T1608.001

Stage Capabilities: Upload Malware

Other sub-techniques of Stage Capabilities (6)
ID Name
T1608.001 Upload Malware
T1608.002 Upload Tool
T1608.003 Install Digital Certificate
T1608.004 Drive-by Target
T1608.005 Link Target
T1608.006 SEO Poisoning

Adversaries may upload malware to third-party or adversary controlled infrastructure to make it accessible during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, and a variety of other malicious content. Adversaries may upload malware to support their operations, such as making a payload available to a victim network to enable Ingress Tool Transfer by placing it on an Internet accessible web server.

攻撃者は、攻撃中にアクセスできるように、サードパーティまたは攻撃者の管理するインフラにマルウェアをアップロードすることがあります。悪意のあるソフトウェアには、ペイロード、ドロッパー、侵害後のツール、バックドア、およびその他のさまざまな悪意のあるコンテンツが含まれます。攻撃者は、インターネットからアクセス可能なウェブサーバにペイロードを配置することで、被害ネットワークで転送ツールを利用できるようにするなど、作戦を支援するためにマルウェアをアップロードすることがあります。

Malware may be placed on infrastructure that was previously purchased/rented by the adversary (Acquire Infrastructure) or was otherwise compromised by them (Compromise Infrastructure). Malware can also be staged on web services, such as GitHub or Pastebin.[1]

マルウェアは、攻撃者が過去に購入/レンタルしたインフラ(Acquire Infrastructure)、あるいは攻撃者によって侵害されたインフラ(Compromise Infrastructure)上に置かれることがあります。また、マルウェアは、GitHubやPastebinなどのウェブサービス上に設置されることもあります[1]。

Adversaries may upload backdoored files, such as application binaries, virtual machine images, or container images, to third-party software stores or repositories (ex: GitHub, CNET, AWS Community AMIs, Docker Hub). By chance encounter, victims may directly download/install these backdoored files via User Execution. Masquerading may increase the chance of users mistakenly executing these files.

攻撃者は、アプリケーションバイナリ、仮想マシンイメージ、コンテナイメージなどの不正ファイルを、サードパーティのソフトウェアストアやリポジトリ(例:GitHub、CNET、AWS Community AMI、Docker Hub)にアップロードする可能性があります。たまたま見つけた被害者が、ユーザー実行により、これらの不正なファイルを直接ダウンロードしたり、インストールしたりする可能性があります。偽装は、ユーザーがこれらのファイルを誤って実行する可能性を高める可能性があります。

ID: T1608.001
Sub-technique of:  T1608
Platforms: PRE
Contributors: Kobi Haimovich, CardinalOps
Version: 1.1
Created: 17 March 2021
Last Modified: 17 October 2021

Procedure Examples

ID Name Description
G0050 APT32

APT32 has hosted malicious payloads in Dropbox, Amazon S3, and Google Drive for use during targeting.[1]

G1002 BITTER

BITTER has registered domains to stage payloads.[2]

C0010 C0010

For C0010, UNC3890 actors staged malware on their infrastructure for direct download onto a compromised system.[3]

C0011 C0011

For C0011, Transparent Tribe hosted malicious documents on domains registered by the group.[4]

G1006 Earth Lusca

Earth Lusca has staged malware and malicious files on compromised web servers, GitHub, and Google Drive.[5]

G1011 EXOTIC LILY

EXOTIC LILY has uploaded malicious payloads to file-sharing services including TransferNow, TransferXL, WeTransfer, and OneDrive.[6]

G0047 Gamaredon Group

Gamaredon Group has registered domains to stage payloads.[7][8]

G1001 HEXANE

HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations.[9]

G0094 Kimsuky

Kimsuky has used Blogspot to host malicious content such as beacons, file exfiltrators, and implants.[10]

G0032 Lazarus Group

Lazarus Group has hosted malicious files on compromised as well as Lazarus Group-controlled servers.[11][12][13]

G0140 LazyScripter

LazyScripter has hosted open-source remote access Trojans used in its operations in GitHub.[14]

G0129 Mustang Panda

Mustang Panda has hosted malicious payloads on DropBox including PlugX.[15]

C0002 Night Dragon

During Night Dragon, threat actors uploaded commonly available hacker tools to compromised web servers.[16]

C0013 Operation Sharpshooter

For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[17]

C0005 Operation Spalax

For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire.[18]

G1008 SideCopy

SideCopy has used compromised domains to host its malicious payloads.[19]

G0092 TA505

TA505 has staged malware on actor-controlled domains.[20]

G0139 TeamTNT

TeamTNT has uploaded backdoored Docker images to Docker Hub.[21]

G0027 Threat Group-3390

Threat Group-3390 has hosted malicious payloads on Dropbox.[22]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0035 Internet Scan Response Content

If infrastructure or patterns in malware have been previously identified, internet scanning may uncover when an adversary has staged malware to make it accessible for targeting.Much of this activity will take place outside the visibility of the target organization, making detection of this behavior difficult. Detection efforts may be focused on post-compromise phases of the adversary lifecycle, such as User Execution or Ingress Tool Transfer .

References

  1. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  2. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  3. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  4. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  5. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  6. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  7. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  8. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  9. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  10. An, J and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. Retrieved December 29, 2021.
  11. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  1. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  2. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  3. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  4. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  5. McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.
  6. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  7. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  8. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  9. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  10. Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 22, 2021.
  11. Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021.

連絡先:@amj_trans

 

MITRE ATT&CK 日本語化プロジェクト