1. Home
  2. Techniques
  3. Enterprise
  4. 本机API

本机API

ID Name
T1106.001 直接系统调用绕过用户层钩子
T1106.002 动态API地址解析规避静态检测
T1106.003 API调用链混淆
T1106.004 内存注入型API调用劫持

本机API滥用指攻击者直接调用操作系统底层接口实施恶意操作的技术手段,涉及进程创建、内存操作、设备控制等敏感功能。与传统命令行操作相比,API调用具备更高的执行效率和更低的交互可见性。防御方通常通过监控关键API调用序列(如CreateRemoteThread、VirtualAllocEx)、分析进程加载的系统DLL行为(如异常加载ntdll.dll)、以及检测用户态钩子篡改事件等手段进行防护。但由于合法应用程序广泛使用系统API,准确区分正常与恶意调用成为核心挑战。

为规避基于API调用监控的检测体系,攻击者发展出多层次API滥用匿迹技术。通过内核级调用路径重构、动态函数解析、调用链污染以及进程上下文劫持等手法,将恶意操作深度嵌入系统合法行为流中,突破传统基于规则匹配或静态特征检测的防御边界,形成"底层化、动态化、寄生化"的新型API攻击范式。

当前本机API匿迹技术的核心演进方向集中于调用路径的立体化伪装与执行环境的深度融合。攻击者通过垂直跨越用户态-内核态边界(直接系统调用)消除用户层监控可见性,利用运行时动态解析机制(哈希寻址+延迟绑定)破坏静态分析基础,构建多维调用链混淆(逻辑嵌套+噪声注入)干扰行为分析,最终借助内存寄生技术实现恶意代码与合法进程的深度绑定。这些技术的共性在于突破传统API监控的观测维度:在调用层级上规避用户态钩子,在时间维度上延迟关键操作触发,在空间维度上隐藏于可信进程内存。通过将攻击行为分解重组为符合系统正常交互模式的微操作序列,实现"形散而神聚"的隐蔽攻击效果。

匿迹技术的演进导致传统基于API调用黑名单或单次异常调用的检测方法逐渐失效。防御方需构建跨进程、跨线程的调用链时空关联分析能力,实施内存与寄存器级别的行为完整性校验,并引入机器学习模型识别隐蔽的API调用模式异常,方能应对日益复杂的本机API滥用威胁。

ID: T1106
Sub-techniques:  T1106.001, T1106.002, T1106.003, T1106.004
Tactic: 攻击执行
Platforms: Linux, Windows, macOS
Contributors: Gordon Long, Box, Inc., @ethicalhax; Stefan Kanthak; Tristan Madani (Cybereason)
Version: 2.2
Created: 31 May 2017
Last Modified: 12 September 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过动态API解析和调用链混淆,将恶意系统调用特征融入合法API使用模式。例如使用哈希算法动态获取API地址,消除导入表特征;在关键恶意操作前后插入冗余API调用,构建符合正常软件行为的调用序列。这种深度伪装使静态分析和动态监控均难以有效提取攻击特征。

行为透明

通过内存注入劫持合法进程的API调用流,攻击者使恶意操作在受信任进程上下文中执行。例如寄生在系统服务进程中调用敏感API,利用宿主进程的合法身份掩盖异常行为。这种技术使得防御方难以通过进程行为基线分析发现异常,实现"借壳攻击"的透明化效果。

数据遮蔽

在直接系统调用场景中,攻击者通过汇编指令直接触发内核交互,避免用户态API调用参数的明文记录。部分高级实现会加密核心调用参数或使用进程间通信传递敏感数据,使得基于API参数监控的检测手段失效,关键攻击数据在传输过程中始终处于遮蔽状态。

Procedure Examples

ID Name Description
S0045 ADVSTORESHELL

ADVSTORESHELL is capable of starting a process using CreateProcess.[1]
S1129 Akira

Akira executes native Windows functions such as GetFileAttributesW and GetSystemInfo.[2]
S1025 Amadey

Amadey has used a variety of Windows API calls, including GetComputerNameA, GetUserNameA, and CreateProcessA.[3]
S0622 AppleSeed

AppleSeed has the ability to use multiple dynamically resolved API calls.[4]
G0067 APT37

APT37 leverages the Windows API calls: VirtualAlloc(), WriteProcessMemory(), and CreateRemoteThread() for process injection.[5]
G0082 APT38

APT38 has used the Windows API to execute code within a victim's system.[6]

S0456 Aria-body

Aria-body has the ability to launch files using ShellExecute.[7]
S1087 AsyncRAT

AsyncRAT has the ability to use OS APIs including CheckRemoteDebuggerPresent.[8]
S0438 Attor

Attor's dispatcher has used CreateProcessW API for execution.[9]
S0640 Avaddon

Avaddon has used the Windows Crypto API to generate an AES key.[10]
S1053 AvosLocker

AvosLocker has used a variety of Windows API calls, including NtCurrentPeb and GetLogicalDrives.[11]
S0638 Babuk

Babuk can use multiple Windows API calls for actions on compromised hosts including discovery and execution.[12][13][14]
S0475 BackConfig

BackConfig can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files.[15]
S0606 Bad Rabbit

Bad Rabbit has used various Windows API calls.[16]
S1081 BADHATCH

BADHATCH can utilize Native API functions such as, ToolHelp32 and Rt1AdjustPrivilege to enable SeDebugPrivilege on a compromised machine.[17]
S0128 BADNEWS

BADNEWS has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute.[18][19]
S0234 Bandook

Bandook has used the ShellExecuteW() function call.[20]

S0239 Bankshot

Bankshot creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA().[21]
S0534 Bazar

Bazar can use various APIs to allocate memory and facilitate code execution/injection.[22]
S0470 BBK

BBK has the ability to use the CreatePipe API to add a sub-process for execution via cmd.[23]
S0574 BendyBear

BendyBear can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing.[24]
S0268 Bisonal

Bisonal has used the Windows API to communicate with the Service Control Manager to execute a thread.[25]
S0570 BitPaymer

BitPaymer has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW.[26]
S1070 Black Basta

Black Basta has the ability to use native APIs for numerous functions including discovery and defense evasion.[27][28][29][30]
G0098 BlackTech

BlackTech has used built-in API functions.[31]
S0521 BloodHound

BloodHound can use .NET API calls in the SharpHound ingestor component to pull Active Directory data.[32]
S0651 BoxCaon

BoxCaon has used Windows API calls to obtain information about the compromised host.[33]
S1063 Brute Ratel C4

Brute Ratel C4 can call multiple Windows APIs for execution, to share memory, and defense evasion.[34][35]
S0471 build_downer

build_downer has the ability to use the WinExec API to execute malware on a compromised host.[23]
S1039 Bumblebee

Bumblebee can use multiple Native APIs.[36][37]
S0693 CaddyWiper

CaddyWiper has the ability to dynamically resolve and use APIs, including SeTakeOwnershipPrivilege.[38]
S0484 Carberp

Carberp has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories.[39]
S0631 Chaes

Chaes used the CreateFileW() API function with read permissions to access downloaded payloads.[40]

G0114 Chimera

Chimera has used direct Windows system calls by leveraging Dumpert.[41]
S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can use Windows APIs including LoadLibrary and GetProcAddress.[42]
S0667 Chrommme

Chrommme can use Windows API including WinExec for execution.[43]
S0611 Clop

Clop has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc().[44][45]
S0154 Cobalt Strike

Cobalt Strike's Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe[46][47][48]
S0126 ComRAT

ComRAT can load a PE file from memory or the file system and execute it with CreateProcessW.[49]
S0575 Conti

Conti has used API calls during execution.[50][51]

S0614 CostaBricks

CostaBricks has used a number of API calls, including VirtualAlloc, VirtualFree, LoadLibraryA, GetProcAddress, and ExitProcess.[52]

S0625 Cuba

Cuba has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum.[53]

S0687 Cyclops Blink

Cyclops Blink can use various Linux API functions including those for execution and discovery.[54]
S1111 DarkGate

DarkGate uses the native Windows API CallWindowProc() to decode and launch encoded shellcode payloads during execution.[55] DarkGate can call kernel mode functions directly to hide the use of process hollowing methods during execution.[56]
S1066 DarkTortilla

DarkTortilla can use a variety of API calls for persistence and defense evasion.[57]
S1033 DCSrv

DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.[58]
S1052 DEADEYE

DEADEYE can execute the GetComputerNameA and GetComputerNameExA WinAPI functions.[59]
S0354 Denis

Denis used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. Denis used GetProcAddress and LoadLibrary to dynamically resolve APIs. Denis also used the Wow64SetThreadContext API as part of a process hollowing process.[60]

S0659 Diavol

Diavol has used several API calls like GetLogicalDriveStrings, SleepEx, SystemParametersInfoAPI, CryptEncrypt, and others to execute parts of its attack.[61]
S0695 Donut

Donut code modules use various API functions to load and inject code.[62]

S0694 DRATzarus

DRATzarus can use various API calls to see if it is running in a sandbox.[63]
S0384 Dridex

Dridex has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique.[64]

S0554 Egregor

Egregor has used the Windows API to make detection more difficult.[65]

S0367 Emotet

Emotet has used CreateProcess to create a new process to run its executable and WNetEnumResourceW to enumerate non-hidden shares.[66]
S0363 Empire

Empire contains a variety of enumeration modules that have an option to use API calls to carry out tasks.[67]
S0396 EvilBunny

EvilBunny has used various API calls as part of its checks to see if the malware is running in a sandbox.[68]

S0569 Explosive

Explosive has a function to call the OpenClipboard wrapper.[69]

S0512 FatDuke

FatDuke can call ShellExecuteW to open the default browser on the URL localhost.[70]
S0696 Flagpro

Flagpro can use Native API to enable obfuscation including GetLastError and GetTickCount.[71]
S0661 FoggyWeb

FoggyWeb's loader can use API functions to load the FoggyWeb backdoor into the same Application Domain within which the legitimate AD FS managed code is executed.[72]
S1044 FunnyDream

FunnyDream can use Native API for defense evasion, discovery, and collection.[73]
G0047 Gamaredon Group

Gamaredon Group malware has used CreateProcess to launch additional malicious components.[74]
S0666 Gelsemium

Gelsemium has the ability to use various Windows API functions to perform tasks.[43]
S0032 gh0st RAT

gh0st RAT has used the InterlockedExchange, SeShutdownPrivilege, and ExitWindowsEx Windows API functions.[75]
S0493 GoldenSpy

GoldenSpy can execute remote commands in the Windows command shell using the WinExec() API.[76]

S0477 Goopy

Goopy has the ability to enumerate the infected system's user name via GetUserNameW.[60]
G0078 Gorgon Group

Gorgon Group malware can leverage the Windows API call, CreateProcessA(), for execution.[77]
S0531 Grandoreiro

Grandoreiro can execute through the WinExec API.[78]
S0632 GrimAgent

GrimAgent can use Native API including GetProcAddress and ShellExecuteW.[79]
S0561 GuLoader

GuLoader can use a number of different APIs for discovery and execution.[80]
S0499 Hancitor

Hancitor has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode.[81]
S0391 HAWKBALL

HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity.[82]
S0697 HermeticWiper

HermeticWiper can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data.[83][84][85][86]
S0698 HermeticWizard

HermeticWizard can connect to remote shares using WNetAddConnection2W.[85]
G0126 Higaisa

Higaisa has called various native OS APIs.[87]
S0431 HotCroissant

HotCroissant can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings.[88]
S0398 HyperBro

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[89]
S0537 HyperStack

HyperStack can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares.[90]
S0483 IcedID

IcedID has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process.[91]
S1152 IMAPLoader

IMAPLoader imports native Windows APIs such as GetConsoleWindow and ShowWindow.[92]
S0434 Imminent Monitor

Imminent Monitor has leveraged CreateProcessW() call to execute the debugger.[93]
S1139 INC Ransomware

INC Ransomware can use the API DeviceIoControl to resize the allocated space for and cause the deletion of volume shadow copy snapshots.[94]
S0259 InnaputRAT

InnaputRAT uses the API call ShellExecuteW for execution.[95]
S0260 InvisiMole

InvisiMole can use winapiexec tool for indirect execution of ShellExecuteW and CreateProcessA.[96]
S1020 Kevin

Kevin can use the ShowWindow API to avoid detection.[97]
S0607 KillDisk

KillDisk has called the Windows API to retrieve the hard disk handle and shut down the machine.[98]
S0669 KOCTOPUS

KOCTOPUS can use the LoadResource and CreateProcessW APIs for execution.[99]
S0356 KONNI

KONNI has hardcoded API calls within its functions to use on the victim's machine.[100]

S1160 Latrodectus

Latrodectus has used multiple Windows API post exploitation including GetAdaptersInfo, CreateToolhelp32Snapshot, and CreateProcessW.[101][102]
G0032 Lazarus Group

Lazarus Group has used the Windows API ObtainUserAgentString to obtain the User-Agent from a compromised host to connect to a C2 server.[103] Lazarus Group has also used various, often lesser known, functions to perform various types of Discovery and Process Injection.[104][105]
S0395 LightNeuron

LightNeuron is capable of starting a process using CreateProcess.[106]
S0680 LitePower

LitePower can use various API calls.[107]
S0681 Lizar

Lizar has used various Windows API functions on a victim's machine.[108]

S0447 Lokibot

Lokibot has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode.[109]
S1016 MacMa

MacMa has used macOS API functions to perform tasks.[110][111]
S1060 Mafalda

Mafalda can use a variety of API calls.[112]
S0652 MarkiRAT

MarkiRAT can run the ShellExecuteW API via the Windows Command Shell.[113]
S0449 Maze

Maze has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others.[114]

S0576 MegaCortex

After escalating privileges, MegaCortex calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs.[115]
G0045 menuPass

menuPass has used native APIs including GetModuleFileName, lstrcat, CreateFile, and ReadFile.[116]
S1059 metaMain

metaMain can execute an operator-provided Windows command by leveraging functions such as WinExec, WriteFile, and ReadFile.[112][117]
S0455 Metamorfo

Metamorfo has used native WINAPI calls.[118][119]
S0688 Meteor

Meteor can use WinAPI to remove a victim machine from an Active Directory domain.[120]
S1015 Milan

Milan can use the API DnsQuery_A for DNS resolution.[97]
S0084 Mis-Type

Mis-Type has used Windows API calls, including NetUserAdd and NetUserDel.[121]
S0083 Misdat

Misdat has used Windows APIs, including ExitWindowsEx and GetKeyboardType.[121]

S1122 Mispadu

Mispadu has used a variety of Windows API calls, including ShellExecute and WriteProcessMemory.[122][123]
S0256 Mosquito

Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions.[124]
S0630 Nebulae

Nebulae has the ability to use CreateProcess to execute a process.[125]
S0457 Netwalker

Netwalker can use Windows API functions to inject the ransomware DLL.[126]
S0198 NETWIRE

NETWIRE can use Native API including CreateProcess GetProcessById, and WriteProcessMemory.[127]
S1090 NightClub

NightClub can use multiple native APIs including GetKeyState, GetForegroundWindow, GetWindowThreadProcessId, and GetKeyboardLayout.[128]
S1100 Ninja

The Ninja loader can call Windows APIs for discovery, process injection, and payload decryption.[129][130]
S0385 njRAT

njRAT has used the ShellExecute() function within a script.[131]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group used Windows API ObtainUserAgentString to obtain the victim's User-Agent and used the value to connect to their C2 server.[103]
C0006 Operation Honeybee

During Operation Honeybee, the threat actors deployed malware that used API calls, including CreateProcessAsUser.[132]
C0013 Operation Sharpshooter

During Operation Sharpshooter, the first stage downloader resolved various Windows libraries and APIs, including LoadLibraryA(), GetProcAddress(), and CreateProcessA().[133]
C0014 Operation Wocao

During Operation Wocao, threat actors used the CreateProcessA and ShellExecute API functions to launch commands after being injected into a selected process.[134]
S1050 PcShare

PcShare has used a variety of Windows API functions.[73]
S1145 Pikabot

Pikabot uses native Windows APIs to determine if the process is being debugged and analyzed, such as CheckRemoteDebuggerPresent, NtQueryInformationProcess, ProcessDebugPort, and ProcessDebugFlags.[135] Other Pikabot variants populate a global list of Windows API addresses from the NTDLL and KERNEL32 libraries, and references these items instead of calling the API items to obfuscate execution.[136]
S0517 Pillowmint

Pillowmint has used multiple native Windows APIs to execute and conduct process injections.[137]
S0501 PipeMon

PipeMon's first stage has been executed by a call to CreateProcess with the decryption password in an argument. PipeMon has used a call to LoadLibrary to load its installer.[138]
S0435 PLEAD

PLEAD can use ShellExecute to execute applications.[139]
S0013 PlugX

PlugX can use the Windows API functions GetProcAddress, LoadLibrary, and CreateProcess to execute another process.[140][141]
S0518 PolyglotDuke

PolyglotDuke can use LoadLibraryW and CreateProcess to load and execute code.[70]
S0453 Pony

Pony has used several Windows functions for various purposes.[142]

S1058 Prestige

Prestige has used the Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection() functions to disable and restore file system redirection.[143]

S0147 Pteranodon

Pteranodon has used various API calls.[144]
S0650 QakBot

QakBot can use GetProcAddress to help delete malicious strings from memory.[145]
S1076 QUIETCANARY

QUIETCANARY can call System.Net.HttpWebRequest to identify the default proxy configured on the victim computer.[146]
S0629 RainyDay

The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring.[125]
S0458 Ramsay

Ramsay can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. Ramsay can execute its embedded components via CreateProcessA and ShellExecute.[147]
S0662 RCSession

RCSession can use WinSock API for communication including WSASend and WSARecv.[148]
S0416 RDFSNIFFER

RDFSNIFFER has used several Win32 API functions to interact with the victim machine.[149]
S0496 REvil

REvil can use Native API for execution and to retrieve active services.[150][151]
S0448 Rising Sun

Rising Sun used dynamic API resolutions to various Windows APIs by leveraging LoadLibrary() and GetProcAddress().[133]
S0240 ROKRAT

ROKRAT can use a variety of API calls to execute shellcode.[152]
S1078 RotaJakiro

When executing with non-root permissions, RotaJakiro uses the the shmget API to create shared memory between other known RotaJakiro processes. RotaJakiro also uses the execvp API to help its dead process "resurrect".[153]
S1073 Royal

Royal can use multiple APIs for discovery, communication, and execution.[154]
S0148 RTM

RTM can use the FindNextUrlCacheEntryA and FindFirstUrlCacheEntryA functions to search for specific strings within browser history.[155]
S0446 Ryuk

Ryuk has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection.[156]
S0085 S-Type

S-Type has used Windows APIs, including GetKeyboardType, NetUserAdd, and NetUserDel.[121]
S1018 Saint Bot

Saint Bot has used different API calls, including GetProcAddress, VirtualAllocEx, WriteProcessMemory, CreateProcessA, and SetThreadContext.[157][158]
S1099 Samurai

Samurai has the ability to call Windows APIs.[129]
G0034 Sandworm Team

Sandworm Team uses Prestige to disable and restore file system redirection by using the following functions: Wow64DisableWow64FsRedirection() and Wow64RevertWow64FsRedirection().[143]
S1085 Sardonic

Sardonic has the ability to call Win32 API functions to determine if powershell.exe is running.[159]

S1089 SharpDisco

SharpDisco can leverage Native APIs through plugins including GetLogicalDrives.[128]
S0444 ShimRat

ShimRat has used Windows API functions to install the service and shim.[160]

S0445 ShimRatReporter

ShimRatReporter used several Windows API functions to gather information from the infected system.[160]
G1008 SideCopy

SideCopy has executed malware by calling the API function CreateProcessW.[161]
S0610 SideTwist

SideTwist can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information.[162]
G0091 Silence

Silence has leveraged the Windows API, including using CreateProcess() or ShellExecute(), to perform a variety of tasks.[163][164]
S0692 SILENTTRINITY

SILENTTRINITY has the ability to leverage API including GetProcAddress and LoadLibrary.[165]
S0623 Siloscape

Siloscape makes various native API calls.[166]
S0627 SodaMaster

SodaMaster can use RegOpenKeyW to access the Registry.[167]
S0615 SombRAT

SombRAT has the ability to respawn itself using ShellExecuteW and CreateProcessW.[52]
S1034 StrifeWater

StrifeWater can use a variety of APIs for execution.[168]
S0603 Stuxnet

Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.[169]
S0562 SUNSPOT

SUNSPOT used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the SUNBURST injection process.[170]

S1064 SVCReady

SVCReady can use Windows API calls to gather information from an infected host.[171]
S0242 SynAck

SynAck parses the export tables of system DLLs to locate and call various Windows API functions.[172][173]
S0663 SysUpdate

SysUpdate can call the GetNetworkParams API as part of its C2 establishment process.[174]
G0092 TA505

TA505 has deployed payloads that use Windows API calls on a compromised host.[175]
S0011 Taidoor

Taidoor has the ability to use native APIs for execution including GetProcessHeap, GetProcAddress, and LoadLibrary.[176][177]
S0595 ThiefQuest

ThiefQuest uses various API to perform behaviors such as executing payloads and performing local enumeration.[178]
S0668 TinyTurla

TinyTurla has used WinHTTP, CreateProcess, and other APIs for C2 communications and other functions.[179]
G1022 ToddyCat

ToddyCat has used WinExec to execute commands received from C2 on compromised hosts.[130]
S0678 Torisma

Torisma has used various Windows API calls.[180]
S0266 TrickBot

TrickBot uses the Windows API call, CreateProcessW(), to manage execution flow.[181] TrickBot has also used Nt* API functions to perform Process Injection.[182]
G0081 Tropic Trooper

Tropic Trooper has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl.[183]
G0010 Turla

Turla and its RPC backdoors have used APIs calls for various tasks related to subverting AMSI and accessing then executing commands through RPC and/or named pipes.[184]
S0022 Uroburos

Uroburos can use native Windows APIs including GetHostByName.[185]
S0386 Ursnif

Ursnif has used CreateProcessW to create child processes.[186]
S0180 Volgmer

Volgmer executes payloads using the Windows API call CreateProcessW().[187]
S0670 WarzoneRAT

WarzoneRAT can use a variety of API calls on a compromised host.[188]
S0612 WastedLocker

WastedLocker's custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload.[189]
S0579 Waterbear

Waterbear can leverage API functions for execution.[190]
S0689 WhisperGate

WhisperGate has used the ExitWindowsEx to flush file buffers to disk and stop running processes and other API calls.[191][192]
S0466 WindTail

WindTail can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare.[193]
S0141 Winnti for Windows

Winnti for Windows can use Native API to create a new process and to start services.[194]
S1065 Woody RAT

Woody RAT can use multiple native APIs, including WriteProcessMemory, CreateProcess, and CreateRemoteThread for process injection.[195]

S0161 XAgentOSX

XAgentOSX contains the execFile function to execute a specified file on the system using the NSTask:launch method.[196]
S0653 xCaon

xCaon has leveraged native OS function calls to retrieve victim's network adapter's information using GetAdapterInfo() API.[33]

S1151 ZeroCleare

ZeroCleare can call the GetSystemDirectoryW API to locate the system directory.[42]
S0412 ZxShell

ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.RegisterServiceCtrlHandler

S1013 ZxxZ

ZxxZ has used API functions such as Process32First, Process32Next, and ShellExecuteA.[197]

Mitigations

ID Mitigation Description
M1040 Behavior Prevention on Endpoint

On Windows 10, enable Attack Surface Reduction (ASR) rules to prevent Office VBA macros from calling Win32 APIs. [198]
M1038 Execution Prevention

Identify and block potentially malicious software executed that may be executed through this technique by using application control [199] tools, like Windows Defender Application Control[200], AppLocker, [201] [202] or Software Restriction Policies [203] where appropriate. [204]

Detection

ID Data Source Data Component Detects
DS0011 Module Module Load

Monitor DLL/PE file events, specifically creation of these binary files as well as the loading of DLLs into processes. Utilization of the Windows APIs may involve processes loading/accessing system DLLs associated with providing called functions (ex: ntdll.dll, kernel32.dll, advapi32.dll, user32.dll, and gdi32.dll). Monitoring for DLL loads, especially to abnormal/unusual or potentially malicious processes, may indicate abuse of the Windows API. Though noisy, this data can be combined with other indicators to identify adversary activity.

Analytic 1 - Look for unusual or abnormal DLL loads, processes loading DLLs not typically associated with them

sourcetype=Sysmon EventCode=7| stats count by module_name process_name user| where module_name IN ("ntdll.dll", "kernel32.dll", "advapi32.dll", "user32.dll", "gdi32.dll")

DS0009 Process OS API Execution

Monitoring API calls may generate a significant amount of data and may not be useful for defense unless collected under specific circumstances, since benign use of API functions are common and may be difficult to distinguish from malicious behavior. Correlation of other events with behavior surrounding API function calls using API monitoring will provide additional context to an event that may assist in determining if it is due to malicious behavior. Correlation of activity by process lineage by process ID may be sufficient.

References

  1. Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017.
  2. Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024.
  3. Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022.
  4. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  5. Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018.
  6. DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021.
  7. CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
  8. Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023.
  9. Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
  10. Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021.
  11. Hasherezade. (2021, July 23). AvosLocker enters the ransomware scene, asks for partners. Retrieved January 11, 2023.
  12. Sogeti. (2021, March). Babuk Ransomware. Retrieved August 11, 2021.
  13. Mundo, A. et al. (2021, February). Technical Analysis of Babuk Ransomware. Retrieved August 11, 2021.
  14. Sebdraven. (2021, February 8). Babuk is distributed packed. Retrieved August 11, 2021.
  15. Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020.
  16. M.Léveille, M-E.. (2017, October 24). Bad Rabbit: Not‑Petya is back with improved ransomware. Retrieved January 28, 2021.
  17. Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021.
  18. Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  19. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
  20. Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021.
  21. Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018.
  22. Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020.
  23. Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020.
  24. Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021.
  25. Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022.
  26. Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021.
  27. Zargarov, N. (2022, May 2). New Black Basta Ransomware Hijacks Windows Fax Service. Retrieved March 7, 2023.
  28. Cyble. (2022, May 6). New ransomware variant targeting high-value organizations. Retrieved March 7, 2023.
  29. Avertium. (2022, June 1). AN IN-DEPTH LOOK AT BLACK BASTA RANSOMWARE. Retrieved March 7, 2023.
  30. Check Point. (2022, October 20). BLACK BASTA AND THE UNNOTICED DELIVERY. Retrieved March 8, 2023.
  31. Demboski, M., et al. (2021, October 26). China cyber attacks: the current threat landscape. Retrieved March 25, 2022.
  32. Robbins, A., Vazarkar, R., and Schroeder, W. (2016, April 17). Bloodhound: Six Degrees of Domain Admin. Retrieved March 5, 2019.
  33. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  34. Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023.
  35. Chell, D. PART 3: How I Met Your Beacon – Brute Ratel. Retrieved February 6, 2023.
  36. Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022.
  37. Salem, A. (2022, April 27). The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection. Retrieved September 2, 2022.
  38. Malhotra, A. (2022, March 15). Threat Advisory: CaddyWiper. Retrieved March 23, 2022.
  39. Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020.
  40. Salem, E. (2020, November 17). CHAES: Novel Malware Targeting Latin American E-Commerce. Retrieved June 30, 2021.
  41. Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020..
  42. Jenkins, L. at al. (2022, August 4). ROADSWEEP Ransomware - Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations. Retrieved August 6, 2024.
  43. Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021.
  44. Mundo, A. (2019, August 1). Clop Ransomware. Retrieved May 10, 2021.
  45. Cybereason Nocturnus. (2020, December 23). Cybereason vs. Clop Ransomware. Retrieved May 11, 2021.
  46. Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017.
  47. Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved September 12, 2024.
  48. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
  49. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
  50. Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021.
  51. Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021.
  52. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  53. Roccio, T., et al. (2021, April). Technical Analysis of Cuba Ransomware. Retrieved June 18, 2021.
  54. NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022.
  55. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  56. Adi Zeligson & Rotem Kerner. (2018, November 13). Enter The DarkGate - New Cryptocurrency Mining and Ransomware Campaign. Retrieved February 9, 2024.
  57. Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
  58. Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022.
  59. Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.
  60. Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018.
  61. Neeamni, D., Rubinfeld, A.. (2021, July 1). Diavol - A New Ransomware Used By Wizard Spider?. Retrieved November 12, 2021.
  62. TheWover. (2019, May 9). donut. Retrieved March 25, 2022.
  63. ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021.
  64. Check Point Research. (2021, January 4). Stopping Serial Killer: Catching the Next Strike. Retrieved September 7, 2021.
  65. Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
  66. Binary Defense. (n.d.). Emotet Evolves With new Wi-Fi Spreader. Retrieved September 8, 2023.
  67. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
  68. Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019.
  69. Threat Intelligence and Research. (2015, March 30). VOLATILE CEDAR. Retrieved February 8, 2021.
  70. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  71. Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022.
  72. Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
  73. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  74. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
  75. Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020.
  76. Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020.
  77. Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018.
  78. ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020.
  79. Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved September 19, 2024.
  80. Salem, E. (2021, April 19). Dancing With Shellcodes: Cracking the latest version of Guloader. Retrieved July 7, 2021.
  81. Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020.
  82. Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
  83. Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022.
  84. Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022.
  85. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022.
  86. Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022.
  87. Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021.
  88. US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
  89. Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019.
  90. Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020.
  91. Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020.
  92. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  93. QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020.
  94. Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024.
  95. ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018.
  96. Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020.
  97. Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  98. Fernando Merces, Byron Gelera, Martin Co. (2018, June 7). KillDisk Variant Hits Latin American Finance Industry. Retrieved January 12, 2021.
  99. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  100. Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022.
  101. Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024.
  102. Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024.
  1. Cashman, M. (2020, July 29). Operation North Star Campaign. Retrieved December 20, 2021.
  2. Saini, A. and Hossein, J. (2022, January 27). North Korea’s Lazarus APT leverages Windows Update client, GitHub in latest campaign. Retrieved January 27, 2022.
  3. Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022.
  4. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
  5. Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
  6. BI.ZONE Cyber Threats Research Team. (2021, May 13). From pentest to APT attack: cybercriminal group FIN7 disguises its malware as an ethical hacker’s toolkit. Retrieved February 2, 2022.
  7. Muhammad, I., Unterbrink, H.. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021.
  8. M.Léveillé, M., Cherepanov, A.. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022.
  9. Wardle, P. (2021, November 11). OSX.CDDS (OSX.MacMa). Retrieved June 30, 2022.
  10. Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023.
  11. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  12. Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
  13. Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021.
  14. Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020.
  15. SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023.
  16. Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020.
  17. Zhang, X. (2020, February 4). Another Metamorfo Variant Targeting Customers of Financial Institutions in More Countries. Retrieved July 30, 2020.
  18. Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
  19. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  20. Pedro Tavares (Segurança Informática). (2020, September 15). Threat analysis: The emergent URSA trojan impacts many countries using a sophisticated loader. Retrieved March 13, 2024.
  21. SCILabs. (2021, December 23). Cyber Threat Profile Malteiro. Retrieved March 13, 2024.
  22. ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
  23. Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  24. Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020.
  25. Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021.
  26. Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023.
  27. Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
  28. Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024.
  29. Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019.
  30. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  31. Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
  32. Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020.
  33. Brett Stone-Gross & Nikolaos Pantazopoulos. (2023, May 24). Technical Analysis of Pikabot. Retrieved July 12, 2024.
  34. Daniel Stepanic & Salim Bitam. (2024, February 23). PIKABOT, I choose you!. Retrieved July 12, 2024.
  35. Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020.
  36. Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020.
  37. Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech’s Cyber Espionage Campaigns. Retrieved May 5, 2020.
  38. Vasilenko, R. (2013, December 17). An Analysis of PlugX Malware. Retrieved November 24, 2015.
  39. Raggi, M. et al. (2022, March 7). The Good, the Bad, and the Web Bug: TA416 Increases Operational Tempo Against European Governments as Conflict in Ukraine Escalates. Retrieved March 16, 2022.
  40. hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020.
  41. MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023.
  42. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  43. Morrow, D. (2021, April 15). The rise of QakBot. Retrieved September 27, 2021.
  44. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  45. Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020.
  46. Global Threat Center, Intelligence Team. (2020, December). APT27 Turns to Ransomware. Retrieved November 12, 2021.
  47. Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019.
  48. Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020.
  49. Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020.
  50. Jazi, Hossein. (2021, January 6). Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat. Retrieved March 22, 2022.
  51. Alex Turing, Hui Wang. (2021, April 28). RotaJakiro: A long live secret backdoor with 0 VT detection. Retrieved June 14, 2023.
  52. Cybereason Global SOC and Cybereason Security Research Teams. (2022, December 14). Royal Rumble: Analysis of Royal Ransomware. Retrieved March 30, 2023.
  53. Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
  54. Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020.
  55. Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022.
  56. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022.
  57. Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
  58. Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020.
  59. Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022.
  60. Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
  61. GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019.
  62. Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020.
  63. Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022.
  64. Prizmant, D. (2021, June 7). Siloscape: First Known Malware Targeting Windows Containers to Compromise Cloud Environments. Retrieved June 9, 2021.
  65. GREAT. (2021, March 30). APT10: sophisticated multi-layered loader Ecipekac discovered in A41APT campaign. Retrieved June 17, 2021.
  66. Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  67. Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 2017/09/22
  68. CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021.
  69. Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022.
  70. Ivanov, A. et al. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018.
  71. Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018.
  72. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  73. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  74. Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
  75. CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
  76. Patrick Wardle. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021.
  77. Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021.
  78. Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
  79. Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018.
  80. Joe Security. (2020, July 13). TrickBot's new API-Hammering explained. Retrieved September 30, 2021.
  81. Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020.
  82. Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019.
  83. FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
  84. Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019.
  85. US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
  86. Mohanta, A. (2020, November 25). Warzone RAT comes with UAC bypass technique. Retrieved April 7, 2022.
  87. Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021.
  88. Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021.
  89. Biasini, N. et al.. (2022, January 21). Ukraine Campaign Delivers Defacement and Wipers, in Continued Escalation. Retrieved March 14, 2022.
  90. Insikt Group. (2020, January 28). WhisperGate Malware Corrupts Computers in Ukraine. Retrieved September 16, 2024.
  91. Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019.
  92. Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017.
  93. MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
  94. Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  95. Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
  96. Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021.
  97. Beechey, J. (2010, December). Application Whitelisting: Panacea or Propaganda?. Retrieved November 18, 2014.
  98. Gorzelany, A., Hall, J., Poggemeyer, L.. (2019, January 7). Windows Defender Application Control. Retrieved July 16, 2019.
  99. Tomonaga, S. (2016, January 26). Windows Commands Abused by Attackers. Retrieved February 2, 2016.
  100. NSA Information Assurance Directorate. (2014, August). Application Whitelisting Using Microsoft AppLocker. Retrieved March 31, 2016.
  101. Corio, C., & Sayana, D. P. (2008, June). Application Lockdown with Software Restriction Policies. Retrieved September 12, 2024.
  102. Microsoft. (2012, June 27). Using Software Restriction Policies and AppLocker Policies. Retrieved April 7, 2016.