Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle. |
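A defender-side triage routine illustrating the analytic above, added here as an example and not part of the ATT&CK page: it records a sample's SHA-256, reads the PE COFF `TimeDateStamp`, and flags zeroed or future compile times. The `make_stub` helper and the epoch values are constructed for offline testing and do not represent any real payload.

```python
import hashlib
import struct
import time


def pe_compile_timestamp(data: bytes):
    """Return the COFF TimeDateStamp of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # Need the 4-byte "PE\0\0" signature plus the 20-byte COFF file header.
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF header layout: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]


def triage(data: bytes, now_epoch=None) -> dict:
    """Collect contextual data about a payload: SHA-256 plus compile-time anomalies."""
    now_epoch = int(time.time()) if now_epoch is None else now_epoch
    ts = pe_compile_timestamp(data)
    flags = []
    if ts is None:
        flags.append("not-a-pe")
    elif ts == 0:
        flags.append("zeroed-timestamp")  # common in stripped or obfuscated builds
    elif ts > now_epoch:
        flags.append("future-timestamp")  # forged or tampered build time
    return {"sha256": hashlib.sha256(data).hexdigest(), "compile_time": ts, "flags": flags}


def make_stub(timestamp: int) -> bytes:
    """Constructed minimal MZ/PE header (not an executable) used as offline sample input."""
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew -> 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, timestamp, 0, 0, 0, 0)
    return dos_header + coff


if __name__ == "__main__":
    # Constructed samples: zeroed build time, a build time in the future, and a non-PE blob.
    for sample in (make_stub(0), make_stub(2_000_000_000), b"plain text, not a PE"):
        print(triage(sample, now_epoch=1_700_000_000))
```

Hash and compile-time fields can be joined against sandbox or threat-intel records, which is where this contextual data becomes useful post-compromise.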