…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Insikt Group…
… malicious files to exploit CVE-2012-0158 and CVE-2010-3333 for execution. [78] G0081 Tropic Trooper Tropic Trooper has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158. [79] [80] S0341 Xbash Xbash can attemp…
…il with an Excel sheet containing a malicious macro to deploy the malware [256] G0081 Tropic Trooper Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments. [257] [258] [259] [260] [261] S0476 Valak Valak has been de…
…he Startup folder to automatically start itself upon system restart. [34] [226] G0081 Tropic Trooper Tropic Trooper has created shortcuts in the Startup folder to establish persistence. [227] [228] S0178 Truvasys Truvasys adds a Registry Run key to establish persistence. [229] S0…
…erform reconnaissance commands on a victim machine via a cmd.exe process. [369] G0081 Tropic Trooper Tropic Trooper has used Windows command scripts. [370] S0436 TSCookie TSCookie has the ability to execute shell commands on the infected host. [371] S0647 Turian Turian can create…
…eat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. Kasza, A., H…
…C (256 bits) encryption algorithm for its loader and configuration files. [227] G0081 Tropic Trooper Tropic Trooper has encrypted configuration files. [228] [229] S0263 TYPEFRAME APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR. […
….Karagany Trojan.Karagany can communicate with C2 via HTTP POST requests. [380] G0081 Tropic Trooper Tropic Trooper has used HTTP in communication with the C2. [381] [382] S0436 TSCookie TSCookie can use multiple protocols including HTTP and HTTPS in communication with command and co…
…he Startup folder to automatically start itself upon system restart. [38] [286] G0081 Tropic Trooper Tropic Trooper has created shortcuts in the Startup folder to establish persistence. [287] [288] S0178 Truvasys Truvasys adds a Registry Run key to establish persistence. [289] S0…
…jan.Karagany can upload, download, and execute files on the victim. [502] [503] G0081 Tropic Trooper Tropic Trooper has used a delivered trojan to download additional files. [504] S0436 TSCookie TSCookie has the ability to upload and download files to and from the infected host. …
…urveillance and Attacks Targeting ASEAN, Asian Nations, the Media, Human Rights Groups, and Civil Society. Retrieved November 6, 2017. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia a…
…any can base64 encode and AES-128-CBC encrypt data prior to transmission. [328] G0081 Tropic Trooper Tropic Trooper has encrypted configuration files. [329] [330] S0647 Turian Turian can use VMProtect for obfuscation. [44] G0010 Turla Turla has used encryption (including salted 3…
…jan.Karagany can upload, download, and execute files on the victim. [563] [564] G0081 Tropic Trooper Tropic Trooper has used a delivered trojan to download additional files. [565] S0436 TSCookie TSCookie has the ability to upload and download files to and from the infected host. …
…he Startup folder to automatically start itself upon system restart. [38] [303] G0081 Tropic Trooper Tropic Trooper has created shortcuts in the Startup folder to establish persistence. [304] [305] S0178 Truvasys Truvasys adds a Registry Run key to establish persistence. [306] S0…
…rojan.Karagany can enumerate files and directories on a compromised host. [342] G0081 Tropic Trooper Tropic Trooper has monitored files' modified time. [343] S0436 TSCookie TSCookie has the ability to discover drive information on the infected host. [344] S0647 Turian Turian can …