ID | Name |
---|---|
T1588.001 | Malware |
T1588.002 | Tool |
T1588.003 | Code Signing Certificates |
T1588.004 | Digital Certificates |
T1588.005 | Exploits |
T1588.006 | Vulnerabilities |
Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.
In addition to downloading free malware from the internet, adversaries may purchase these capabilities from third-party entities. Third-party entities can include technology companies that specialize in malware development, criminal marketplaces (including Malware-as-a-Service, or MaaS), or individuals. In addition to purchasing malware, adversaries may steal and repurpose malware from third-party entities (including other adversaries).
ID | Name | Description |
---|---|---|
G0138 | Andariel | Andariel has used a variety of publicly available remote access Trojans (RATs) for its operations.[1] |
G0006 | APT1 | APT1 used publicly available malware for privilege escalation.[2] |
G0143 | Aquatic Panda | Aquatic Panda has acquired and used njRAT in its operations.[3] |
G0135 | BackdoorDiplomacy | BackdoorDiplomacy has obtained and used leaked malware, including DoublePulsar, EternalBlue, EternalRocks, and EternalSynergy, in its operations.[4] |
G0140 | LazyScripter | LazyScripter has used a variety of open-source remote access Trojans for its operations.[5] |
G0010 | Turla | Turla has used malware obtained after compromising other threat actors, such as OilRig.[6][7] |
ID | Mitigation | Description |
---|---|---|
M1056 | Pre-compromise | This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. |
ID | Data Source | Data Component |
---|---|---|
DS0004 | Malware Repository | Malware Content |
DS0004 | Malware Repository | Malware Metadata |
Consider analyzing malware for features that may be associated with malware providers, such as compiler used, debugging artifacts, code similarities, or even group identifiers associated with specific MaaS offerings. Malware repositories can also be used to identify additional samples associated with the developers and the adversary utilizing their services. Identifying overlaps in malware use by different adversaries may indicate malware was obtained by the adversary rather than developed by them. In some cases, identifying overlapping characteristics in malware used by different adversaries may point to a shared quartermaster.[8]
Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle.
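As an added example (not ATT&CK content), the following Python extracts the compiler artifacts the detection guidance above mentions from a Windows PE: the linker version, the COFF timestamp and the MSVC "Rich" header, which records the toolchain products and builds that touched the binary. Samples whose toolchain fingerprints coincide across intrusion sets are candidates for the shared-supplier overlap described above. The sample PE is constructed inline for the demonstration and is not a real binary.

```python
import struct

DANS = 0x536E6144  # 'DanS' as a little-endian dword: start marker of the Rich header

def parse_rich_header(data):
    """Decode the MSVC 'Rich' header (product id, build, use count) if present, else None."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    rich_off = data.rfind(b"Rich", 0, e_lfanew)
    if rich_off < 0 or rich_off + 8 > len(data):
        return None
    key = struct.unpack_from("<I", data, rich_off + 4)[0]  # XOR key follows 'Rich'
    start = rich_off - 4
    while start >= 0 and struct.unpack_from("<I", data, start)[0] ^ key != DANS:
        start -= 4  # walk back dword by dword to the XOR-encoded 'DanS' marker
    if start < 0:
        return None
    entries = []
    for off in range(start + 16, rich_off, 8):  # skip 'DanS' plus three padding dwords
        comp, count = (v ^ key for v in struct.unpack_from("<II", data, off))
        entries.append((comp >> 16, comp & 0xFFFF, count))
    return {"key": key, "entries": entries}

def pe_build_features(data):
    """Linker version, COFF timestamp and Rich entries: artifacts a builder leaves in every output."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    machine, _, timestamp = struct.unpack_from("<HHI", data, e_lfanew + 4)
    _, major, minor = struct.unpack_from("<HBB", data, e_lfanew + 24)  # optional header start
    return {"machine": machine, "timestamp": timestamp,
            "linker": f"{major}.{minor}", "rich": parse_rich_header(data)}

def toolchain_fingerprint(features):
    """Set of (product id, build) pairs; identical sets across intrusion sets suggest a shared supplier."""
    rich = features["rich"]
    return frozenset((p, b) for p, b, _ in rich["entries"]) if rich else frozenset()

def build_sample_pe(key=0x1A2B3C4D, entries=((0x0104, 0x6B74, 3), (0x00FF, 0x6B74, 1)), linker=(14, 29)):
    """Construct a minimal, non-runnable PE-shaped blob (constructed test input, not real malware)."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    rich = struct.pack("<IIII", DANS ^ key, key, key, key)
    for prod, build, count in entries:
        rich += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
    rich += b"Rich" + struct.pack("<I", key)
    struct.pack_into("<I", dos, 0x3C, len(dos) + len(rich))  # e_lfanew points past the Rich block
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0x5F000000, 0, 0, 0xE0, 0x0102)
    opt = struct.pack("<HBB", 0x10B, *linker) + b"\x00" * 0xDC
    return bytes(dos) + rich + b"PE\0\0" + coff + opt
```

Run `pe_build_features` over each sample in a repository and group by `toolchain_fingerprint` to surface clusters shared between groups that are otherwise tracked separately.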